Compliance with Anti-Money Laundering (AML) regulations is increasingly a source of stress and concern for lawyers. The Solicitors Regulation Authority (SRA) has been ramping up its enforcement efforts, issuing increasingly punitive fines and scrutinising firms to ensure they meet the necessary standards.
During a recent webinar (“SRA AML Fines: Lessons to be learned”), the 500+ lawyers in attendance raised some pressing questions about the SRA’s approach to AML fines and compliance requirements. We thought it would be helpful to prepare a rapid-fire Q&A that addresses the most common concerns raised before and during the session.
1. “How does the SRA arrive at the level of fine they are planning to issue?”
The SRA has a complex formula, which takes into account several factors, including the severity of the breach, the firm’s level of cooperation, whether there was intent or negligence, and if any harm resulted from the breach. They also consider mitigating factors like a firm’s attempts at compliance. However, since enforcement is undertaken by individuals at the SRA, it is largely a subjective approach.
A recent consultation (now closed) proposes a new approach to the more serious end of the spectrum to make the most of the regulator’s unlimited fining powers for misconduct related to economic crime. Under the proposals, firms can expect minimum fines of £500,000 for the most severe breaches, potentially extending to 10% of global turnover. These are scenarios which the SRA anticipates will not be serious enough to bother with a referral to the SDT.
If you would like to know more, there is SRA guidance on the SRA’s approach to financial penalties and a useful webinar hosted by the SRA on updated proposals on financial penalties.
2. “Is it fair to fine someone when no harm has been done?”
“Fairness” does not come into it. Regulators would say that even if no direct harm has occurred, non-compliance with AML regulations still represents a risk. As a front-line AML supervisor, the SRA enforces the Regulations and is under pressure from OPBAS to be seen to police the profession. Fines are a blunt tool, but the idea is to act as a deterrent to ensure firms take AML obligations seriously.
The counterargument is that the culture of fining can produce the perverse effect of encouraging tick-box compliance out of self-preservation, rather than the risk-based approach that AML is supposed to be built upon. The question becomes one of not getting fined, rather than stopping financial crime.
3. “How do PI Insurers view AML fines?”
Brokers say that Professional Indemnity (PI) insurers view AML fines negatively as they can indicate a potential compliance failure, which can increase perceived risk. This is particularly so if the fine is part of a pattern of other breaches. This could potentially impact insurance premiums or renewal terms.
4. “Who can be an AML officer and what does this entail?”
There are two official AML officers, the Money Laundering Reporting Officer (MLRO) and Money Laundering Compliance Officer (MLCO). The former is responsible for suspicious activity reporting, and the second is responsible for putting in place the AML controls. In some firms it will be the same person, although there are benefits to separating the roles where possible. Both roles should be held by someone with sufficient seniority and expertise to implement and monitor AML policies effectively. Their responsibilities include risk assessments, making reports and liaising with the authorities, providing in-house guidance, overseeing AML systems, and training staff.
5. “What to do if AML is non-compliant?”
If non-compliance is identified, it’s crucial to address the issues immediately. This includes reviewing and updating policies, conducting training, performing audits, and possibly self-reporting to the SRA if the non-compliance is “serious”. Bear in mind that the regulator thinks not having a compliant risk assessment is serious enough to warrant a fine, so logically it would be self-reportable.
Think in terms of the building blocks analogy. The Money Laundering Regulations contain identifiable parts (risk assessment, policy, training etc.) which need to be put together to create a workable compliance framework. Breaking AML compliance down into manageable parts can make it less daunting to put things right.
You can read more from the SRA on obligations to report breaches of the AML regulations and the Law Society Q&A covers reporting a minor AML breach.
6. “Is an Electronic Verification search required for all clients?”
Electronic verification is not mandatory, but it offers numerous benefits and can be a valuable tool for conducting customer due diligence (CDD).
Your firm’s risk assessment and internal AML policies and procedures should ultimately guide your approach to electronic verification. Therefore, the first step is to review your existing policies, controls, and procedures. Based on your risk assessments, your firm should determine how electronic verification fits into your workflow and overall CDD system.
Consider the risk mitigation benefits of using technology in your client due diligence process. Understand the assurance it provides and your reasons for deploying it. This analysis will help you identify potential gaps without the technology and explore alternative methods to address them. Some key benefits include PEPs and sanctions screening, verifying that the person claiming a particular identity is indeed that person, and confirming the authenticity of ID documents.
7. “At what stage of a transaction should AML be done?”
AML checks should be completed as early as possible, ideally before the transaction progresses. The LSAG guidance (section 6.8) provides helpful points about timing. Client Due Diligence must be completed before you:
- Deliver substantive work or benefit
- Permit funds to be deposited in your firm’s client account (unless for fees and disbursements)
- Allow property to be transferred
- Allow final agreements to be signed and completed
It’s crucial to implement controls in your systems that restrict clients from proceeding too far into a transaction without the necessary due diligence. Honestly assess how far a client could progress without the required Client Due Diligence. Early due diligence offers several benefits:
- Helps avoid delays
- Supports prompt detection and reporting of suspicious activity
- Protects the firm from potential issues
- Reduces the risk of needing to file a SAR or seek a DAML to return funds in your client account that may be proceeds of crime
The days of “KYC” being a one-time event are long gone. Ongoing monitoring is a fundamental requirement. Failure to revisit CDD before exchange or completion could expose the firm to risks, including SRA penalties. It’s something that needs to be carefully considered.
8. “Are we tracking down and needing evidence of every last penny?”
Firms are expected to take a risk-based approach to source of funds. Higher-risk situations require more thorough checks, while for lower-risk situations, a reasonable level of due diligence is sufficient. It’s about demonstrating that the source of funds has been checked adequately in the context of the specific transaction.
Remember, the goal is to have a clear understanding of where the client’s funds originate from and to be satisfied that they are not proceeds of crime. Use your professional judgment to determine when you have sufficient information.
9. “How far back do we need to go for source of funds checks?”
Similarly, there is no strict timeline, but firms must be able to demonstrate a reasonable inquiry into the origin of funds. For complex or high-value transactions, this might mean looking back several years or tracing through multiple layers of transactions.
The extent of how far back you need to go and which monies to investigate further depends on your risk assessment and deploying your risk-based approach. The SRA’s line here is “You need to go back as far as is needed to build a clear picture”.
Keep these two questions in mind:
- Is this consistent with what I know about the client?
- Do I have information that makes me suspicious that criminal property is involved?
Putting in place an arbitrary policy (e.g. checking six months of bank statements) could risk missing more serious issues.
10. “What if a client received a gift (e.g., £10k) from a foreign relative – how much should we check?”
£10k is probably in the range of “street level” money laundering where property transactions become attractive. But it is important to recognise that there is no de minimis threshold within the regulations or POCA. The firm should verify the identity of the third party (relative) and check the source of the funds, especially if the amount is significant in the context of the transaction. The threshold for what’s “significant” may vary based on the firm’s risk appetite and policies.
The LSAG guidance addendum published in December 2023 confirms that where it becomes known that the client has received funds for a transaction from a third party, you should also seek to understand and obtain evidence relating to the third party’s underlying source of funds. The extent to which you should obtain, review and evidence third-party source of funds is dependent upon the risk profile of the client or matter.
11. “Can we rely on documentation for long-term clients?”
Yes, if the client’s circumstances have not changed significantly, previous documentation can often suffice. However, it’s important to reassess the situation regularly to ensure it remains compliant with current regulations and that nothing material has changed. You would still be expected to conduct a risk assessment on the matter, i.e. the particular transaction.
12. “What to do with complex structures, including overseas companies?”
It is important to take a thorough risk-based approach. Enhanced due diligence (EDD) is typically required for higher-risk situations. Complex corporate structures involving offshore jurisdictions are a known method of disguising the true origins of funds. CDD also includes verifying the beneficial owners and understanding the nature of the business. Jurisdictions with limited transparency increase the need for more thorough due diligence. Always document your findings and decision-making process.
13. “Can someone other than a director act on behalf of the company?”
Generally, only authorised individuals, like directors, can act on behalf of a company. However, in some cases, others may act with specific authorisation, for example, General Counsel. Due diligence is crucial to verify their authority, which is also in keeping with the Code of Conduct requirement to identify your client.
14. “Can we work with clients who are not yet ROE-registered?”
The Register of Overseas Entities was established to improve the transparency of UK property owned by offshore corporations and trusts. Firms can work with offshore clients, but if there is a ROE trigger then the firm would have to flag up the obligation to register. Overseas entities that do not register will face sanctions such as daily fines and are not able to transact with their land or property, including buying, selling, transferring, leasing and borrowing. There is no requirement to act as a verification agent or guide them through the registration process.
15. “Is there an expectation that the SRA will enforce more rigorously due to increased fining powers?”
With increased fining powers, the SRA is likely to take a stricter stance on AML compliance, reinforcing the need for firms to maintain high standards. We have already seen the level of fines climbing steeply in scale and regularity, and there is no sign of this stopping. The recent consultation on financial penalties suggests that the regulator is committed to using fines as an enforcement tool.
16. “How often should we conduct independent audits?”
The frequency depends on the firm’s size, risk profile, and complexity. For most, an independent audit conducted every 1-2 years would be considered good practice for ensuring ongoing compliance. Triggers for more frequent audits could include merging with another firm, taking on a new area of law within scope of the Regulations or significant changes to the underlying AML legislation.
17. “What is your top tip for compliance?”
Jonathon Bray: Take a proactive approach: regularly review and update AML policies, provide ongoing staff training, and perform regular internal audits to identify and address any weaknesses. Don’t wait for the SRA letter to arrive notifying you of a visit. Act like they are coming next week!
Harriet Holmes: Maintain an inquiring mind and stay curious. Document everything meticulously. Remember, compliance isn’t a one-off task—it’s an ongoing process. Continuously review, reflect on, and refine your practices to ensure you’re as compliant as possible at all times.