AML independent audits: Do you need one and what should you do?
The latest Anti-Money Laundering (AML) guidance for the legal sector confirms the expectation of regulators that firms should consider whether to establish an independent audit function and, if they do not consider one necessary under the law, think about whether they would benefit from it in any event.
Regulation 21 of The Money Laundering Regulations 2017 requires a relevant person, where appropriate to the size and nature of the business, to establish an independent audit function. So, the first hurdle for the firm is to consider whether they are of a relevant size and nature to need one.
It is helpful to consider why this additional control was added into the 2017 Regulations. Regulated businesses, particularly banks, were experiencing AML failings, despite having substantial teams comprising well-trained AML staff. One of the concerns identified was that, where internal teams carried out the auditing, their lack of independence meant they may not know if something was not quite right, or have the influence to make sure recommendations were adopted.
Making the decision
There is no formula, but think about the size of your firm, and the confidence you have that those responsible for AML – whether this is your Money Laundering Compliance Officer, Reporting Officer or Head of Risk – know whether the firm is complying with the policies, controls and procedures. The bigger the firm, the harder this may be.
For “nature”, it is helpful to consider the risks identified in your practice-wide risk assessment. Do you undertake high-risk matters, or undertake work for high-risk clients? Do you have high-risk methods of delivering your services, or carry out a lot of non-face-to-face work, or work through intermediaries? The Solicitors Regulation Authority said in its Risk Outlook, from November 2020, that firms should ask themselves whether their policies, controls and procedures have been independently audited, noting: “most firms have to do this, and audits can help to highlight your weaknesses so you can take targeted action.”
If you need one, who should audit?
This does not necessarily need to be an external auditor. However, if it is not, it will need to be conducted by someone in the firm who is independent of the AML function and has enough knowledge to be able to conduct the audit. It should not be someone involved in the drafting of the policies and procedures.
Many law firms will not have an independent audit team. In fact, in my experience, it is only the largest firms which do, and many of those don’t have relevant experience of AML, so may not identify failings, which means it is likely outside assistance will be required. Whilst firms do have audits for compliance where they include AML, firms should be cautious in expecting these to be sufficient to satisfy the regulations.
The purpose of an AML audit
It is to assess whether the firm’s AML policies, controls and procedures are up to date, comply with the regulations and are functioning in practice as intended.
The purpose of the audit is to:
- Examine and evaluate the adequacy and effectiveness of the policies, controls and procedures adopted by the firm to ensure compliance with the requirements of the money laundering regulations
- Make recommendations in relation to those policies, controls and procedures; and
- Monitor compliance with those recommendations
The audit process isn’t set out anywhere, but a good guide is to think of it as a four-stage process:
Policy review: A review of the firm’s policies and procedures against the requirements of the legislation
Information stage: Testing the knowledge, understanding and application of processes through staff interviews and reviews of files. The number of people we talk to and files we select will usually depend on the size of the firm
The report: Drafting the audit report, including recommendations for changes.
The final stage: A review to ensure any recommendations have been implemented. This is a key requirement and the regulators will expect to see any recommendations acted upon, so showing a full audit trail of this is important.
What documentation and information should be reviewed?
There is no set list but, in preparation, it would be useful to compile the following:
- The firm’s AML policies and procedures
- The firm’s AML risk assessments (Firm Risk Assessment and Client/Matter Risk Assessment)
- A list of files from your regulated departments to assist with file selection for file reviews
- A list of staff from your regulated departments to assist with staff selection for interviews
- A list of high-risk matters
- Details of SARs reported to the NCA
- Results of internal file reviews on AML compliance
- Engagement letter
- Terms of Business