
The thought of an SRA money laundering audit may fill you with dread. But the regulators are getting more proactive about their role as AML supervisor. Many firms have had the pleasure of discussing AML procedure, over tea and a biscuit no doubt, with the SRA. So what can you expect when the SRA comes calling?

It’s worth pointing out at this stage that the SRA may have selected your firm for one of two reasons. The first is that they want to look closely at your AML controls, perhaps relating to a recent breach or complaint. The second is that your firm is caught by the Money Laundering Regulations (2017) (or MLRs) and you are now one of many thousands of firms being routinely investigated.

You will be aware that AML has been a priority issue for the SRA in recent years. Proactive AML supervision is designed to tighten AML standards across the profession. It also gives the SRA the data it needs to feed back to OPBAS (Office for Professional Body Anti Money Laundering).

First you get the call

When the SRA first makes contact, they will usually offer a few dates for you to respond with availability. It is unlikely that they will turn up unannounced on your doorstep. Naturally, even the most highly organised firms will want to give themselves enough time to prepare and so opt for the date furthest away. No surprises there.

So what next? Blind panic? Well, let’s be super optimistic at this stage and look at the impending visit as an opportunity to get your AML ducks in a row.

If you know you are not up to date, or fear that something may have slipped under the radar with all the recent legislative changes (and subsequent tinkerings) then read on…

Mercifully, there are no rules as to how often law firms should be updating their policies or reviewing procedures. Unsurprisingly, this area has been left deliberately vague, so that each law firm applies the all-important ‘risk based’ approach to their AML framework.

However, the time for absorbing, refreshing and re-implementing the recent changes in AML is now.

If, on the other hand, you have managed to stay abreast of the changes (well done, you!), you may even have future dates in mind for a review of your existing systems. Don’t forget to follow this up. Failure to review things in line with your policy may indicate to the SRA that your AML framework is not working.

What the auditor will look at

So, what exactly will the SRA want to see during one of these visits?

SRA routine investigations are ‘front loaded’ in terms of the assessment of your AML framework. You will need to submit all of your policy documents in advance of the visit. You will likely be asked for the following:

  1. Firm Wide Risk Assessment (FWRA)
  • Sometimes referred to as a Practice Wide Risk Assessment, or PWRA, this is a cornerstone of your AML controls. You must have one in place to be compliant with the Regulations.
  • Starting with a template is acceptable, but you have to tailor it to the risks faced by your firm.
  • Make sure the document is reviewed in accordance with your policy.
  • If it doesn’t already, your risk assessment should include reference to the Legal Sector Affinity Group (LSAG) guidance.
  • See our risk assessment checklist here.
  2. Policies Controls and Procedures (PCPs)

Including client and matter risk assessments and your core AML policy (Anti-Financial Crime) document.

  3. Associated policy documents

Including reference to the Criminal Finances Act 2017 and how you store your client data.

  4. Fee Earner lists

Whose work is subject to the Money Laundering Regulations and their ‘live’ matters.

  5. Training records
  • To include all ‘relevant’ staff members. Make sure that your MLRO and MLCO are trained on and familiar with the Regulations and the LSAG guidance.
  • What is the process? What solutions have been rolled out to manage the risk?
  • Keep records of all AML updates that you circulate within the firm, to show how you are reminding staff of their responsibilities.
  6. Screening employees

This is an ongoing requirement and not just something that happens at the recruitment stage.

  7. CDD records

Are these held centrally or on the client matter? Do your fee earners know how often CDD is refreshed? This needs to be clear in your AML policy.

  8. Source of Funds and Wealth procedure.

How are you evidencing this and capturing the perceived risk?

  9. SARs and MLRO records.

The SRA will be interested in how many SARs you have completed. Remember that having no SARs may indicate that your training has not been effective. It is also sensible to maintain records of any cases that you have turned away.

  10. Minutes of Board meetings where AML is discussed.

The SRA want to see that AML is high on the compliance agenda.

You’ll want to have easy access to all of your AML policy documents if and when the SRA come knocking.

When we conduct Regulation 21 Audits, some clients struggle to locate everything that we ask for, as documents are tucked away in another Manual. For example, it makes sense that an employee screening policy (noted above) should live in the HR Manual, but evidently, these things can cause delays.

This would be the perfect time to ensure that all of your AML Policy documents are listed in a central register. And for extra Brownie points, you could use a hyperlink to the latest version, rather than trawling through the documents for the most up-to-date one.

Probing deeper

During the visit, you can expect the SRA to interview some of your fee earners and to go through a selection of their live matters. This can be anyone from Partner level through to junior staff.

Is it time to brush up on training? Would your staff be able to confidently talk through the firm’s AML controls?

When conducting file reviews, the SRA will be looking for:

  • Client Care letter
  • Client Ledger
  • ID and verification documents. Is conference calling part of your process? If so, where is it documented?
  • Any e-verification results and how any referred matters have been handled. What has been done to further investigate any false positives? How was this resolved?
  • Any Google searches or adverse findings kept on file.
  • Any Company Searches
  • Evidence of Source of Funds and Wealth
  • Client and Matter risk assessments and how the risk is managed through the life cycle of the transaction.

The Aftermath

Once the investigation is over and the Regulator has all the information they need, they will write to you again, with their findings. We have seen them highlight areas of good practice, as well as areas for change, along with deadlines for implementation.

Firms that ‘fail’ an SRA audit leave themselves open to enforcement action. The fining levels have been creeping up, and the SRA now has the power to fine a firm (or individuals) up to £25,000.

Perhaps worse is the damage to reputation. The SRA publishes details of AML enforcement, which will be available to your clients, staff, accreditation bodies and insurers.

If you would like a mock audit, please drop us a line.

By Carly Fallon
