Examining Legal Sector Affinity Group guidance on use of technology in Client Due Diligence
The latest Legal Sector Affinity Group (LSAG) draft Anti-Money Laundering (AML) guidance for the legal sector represents a detailed refresh, and addresses many new issues – technology being one.
The LSAG is a cross-sector group made up of members from each regulatory and representative body in the legal sector, and this is the first time that the group has examined the guidance as a whole in detail. Their previous version in 2018 mainly focused on the amendments needed to interpret the 2017 Money Laundering Regulations.
It is clear that, here, the LSAG has sought to provide much more detail on what regulators consider good and poor practice. There are many instances of policies and procedures that the LSAG say ‘should’ be in place, and, whilst it is not mandatory to follow any of the guidance, a firm that deviates from it must be able to justify that decision if asked by their regulator.
Also, if any of your current practices depart from their recommendations, then it would make sense to record your rationale now, rather than wait to be asked for your justification.
Many will welcome the inclusion of a new chapter on technology. Whilst technology was referred to in previous versions, this new content provides clarity on the regulator’s expectations when implementing new technologies to assist with Client Due Diligence (CDD).
What you need to know
This focus is no doubt prompted by the implementation of the Fifth Money Laundering Directive (5MLD), which provided for Member States to encourage the adoption of technology. It is important to note that the resulting 2019 Money Laundering Regulations did not mandate use, but did make clear the circumstances in which electronic verification was permitted.
The new technology chapter also clearly addresses the intention behind 5MLD. We can see from the Compliance Principles that the LSAG expect firms to evidence:
30. Measures taken when new technology is adopted to protect against ML or TF risks
As a result of an amendment to the 2017 and 2019 regulations, firms now need to make sure that they assess the risk of implementing new technology in respect of money laundering or terrorist financing. When thinking about the types of technology this will apply to, think wider than any client due diligence systems. Think about methods of delivery of your services, through portals for example, which may increase the risk of anonymity.
Given that you need to show you have assessed risks, your practice-wide risk assessment appears to be the most sensible place to record this.
31. Where practices use electronic identification and verification (EID&V) tools they should document the role of the tool, the data sources it uses, and in what circumstances (clients/matters) it is appropriate to use the solution.
Technology for use in the CDD process is the focus for much of the chapter. In my experience, many firms now do deploy some sort of electronic ID&V in their process. For those, this chapter is a must-read because you may need to create some records of your decisions and think about the training you provide to the users of the technology.
I think the key action points will be:
- Define which risks in your business the tool addresses and how it mitigates against those risks. For example, a tool which checks PEPs data reduces the risk of you acting for a PEP without being aware.
- Find out how the tool you are using works. You should be able to explain to your regulator, or an auditor like me, how it works. Make sure you can explain what the results mean. If there is a rating of the subject, you need to ask how that rating was arrived at/what it means.
- Many services are sold “out of the box”, with configurations to suit law firms. Even so, you need to understand which data sets it checks, and why, and how reliable they are.
- Your policies and procedures should define when the technology should be used, and when it should not. For some clients, say UK companies, most of the corporate search providers will be able to bring back results. But for foreign companies, the searches may be inconclusive and other methods may need to be deployed.
- Ensure that the users of the system have adequate training on the process, and how to interpret the results. Give some thought to how you will train new starters, particularly if they start after you have introduced a new system. Can you get a recording of the training from your provider to keep?
- Consider the impact of user error on your process. Will this be picked up? Can clients pass even if there are typos, otherwise known as fuzzy matching? Can someone tamper with the search process to give false results?
One thing is for sure: the LSAG are certainly supportive of technology, but not as a cure-all. Firms will remain responsible for CDD, and need to explain how the technology helps them meet their obligations and mitigate their risks.
The Encompass view
It is clear from the guidance that a great deal of importance is being placed on the use of technology in CDD, with the onus on firms to be able to evidence not only how technology helps them meet obligations, but also to ensure their clients have adequate understanding of that technology and process.
At Encompass, we work closely with our customers to understand their key use cases to ensure we provide a solution best suited to their KYC policy requirements to consistently search and retrieve key risk factor information to mitigate their risks. In essence, we replicate a customer’s existing policies in a more automated and streamlined environment.
Encompass’ Product Manager, Kate McAleavey, explains how our platform helps to address some of the issues highlighted by Amy:
We recognise that the inconsistent application of KYC policies, the varying quality and depth of information gathered and the potential for human error all pose risks to our customers. With Encompass, they can rely on a simple and repeatable process, which can be shared across users, offering much-needed consistency and confidence, with our audit trails evidencing every action and decision made.
Even with limited identifying information, we can discover and build the ownership tree of an entity, screening and identity checking all associated parties, presenting all the information to ensure customers can make informed decisions.
As Amy points out, you need to understand the data sets your tool checks, and why, and how reliable they are.
When onboarding new customers, we work closely with them to understand the specific steps taken during their CDD process to retrieve and analyse information. Using this information, we create policies that automate this data collection from the same trusted sources. In this way, Encompass is able to fully satisfy their KYC policy requirements while automating manual processes. We review these, together, on an ongoing basis to ensure that they are still relevant and appropriate for our customers’ regulatory requirements.
As is highlighted by the guidance, technology solutions must be fully understood by users and explainable to regulators and auditors, like Amy. Encompass dynamically builds a full and accurate audit trail that records every search, action and decision taken, ensuring our customers are always regulator ready. In some cases, data providers themselves may conduct fuzzy matching on the search terms we have provided. Where this is the case, we present all the search results as returned, allowing the customer to compare this to the search details provided and make an educated decision.
When it comes to human error, the standardisation of processes provided by the Encompass platform ensures a consistent, robust and repeatable approach, ensuring a firm’s processes are consistently being followed, in an effective and efficient manner. Automating data collection and analysis ensures human error is eliminated, providing a sound base for further due diligence and onboarding processes.
Within Encompass, our customers’ policies provide consistency and offer uniformity in the information presented back, reducing the opportunity for this human error. Finally, here at Encompass, our Customer Success team offers regular training to all customers to keep them informed of new features within the platform and to onboard new users. We produce and maintain training packs specific to each customer, which can be shared for peer-to-peer training and used as helpful reference material, ensuring customers get the most out of the platform.