We followed up with Graham on some of the key questions raised in the webinar around the Legal Sector Affinity Group's update to AML guidance earlier this year. Graham's answers are below, providing you with some much needed clarity on what your firm should and shouldn't be doing to be compliant:
The new guidance has been extensively updated from its previous version with collaboration from many supervisory bodies, why now and why so much change?
"This significant rework and extension of the guidance from the last iteration in 2018 reflects the increasing prominence and complexity of AML risks, issues and challenges in the legal sector.
"These factors, along with increased AML oversight across all supervisory bodies, mean that it has become even more important to set out clearly our supervisory expectations on firms and give the profession up-to-date, practical and in-depth support to help them comply with their obligations. The changes that have been introduced are intended to support solicitors in this increasingly demanding area of practice."
What's the thinking behind the 36 new high level compliance principles as part of the guidance?
"The 36 high level compliance principles (along with the underlying regulations) should be seen as the building blocks to a strong AML risk control framework within the firm.
"We wanted to be really clear regarding what the key AML considerations were; addressing the areas covered in them will really help practices comply with their AML obligations. Documentary evidence of adherence to these principles will help to demonstrate compliance in any future AML inspections
"The guidance document itself is built around these principles. The top of each following section repeats the principles that are most applicable to that section, giving in-depth, practical advice in order to help you implement and embed good AML controls at the heart of your business."
The importance of risk assessments have always been obvious but the guidance is now far more detailed. Can you provide any specifics on what firms across the country should be doing in practice? Is now a good time to revisit their firm wide approach?
"Hopefully the guidance itself provides the detail on what firms should be doing in practice. Firms should absolutely be reviewing their r.18 practice wide risk assessment on an ongoing, regular basis – annually at the least, but also where there have been any significant changes to the profile of the business. For example, the practice has taken over or merged with another firm, or the practice has decided to expand into another area of work.
"Undertaking and maintaining a really thorough practice-wide risk assessment will allow firms to consider and document risks, concentrating and applying controls to those areas of the business which are of higher risk, while potentially easing administrative burden in areas of lower risk."
With regards to enhanced due diligence and source of funds/source of wealth, Amiqus has recently provided the means to review and manage transaction data using open banking technology directly from banks and building societies. What's your view on using technology to support corroboration of financial information?
"I’m really in favour of the use of technology in any regard, where it makes compliance more effective, efficient and simpler for practitioners. Open banking technology can absolutely help and support firms in doing that, by helping clarify and categorise credits/debits into and out of a client’s bank account.
"It is still however for the practitioner to then make sense of that information in the context of the matter at hand, ask questions of the client using the data provided by open banking as a basis, and corroborate/evidence the information provided as necessary given the level of risk inherent in the transaction. It is not enough to simply do an open banking check and leave it at that."
The new section added on technology is very detailed and poses questions for law firms to consider around the underlying processes and integrity of systems. Technology can provide efficiencies and access to vast amounts of information to support the client onboarding process. What aspects should MLRO's / MLCO's have front of mind when managing their systems day to day?
"They need to understand what the technology is doing, how it works, what it checks, and what the outputs/results actually mean. Again, just like open banking checks, it is not enough simply to do the check and put it on file thinking 'that’s my compliance done'.
"MLRO’s or whoever is utilising the technology need to understand the system and have the ability, training and knowledge to question or corroborate the outputs in the context of the client or transaction. Also the quality of a system’s output is only ever as good as the quality and integrity of data input."