Short answer: Yes, there is a mechanism for ‘reliance’ in Regulation 39 of the Money Laundering Regulations 2017.
There are, however, certain preconditions, risks and practical considerations. It should not be the default way for law firms to conduct CDD.
What is ‘Reliance’?
The starting point is that the law firm should conduct client due diligence (CDD). However, CDD carried out by another ‘relevant person’ can also be relied upon in certain circumstances.
A ‘relevant person’ is, broadly speaking, another regulated professional who is also subject to the Money Laundering Regulations (MLR) or equivalent.
Reliance can save time and work duplication, not to mention client frustration. For example, it might be a suitable way to deal with clients who are ‘passed on’ by another company in the law firm’s group. Or if you regularly work with another professional adviser in transactions, there is potential to streamline the onboarding process.
Law firms cannot outsource their responsibility for CDD
The key point to understand is that the party relying on the CDD is responsible for it.
If the party supplying the CDD (let’s say, the client’s accountant or estate agent) failed to do sufficient checks, the solicitor relying on the same documents would remain equally liable if the client turned out to be dodgy.
There is an increased risk because circumstances may have changed since the original party conducted the CDD. Maybe the client moved, or a business gained new beneficial owners. It is imperative that the solicitor knows that the AML checks in front of them are fully up to date.
And since CDD failures potentially carry criminal liability, there is a strong incentive for law firms to insist on doing their own AML checks.
Reliance agreements must be in writing
If you do go down the reliance route, it is not an informal process. There has to be a written agreement in place, where the original party agrees to provide CDD documents within two days of being asked for it. The parties must also agree to keep records in accordance with the Regulations.
Policies, procedures and controls (PCPs)
If you use the Regulation 39 procedure for CDD, even occasionally, you must ensure that you have formal PCPs in place.
A reliance policy is likely to form a part of your wider AML policy, and will usually include:
- An overview of Regulation 39
- Circumstances when reliance is appropriate (and forbidden)
- A process for getting authorisation to enter into a reliance agreement (almost certainly the MLRO or MLCO)
- Checking the credentials of the supplying party
- How to record whether a particular client or matter has been checked under a reliance agreement
- When to update CDD
- Record keeping
If you rely on other parties’ CDD, this will also be a relevant factor to include in your firm-wide risk assessment.
What about another party relying on our CDD?
Regulation 39 works both ways, of course. You might find other parties asking to rely on your CDD.
You are not obliged to do so, and you will of course have issues to client confidentiality to consider. A client will need to expressly agree to disclosure of their confidential information. Data protection law will also come into play, so you will need to update your privacy notices and data asset registers.
Note that the terms of your agreement with electronic verification services may stipulate that records cannot be relied on by another party.