Every bank needs a law firm, and the legal department is often the silent partner in the compliance dialogue – but their expertise is nonetheless essential. With 2020 on the horizon and regulations such as the EU’s Fifth Money Laundering Directive (5MLD) front and centre when it comes to compliance, many law firms will be looking at what they need to do to ensure best practice and avoid Anti-Money Laundering (AML)-related difficulties in the year to come.
We sit down with Legal Industry Advisor to Encompass Corporation, Amy Bell, to ask how important compliance in the legal space really is – and what a robust and effective programme should look like.
Delving into subjects including ongoing monitoring and risk assessments, Amy offers her expertise on day-to-day issues, as well as looking ahead to share what law firms should be thinking about and prioritising when they are planning for the year ahead.
Who takes responsibility for ongoing monitoring and at what point in the customer relationship is this conducted, reviewed and agreed?
The relevant person is responsible for ongoing monitoring of the customer relationship. This is usually going to be the fee earner who is dealing with the matter.
In some firms there is a client partner, someone who has the main relationship with the client, but if there are other lawyers working on their matters it is important to make sure everyone communicates any changes that they become aware of (such as a change of beneficial owners). Sometimes I find that everyone assumes the client partner will know about changes, but that’s not always the case.
Regulation 28(11)(b) requires a system of regularly reviewing information to ensure it is kept up to date. It would be for the firm to decide what “regularly” means, but some firms set a timescale based on risk, and the higher the risk, the more frequently they review the client relationship.
How do you gain buy-in from the wider team (particularly from partner level) as they introduce new review processes across the business?
This is a very good question. Processes are in place to protect the firm, including the partners. There needs to be clear support from the leaders of the business: the key message is that compliance is important, and particularly in law firms – if not here, then where?
The systems can save time, which is one of the benefits of the Encompass platform, and in turn money. Those are important considerations, but by far the most important one is that compliance is important and not optional!
What are the pros and cons of automating the client due diligence (CDD) process?
Conducting CDD is a time-consuming process. Automation can allow firms to realise significant time and cost efficiencies. Encompass often helps reduce KYC execution time by as much as 80%, allowing lawyers to get started quicker.
One of the things I really like about the Encompass platform is that firms can exercise greater control over how the KYC process works, by having an automated “policy” or process that is consistently applied.
As with anything, technology is part of an effective solution. You will still need some human interaction with the information that is provided to complete the process.
How can firms feel confident that the processes and frequency of checks that they are implementing are sufficient to be compliant?
The regime is risk-based, meaning that the approach can be tailored to meet the needs of the business. The firm should have a risk assessment which considers the particular risks it faces. The CDD processes that are implemented should reflect both the firm’s identified risks, and the fee earner’s risk assessment of each matter.
If the costs of CDD are particularly high (e.g. overseas company searches or independent EDD reports), can these be charged to the client with consent and an explanation of the likely costs?
In my opinion, and for SRA-regulated firms, as long as you are transparent with the client, you can charge whatever they agree to pay. There is mention in the current SRA code of conduct of not advertising overheads as disbursements, but there is nothing to stop a firm charging for the activities as professional fees.
Is there any obligation to re-verify a client’s ID if it has previously been satisfactorily verified and there are no concerns?
The regulations (Regulation 27(8)) say a relevant person must apply CDD measures at appropriate times to existing customers on a risk-based approach, or if they become aware of a change.
Many firms have a policy that states they will rely on existing CDD unless there is a gap in instructions (typically I see three years), or they become aware of a change.
I think the issue is how does a firm “become aware” and what is required by way of investigation.
I have always preferred to have a “shelf life” for the information, after which I would re-verify the client’s ID – but that’s just me. Each firm needs to come up with its own risk-based policy.
Should you collect ID&V for all directors of a corporate client or just the ones instructing?
Regulation 28(3)(b) requires the relevant person to verify the full names of all of the directors. This does not necessarily mean the equivalent of ID&V for them as an individual. That said, many firms still ID&V at least one director in the same way as you would an individual.
What are the key differences between Money Laundering Reporting Officer (MLRO) and Money Laundering Compliance Officer (MLCO) obligations?
The MLRO receives reports as required by the Proceeds of Crime Act 2002 (POCA), while the MLCO is responsible for compliance with the regulations. They can be the same person, and for SRA-regulated firms, it is technically the Compliance Officer for Legal Practice’s (COLP) job to perform the MLCO role.
What are the differences between source of funds and source of wealth?
Source of funds is information about the money being used for the transaction, whereas source of wealth is where it came from.
What happens if CDD has not been completed but a matter has progressed/completed – does this need to be reported?
If by reported you mean in a SAR, then no, there is no defence available for failing to comply with the Money Laundering regulations, unless you are suspicious about the matter (and lack of CDD).
In an SRA-regulated law firm, this may need to be reported to the COLP, who may consider whether it is a material or serious breach of the code.
Should you corroborate that the source of funds information provided by your client matches the actual source of funds coming into client account in all transactions?
This is very difficult to do. I have clients who do, but I think the decision to do this will depend on the firm’s risk assessment. In the future, when banks are able to provide more information about payments, I’d hope to see this done more routinely.
What CDD can/should you undertake on any identified third-party payments and/or cash payments – if a third party pays funds on behalf of our client, what should we do?
There is nothing specific in the regulations about this, but the current Legal Sector Affinity Group Guidance at 12.4.2 provides some guidance.
Do I have to do a matter risk assessment for every matter?
If you look at Regulation 28(12) (a2), it does say the ways in which the person complies with their obligations to carry out CDD includes an assessment of risk of each matter, so I think, if you’re doing regulated activity or transactional work, the answer is going to be yes.
What will the impact of 5MLD be on regulated firms?
At the beginning of next year, the UK is likely to implement 5MLD. To be fair, 5MLD really is focusing on issues outside of the legal sector – around cryptocurrencies and pre-paid cards – but I think there will be some impact on firms, particularly if they act for Trusts, in terms of the new Trust Registers.
I think the main thing that people need to be thinking about as we go into 2020 is how we make sure we can demonstrate compliance with the regulations. We’re moving into a phase where the regulator will want to check that you’ve got everything in place that you should have – so you really need to be regulator ready.
Is approved guidance likely to be in place prior to January 2020?
I think, with Brexit, it’s very clear that the government is quite preoccupied at the moment, so I wouldn’t be surprised if we see the regulations quite late in the day and quite close to the 5MLD implementation time. That means it’s going to be challenging for any regulator to be able to get their guidance approved by Treasury – the process does take quite a while – but hopefully there will be some draft guidance out in time for firms to get ready to comply.