The Law Society has now issued its revised guidance on compliance with anti-money laundering and terrorist financing requirements in the light of the Money Laundering Regulations 2017 (“MLR 2017”) and so has enabled firms to finalise their policies in this area to ensure continued compliance with these important obligations. The scope of the advice has been broadened from being merely a Law Society practice note to being aimed at the legal profession as a whole, and so has been published as the Legal Sector Affinity Group. The advice has also been submitted to HM Treasury for its approval, the significance of this being that once approved the court would be obliged to take into account in any prosecution whether the defendant had been acting in accordance with the applicable guidelines from their relevant supervisory body.
All in all there are few surprises in the guidance and we believe that no changes are required to the draft risk assessment forms and policies that we made available to our subscribers in July, just after the regulations took effect on the 26th June. Points of interest, however, for MLROs and others with compliance responsibility are:
The risk based approach
Chapter 2 of the note, dealing with the risk-based approach to compliance with the Money Laundering Regulations, has been re-worked and now contains more detailed guidance on assessing the firm’s risk profile and some of the more important factors that should be borne in mind when so doing. Some fairly familiar advice on “mitigating factors” can also be found at para 2.4, including to avoid disclosing client account details so far as possible and restricting cash payments. Suggestions are also made in relation to some of the higher risk work types which should be read in conjunction with chapter 12 on “money laundering warning signs”.
The introduction to this chapter stresses that although adopting a measured and risk-based approach is key to complying the MLR 2017 it is not appropriate for the statutory disclosure obligations under the Proceeds of Crime Act 2002 and the Terrorism Act 2000. Here specific legal obligations apply and making disclosures to the NCA on a merely defensive basis could be seen to be a breach of professional duties.
Independent audits
One of the new requirements which caused concern for many firms was the requirement for an independent audit function on the regulations at r.21(1)(c). Not only does the note confirm the interpretation that the checking should merely be independent of the person being audited rather than having to be conducted by someone who is an outsider to the practice, but it also suggests that “smaller practices are unlikely to need such a function” at all (para 3.4.2). This interpretation is based on the reference in r.21 to the internal controls needing to have “regard to the size and nature” of the organisation in question, and will no doubt come as a relief to many such firms that might have wondered how they would resource such an exercise.
Customer due diligence
Turning to the all-important CDD processes the option of conducting CDD by electronic verification checking only, surprisingly perhaps, remains despite the acknowledgement at 4.3.3 that this “will confirm only that someone exists, not that your client is the said person”. The other option of somebody from the firm, or even from elsewhere in the regulated sector, “signing in” the client from personal knowledge also survives and can be particularly useful in relation to the obligation to maintain ongoing monitoring.
Politically exposed persons (“PEPs”)
One of the more significant changes in the regulations was the extension of PEP status to domestically based individuals. This will make the issue of how to deal with PEPs a more frequent concern than it had been to date and it was thought that a greater degree of checking for PEP status would now be required. The note instead recognises that this issue will arise more often than before, when PEP status depended on international roles only, but continues to advise that the steps to be taken can again be “risk-based and proportionate”. Where the risks of encountering PEPs are low, therefore, “you are not required to conduct extensive investigations to establish whether a person is a PEP” and (as before) “you may simply wish to ask clients whether they fall within any of the PEP categories”. Where there is a higher risk of encountering PEPs, however, the use of one of the electronic verification search agencies is encouraged. All such databases should now highlight PEP status but the note rightly observes that none of them can guarantee “100% certainty” and so firms need to continue to be alert to such issues on a matter by matter basis (para 4.12.2.2).
Data protection
Still one of the more difficult issues to resolve is the extent to which enhanced data protection obligations will affect archiving practices. The regulations require that CDD records – both the checks undertaken and also the transaction records (matter files) – needed to be maintained for five years but should then be destroyed. A initial problem is deciding five years from when? The MLR 2017 provide that the five year period should run from the end of the occasional transaction or the termination of the business relationship, but these essentially banking terms are confusing when applied to legal practice and difficult to apply. Perhaps recognising this the note now suggests a 10 year “backstop” date at 4.8 where there is an ongoing business relationship, but in terms simply that firms are not required to maintain such records for longer than this time rather than that they must be destroyed thereafter.
We suggested in our guidance issued in July that firms might overcome the potential problem of having to take files out of storage to delete the CDD evidence after five years, only then to have to re-archive them for another year or more to satisfy the standard six year storage period, by obtaining the client’s consent to store any copy documents for the usual retention period through their terms of business documentation. This we still consider to be possible as the option of gaining the client’s consent on this issue is stated to be a valid exception at r.40(5), whereas the equivalent requirement in the first draft of the regulations was to the client’s “express consent”. This higher standard would obviously have placed a greater burden on firms in their communications with clients on this issue. Unfortunately, both terms are referred to in the note and this will require clarification: at 3.6.1 the client’s “express consent” is stated to be required to exceed the five year storage period but at 4.8 the client is required merely to have “given consent” to the firm so doing. We have referred this point to the Law Society and will refer back any response when we hear from them.
Infolegal subscribers can access a more complete version of this guidance on the Infolegal Compliance Hub.