AML matters

Sarah Mumford, risk management consultant, caught up with Colette Best, new director of anti-money laundering (AML) at the Solicitors Regulation Authority (SRA).

The sharp rise in disciplinary investigations following a thematic review (TR) of trust and company service providers (TCSP) has caused concern among firms.

Your appointment and the formation of a specific AML supervision team is a departure for the SRA. Could you tell us about this change of approach and what it means for the profession?

The SRA is on a journey in relation to this important strand in its supervision responsibilities, and the formation of the AML team is the natural next step.

The team brings together existing resources (but with a new focus), plus the addition of key new staff. Team members are based in both Birmingham and London.

It’s fairly early days for the new team, and this interview is part of the team’s engagement with stakeholders.

Although the lack of lead-in to implementation of the Money Laundering Regulations 2017 (MLR 2017) was not very desirable, that shortness of time was reflected in the SRA’s engagement with firms in 2017 and early 2018.

The focus was on supporting firms to make sure they comply. However, it’s nearly the second anniversary of the MLR 2017 and the pace of ensuring compliance must change.

What the team means for the profession is probably the following: a focus on emerging risk; focused supervision; implementing the 5th Money Laundering Direction (5MLD); and the development of new guidance.

The SRA now has a full-time money laundering reporting officer (MLRO). Could you tell us about the reasons for this? What are the differences between that role and yours?

The MLRO is full-time and has been in place for a year.

The MLRO and deputy MLRO focus on instituting suspicious activity reports (SARs) and any onward reporting; liaison, for example with the National Crime Agency (NCA); plus training of all staff on suspicions and what to look out for.

As director of AML, I’m more focused on the profession, for example with a policy remit, understanding the risks through research and thematic review work and, in the next 18 months, addressing the requirements of 5MLD and various consultations.

The two posts are mutually complementary.

There was a lot of publicity about the formation of the Office for Professional Body Anti-Money Laundering Supervision (OPBAS). Since then, from the point of view of the ‘solicitor in the street’ there seems to have been silence. What can you tell us about the supervision by OPBAS as it affects the profession? Is there a danger to overload, with two regulators?

OPBAS’ relationship with the SRA is similar to its relationship with the LSB: addressing policy at high level and the all-important question of consistency among regulators in the same sector.

The SRA is the frontline regulator and there shouldn’t be regulatory overlap. I wouldn’t expect the ‘solicitor in the street’ to see much of OPBAS’ work.

What are your priorities (personal or as a team) in the year ahead? The TCSP thematic review talks of other thematic reviews continuing. Can you give us an idea of the likely themes?

Implementation of 5MLD is the main focus for the team. Although content and timing of implementation are in the hands of the Treasury, the team must be ready for the rollout when it comes.

There are two principal aspects: first, the effect of the directive on those the SRA supervises; second, the way the SRA supervises them.

For example, the SRA will be required to do an annual return, and some approval processes will change.

Outside the specifics of the 5MLD, the team will:

  • continue the work on firm-based risk assessments
  • work to improve the number and quality of SARs sent by the profession to the NCA
  • be scoping some further thematic reviews. One candidate for these reviews that is likely to emerge is high-end conveyancing. Another is to look at 5MLD compliance a year or so after implementation (but to some extent, this depends on the Treasury’s timetable). There is unfortunately no information about likely dates for that implementation.

TCSP thematic review

To the impartial observer, there is a strong sense of disappointment (from the SRA) that comes from the report. What was the most surprising finding from your perspective?

The most surprising result from the TR was the very high level of referrals for disciplinary consideration (26 out of 59).

However, it’s important to emphasise that these are referrals within the SRA, not referrals to the SDT – that is a stage that is much further down the track.

The seriousness of the issues identified varies. It is our best hope and expectation that many of these issues are capable of being remedied in a reasonable amount of time, but much of this is in the hands of the solicitors concerned.

The largest issue by numbers relates to business risk assessment (either not having one at all or, alternatively, not having an adequate one).

However, that lack cannot be seen in isolation (or ‘cured’ just by writing a risk assessment (RA)).

Firms should have clearly stated risk thresholds that are products of the RA, and processes that support them.

Of the three AML-themed TRs, there were no referrals to disciplinary procedure in 2015, 12% last year and 44% this year. What has changed? What is getting so much worse?

Our hope is that this trend reverses, but part of the reason for the increase is the change in the requirements, as well as the change in regulatory focus.

The 2017/18 review was carried out shortly after the announcement of the MLR 17. It was reasonable at that point to give firms time to improve.

Now firms have no excuse for not fully complying.

Although the focus of the last TR was TCSP, many of the findings and recommendations were far wider and related to AML prevention more generally. Is there a danger that firms which do not offer those services might not read the report?

A number of work products came out of the TR, including the warning notice about the critical importance of a business RA, which has been widely publicised.

The bottom line is that MLROs and others interested in this area would benefit from reading the full review.

There are a number of publications and initiatives (Risk Outlook, COLP newsletter, the annual SRA Compliance Conference, Flag It Up and so on).

However, there is also a more general debate within the SRA about how information is disseminated to the profession – in particular, getting out timely alerts about important publications.

The TR quotes from the March 2018 sectoral risk assessment that “trusts or corporate structures which facilitate anonymity can help disguise the source … of money”. Could you clarify what “facilitate anonymity” means in practice? Isn’t there a difference between (a) structures which publicly appear anonymous but are quite open with those who need to know (for example, their solicitors) about ownership, management and control, and (b) the genuinely secretive and uninformative?

It is important that a regulator does not get drawn into what structures are suitable and unsuitable.

The important message is to reiterate the risk-based approach, a point which underpins most of the answers in this interview.

The new development is to show how consideration of risk at the highest-level filters down through processes to individual matters.

The reasoning process is important – does it make business sense? This is a question that can be applied in different ways, whether looking at an entity’s structure or at the proposed transaction, for example.

Business risk assessments

The SRA in the TR said that 400 firms had been asked for their RA and the deadline for sending them expired shortly before this interview. It is therefore early days, but could you comment on impressions so far?

It is too early to draw conclusions. The team will be going through all the submissions as a matter of priority and will consider the best way to communicate the key learning points with the profession.

This is likely to take the form of guidance with good/poor practice examples and is unlikely to be published before the autumn.

It is clear so far that a number of templates are being used, which puts the SRA in a dilemma. Should the SRA produce a suggested template that builds on the regulation, or let the regulation speak for itself?

It is likely that it will be the former, but the SRA will focus on regulatory compliance and not gold-plating. The intention is that any template will be suitable post-5MLD implementation.

The 400 firms were randomly selected from firms within the regulated sector, with the sample skewed to those with a risk weighting.

There’s some confusion about what should be in a firm’s RA. For example, a firm should refer to the SRA RA in its own RA because that is in the regulations. Reference to the national RA isn’t in the regulations: it might be good practice, but should absence be the source of criticism?

The SRA will not be telling firms what their risks should be, but we will be confirming (or not) that the RA meets the regulatory requirements.

The TR said that too many firms had an inadequate approach to their RA. It would be very helpful to give our readers some specific examples of what is adequate/inadequate over and above the general remarks in the TR.

The TR gives some clues. Keeping remarks general, the SRA would expect that if firms did a specific work type, particularly one that was high risk, this would be addressed in the RA – some firms did TCSP work but didn’t mention it in the RA, for example.

Another example is an office in a high-risk jurisdiction where the jurisdiction was not addressed in the RA.

Other issues

In the TCSP TR, the SRA was “only satisfied with 45 of the PEP [politically exposed person] processes we reviewed” – in other words, dissatisfied with 14 of the 59. What specific aspects of the processes were unsatisfactory, noting that PEPs existed on six of the 115 files inspected? This is a concern given that the risk-profile of PEPs can differ dramatically. What “processes” does the SRA expect firms to have for PEPs? Some firms use electronic verification, but it isn’t mandatory. What are firms not doing?

The SRA asked itself two questions:

  1. did the firm have a process to identify PEPs?
  2. did the firm know what to do if it found one?

Relying simply on an answer to “are you a PEP?” was not sufficient. This is another example of why it is important to get the RA right.

The risk thresholds and processes should be clear and understood.

The SRA expects to see questions about source of wealth and control over entities to be asked and to be recorded.

Due diligence of individuals or companies based in the UK is relatively straightforward. However, the further offshore one goes, the harder it is to obtain sufficiently robust evidence. Will the SRA be lobbying the government to improve the regimes that they can influence, such as Crown dependencies?

The SRA has observed the phenomenon in fieldwork.

We are supporters of better transparency that can help law firms effectively manage the risks around money laundering.

What exactly does the SRA expect to see evidenced on the file about source of wealth and source of funds (both terms not defined in the MLR 2017). There appears to be some confusion about this which it would be good to clarify.

The regulations are specific about establishing source of wealth for PEPs, and we expect to see firms following them and also remembering their Proceeds of Crime Act 2002 obligations.

Practitioners find the SRA website difficult to navigate, and the search function can be quite quixotic. Are there plans to have a dedicated money laundering page where anything AML-related can be found (even if it is a link to material elsewhere, such as Risk Outlook or news and so on)? The TCSP TR talks of offering support to the profession, but the first task must be making it easy to find. And are there any plans for a specific email service for MLROs/MLCOs? Often these are different people, with different roles, to the COLP or COFA (who have their own email news).

There is a long-term plan to allow practitioners to choose which alerts and services they subscribe to.

In the interim, the new team is looking at current services and welcomes feedback about what is useful.

It is clear that information is ‘consumed’ in different ways and so it is important to keep different channels open.

Resources can now be found under home/hot topics/money laundering and then clicking on the ‘resources’ tab.

One new development is a direct mail campaign coming soon under the banner ‘Assess, Report, Protect’.

A version of this article was first published in Legal Compliance in July 2019.