Anti-money laundering compliance

The SRA’s Anti-Money Laundering annual report 2022-23 reveals that 1 in 3 law firms are not AML compliant. Accountancy businesses are little better, with supervisors reporting varied results including 26% of those inspected needing follow-up action and only between 3 and 4% of those inspected deemed to be ‘compliant’. Meanwhile, the property sector accounts for almost half of the AML-related fines handed out by HMRC.

With the risk of stiff penalties and even criminal prosecution for AML breaches, regulated professionals cannot afford to fall short when their supervisor or the National Crime Agency (NCA) come calling. 

By taking proactive steps to comply with evolving AML rules, firms can avoid painful sanctions and protect the integrity of the UK financial system.

How to get compliant

The most common issues cited for inspection failures include inadequate AML policies, controls and procedures (PCPs), deficient or absent business and client risk assessments, poor client due diligence practices and a lack of appropriate employee training.

If you’ve not done much AML until now, the thought of getting started might be overwhelming. The temptation might even be to put it off. But what would you do if you were inspected now? 

These steps give you an overview of what you can do today to get your AML moving, in order to prepare yourself for that call.

Step 1. Appoint the right AML leaders 

Every firm needs to appoint a member of senior management, generally known as the Money Laundering Compliance Officer (MLCO), or the Money Laundering Compliance Principal (MLCP). They’re responsible for making sure your business is correctly complying with all its legal AML obligations. This involves responsibilities like:

• creating and updating the business-wide and any secondary risk assessments
• ensuring AML PCPs are robust, relevant, up to date and address the risks identified in your business-wide risk assessment.
• overseeing all day-to-day AML activities, including client risk assessments, monitoring and training.
• serving as the key AML contact for law enforcement and regulatory bodies.

The MLRO (Money Laundering Reporting Officer) also plays a critical role in your business’ AML compliance, in their role as nominated officer. As their title suggests, they’re responsible for receiving and assessing internal SARs. They also need to make the final decision on whether to submit an external SAR to the NCA.

The MLCO or MLCP may delegate the business’ operational, day-to-day AML compliance work (this delegation must be documented). But they can’t delegate responsibility and accountability. 

Having competent individuals in these roles is critical. They need to be sufficiently senior and have authority in the business to act effectively. They should also have extensive AML expertise and understanding of the current regulations and risks. 

If you’re a sole practitioner, you’ll automatically assume both roles.

Step 2. Educate and train your employees

A critical component of AML compliance is training all employees on their legal duties, as well as on your PCPs. This AML training must include all senior management and any employee or agent who works on your behalf and cover the different roles they carry out. 

Employees should be trained as part of their onboarding and receive refresher AML training at least annually. Detailed records of all training must be maintained. During training, employees should gain:

• an understanding of UK AML laws, regulations, sector guidance and professional body requirements.
• knowledge of your PCPs.
• the ability to recognise suspicious transactions and activity.
• familiarity with internal reporting procedures for escalating suspicions.
• awareness of the consequences for non-compliance.
• confidence in carrying out AML duties according to firm policies.

Following training, employees should be tested and complete a certification confirming their understanding and readiness to help your business comply.

Step 3. Create your AML PCPs

Businesses must have written, up-to-date AML PCPs in place that reflect the risks identified in the business-wide and secondary risk assessments. Generic, off-the-shelf AML policies are not sufficient. Firms need AML policies tailored specifically to their business operations, clients, products and services.

Your AML PCPs should cover key areas like customer due diligence, reporting suspicious activity, record keeping, risk assessment and management and employee training. The policies need to provide clear, actionable procedures for your employees to follow.

Having custom AML PCPs shows regulators that your business understands the money laundering (ML), terrorist financing (TF) and proliferation financing (PF) risks inherent to your particular business model and client base.

Step 4. Evaluate risk

You must have a deep understanding of the risks your business faces and what impact your clients have on that risk, and make sure this understanding is well documented. 

You’ll make many decisions that will affect your business’ risk of exposure to money laundering. For example, how do you engage with clients? And what business sectors do you target? 

Your business as a whole, separate service lines, departments and branches, as well as each client, must have a documented risk assessment. These assessments analyse and document the money laundering, terrorist financing and proliferation financing risks your business faces. By thoroughly evaluating your exposure, you can implement appropriate steps to mitigate the risks. 

Bear in mind that money laundering is dynamic. Your AML needs to be too. Any idea of your risk formed through your client and business risk assessments is potentially only of value at the point it’s created. As your business changes and your clients change so does your exposure to risk.

Changing circumstances will require updates to risk assessments to ensure your AML keeps pace with any changes to your business, clients or the regulatory environment. If nothing has changed it’s generally expected to update risk assessments annually.

Step 5. Verify your clients

You must confirm the identity of your clients and verify that identity. 

It’s important to confirm the individual claiming an identity has the right to it. Certifying a government-issued photo ID document either in person or through a third party of good standing will do that for you. Or you could use a biometric ID check. 

If you’re using online ID verifications provided by a third party, you need to understand the steps the supplier is taking to perform these checks. An online ID check may confirm that an identity exists but additional steps are needed to confirm that someone actually has the right to it.

The information you need to gather for clients who aren’t natural persons will vary on the client type. An example is trusts, limited companies or partnerships. You must also remember it’s essential to identify and verify ultimate beneficial owners even in very opaque situations. 

And don’t forget the importance of screening clients against sanctions lists, PEP lists and adverse media.

Keeping this client information up to date is equally important, as this is essential information that would need to be disclosed if a SAR is submitted to the NCA.

It’s also important to remember that this identification and verification process is just a fraction of your overall AML obligations. 

Step 6. Write it down

To pass an AML inspection, you must be able to show that your business maintains detailed and accurate records relating to its AML processes and risk management. “If it’s not written down it didn’t happen.” 

This applies to all aspects of AML. Your records are your defence should you be unwittingly drawn into a criminal investigation. 

We’ve spoken to several UK professionals who have had law enforcement turn up out of the blue, investigating a client. Fortunately, they were able to show the enforcement agents their AMLCC documentation on the client, showing that all the necessary AML had been carried out.

As a result, the professional was in the clear and not investigated any further. Without such robust record keeping in place, the story could have ended very differently.

Step 7. Report suspicious activity 

If you or any employee suspects that criminal activity is taking place, no matter the value of the assets or funds involved, the first action is to make a written internal SAR. This goes to your business’ MLRO. 

You need to detail this process in your PCPs, so that everyone knows how to make a SAR should they need to. As a rule of thumb, they must be detailed and fact-based, and include names, addresses and account details of your clients, as well as the reasoning behind your suspicions. 

It’s up to your MLRO to assess the information and submit an external SAR to the NCA where appropriate. Where they decide an external SAR isn’t needed, their reasoning must be documented. This proves that, if an investigation by law enforcement does take place, your business has considered the matter and the report was made for good reasons.

Step 8. Keep it going

Doing all this once isn’t enough. Every part of your AML must be kept up to date to reflect changes in your clients, your business and any changes in the Regulations and sector guidance.

By taking these steps, it’s then easier to maintain your AML day-to-day, with regular updates to documentation and risk assessments. It also means you’ll be well prepared for AML inspections and able to demonstrate compliance with regulations. 

Don’t wait until it’s too late. A failure can lead to significant fines and reputational damage, so making AML compliance a priority now is crucial. 

AMLCC gives you every tool you need to complete all your business’ anti-money laundering compliance obligations. Explore our product features to discover how or book a discovery call with one of our AML-qualified advisors who will show you around the platform.