How to conduct an ‘Independent AML Audit’ under Regulation 21 of the Money Laundering Regulations [Free template audit]
If you have been paying attention to the extensive requirements of the Money Laundering Regulations (if not, start here), you will know that ‘Independent Audit’ is an important piece of the puzzle.
It can be difficult to know where to start – and who should be involved. Let’s see if we can demystify the process!
What is an independent audit under the Money Laundering Regulations?
Regulation 21 says:
“Where appropriate with regard to the size and nature of its business, a relevant person must…
…(c) establish an independent audit function with the responsibility—
(i) to examine and evaluate the adequacy and effectiveness of the policies, controls and procedures adopted by the relevant person to comply with the requirements of these Regulations;
(ii) to make recommendations in relation to those policies, controls and procedures; and
(iii) to monitor the relevant person’s compliance with those recommendations.”
When the Regulations first came into force, there was a general assumption that this would only apply to the large law firms.
That myth has been dispelled by the SRA. As our statutory AML Supervisor, they say in the most recent Risk Outlook that ‘most firms’ should be commissioning independent audits. Which is a pretty clear indication of what they expect.
The SRA is increasing their AML supervision function and many firms are being targeted for close scrutiny. We anticipate that they will increasingly want to see evidence of an independent audit function. Firms will have to justify themselves if they do not consider independent audit necessary under the Regulations.
How does this differ from the ‘Firm wide risk assessment’?
A Firm wide risk assessment is seen by the regulators as the cornerstone of AML compliance. Once a firm analyses and understands its priority risks, its AML processes, controls and training can be tailored accordingly. Basically, everything flows from the risk assessment. That is why the risk assessment is the first thing the SRA asks to see when they come knocking.
Think of an independent audit as the quality control function. It provides a feedback loop to the firm. Does what happens on the ground follow the firm’s AML procedures? Are the controls properly tailored to the firm wide risks? Are there any gaps?
The audit is a critical analysis of the effectiveness of AML systems, which will either tell you what you already know or highlight blind spots.
Who can conduct a ‘Regulation 21 audit’?
Unhelpfully, ‘independent’ is not properly defined in the Regulations. But logic dictates that it means:
- either somebody internal who is not marking their own homework (i.e. is not generally involved in AML compliance)
- or an external third party
Who should be involved?
An audit will be a significant commitment of resources if conducted internally. The auditor will be diverted from their usual management, fee earning and other duties for at least a few days.
So the first question to ask is, who has capacity and can we afford to divert them to this project?
Secondly, you will need to make sure that the auditor:
- has the knowledge and experience to be able to conduct an audit (they do not need to be an AML professional, but will need a working knowledge of the Regulations, LSAG Guidance and general legal practice – there is a steep learning curve)
- has the analytical skills to digest large amounts of information from disparate sources, come to reasoned conclusions and communicate their recommendations effectively to the firm’s managers
- will be able to maintain their independence in the face of internal defensiveness (this might dictate the seniority and character traits of the auditor).
The reality is that in a small or mid-size firm, it might be difficult to come up with a shortlist of willing and able auditor candidates.
What does the independent audit need to cover?
Again, this is not something that is dictated by the Regulations in detail. In our view, the auditor should be looking at a number of core documents, including:
- The firm wide risk assessment
- AML policies and procedures
- AML training records and content of training
- Standard file risk assessments used in each department
- AML Registers (e.g. reports to the MLRO)
To do the job properly, we also believe the auditor should dig more deeply into the day-to-day implementation of AML procedures. Our favoured tools are:
- Interviews with senior people
- Interviews with file handlers
- Interviews with junior and support staff
- File review
How long is an audit likely to take?
This largely depends on the size of the firm and the extent of the audit that is required. In our experience, even a small firm will take at least four days’ work for one person.
Can we use a template audit?
Yes, and it’s a good idea to give your auditor all the tools they need without having to reinvent the wheel.
Our free template can be found below (subject to revision). We have drafted it to give the auditor a solid indication of what will be expected of them.
How often should we repeat the audit?
Unsurprisingly, the Regulations are not prescriptive on this point and again it is likely to depend. A firm with a glowing audit might decide that another is not necessary for two, maybe three, years. Whereas a firm with lots of recommendations is likely to want to repeat the process annually, at least until the audits are more positive.
Download the free audit template
‘Salaried partner’ status – worth the risk?
Becoming a partner is still an important career milestone for many lawyers. But as we all know, not all partners are created equal.
Some are true equity owners and managers. Others have the title, but carry little influence or real upside in the business.
The regulatory responsibility of the ‘partner’ title is often overlooked when senior associates make that step up. Yet those ‘junior’ partners are likely to be just as responsible for their firm’s regulatory compliance.
As well as individuals, the SRA also regulates ‘entities’ – which is essentially shorthand for law firms. The people primarily responsible for a firm’s regulatory compliance are its ‘managers’ rather than owners.
Managers are defined by the SRA as:
- the sole principal in a recognised sole practice;
- a member of a LLP;
- a director of a company;
- a partner in a partnership; or
- in relation to any other body, a member of its governing body
That will cover most salaried partners.
Those who are described as partners, but who are not in fact partners, may also be on slightly shaky ground. ‘Holding out’ may bring additional considerations.
But aren’t the COLP and COFA the compliance officers?
Well, yes. These lucky souls are singled out for special attention, have specific responsibilities and are expected to be the focal point for regulatory compliance.
That, however, does not relieve the rest of the firm’s ‘managers’ of their regulatory liabilities. Which of course makes sense. Otherwise the COLP and COFA would risk becoming sacrificial lambs and nobody would consent to doing the job.
Now this isn’t intended to dampen anyone’s excitement for being made up to salaried partner. But you should accept that promotion with your eyes wide open. Make sure that all partners have full visibility of compliance issues and have enough influence to recommend changes.
If there is something rotten going on, turning a blind eye or relying on ‘junior partner’ status may not be an effective defence.
News and Guidance
SRA Updates
- SRA quietly drops proposal to reduce Compensation Fund cover from £2m to £500k – this always looked like a strange policy for a public interest regulator.
Law Society Updates
- New practice: Handling Complaints – a must-read for your Complaints Manager/Partner. See also Legal Ombudsman’s best practice guide for handling complaints (be transparent; mind your language; listen; inform; respond; learn).
- New guidance: Practical framework for law firms and sole practitioners on return to the office – lots of positive reaction to this guidance.
- The SIF saga rumbles on: Please don’t close the Solicitors Indemnity Fund (SIF) during the current insurance market turmoil, begs the Law Society and LSCP
Other updates
- Apparently, around 70% of clients willing to keep to virtual consultations – what implications might this have on your client onboarding systems, case supervision and office space requirements?
- LSB confirms the direction of travel of its CPD reform, with a new report into other jurisdictions’ successful safeguards to ensure lawyers’ competence. Think annual assessments, quality assurance schemes, early intervention, beefed up CPD, and peer review. It never made much sense to replace the 16-hour CPD requirement with a pure self certification system.
- Conservative Party fined £10,000 by the ICO for sending just 51 emails to people who had not opted in.
Webinar training
Thanks to everyone who attended this week’s webinar on Risk Management (a record attendance!). The slides are below and the Zoom recording has been sent out to those who registered. (Get in touch if you would like access).
This month’s training is going back to basics, with a session on confidentiality and conflicts. An oldie but a goodie. The registration email will come around in due course and you may want to circulate around your firm.
JBL clients get priority, then we open up any remaining slots to a wider audience closer to the time.
Disciplinary decisions
- Dene McClean (a non-qualified law firm consultant) – banned from the profession after having been jailed for communicating with prisoners on smuggled mobile phones.
- Matthew Price (legal cashier) – banned after transferring thousands of pounds of client money into his personal account.
- Nicholas Peter Whiffen (sole practitioner) – struck off for treating £30,000 of client money as his own or that of his firm.
- No case to answer in the trial of Peter Metcalf – the former solicitor for South Yorkshire Police in the Hillsborough Enquiry was prosecuted for perverting the course of justice. It was alleged that witness statements were drafted and/or amended by the solicitor, in effect putting words into witnesses’ mouths. The court found no evidence to support the prosecution of a criminal offence and ordered the jury to acquit.