AML: sizing up the risk
A further briefing on the forthcoming Money Laundering Regulations, in particular the new requirement for a firm risk assessment
As highlighted last month (Journal, May 2017, 41), the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 are due to be implemented this summer, bringing an increased focus on the risk-based approach against money laundering and terrorist financing.
Members need to be aware that a key requirement of the new regulations is for all firms to assess and record their own risk. This is the process through which a firm will take “appropriate steps to identify and assess the risks of money laundering and terrorist financing to which its business is subject”.
The requirement has been seen as best practice for some time but, as it did not feature in the previous regulations, it was not covered by the accounts rules and was not enforced by the Financial Compliance team. Some firms have, however, proactively undertaken this risk assessment, and the concept is clearly set out in chapter 2 of the Law Society of England & Wales Anti-Money Laundering Practice Note, which the Society has adopted as guidance.
Carrying out a risk assessment is a value-adding process through which owners and managers can identify money laundering and terrorist financing risks, helping to protect both their firm and their clients. This will inform the policies and procedures established to manage and mitigate these risks, and help the firm to decide how to allocate resources. As required by the new regulations, the Society is currently completing a similar assessment of the risks faced by the profession, which will be available soon on our website.
Our compliance processes will be revised to cover the existence and adequacy of firm risk assessments. This will be done through the well-established inspection process, but desk-based work will also be introduced. That will require confirmation that firm risk assessments have been carried out, and copies must be sent to us for review, as the new regulations require such assessments and the information on which they are based to be submitted to the relevant supervisory authority on request. The Society is required to develop money laundering/terrorist financing risk profiles for the firms under our supervision, individually or in clusters. Firm risk assessments will provide excellent information.
Inspections for most firms take place every four or five years. As the requirement to complete a firm risk assessment is fundamental to the risk-based approach, we cannot wait four or five years to find out whether firms are having difficulty with it. We still find firms who have not carried out risk assessment on transactions, often resulting in their being reported to the Client Protection Subcommittee, and we want to avoid this outcome for this new requirement. By proactively requiring up-front sight of firm risk assessments we hope to encourage firms to address this requirement promptly so there is no need to report them.
Regulation 18 sets out risk factors to be considered when completing a firm risk assessment. These include:
Client base. For example:
- Is the client base well established, or is there a high turnover?
- Does it have clients who are subject to simplified due diligence, such as public authorities or FCA-registered financial institutions?
- Does the firm have a significant number of non-UK/EU clients?
- Are there politically exposed persons on its client list?
Countries or geographical areas of operation. For example:
- Does the firm operate outwith the UK/EU and/or in areas with high levels of corruption?
- Is the firm receiving new clients and/or being approached to do work outwith its usual area of coverage?
Products or services provided. For example:
- Does the firm conduct work not subject to AML supervision, litigation for example?
- Does it offer any services which may attract a higher level of risk, such as tax mitigation strategies or the creation and/or management of entities such as Scottish limited partnerships?
Transactions. For example:
- Are there any features in transactions delivered by the firm which may represent higher risk, such as proposed physical receipt of cash by the firm?
Delivery channels. For example:
- A firm which meets all clients face to face might have a lower risk profile than a firm which doesn’t.
Firms will need to apply a risk-based approach in determining the steps considered appropriate to identify and assess risks, and keep a record to demonstrate the approach adopted.
The Society is participating in a project with all other UK legal sector supervisors to develop a single piece of Anti-Money Laundering Guidance to be used by the legal sector/profession across the UK. This will be based on existing Law Society of England & Wales guidance (see the website’s practice notes section), which already has a section on firm risk assessment, and further information is available on our own website under AML information and resources. While the forthcoming UK guidance may show some changes, the principles featured in these resources will not change.
In summary, if your firm has not previously considered and documented its risk assessment, you should make sure this happens very soon. This will contribute to a risk-aware culture in your firm and help to rationalise the need for and content of its anti-money laundering/counter-terrorist financing policies and procedures. We will work closely with our members to drive compliance with this requirement.
In advance of the comprehensive UK-wide guidance, we have posted useful information on what to expect in the new regulations on the AML section of our website.
Ian Messer is director, Financial Compliance, at the Law Society of Scotland