Kayleigh Smale

AML, Compliance & Anti-Fraud Specialist

Since there is so much to cover on this subject, we've decided to provide you with a series of articles discussing AML Firm Wide Risk Assessments, AML Policy Controls and Procedures, Client Due Diligence and Client/Matter Risk Assessment. But before we get into the nitty-gritty, let's discuss why being ‘audit ready’ is so important.

Legal regulators such as the Solicitors Regulation Authority (SRA) and the Law Society of Scotland have said that they will be increasing visits to law firms to audit AML policies, controls and procedures, which means it’s more of a “when they will visit” as opposed to “if they visit”.

Before my time at Legl, part of my role was to conduct Regulation 21 Audits under the Money Laundering Regulations (MLR) for law firms. I also assisted many firms through an SRA inspection (as they like to call it). The processes for a Reg 21 Audit and an SRA inspection are not too dissimilar.

The Anti-Money Laundering (AML) audit process is designed to strengthen or enhance a firm’s AML program. It serves as a method to evaluate whether a firm’s AML policies, controls, and procedures (PCPs) are current, comply with the MLR, and are effectively implemented as intended.

There are two types of independent audits to consider:

Mandatory Audit (Reg 21 Audit): Reg 21 of the MLR requires that a relevant person, appropriate to the size and nature of the business (I won’t go into size and nature this time), must establish an independent audit function. This does not necessarily require an external audit. However, it must be conducted by someone within the firm who is independent of the risk/compliance/AML function, but who possesses sufficient AML knowledge to conduct the audit. Any findings in an audit report carried out under a Reg 21 Audit are disclosable to the Regulator.

Non-Mandatory Audit (Internal Audit): A firm may choose to conduct an internal money laundering audit as a routine procedure to verify that the firm’s policies, controls, and procedures comply with the MLR. The audit report in these cases would be for internal use only and remain confidential to the firm.

The SRA have suggested that they would expect most law firms to have a Reg 21 Audit. With this in mind, to get yourself ahead of the game, make sure this is at the top of your to-do list.

The SRA have issued some helpful guidance on what to expect when a law firm has been selected for an SRA inspection which can be found here.

So let's discuss the common AML pitfalls to watch out for when the SRA inevitably pays a visit, starting with AML Firm Wide Risk Assessments.

A firm-wide risk assessment helps you identify and manage money laundering risks that your firm might face. This process will guide your firm in taking a risk-based approach to prevent money laundering.

Having this assessment will also help you create the right policies, controls, and procedures and assist fee earners when they are evaluating AML risks for clients and specific matters.

The SRA expect to be able to understand the AML risks your firm is exposed to by simply reading your AML Firm Wide Risk Assessment.


Make sure you have an AML Firm Wide Risk Assessment.

Believe it or not, there are still law firms out there without an AML firm-wide risk assessment, despite it being a requirement since the 2017 MLR. That's seven years to get compliant! In January 2020, Compliance Officers for Legal Practice (COLPs) received an email from the SRA asking them to confirm their firm had a compliant firm-wide AML risk assessment in place. Many firms signed the declaration without fully grasping what was needed, and now some are in a bit of a pickle. They can't prove they had a compliant firm-wide AML risk assessment at the time, and the SRA isn't likely to go easy on disciplinary action in these cases.

Don’t just use a template risk assessment - consider the firm's unique AML risks when preparing a risk assessment.

Regulators are not keen on template documents (despite providing templates themselves), so it’s crucial that if you use one, you approach it with fresh eyes and a clean slate. Ask yourself: What are our firm’s AML risks? How significant are these risks? And most importantly, what steps are we taking to mitigate them?

Review the risk assessment regularly and document that review and any amendments.

This applies across all AML policies and procedures, not just the firm-wide risk assessment. It's a detail I typically notice during AML policy reviews or audits. Sometimes, documents are reviewed and even updated, but the act of doing so isn't recorded. In compliance we always say, if it’s not written down it didn’t happen! So make sure you give yourself credit for the work you are doing by making a record of it.

The SRA expects at least an annual review of your AML policies, controls and procedures or sooner if there are changes or updates in legislation, relevant guidance (such as from the Legal Sector Affinity Group or SRA), or within your firm. This could include starting a new department or using a new AML legal tech provider (such as Legl). I would always recommend that details of any review, update and subsequent sign off are recorded within the document itself.

Don’t forget to include relevant granular data.

It’s all in the numbers! Consider adding the following data to your firm-wide risk assessment:

  • What percentage of the work the firm undertakes falls within scope of the money laundering regulations? This will help you break down how much of the work you undertake as a firm is at risk of money laundering.
  • What is your client turnover? Do you have long-standing clients, or do you do one-off pieces of work for your clients?
  • How many politically exposed persons (PEPs) do you act for and/or have you declined to act for?
  • How many Suspicious Activity Reports (SARs) have you submitted to the National Crime Agency (NCA)?
  • How many internal suspicious activity reports have been recorded?
  • How many clients have you declined to act for because they do not meet your risk profile? This is an important number. The NCA complain that the legal sector don’t submit enough SARs; however, if you capture this figure, you can show the regulator that you are thinking about AML risk and that you are stopping the matter from going any further before there is any suspicious activity.

Provide a breakdown of the AML risks associated with each department.

During my days of carrying out AML audits, this was something I saw firms struggling with the most. Firms need to thoroughly examine each department and type of work to identify AML risks accurately. For example, within a property department, purchasing property poses a high risk for money laundering, whereas landlord and tenant work presents much lower risk. Therefore, it's important to provide a detailed breakdown of the risk associated with each type of work within each department.