AML: making the most of your audit

Effective implementation of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on Payer) Regulations 2017 (the “AML Regulations”) requires certain internal controls to be put in place in any regulated organisation, including law firms. One of those controls is a requirement in some cases for an audit function. This article examines the audit function and offers some guidance as to its use.

Regulation 21 states that, where appropriate with regard to the size and nature of its business, a firm must establish an independent audit function with the responsibility “to examine and evaluate the adequacy and effectiveness of the policies, controls and procedures adopted by [it] to comply with the requirements of [the AML Regulations]”.

The audit function may be an external or internal resource; but where it is internal, it must be independent of the team responsible for ensuring compliance with the regulations. The auditor must have the necessary authority to access all relevant materials (policies, client files, internal procedural notes etc), to make recommendations and to monitor compliance.

For some firms, bringing in an external resource to provide challenge to the internal compliance function may be more efficient than the artificiality and cost of creating a second independent internal team.

It would be prudent to record (in a board minute or the like) the deliberations, and associated reasoning, together with all material factors that justify the firm’s response to the requirement for an audit function, including decisions as to how that function is resourced, its duties, and accountability within the firm’s management structure.

Twin objects

Broadly speaking, in the context of the AML Regulations the audit function can be seen as having two objectives:

• first, to review the infrastructure a firm has put in place – i.e., the policies, controls and procedures (“PCPs”) in response to the regulations (let’s call this the “macro audit”);
• secondly, to assess how well those PCPs are being implemented in practice (the “micro audit”). Put crudely, it is one thing to have a shiny set of written policy and procedural documents, but they are of little value if they are not being properly adhered to. A firm needs to be able to demonstrate good implementation and compliance.

By now, most firms should have completed – or at least have in hand – a first macro audit of their PCPs, and they should be in the course of implementing any remedial action identified in that audit. The macro audit should be updated periodically, the particular timeframe being dependent on the size and nature of the business.

Any update audit should look at whether the recommendations of previous audits have been implemented; whether any new requirements of the regulatory authority (the Law Society of Scotland or, in England & Wales, the SRA) have been put into effect; whether changes in legislation or best practice (e.g. as a result of any reported cases) have been taken into account; and also whether the firm’s PCPs have been updated to take account of any changes in technology, the firm’s business model or practice areas, which should, in any event, be reflected in an updated AML risk assessment.

For the micro audit, best practice would require a regular review – perhaps on a monthly basis – of a selection of client matter files, to assess whether and how the firm’s PCPs are being implemented. Some larger firms will have an in-house audit function that can fulfil this role. While smaller firms may not be able to sustain that level of permanent resource, they should still consider having micro audits carried out regularly, either by an experienced and senior practitioner in their firm who commands internal respect, or by an external consultant. Micro audits should look at a client file in its entirety, or alternatively adopt a thematic approach with a particular focus on any area that the firm may see as of heightened risk (e.g. source of wealth, proper completion of risk assessments etc).

Positive potential

Overall there are two key points to have in mind. One, it is important that the firm has given proper thought as to the scope of the audit function that is appropriate for the size and nature of its business, taking into account its obligations under the AML Regulations and the degree of exposure it has identified in its AML risk assessment. Separately, there needs to be in place a clear process – e.g. by an upgrade of systems, change of procedures or internal controls, or enhanced training (or maybe a combination of these) – which ensures that the issues identified in any audit are properly and promptly addressed.

The AML audit function should not be regarded as a burden or a tick box exercise. Properly resourced and culturally embedded in the firm with strong support at senior management level, it’s a vital tool to help ensure that potential legal, financial, ethical and reputational traps are avoided.