Avoiding anti-money laundering pitfalls

CILEx Regulation identifies the most common anti-money laundering failings made by legal services organisations and gives advice on how to take action to protect you, your organisation and clients

The UK legal sector is facing increased scrutiny in relation to its compliance with anti-money laundering (AML) regulations. This rise in economic crime regulatory activity has been driven by a recognition of the evolving nature of economic crime which continues to grow in scale and complexity. According to figures from the National Crime Agency, fraud now accounts for over 40% of all crime in the UK (NCA website, September 2024).

We work to ensure all our regulated firms and the wider regulated community are compliant with the latest AML legislation within the scope of the Money Laundering Regulations 2017 (as amended).

It is important to remain vigilant to any potential AML breaches and take appropriate action to ensure that the correct policies, controls and procedures are in place to help protect you, your clients and your organisation.

What are the most common AML failings?

An awareness of the most common pitfalls can help you avoid non-compliance and potential disciplinary action. Being aware of what often goes wrong means you can review policies and provide targeted staff training, with a specific focus on those areas where AML breaches are most prevalent.

Inadequate practice-wide risk assessments

Many firms do not carry out comprehensive, documented practice-wide AML risk assessments (PWRAs) tailored to their specific business, services offered and client base. Many do not have sufficient client and matter risk assessments (CMRAs) in place.

Together, these documented risk assessment evaluations need to be carried out practice-wide, as well as for individual clients and specific matters, and are particularly relevant for high-risk areas such as conveyancing.

A detailed PWRA shows the firm understands its risk exposure and has taken steps to mitigate it, and a detailed CMRA helps to identify and mitigate specific risks associated with each client or matter.

Failure to carry out customer due diligence checks

Customer due diligence (CDD) and enhanced due diligence (EDD) checks are a legal requirement under AML regulations for legal professionals, helping prevent any illegal financial activities by ensuring that businesses fully understand who their clients are.

Please remember that the CMRA must be sufficiently detailed. Answers such as ‘yes’ or ‘no’ will not normally be sufficient. For example, in the case of recording an identity check, it should name the individual who undertook the check, specify the date and provide evidence of the documents checked. It should also explain who undertook the verification of the identity, when and how.

Inadequate checking source of funds (SOF) and source of wealth (SOW) 

Firms frequently fail to obtain adequate evidence of how transactions are funded, particularly in relation to high-value transactions and how clients have acquired their wealth. To verify SOF and SOW, firms must collect reliable documentation (such as payslips, bank statements or inheritance records), taking a risk-based approach. This verification is required for high-risk clients or transactions and should be documented and monitored continuously.

Lack of, or inadequate, AML policies, controls and procedures (PCPs)

Firms may be using generic policies not tailored to their specific practice area and may also fail to have fully compliant and up-to-date PCPs. A detailed policy shows a proactive and informed approach to AML compliance. Missing key components indicate poor risk management.

Even when policies exist, they are often not consistently followed or reviewed. This can also mean an over-reliance on manual processes. Outdated documents may not reflect current regulations or practices and therefore increase non-compliance risk.

Lack of an independent audit function 

The Money Laundering Regulations 2017 require some firms to establish an independent audit function (dependent on the size and nature of the firm) to examine and evaluate the adequacy and effectiveness of their AML function, monitor compliance and make recommendations. Firms can conduct a risk-based assessment within their PWRA, to determine whether an independent audit is required.

Inadequate record keeping and documentation

“Many firms do not carry out comprehensive, documented practice-wide AML risk assessments tailored to their specific business, services offered and client base”

Firms frequently fail to maintain adequate records of their risk assessment processes, due diligence efforts, and training provided to staff, making it difficult to demonstrate compliance.

Firms should maintain clear, up-to-date and accessible records of all AML risk assessments, due diligence checks and staff training to demonstrate robust and ongoing compliance with regulatory obligations.

Poor staff training

Employees often lack sufficient training on AML regulations, how to apply the firm's PCPs or how to identify and report suspicious activity. This can lead to a lack of understanding of their responsibilities.

Firms should provide regular, role-specific AML training to all employees to ensure they understand the firm’s PCPs and can confidently identify and report suspicious activity in line with regulatory expectations.

In meeting the firm’s requirement to maintain a training log, you need to ensure that the log is sufficiently detailed. A person auditing the log should be able to identify the source and nature of the training from the information the log contains. You will need to be able to justify that the types of training provided were appropriate for the firm and its staff and that the frequency of training is sufficient.

Inadequate ongoing monitoring 

Many firms fail to implement dynamic systems for ongoing monitoring of client relationships. This means they may miss changes in a client's risk profile or the development of suspicious activities. Firms should implement a dynamic, risk-based client monitoring system that continuously reviews client activity and profile changes to promptly detect and respond to emerging risks or suspicious behaviour.

Understanding your economic crime prevention obligations 

All legal services providers must continually assess their AML framework, train staff and review their policies to ensure regulatory compliance. Failure to do so could result in enforcement action and reputational damage.

Continuous vigilance, collaboration and adaptation are necessary to avoid regulatory pitfalls and maintain trust with clients and regulators, contributing to a safer UK financial system.

To ensure you understand your obligations and keep up-to-date with the latest economic crime legislation, look out for regular updates in the CRL monthly newsletter and on our economic crime content hub.

 

Further information:

Anti-money laundering regulation and guidance - CILEx Regulation

The threat of economic crime – CRL feature, CILEX Journal Autumn 2024

National Crime Agency; Fraud