Feature

posted 11 Jun 2004 in Volume 7 Issue 2

Money-laundering compliance: A risk-based approach

The Money Laundering Regulations 2004 have recently come into force, extending anti-money-laundering controls across the profession. Failure to implement and document money-laundering procedures may lead to criminal sanctions and an irreparable loss of reputation. Frank Maher, a partner at Legal Risk, considers the impact of the regulations and how a risk-based approach can help protect firms from the dangers of falling foul of the law.

Shark-infested waters are a poor place to learn to swim, yet many money laundering reporting officers (MLROs) fear that they are in similar territory.

Top international practices are finding that the day-to-day challenges to money-laundering compliance are every bit as demanding as they feared, with their partners telling them that the rules they have laid down are in some way unworkable. Practical issues affect corporate and litigation firms too; it is not just a problem for high-street practices.

The potential loss of livelihood for individuals and reputational damage for firms inevitably cause a huge fear factor. Given the complexity of professional practice, the inevitable question is where to start?

Even if you plan your strategy, things may still go wrong. But the benefit of taking a risk-based approach is that in addition to reducing the risk of things going wrong in the first place, you may have better prospects of avoiding prosecution and civil liability or, if unfortunate enough to be prosecuted, may have more prospect of persuading a jury of your innocence.

Those with clients in the corporate sector that think they are relatively safe need only cast their minds back to some of the prosecutions here and abroad following high-profile corporate collapses and illicit share-price support schemes to realise how easily their work could lead them into dangerous waters. Although those cases preceded the new money-laundering legislation, the wide ambit of the new laws could mean prosecutions in future cases include money-laundering charges too.

Late-night working may dull the senses of even the most seasoned corporate lawyer allowing mistakes to be made that with hindsight can appear quite obvious.

It is essential that practitioners identify the vulnerabilities, both generally and specifically as they affect your firm, and identify the likelihood of them occurring. It goes without saying that the likely impact of anything going wrong will in all cases be high – the only difference may be the length of the sentence.

What appears, therefore, to be good practice is in fact underlined by the Money Laundering Regulations. Under Regulation 3, all firms in the regulated sector must establish such procedures of internal control and communication as may be appropriate for the purposes of forestalling and preventing money laundering. The Law Society guidance1 advises that this means that each firm must consider how it conducts its practice and whether, in addition to the arrangements for reporting and training2, there are any procedures that should be introduced to satisfy this Regulation 3 requirement.

The risk-based approach to implementing a money-laundering strategy has been endorsed in other sectors, notably by the Joint Money Laundering Steering Committee and the Financial Services Authority, and there is every reason for professional firms to adopt a similar approach. Indeed, Regulation 3 might be interpreted as making it mandatory.

It is also important that the procedures, decisions made and the reasons for them are documented. This will help practitioners learn from their experience and, through introducing consistency of approach, should ultimately help mitigate some of the cost of compliance.

The MLRO is unlikely to know all the clients and may have little understanding of the practical aspects of the work of all the firm’s departments, which may include those giving the firm the greatest exposure. There is a case for the initial assessment of risk being done by a working party drawn from the firm’s fee-earning and accounts departments. The people involved in the process should be of sufficient seniority and experience to identify the risk and help the MLRO in his or her job of communicating the message to the rest of the firm.

Problem areas include cancelled transactions. Conveyancing solicitors and their staff need to be alert to the risk of receiving money as part payment for a property purchase, which does not then proceed at the last minute, perhaps because the client says he has been advised there is a structural problem or an issue such as a road development of which he says he was previously unaware; the client then asks for the deposit to be refunded. Aborted transactions are an area that the firm may, therefore, as a matter of policy, wish to flag up as requiring further investigation.

However, firms will need to have regard to the fact that their obligations under the Proceeds of Crime Act are not by any means limited to the ‘professional’ criminal but cover the full ambit of criminal activity, including companies assisting in the purchase of their own shares, and tax evasion. It is this that presents the biggest problem for the average practitioner, with, for example, the particular problems of matrimonial practice caused by the extensive obligations on the parties for the fullest disclosure.

Whatever systems and policies are put in place, they should not be viewed as a stand-alone, money-laundering, risk-management policy, but as integral to the firm’s systems.

Firms also need to consider how they will react to changing circumstances, for example, a client changing address during a transaction. If the client is moving to the new house they are buying and on which the solicitor is acting, that is only to be expected. But it is not enough for firms to adopt a simple tick-box approach to compliance and assume that because they have satisfied the requirements on identification checks, that this is the end of the matter. Although the regulations do not require a further check during the currency of the transaction, practitioners also need to be aware, as a completely separate issue, the wider picture on compliance.

Consider this scenario, which is not as uncommon as might be supposed: a husband instructs the solicitor to act on the sale of the jointly owned matrimonial home. The solicitor has acted for both husband and wife on the purchase in recent times and does not repeat his identification checks. So far so good in relation to money-laundering compliance, though all may not be well on other fronts. In fact, the marriage is breaking down and the husband is purporting to sell the house without his wife’s knowledge, intending to make off with the proceeds. Realising belatedly that the solicitor will write to them with documents for signature, he rents another house and tells the solicitor they have moved out. The rented address is very near the house they are selling, and when asked about the temporary move, the client is evasive.

The solicitor is not required by the regulations to carry out another identification check but the additional facts – the rented address nearby and the unsatisfactory response – may make him or her enquire whether client and solicitor are about to become involved in an arrangement. The solicitor needs to consider the position most carefully because this will give rise to issues of notifying NCIS, deciding whether to continue to act or not, whether or not to seek NCIS consent, and tipping off.

Turning back to the identification issues generally, firms may wish in any event to consider what they regard as acceptable evidence. For example, the Law Society’s guidance includes the following in the list of acceptable evidence: “Cheque drawn on an account in the name of the client with a bank in the UK or EEA.”

Not only are cheque books stolen daily, but the adequacy of the checks carried out by banks, or lack of it, has come under the spotlight, with millions of pounds in fines being levied by the Financial Services Authority. In none of these cases so far has there been any suggestion of the bank’s complicity in actual money laundering; the fines have been levied either for inadequate checks being made or lack of a sufficient audit trail to show that the required checks have in fact been undertaken. Solicitors need to consider the big picture here – not just being concerned to tick a box to show that they have done the requisite checks and can prove it, but the need to be on the lookout for exposure to the wider risk of money-laundering offences, both on the notification side and the risk of being involved in an arrangement. The writer has considerable doubts about the adequacy of this evidence.

The Law Society’s guidance has not been approved by the Treasury and is not binding on a court, though courts may have regard to it. There can be no real grounds for confidence in the identity checks, which may – or may not - have been carried out decades ago, and it would seem highly imprudent to accept this without other evidence.

All the systems and policies in the world will not help unless they are applied rigorously in practice, however, and that leads on to two further considerations – training and auditing for compliance.

The issues covered here involve a variety of policy decisions. There is no single off-the-shelf policy that can work for all firms given the enormous variety in firms’ practices.

Firms will wish to consider whether to make established clients go through identification procedures. Most will probably opt not to do so in the majority of cases, though many banks have had no such reservations about requiring existing customers to prove their identity.

Those who are considering conversion to a limited liability partnership should, however, bear in mind that although firms that carry on relevant business falling within sub-paragraphs (a) to (e) of Regulation 2(2) do not have to verify the identity of clients with whom they had formed a business relationship before 1 April 1994, the Law Society guidance advises3 that this transitional provision is likely to apply only to firms that were subject to the 1993 Regulations. It must, therefore, follow that firms that incorporate must carry out identification checks on clients of the former partnership.

Documentation

Compliance will mean that firms will have to document their procedures and the application of them in practice. This will help practitioners learn from their experience and, through introducing consistency of approach, should ultimately help mitigate some of the cost of compliance.

MLROs will wish to document the factors they have considered in deciding whether or not to make a disclosure or seek NCIS approval to a transaction for at least five reasons:

If a decision not to disclose subsequently proves to have been mistaken, it may assist in justifying to the authorities the stance taken at the time;

If a decision to disclose subsequently proves to have been mistaken, it may assist in resisting a client’s claim or complaint, whether for breach of confidentiality, delay or loss of a transaction;
If external legal advice is needed, or advice from insurers, it will help in giving proper instructions;
It will assist in a structured review of policies and procedures to ensure the firm is learning as much as possible to protect it and its clients’ interests;
It will help demonstrate compliance with the requirements of Regulation 3 (the requirement to establish procedures of internal control and communication).

Firms will also need to ensure they have a documented audit trail showing all changes that have been made to their policy, office manuals and training material, and how and when those changes were communicated to each and every member of staff.

Establishing a written policy will help maintain consistency, not only between decisions made by the MLRO and his or her deputy, but also between individual case handlers and indeed in the MLRO’s own decision making. In a paper entitled ‘Lawyers as Risk Managers’, Andrew M Whittaker, general counsel to the Financial Services Authority, says: “Any organisation needs to work on the basis of a single, consistent view of the law. Any other approach would be dysfunctional. So we need procedures to ensure that the advice we give is consistent. This does not mean that consistency is a virtue above all else. There is no virtue in being consistently wrong or consistently right, but unhelpful. If we are to aim for consistency, we need to recognise that this is as much an issue for the first person who gives advice on a subject as for those who do so afterwards.

It means talking to colleagues, thinking round the subject and ensuring that the conclusions we reach work all round, not just in the particular case before us. This is a necessary part of our accountability as a legal team, rather than a collection of sole practitioners.”

It is not possible or desirable to try and identify every problem scenario at the outset. What is required is an attempt at identifying the issues that are most likely to occur, with a measure of protection against the rest.

Auditing for compliance

Self-evidently, it is no use having the finest money-laundering policies in the profession if they are not being applied. Many firms already undergo audit by external assessors for quality systems such as Lexcel, ISO 9001 or by the Legal Services Commission. Those firms and others may have internal audits. Those that do not may wish to consider whether they should start now to see that their procedures are being followed.

Is it possible, for example, for staff to act for friends and relatives without going through the normal file-opening processes? General experience of law firms suggests that it is rather easy – with either no file being opened on the accounts system at all, which rather defeats the protection on which many firms rely, or by ‘laundering’ a matter through a ‘miscellaneous’ or ‘general’ file, either opened in the name of the client or the fee earner concerned. General files of this type are lethal – the examples are legions of claims with inadequate documentation, untraced documents, disputes as to whether the solicitor was ever instructed at all, conflicting evidence on the extent of the retainer, or no engagement letters. The list is endless.

All this has to stop. A trawl of matters for those with ‘general’ or ‘miscellaneous’ in their description is a worthwhile exercise, but once such checking is known, other ways to beat the system will doubtless emerge and random file selection will always be an important part of audit, though it should not be the only basis of file selection.

Is it possible for new matters to be undertaken for existing clients without going through the normal procedures? Again, this offers opportunities for non-compliance, particularly if your client-identification checks are only carried out in relation to ‘relevant business’. A client may instruct you on, say, a personal-injury matter without any checks being carried out, and then instruct the firm to act on a conveyancing matter. The solicitor can easily be lulled into a false sense of security.

Rules that prevent chargeable time being recorded until a matter has been opened properly may help, although there are too many rogue practitioners who regard rules as being there for everybody except themselves.

The only truly safe course is to undertake the checks for all clients. An area where we are helping some professionals is auditing their compliance with money-laundering procedures. A quick audit of one firm revealed 70-per-cent non-compliance in checks on new clients. In light of this, have you assessed your firm’s compliance?

Although there is insufficient data yet to think of benchmarking, it may not be surprising if the authorities give thought to this at some point in the future. They may be surprised, for example, if a firm with a high-volume conveyancing practice and a large matrimonial practice makes no notifications at all in the first year.

Having trained all your staff, do you test them to see they have understood the training? There are many ways of doing this: web-based testing systems are available from as little as £10 plus VAT per head and by helping you focus training expenditure on where it is needed, it may help save cost in the long run.

Other aspects

There are many other areas that firms will need to consider but which space does not permit discussing here. Examples include record keeping, an area where many eminent firms let themselves down badly. The sanctions for failing to retrieve files from storage may in future include criminal ones.

The ‘reasonable excuse’ defence, privilege issues and involvement of insurers are further areas that need careful thought and planning. Most of the points outlined above involve policy decisions by the firm. In practice, this will necessitate the firm documenting its risk assessment and how it is going to proceed.

It is also highly desirable that the policy is reviewed at least annually to see that it is still appropriate in the light of any changed regulations, reported decisions, Law Society guidance and practical experience, changes in the firm’s practice, and changes in practice generally. Firms with accreditation under the Lexcel 2004 standard will include this in their annual review of risk in any event.

If the firm has a reasonable policy, which has been applied, then even if sometimes things go wrong, it will greatly enhance the prospects of avoiding prosecution or, if the worst comes to the worst, explaining the position to a jury.

Reference:

At paragraph 6.1
Discussed in paragraphs 3.16 – 3.27 of the guidance
At paragraph 3.49

Frank Maher is a partner in Legal Risk. He can be contacted on frank.maher@legalrisk.co.uk