In continued partnership with Paragon, Weightmans’ Compli team – who provide bespoke risk management and compliance consultancy services – have produced a paper discussing the need for independent audits.
The AML regulatory landscape is continually evolving and adapting (as it has to) to the ever-changing methods adopted by criminals to launder their ill-gotten gains. The Government’s and regulator’s expectations of those it regulates are, in turn, increasing and showing no sign of abating any time soon. The SRA has confirmed it intends to visit all firms within scope of the ML Regs (including those recently brought into scope by the change to the definition of tax adviser https://www.sra.org.uk/solicitors/resources/money-laundering/guidance-support/tax-adviser-guidance/ ) to check on compliance with the ML Regs, and has been recruiting to enable it to do so. Clearly, the need for compliance has never been greater.
The long-awaited 212-page updated LSAG guidance following the implementation of the 5th Money Laundering Directive (“ML Regs”) was released in January 2021. Rather than “tweaking” around the edges of previous versions, it was a complete re-write including the introduction of high-level Compliance Principles, significantly revised and expanded sections on risk assessments, AML governance and internal controls, and completely new chapters (including one on the use of technology).
AML Officers in law firms will have been faced with a huge workload over the past few months familiarising themselves with this LSAG guidance as well as new AML risks identified by the SRA in its Risk Outlook 2020/2021 and sectoral risk assessment (including the shift from face-to-face to on-line identification/verification procedures as a result of the pandemic and its findings from its thematic risk reviews of firms’ AML policies and procedures).
One of the key internal control requirements of the ML Regs highlighted by the SRA as an area of non-compliance in its November 2020 report on its AML visits (https://www.sra.org.uk/sra/how-we-work/reports/anti-money-laundering-visits-2019-2020/) is that set out in Regulation 21(1)(c), namely the need (where appropriate with regard to the size and nature of its business) to establish an independent audit function with the responsibility:
- to examine and evaluate the adequacy and effectiveness of the policies, controls and procedures adopted…..;
- to make recommendations in relation to those policies, controls and procedures; and
- to monitor the compliance with those recommendations.
The importance of independent auditing
The need for independence in auditing is an area that many firms seem to have neglected or misunderstood. Only the very smallest practices will not have to establish an independent audit function and yet, according to the SRA’s November 2020 report referred to above, more than 50% of the firms visited required follow up action on this issue.
While ‘independent’ does not necessarily mean the audit has to be carried out by someone external to the firm, there needs to be someone suitable to carry out the audit within the firm who:
- is independent of the work areas being audited (so not the MLRO/MLCO/compliance team or the team who did the original work);
- has the requisite skills and knowledge of audit and the requirements of the anti-money laundering regulations;
- is a senior member of the firm with authority to access all relevant material and to make recommendations/report findings to senior management; and
- has the necessary time and capacity to carry out the audit.
Such a person is not always easy to find and many firms will not have anyone who fits the bill, so unless a firm can justify not having an independent audit (which will need to be carefully documented), this is where external expert support should be considered.
What should the audit include?
The independent audit should, at the very least, include:
- a review of the firm’s policies, procedures and risk assessments, including the firm wide risk assessment, to check that they address and comply with the requirements set out in the most recent AML Regulations/Directives
- interview(s) with the firm’s MLCO and MLRO
- file reviews to consider whether policies are being followed. These need to be sampled on a risk-based approach to reflect the risks identified in the firmwide risk assessment and be of a sufficient number to demonstrate effective assurance of the firm’s PCPs, across all locations, client and matter types.
It may also include interviews with key members of the firm, recommendations in relation to findings and non-compliances and assistance with implementation.
While there are no specific time periods for subsequent audits, the SRA suggests that following the initial audit, an audit should be carried out when the regulations change, following revision of the firm’s PCPs, and any other major change at the firm e.g. merger. Audits do not need to be carried out annually, but firms may consider that frequency to be appropriate, depending on its size and nature, and taking into account the importance of reducing the risk of being involved in money laundering. The LSAG guidance also suggests that “for those areas/clients or matters which pose the highest risks (as per your risk assessments) you should consider undertaking a targeted audit of these areas, on a more frequent basis than the wider practice”.
Benefits of audit
There are clear benefits to auditing (with file reviews being an important feature of any risk management regime) and carrying out an independent AML audit is no exception. An effective audit regime will identify processes and policies which are not being adhered to and enable the firm to deliver further training and make improvements where necessary to close any loopholes/knowledge gaps. It might also pick up on other issues around client onboarding, such as failures to send client engagement letters or accounts rules breaches, including the use of client account as a banking facility. The requirements in Regulation 21(1)(c) should therefore not be seen solely as a “tick-box” exercise to comply with the ML Regs but as an opportunity to effectively manage risks, make improvements and present to insurers a firm which is taking its risk management and regulatory responsibilities very seriously.
This article has been written by Michelle Garlick of Weightmans LLP’s Manchester Office. If you have any questions about Paragon, Weightmans, Compli and their services or the above article please do not hesitate to get in touch.
This article is published without responsibility on the part of the author or publishers for any loss occasioned by any person acting or refraining from action as a result of any views expressed in the article. Specific risk management advice requires detailed knowledge and analysis of firm and practice area facts relating to the risk. The information included in this article cannot and does not attempt to satisfy this requirement for any of its readers.