Carly Fallon discusses the often-overlooked ‘independent audit’ requirement of the Money Laundering Regulations.
It will come as no surprise that Anti-Money Laundering (AML) is a priority area for the SRA. It features time and again in the SRA Risk Outlook, in webinars, guidance and policy updates.
For over two years, the regulator has proactively visited regulated law firms for compliance spot checks, giving them nowhere to hide.
And rightly so. The National Crime Agency says that organised crime costs the UK economy over £100 billion each year.
Far too often, we see disciplinary (and occasionally criminal) charges brought against solicitors and law firms with poor AML controls.
Independent audit – Regulation 21
One of the controls required is contained in Regulation 21 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (aka Money Laundering Regulations, or MLRs), which says:
“Where appropriate with regard to the size and nature of its business, a relevant person must… establish an independent audit function with the responsibility
(i) to examine and evaluate the adequacy and effectiveness of the policies, controls and procedures adopted by the relevant person to comply with the requirements of these Regulations;
(ii) to make recommendations in relation to those policies, controls and procedures; and
(iii) to monitor the relevant person’s compliance with those recommendations.”
This means that law firms subject to the Regulations must:
- decide whether they are caught by the audit requirement
- if so, establish an independent audit function to test the effectiveness of the firm’s AML processes
- and follow up with any recommendations made
In the early days of the latest Regulations, it was generally assumed that the independent audit requirement would apply only to larger firms or those who conducted particularly high-risk transactions.
That myth has been well and truly put to bed. The SRA says that ‘most’ law firms should have an independent audit.
Firms who previously thought they were too small or low risk to be caught by the independent audit requirement now realise that they have to do something.
This is often prompted by an SRA review. Targeted AML compliance visits are now a central part of the regulator’s supervisory toolkit.
Failure to comply with Regulation 21 is one of the most common breaches picked up by the SRA, along with issues with firm-wide risk assessments and out-of-date policies.
What does ‘independent’ mean?
In the SRA’s view, the auditor can either be:
- an internal staff member. (The candidate would need to have a deep understanding of the Money Laundering Regulations and be independent of the usual compliance process i.e. not the COLP/Compliance manager/MLRO, etc – an auditor should not be marking their own homework!); or
- an external third party
For those who opt for the former, a template report can be found here.
The essential components of a Regulation 21 audit include:
- Review of policies, controls and procedures – are they up to date with the latest legislation, guidance and best practice?
- Interviews with staff – from the front-of-house to the senior solicitors, do your people understand and follow the processes?
- File review – can compliance with the firm’s policies be evidenced?
- Report – acknowledging good practice and making recommendations for improvements.
So far, the SRA has taken a softly-softly approach to encouraging firms to comply with Regulation 21.
But it is reasonable to predict that the SRA’s patience will start wearing thin with firms who fail to grasp the requirements, much like their approach to firm-wide risk assessments.
A free training session on independent audits will take place on 27 April at 12pm (places limited).