Why running identity checks does not make you AML compliant

In fact, identity verification checks (electronic or manual) are only a fraction of what you need to do.

Here, we outline the steps required to give you an overview of your remaining obligations, in accordance with AML regulations and the guidance set out in the Legal Sector Affinity Group (LSAG) guide.

AML leadership

You must appoint knowledgeable, authoritative people into the roles of money laundering compliance officer (MLCO) and money laundering reporting officer (MLRO) (section 4, LSAG).

They’ll oversee your AML framework and ensure compliance with regulations.

Steps to take

• Designate an MLCO to lead AML efforts
• Appoint an MLRO to manage internal suspicious activity reports (SARs)
• If you’re a sole practitioner, you fill both positions

Employee training

Every employee and agent of your business must have AML training on their legal obligations, recognising suspicious activities and your firm's policies, controls, and procedures (PCPs) (section 8, LSAG).

This must be an ongoing process, not a one-time activity.

Steps to take

• Conduct AML training for all staff, including specific senior management training
• Teach legal AML responsibilities and your firm’s specific PCPs
• Make AML training part of continuous employee education

Tailored AML PCPs

A one-size-fits-all approach is not sufficient. Your AML PCPs must be tailored to the specific risks and nature of your clients and consider the unique aspects of your business’ operations (section 4.8, LSAG).

Steps to take

• Devise AML PCPs specific to your business’ risk profile
• Give your team training based on these tailored AML PCPs

Business and client risk assessments

The guidance emphasises the importance of conducting thorough business and client risk assessments, to get an understanding of the specific AML risks that you face.

These assessments should be reviewed and updated regularly to reflect any changes (section 5, LSAG).

Steps to take

• Understand the AML risks associated with your whole business, service lines and departments and each client
• Periodically refresh all business and client risk assessments
• Adjust risk assessments for operational or client-base changes

Customer due diligence (CDD)

Current, accurate CDD information is paramount. This includes identity checks, understanding the nature of each client’s business and knowing the ultimate beneficial owner (UBO) (section 6, LSAG).

Steps to take

• Implement identity verification procedures
• Confirm UBO and screen against politically exposed person and sanctions lists
• Recognise that AML compliance is more than identity verification checks

Keeping detailed records

LSAG places a strong emphasis on meticulous record-keeping of all AML-related documents and decisions.

This practice serves as evidence of compliance for your supervisor or law enforcement (section 10, LSAG).

Steps to take

• Document all AML-related actions and decisions
• Keep detailed CDD records for the specified period

Suspicious activity reports (SARs)

Your business must empower employees to make SARs internally. The MLRO is responsible for evaluating these reports and deciding whether to file an external SAR (section 11, LSAG).

Steps to take

• Normalise reporting suspicious activities internally
• The MLRO assesses these reports, potentially making an external SAR
• Document the rationale when an external report isn’t made

Stay up to date

All your AML – from regular reviews of AML PCPs to up-to-date risk assessments – are required by LSAG, so you’re aligned with current laws and best practices (all sections, LSAG).

Steps to take

• Regularly review and update AML PCPs, training and risk assessments
• Document all updates to your AML