Encompass Corporations’s Amy Bell shares her top tips for executing Anti-Money Laundering (AML) compliance programs for those working in the legal sector, exploring subjects including risk assessments, source of funds and wealth, and ID&V…

1 – all about evidence

All firms have to show regard to their supervisor’s risk assessment when preparing their own. (Reg 18 (2)).

Make sure it is mentioned in the steps you’ve taken in preparing the risk assessment. If your assessment of risk differs with theirs, explain why.

 2 – client account focus

In your Firm Risk Assessment, don’t forget to include the risk from the client account. It’s referenced in the National Risk Assessment and the Supervisors Risk Assessment, so it should be in yours. Often the focus is solely on the work types and firms don’t always identify the more generic operational risks.

Detail what you do to protect the client account in the risk mitigation section.

Also, don’t forget to include or cross reference your accounts procedures (for example, the timing of accepting funds and refusing to provide banking facilities and how you deal with funds from third parties) in your AML policy.

 3 – source of funds and source of wealth

Tell people what you want them to do, ask them to record the steps they’ve taken, check that they’ve reviewed the information and most importantly remember their assessment of risk, having considered the information they have.

I ask lawyers all the time: “if I were to look at your files tomorrow, would I be able to see you have considered the source of funds and source of wealth?”

 4 – client communication

Help your lawyers with what to say to clients about why your firm carries out Customer Due Diligence (CDD), in particular source of funds and wealth enquiries.

If I had a pound for every time I heard the concern that “clients will think they are being accused/would be insulted if we asked”… Actually, clients don’t mind being asked nearly as much as we think they do – everyone asks all the time. But it does help if you give your lawyers some wording to explain the rationale for the checks.

Some people explain that it’s a legal obligation, but I much prefer explaining why money laundering is a problem – enabling criminality, human trafficking, damage to the local and national economy… and why we as a firm care about that, as well as that the checks are essential in playing our part to prevent money laundering.

Clients understand this and are often appreciative of your efforts.

 5 – manage the timing of verification

This was the first job I had in AML. You know the law, you must complete the ID&V part of CDD before the establishment of a business relationship or before carrying out a transaction. Some firms won’t issue a file number until it’s done. The Solicitors Regulation Authority certainly seem in favour of that approach.

However, many firms open the file first but require CDD to be completed soon thereafter, using the exception in Regulation 30(3). If you are going to do that, make sure you monitor that ID&V is in fact completed “as soon as practicable”.

Make sure you can track the files and that CDD is obtained.

I see many policies which say the CDD must be obtained in, say, seven or 14 days, or work must stop – but it’s not always clear how that is managed. Is it a system issue – the file locks to prevent any further work – or is it manual, with compliance checking and chasing?

Whatever it is, include it in your written procedure and be ready to show an auditor/the regulator the records of the monitoring.

 6 – CDD on existing clients

Something I see all the time is, “we will rely on existing client due diligence unless we become aware of a change in the client’s identity, risk profile or there is a three year gap in instructions”.

That’s because it is in the guidance. However, in theory, for an existing client that instructs once every two years, the CDD would never be refreshed if the lawyer doesn’t “become aware” of a change.

When considering a private individual, they are unlikely to change their identify, but a company could and their beneficial owners could. So, where you don’t act for the beneficial owners, how would you know?

In my experience, there is little thought actually given to whether there has been a change. It’s often a case of, “yes we have CDD from last time, so I can crack on”

For me, I have always preferred to give the CDD a “shelf life” – the longest we will rely on existing CDD is x months/years and then we will refresh. I would also capture the consideration of whether the fee earner thinks anything has changed in the matter risk assessment.

 7 – “purports to act”

The regulations require that, where a person purports to act on behalf of the customer, you verify the person’s authority to act and ID&V them. Some people have taken that to mean a director, but, if you look at the guidance for the legal sector, it refers to a “representative”. Most firms take the view that a director does not “purport” to act, they do act for the company.

Usually, I see firms apply Regulation 28(10) when they have an agent or attorney situation. That said, I’m still a fan of ID&V-ing at least one director because I like to know a ‘real’ person is attached to the corporate client.

 8 – information for clients

The Money Laundering Regulations 2017 were amended by the Data Protection Act 2018. Make sure you’re giving your clients the required information.

9 – know your searches inside out

Know how your electronic verification searches work. Many firms now have electronic verification of ID as part of their CDD processes. I was an early adopter in 2006 and I’m still a big fan but I say be careful. I find that many people can’t explain to me how they work, what they are checking and how many matches are required to pass.

Is it checking what you think it’s checking? Sometimes, I see examples of CDD searches passing with the wrong date of birth included! Also, if the contract with the provider was agreed with the previous MLRO and you are the new one, make sure you are fully briefed.

 10 – certifying copy ID

Be careful who you ask to certify copy ID. I prefer to rely on someone who is either well briefed or is familiar with the AML legislation, like lawyers or accountants. Also, you (or indeed the police) may want to speak to the certifier in the future so make sure it’s someone who can be traced. That’s going to be difficult if you rely on post office or bank counter staff.

Make sure they’ve signed and dated the certification and their name is printed in a way that you can read it. I find giving the client an explanation of requirements that they can then hand to the certifier is the most effective way of getting it right.

This article was first published on Amy’s Teal Compliance blog.

About Amy Bell


Amy worked for many years as a solicitor before moving into compliance and eventually launching her own firm. A leading figure helping law firms adapt to the changing legal landscape, Amy is also the author of The Law Society’s Elearning and Toolkit on the Bribery Act, and current Chair of their Anti-Money Laundering Task Force.  Amy specialises in AML regulations mainly professional services and runs ABC Consultancy.  Connect with Amy on LinkedIn.

Source: Encompass Corporation