Money laundering: 38% of firms are not compliant with regulations

During an anti-money laundering (AML) review you may be advised to tailor or amend your AML processes, and provided you engage with your AML supervisor, it can be a straightforward task, however if a positive culture is not driving these changes, you could open yourselves up to future failures.

“Culture is like DNA,” Clive Adamson, then Director of Supervision at the FCA and now chair and non-executive director at several large financial institutions, said 10 years ago. “It shapes judgements, ethics and behaviours displayed at those key moments, big or small, that matter to the performance and reputation of firms and the service that it provides to customers and clients.”

A decade ago, Adamson was addressing an industry conference about the need to build cultures that prioritise fair outcomes for customers alongside trust in the sector – a culture of doing the right thing rather than of ticking the right boxes.

“The responsibility for ensuring the right outcomes for customers resides with everyone at the firm, led by senior management, and not something delegated to compliance or control functions,” he said.

A critical review of AML compliance

During the course of conducting AML reviews over the past two years, the Institute of Financial Accountants (IFA) has identified common themes of firms non-compliant with the Money Laundering Regulations. These will be consistent with the findings of other professional bodies.

The IFA conducts reviews and assesses firms’ compliance with the Money Laundering Regulations 2017 (MLR). Its approach to AML supervision ensures effective monitoring of IFA-supervised firms and takes measures, when necessary, to secure compliance with the MLR.

Some 38% of firms reviewed were deemed non-compliant. Here we detail the key findings and common issues among these firms, as well as offering suggested remedies.

Regulation 18: Risk assessment

Regulation 18 requires firms to have a written firm-wide risk assessment, which has been approved by senior management and is reviewed annually.

Nine in 10 (89%) non-compliant firms did not have a written firm risk assessment or the document provided was inadequate.

Documents provided included blank client risk assessments as well as documents sourced from third parties, often websites, that had been copied and not tailored to the firm.

Where a firm risk assessment was in place, firms often do not appear to reflect on the information contained with the assessment and demonstrate appropriate mitigation processes.

Regulation 19: Suspicious activity reporting

Regulation 19 requires firms to have adequate written policies, controls, and procedures in place, including clear reporting lines for reporting suspicions.

Four in five (79%) non-compliant firms did not have appropriate policies and procedures in place and/or they were not tailored to the firm or reviewed on a regular basis.

Firms either had no written policies and procedures or had copied documents from other sources without removing incorrect references.

Another common theme is policies not actually reflecting the processes of the firm. They look to have been written as a one-off requirement without thought to the way the firm operates.

Firms could often not demonstrate how the AML policies and procedures had been communicated to employees.

Regulation 21: Internal controls

Regulation 21 requires firms to have appropriate internal controls. This is the responsibility of the Money Laundering Reporting Officer (MLRO) or Money Laundering Compliance Principal (MLCP). That responsible person is required to attend appropriate AML training and, if the firm has relevant employees, to complete an annual AML compliance review of the firms’ policies and procedures to ensure they are appropriate to the firm and its client base, and that the firm has appropriate resources including training requirements.

Some 91% of non-compliant firms had no annual AML compliance review and/or had not completed appropriate training. Relevant employees had generally not been screened or, if they had, it had not been recorded.

Regulation 24: Regular AML training

Regulation 24 requires all relevant employees to undertake regular AML training to recognise and deal with transactions which may be related to money laundering, as well as to identify and report anything that gives grounds for suspicion.

Nine in 10 (87%) non-compliant firms were unable to demonstrate that relevant employees (including sole practitioners) had undertaken appropriate and regular training.

Often firms incorrectly declared AML training relating to the software the firm uses – this training was often found to relate to the way the software works, rather than the ML regulations.

Regulations 27 and 28: Customer due diligence and client risk assessments

Regulations 27 and 28 relate to customer due diligence (CDD) and client risk assessments. In general, most firms understood the requirements, however 46% of non-compliant firms had issues in this area.

The most common failing was a lack of written client risk assessments where firms stated that they did not require the written assessments. Other issues included incomplete or inadequate client risk assessments that did not reflect the services provided or nature of the client, incomplete or non-existent know-your-client information, and/or no evidence of ongoing reviews or updates, all of which increase the risk that the firm could be exploited by criminals or become complicit in money laundering.

Regulations 40 and 41: Record retention and data protection

Other areas that firms regularly fail to demonstrate compliance on include regulations 40 and 41 which relate to record retention and data protection requirements.

Records relating to CDD and the business relationship must be kept for five years from the end of the client relationship and all records related to an occasional transaction must be retained for five years after the date of the transaction.

Before establishing a business relationship or entering into an occasional transaction with a client, a firm must advise the client of its data protection obligations and record this.

An example of best practice is where firms include an appropriate statement in Letters of Engagement or Terms of Business.

Help is at hand

The IFA provides regular AML training and a suite of AML templates for firms, as well as a dedicated AML support email

Firms should engage with their respective supervisors to seek support and advice.

Tim Pinkney is Head of Practice Standards at the IFA.