SRA Money Laundering Audit – Are You Ready?
The thought of an SRA money laundering audit may scare you. But regulators are becoming more proactive in their role as AML supervisors. Many firms have had the pleasure of discussing the AML procedure, probably over tea and a biscuit, with the SRA. So what can you expect when the SRA calls you?
It should be emphasized at this point that the SRA may have selected your company for one of two reasons. The first reason is that they want to take a close look at your AML controls, perhaps in relation to a recent violation or complaint. The second is that your business is subject to the Money Laundering Regulations (2017) (or MLR) and now you are one of thousands of businesses that are routinely investigated.
As you know, the fight against money laundering has been a priority issue for the SRA in recent years. Proactive AML supervision is designed to reinforce AML standards across the profession. It also provides the SRA with the data it needs to report back to OPBAS (Office for Professional Body Anti-Money Laundering Supervision).
First you get the call
When the SRA first makes contact, they will usually offer you a few dates and ask you to respond with your availability. They are unlikely to show up unannounced on your doorstep. Naturally, even the most organized companies will want to give themselves enough time to prepare and thus choose the most distant date. No surprise there.
What next? Blind panic? Well, let’s be super optimistic at this point and view the impending visit as an opportunity to get your AML ducks in a row.
If you know you’re not up to date, or you’re worried that something may have slipped under the radar with all the recent legislative changes (and subsequent ones), read on…
Fortunately, there are no rules as to how often law firms should update their policies or review their procedures. Unsurprisingly, this area has been deliberately left vague, so that each law firm applies the “risk-based” approach essential to its AML framework.
However, now is the time to absorb, refresh and re-implement recent AML changes.
If, on the other hand, you’ve managed to keep up with the changes (kudos to you!), you may even have future dates in mind for an overhaul of your existing systems. Don’t forget to follow through on this. Failure to review things according to your policy may tell the SRA that your AML framework is not working.
What the auditor will examine
So what exactly will the SRA want to see during one of these visits?
Routine SRA surveys are “front-loaded” in terms of assessing your AML framework. You will need to submit all of your policy documents prior to the visit. You will probably be asked for the following:
- Firm-Wide Risk Assessment (FWRA)
- Sometimes referred to as practice-wide risk assessment or PWRA, this is the cornerstone of your AML controls. You must have one in place to comply with the Regulations.
- Starting with a template is fine, but you need to adapt it to the risks your business faces.
- Make sure the document is reviewed according to your policy.
- If not already done, your risk assessment should include a reference to the guidance from the Legal Sector Affinity Group (LSAG).
- Policies, Controls and Procedures (PCP)
Including client and business risk assessments and your main AML (anti-financial crime) policy document.
- Related policy documents
Including reference to the Criminal Finances Act 2017 and how you store your customer data.
- Lists of fee earners
Whose work is subject to the Money Laundering Regulations and their “live” business.
- Training records
- To include all “concerned” staff. Make sure your MLRO and MLCO are trained and familiar with the LSAG Rules and Guidelines.
- What is the process? What solutions have been deployed to manage the risk?
- Keep records of all AML updates you release within the company, to show how you remind staff of their responsibilities.
- Employee Screening
This is an ongoing requirement and not just something that happens at the recruitment stage.
- CDD records
Are they organized centrally or on the customer’s matter file? Do your employees know how often the CDD is updated? This should be clear in your AML policy.
- Source of funds and source of wealth procedure.
How do you demonstrate this and capture the perceived risk?
- SAR and MLRO records.
The SRA will be interested in how many SARs you have completed. Remember that the absence of SARs may indicate that your training was not effective. It’s also a good idea to keep records of any cases you’ve declined.
- Minutes of Board meetings where anti-money laundering is discussed.
The SRA wants to see anti-money laundering high on the compliance agenda.
You will want to have easy access to all of your AML policy documents if and when the SRA knocks on the door.
When we perform audits under Regulation 21, some customers have difficulty locating everything we ask for because it is hidden away in another manual. For example, it makes sense that an employee screening policy (mentioned above) should be in the HR manual, but obviously these things can cause delays.
Now would be a great time to make sure all of your AML policy documents are listed in a central register. And for extra brownie points, you can hyperlink to the latest version of each document, rather than scouring the docs for the most up-to-date ones.
During the visit, you can expect the SRA to interview some of your employees and review a selection of their live business. This can be anyone from partner level to junior staff.
Is it time to refresh the training? Would your staff be able to talk confidently about the company’s AML controls?
When reviewing records, the SRA will look for:
- Client care letter
- Client ledger
- Identity and verification documents. Is the conference call part of your process? If so, where is it documented?
- All electronic verification results and how returned questions were handled. What has been done to further investigate false positives? How was this resolved?
- Any adverse Google searches or results kept on file.
- All business searches
- Proof of source of funds and wealth
- Client and deal risk assessments and how risk is managed throughout the transaction lifecycle.
Once the investigation is complete and the regulator has all the information it needs, it will write to you again with its findings. We have seen them highlight areas of good practice and areas for change, along with timelines for implementation.
Companies that “fail” an SRA audit face enforcement action. Fine levels have increased and the SRA now has the power to fine a business (or individuals) up to £25,000.
Perhaps the worst is the reputational damage. The SRA publishes AML enforcement details, which will be made available to your customers, staff, accreditation bodies and insurers.