Regular readers of the COLP Insider newsletter will know that the Solicitors Regulation Authority (SRA) has been ramping up its efforts to combat money laundering within the legal sector. As part of this crackdown, numerous firms have faced substantial fines for failing to meet their Anti-Money Laundering (AML) obligations following targeted regulatory visits.
The SRA now wields unlimited fining powers for matters involving financial crime, meaning a fine can be imposed without the matter first going to a formal tribunal hearing. If the financial penalties consultation amendments come into force, fines for the most serious offences will start at £500,000 for firms (£100,000 for individuals), and could go up to as much as 10% of global turnover.
While these fines can be financially damaging, they are also a severe blow to reputation.
On the plus side, publicised decisions offer valuable lessons that can help firms avoid similar pitfalls in the future.
Here are 5 key lessons your firm can learn from the SRA’s recent AML fines to strengthen your compliance framework and safeguard your reputation.
1. AML Compliance Is Not a ‘Tick-Box’ Exercise
One of the recurring issues in firms that have been fined is that AML compliance was treated as a box-ticking exercise. Simply having an AML policy isn’t enough. A well-crafted policy is certainly one of the key building blocks of compliance, but you need to demonstrate that it is actively implemented across all areas of your business. The SRA expects firms to not only have these policies in place but to regularly review, update, and evidence their effectiveness.
When the SRA auditor turns up, they will review a number of files looking for key indicators that the firm’s policies are being followed in practice. A firm may have fantastic documentation, only to be let down by one or two files without sufficient risk assessment or Client Due Diligence (CDD).
This means training staff, conducting regular internal audits, and keeping up-to-date with regulatory changes are just as important as the policy itself.
2. Risk Assessments Must Be Robust and Tailored
Don’t forget that the SRA is looking at three types of risk assessment: firm-wide, client and matter.
The first is the cornerstone of your AML compliance programme. It sets out what risks the firm faces and what systems need to be in place to mitigate those risks.
Client risk assessments should be conducted on all new (‘in scope’) clients, and those where there have been material changes since the last instruction. This process is supposed to prompt the file handler to consider the risk presented by the client-related factors: who they are, where they are based, how they are structured etc.
Matter risk assessments should be conducted on all new (‘in scope’) instructions, even for existing clients. Each new instruction will be different to the last and could have vastly different risks attached to it, such as the location of an acquiring firm in a transaction, how the matter was introduced, where the money is coming from etc.
Client and matter risk assessments are often incorporated into one document.
Firms often get caught out by conducting generic risk assessments that fail to reflect the specific risks posed by their client base or work types, and failing to engage meaningfully in the risk assessment process. “Not applicable” is a dangerous response. The SRA expects risk assessments to be detailed, regularly updated, and tailored to each client and transaction.
Invest time in creating client-specific risk assessments that consider factors such as the nature of their business, jurisdiction, and the type of legal service provided. Using the SRA templates as a starting point will ensure you are hitting all the expected areas. Further tailoring your documents will demonstrate that you understand the risks and have measures in place to mitigate them.
3. CDD Is Not Optional
Failing to carry out proper CDD is one of the most common reasons firms are fined, and can lead to more serious penalties where there is evidence of resulting harm. CDD is much more than taking copies of a passport. The SRA expects firms to have a deep understanding of who they are doing business with. This means identifying and verifying the identity of clients, understanding the purpose of the work, and being alert to any red flags during the relationship.
Ongoing monitoring is also a big part of the CDD obligation. It is not enough to do a check at the start of the relationship and then assume nothing has changed during the life of the transaction. The SRA expects firms to build ongoing monitoring into their systems, for example identifying key milestones in a transaction where the file handler is required to check again.
We increasingly see SRA auditors challenging firms on the CDD steps taken, judged against the risk assessments on file. Internal file supervision should ask similar questions of the file handler. Can they justify the steps they have taken, or the absence of CDD, and is that justification evidenced sufficiently on the file?
Firms should develop a rigorous CDD process that includes identity verification, understanding the source of funds, and ongoing monitoring for suspicious activity. Automating parts of this process with technology can help reduce human error, increase efficiency and reduce friction for clients.
4. Training Is Key to Staying Compliant
Compliance isn’t just the responsibility of compliance officers – it’s everyone’s responsibility. Firms that face fines often have gaps in staff training, which in itself is a breach of the Regulations. Regular, up-to-date training for all staff members is crucial for identifying and addressing potential money laundering risks, and is one of the most important building blocks.
Training can get people on board, remind people of the firm’s systems, reduce the likelihood of rogue files and keep AML considerations top of mind. It is also an opportunity for team members to articulate particular challenges they face, problems with the firm’s systems and general questions about AML.
That does not mean you necessarily have to lock everyone in a room for a day-long PowerPoint session. Successful AML training is often regular, bite-sized and easy to digest. Nobody should be using AML training simply as a way to bag “CPD hours”, which the SRA has in any case replaced with its continuing competence requirement.
5. Independent Audit is Mandatory
It is often overlooked that an independent audit of AML compliance is not just recommended but a requirement of the Money Laundering Regulations for firms within scope (regulation 21 requires an independent audit function where appropriate to the size and nature of the business). The SRA expects firms to periodically assess the effectiveness of their compliance, either through external audits or internal resources. Firms often report that finding an independent internal auditor with the capacity to undertake the project can be a challenge.
An independent AML audit should be conducted at regular intervals. Depending on the size and nature of the firm, that could be annually or perhaps every other year.
Independence is important to provide an unbiased review of your procedures, identify potential gaps, and ensure that the firm remains aligned with SRA expectations.
The process can also demonstrate your commitment to maintaining high standards, to both the regulator and team members, and can shine a light on areas of risk previously not considered.
Conclusion: Proactive Compliance is Essential
The SRA’s increasing scrutiny of AML compliance and ever-expanding powers mean that law firms cannot afford to be complacent. By learning from the mistakes of others, you can protect your firm from fines, reputational damage, and the risk of more severe regulatory action.
Taking a proactive approach – investing in audit, training, technology, and robust procedures – will help you stay on the right side of the regulator.