Listen to a podcast about this: https://anchor.fm/ingemar9/episodes/Independent-AML-Audit-e1dv675
Did you know that the vast majority of Solicitors firms are required by the SRA to carry out an Independent Audit of their AML Policies, Controls and Procedures? (If they decide they do not need to they will need to justify that to the SRA.)
In the SRA “Anti-Money Laundering (AML) Visits 2019-2020” review of 74 solicitors’ firms between September 2019 to October 2020 the SRA found that only a fifth had ever conducted an AML Audit.
Regulation 21 of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 requires the relevant person to:
1(c) establish an independent audit function with the responsibility:
(i) to examine and evaluate the adequacy and effectiveness of the policies, controls and procedures adopted by the relevant person to comply with the requirements of these Regulations;
(ii) to make recommendations in relation to those policies, controls, and procedures; and
(iii) to monitor the relevant person's compliance with those recommendations.
You may do this internally, but it should not be carried out by the MLRO or the MLCO or anyone else responsible for maintaining the AML function within the firm. You may have the review done externally but should use someone with sufficient expertise as it remains your responsibility to the SRA to ensure this is done effectively. Quite a bit to organise!
We recognise that for many smaller firms this will be a headache and you will not have someone with sufficient expertise who can do this who is not involved in the AML function in the firm. Larger firms may wish to have the rigour or external audit.
What we will do
1. An Interview with the MLCO & MLRO (who may be the same person)
2. A Review of AML Policies, Procedures and Controls
3. Review a number of sample files (if required)
4. Interview some staff members (if their files were reviewed)
5. Report in writing on our findings with Recommendations
6. Follow Up Remote Review to ensure the recommendations have been implemented
All work is carried out remotely unless by separate arrangement.
If you go for a similar Sanctions Regime Independent Compliance Audit at the same time we offer a discounted combined price of £1,500 + VAT (which would mean a discount of £245 + VAT on the combined price)
(This is on the assumption of 1 office & up to 50 staff. If there are more offices you wish to have included, the charge will be £250 + VAT per additional office. There will be an additional charge of £250 + VAT for each 25 staff over 50 in number, but this will not duplicate to the office charge.)
Contact Us: Ingemar: 07887 524507 or [email protected]
We can also help with other aspects of your compliance, for example
(Sanctions Regime compliance - see separate services for this on our website.)
Just ask - we can also bespoke around your needs.
What we expect
We consider that Regulation 21 should be interpreted as follows:
• Size: Only at the very smallest practices will a Regulation 21 audit not be appropriate to the firm’s size. All other practices who carry out regulated work must establish an audit function.
• Nature: We expect most firms to carry out an internal audit. If firms consider they do not need to carry out an audit, they will need to justify this based on their size and nature. We consider that the following are some indicators that a firm is of a nature that requires an audit:
o Having more than one office.
o Having fee earners who focus on an area of regulated work e.g. conveyancers.
o The partners being responsible for others’ compliance with the regulations.
• Independent: This does not necessarily mean engaging a specialist agency or consultancy, though that is an option. Firms should make sure that, as a minimum, those with responsibility for maintaining their AML framework are not those auditing it. As well as an external entity, this could for example be:
o a senior member of the firm who does not carry out regulated work
o an MLRO from another firm
o an office manager with no regulatory or fee-earning role
o a reciprocal arrangement between small firms to review each other’s compliance
• Adequacy: The audit must check whether the firm’s policies, controls and procedures are:
o up to date with the law, regulations and regulatory guidance
o suitable for the work the firm carries out
o appropriate to the firm’s size and nature.
• Effectiveness: The audit should consider whether the firm’s policies, controls and procedures are being followed and are serving their intended purpose. This is difficult to evidence without a review of files.
• Make and monitor recommendations: The auditor must be of sufficient seniority to police this and make sure that any recommended measures are put in place. If an external provider is used, the recommendations should become
the responsibility of a suitably senior and independent person within the firm.
• Regularity: The regulations do not specify a time period for audit. We would suggest an audit:
o of policies, controls, and procedures when the regulations change
o following revision of the firm’s policies, controls and procedures
o following any other major change at the firm (for example a merger with another firm)
o at a regular interval determined by the size and nature of the firm, for some an annual basis may be appropriate
• In many cases, we found that the file reviews we undertook did not reflect the firm’s policies and procedures. Time and effort spent drafting and implementing policies might prove to be wasted if fee earners are unaware of them or ignore them. We suggest that a compliant audit, including file reviews, is likely to be the best way to make sure that policies are being followed.
• Where firms engage an external agency to conduct an audit, it is for them to ensure that it meets the requirements of Regulation 21. The responsibility to produce a compliant audit remains with the firm and cannot be transferred.