This is a question I ask myself many times each day since being appointed the MLRO for Weightmans in May 2020!
Faced with the current economic uncertainties caused by the pandemic, Brexit, new AML risks identified by the SRA in its Risk Outlook 2020/2021 including the shift from face to face to on-line identification/verification procedures, the SRA’s thematic risk reviews of firms’ AML policies and procedures and the recent release of the long awaited 212 page updated LSAG guidance following the implementation of the 5th Money Laundering Directive, I could be forgiven for regretting my decision to take on this crucially important role. It has certainly been a busy few months and, for any MLROs out there reading this and thinking it will calm down soon, I’m sorry to say that this is highly unlikely! In its November 2020 report, https://www.sra.org.uk/sra/how-we-work/reports/anti-money-laundering-visits-2019-2020/ , the SRA confirms that it will continue to visit firms to check on compliance with the AML regulations and the adequacy and effectiveness of policies and procedures.
As a compliance specialist advising law firms on all aspects of legal sector regulation, including AML, I was familiar with the obligations and responsibilities which come with being the MLRO so it made sense that I applied that knowledge internally at Weightmans when it became apparent that the role had become too onerous and time consuming for one person to be both MLRO and MLCO. Thankfully I inherited effective (touching wood as I speak!) and compliant policies and procedures but of course I am not resting on my laurels and there is always more work to be done to remain one step ahead of the crooks who seek to launder their ill-gotten gains through a law firm’s client account. My priorities currently are the updating of the firmwide risk assessment and PCPs to reflect the latest LSAG guidance and the SRA’s latest sectoral risk assessment dated 28 January 2021.
The importance of independent auditing
One of the key areas of non-compliance with the ML Regs identified by the SRA is the requirement to independently audit the firm’s PCPs.
The need for independence in auditing is an area that many firms seem to have neglected or misunderstood. Only the very smallest practices will not have to establish an independent audit function and yet, according to the SRA’s November 2020 report referred to above, more than 50% of the firms visited required follow up action on this issue.
While ‘independent’ does not necessarily mean the audit has to be carried out by someone external to the firm, there needs to be someone suitable to carry out the audit within the firm who:
- Is independent of the work areas being audited (so not the MLRO/MLCO/compliance team or the team who did the original work)
- has the requisite skills and knowledge of audit and the requirements of the anti-money laundering regulations;
- is a senior member of the firm with authority to access all relevant material and to make recommendations/report findings to senior management; and
- has the necessary time and capacity to carry out the audit.
Such a person is not always easy to find! Thankfully, Weightmans has an established internal, independent audit team, the head of which is responsible for auditing the AML PCPs, but many firms will not have this resource and, unless you can justify not having an independent audit (which will need to be carefully documented), this is where external expert support should be considered.
What should the audit include?
The independent audit should, at the very least, include:
- a review of your policies, procedures and risk assessments, to check that they address and comply with the requirements set out in the most recent AML Regulations/Directives
- interview with your MLCO/MLRO
- file reviews to consider whether policies are being followed
It may also include interviews with key members of the firm, recommendations in relation to findings and non-compliances and assistance with putting those in place.
While there are no specific time periods for subsequent audits, the SRA suggests that following the initial audit, an audit should be carried out when the regulations change, following revision of the firm’s policies, controls and procedures, and any other major change at the firm e.g. merger. Audits do not need to be carried out annually, but firms may consider that frequency to be appropriate, depending on its size and nature, and taking into account the importance of reducing the risk of being involved in money laundering. The LSAG guidance also suggests that “for those areas/clients or matters which pose the highest risks (as per your risk assessments) you should consider undertaking a targeted audit of these areas, on a more frequent basis than the wider practice”.
The Compli team at Weightmans assists firms that do not have the ability internally to carry out an independent audit and with SRA AML visits continuing in 2021, the need for compliance has never been greater. No rest for the wicked, so they say!