Tackling the requirement for independent audit
Paul Saunders, Director of Lender Services at ULS technology, discusses how firms can tackle the requirement for independent audits, and how DigitalMove can offer an audit service to fulfil this requirement.
On the 20th January 2021, the Legal Sector Affinity Group (LSAG) published updated Anti-Money Laundering Guidance for the legal sector which states that ‘The practice must conduct an independent audit of the adequacy and effectiveness of its AML policies, controls, and procedures (PCPs)’.
The requirement to have a review was introduced in the Money Laundering Regulations 2017 and has always been risk-based, reflective of the size of the firm and nature of the work involved. This means many firms considered they were of a size, not to warrant such a review.
Whilst that may be true for some, the SRA Risk Outlook published in November 2020 and repeated in presentations since expects most SRA firms will benefit from such a review. So, there is then an expectation – probably endorsed by all Regulators – that most firms complete one. To be honest, why would you not benefit from someone independent of the development and day-to-day enforcement of your AML PCPs taking a look; but just who?
Updated Guidance provides more on the approach to independent audit – including reviewing and making recommendations, requiring file remediation, as required, and reporting AML suspicions to the MLRO. Audits can be undertaken internally from within the Firm using someone who knows the Money Laundering Regulations but has not already been involved in the formulation, or day-to-day operation of your PCPs. This could be, for example:
◼ An AML-experienced, senior individual from the Private Client Team, or Litigation reviewing the PCPs operating in other work areas of the Firm and how the MLRO/MLCO operates.
◼ It could be a recent recruit to the Firm, already having awareness of AML requirements given the task and freedom, to augment their induction training on your AML PCPs.
◼ Someone from outside your Firm.
Whoever it is, they will need a working knowledge of the expanded 212 pages of the latest LSAG Guidance and access to Senior Managers. The audit will need to check your PCPs are ‘fit for purpose’, but whether in their opinion, those PCPs and your role holder’s activities meet the expectations of Regulators. That might be where challenges arise, particularly for a recruit. It is certainly going to take them some time away from their fee earning duties to accomplish:
◼ Reading your PCPs.
◼ Talking to the MLRO and MLCO about their roles and PCPs in place and where improvements might be useful.
◼ An appropriate sampling of files from across the Firm, especially in higher-risk work areas, and talking to case handlers about their AML findings and approach.
◼ Having access to SARs (both internal & those submitted to the NCA).
◼ Compiling an overall report and recommendations.
So, might it be better to look outside of the organisation? For someone already aware and knowledgeable about the LSAG Guidance, works with AML most of the time with other Firms, so knows how Firms operate and the requirements of an AML regime?
DigitalMove can offer an audit service to fulfil this requirement. The audit and report are completed by our risk colleagues at Legal Eye, who are part of the ULS group and advise on the risk controls in DigitalMove. The report summarises an evaluation of your AML policies, controls, and procedures to set out recommendations regarding the adequacy and effectiveness of your anti-money laundering and counter-terrorist financing policies, controls, and procedures.
The report will also identify if policies and processes are working as they should. It will comment on your existing PCPs not only from a background of the LSAG Guidance but also on what we see on files drawn from a proportional assessment of the risk areas within your Firm and discussions with individuals running them.
How often, an independent review takes place is also risk-based. It will reflect time elapsed since the last audit, changes to the structure, services, or risk profile. You must record information from the audit and the actions are taken. LSAG Guidance provides a list of what to record-making reports available to a Regulator on request. You must also record why you consider the firm will not benefit from having such an audit and be prepared to justify such decisions!
From the independent audits performed, here are some common issues frequently arising:
Practice Wide Risk Assessments
◼ Suggesting not all risks in a work area have been considered, or that in a High-Risk work area, such as Conveyancing, the overall assessment for the Firm is judged as low without detailed explanation.
Client and Matter Risk Assessments
◼ Often not capable of demonstrating thought processes that individual fee or case handlers go through.
◼ A variety of approaches, from very detailed written records to a few tick boxes on a checklist pinned to a file cover. (A few tick boxes may be acceptable for work out of scope, such as drafting a simple Mirror Will, it most certainly won’t be acceptable for work falling in scope, such as creating a Trust, a Company, or where you should have suspicions of criminal activity. Remember, POCA makes you liable where you should have had reason to suspect)!
◼ Risk assessments that suggest their completion are tick-box. Not given thought, conflicting with what appears in the file, or not addressing risks identified by the firm. Dangerous in conveyancing, particularly where the only evidence of Source of Wealth is several bank statements, which themselves give rise to intriguing questions!
◼ Does asking for certified ID after a PEP alert confirm, or deny, the client is a PEP?
◼ Client and Matter must be risk assessed at instruction and reviewed as matters progress to a conclusion. Keywording in the latest Guidance is recording all steps taken in those assessments. Tick box won’t be sufficient, nor a file that is devoid of any evidence of ongoing review!
Litigation teams are not concerned over AML, or risk assessment, despite sham litigation risk on the increase. Appearing for the first time in the UK National Risk Assessment in December 2020. The National Assessment also highlights how a lack of focus on compliance – taking a tick-box approach, or a lack of understanding of risk in firms, leads to a higher risk of being exploited by criminals.