Anti-Money Laundering: Getting ahead of the compliance curve
Anti-Money Laundering Supplement 2017
MODERN LAW
WELCOME
Whether you see anti-money laundering procedures as a vital security measure, an administrative headache, or somewhere in-between, the fact remains that law firms must remain compliant and that they need to conduct their AML, Know Your Customer and Customer Due Diligence checks in order to do so. These are potentially multistep processes that are about to become more complex, with the looming Fourth Money Laundering Directive set to make the checking of Politically Exposed Persons (PEPs) more stringent. It is therefore more important than ever for law firms to make sure they understand what is required of them in their AML procedures, and to make it as efficient and easy as possible to meet these requirements.
Through editing Modern Law Magazine, we get to look at numerous areas of the business of law, but it is only when producing these supplements that we’re able to take an in-depth look into one particular area, and it was eye-opening to learn how often law firms are being targeted by financial criminals as a result of the nature of their work and the money they handle. So it was also encouraging to see how much emphasis is being placed on preventing what could be something that those outside of the legal sector, including clients, may be unaware of.
Much of this emphasis is coming from platform providers, like SmartSearch, whose Managing Director, Martin Cheek, spoke to us about the current state of AML in the legal sector and what the implications of the Fourth Money Laundering Directive will be. Plus, we talked to Robert Bourns, President of the Law Society of England & Wales, who explained what the Law Society is currently doing to promote compliance among the firms it represents. We also spoke to one of these firms, more specifically Harrison Clark Rickerbys, and even more specifically Andrew Caldicott, to gather an insider insight into AML from a law firm’s perspective. You may or may not share the opinions of AML presented in the interviews and articles in this supplement, but hopefully you will agree that the magazine is useful and informative at a time when AML in the UK is about to undergo a legislative and technological transformation.
Brendan Gurrie, Editor, Modern Law Magazine. 01765 600909 | @ModernBrendan | brendan@charltongrant.co.uk
CONTENTS
INTERVIEWS
Martin Cheek
Modern Law spoke to Martin Cheek ahead of the introduction of the Fourth Money Laundering Directive about the evolving role technology plays in anti-money laundering procedures and the importance of fulfilling AML compliance and due diligence obligations.
Andrew Caldicott
Andrew Caldicott spoke to Modern Law about the due diligence undertaken by Harrison Clark Rickerbys, and revealed how regulation, technologies and costs are all changing the way law firms approach AML procedures.
Robert Bourns
Robert Bourns, President of the Law Society of England & Wales, talked with Modern Law about the variety of methods and approaches firms can take to their anti-money laundering procedures to ensure they complete their due diligence and remain compliant.
FEATURES
All for One or One for All
While anti-money laundering procedures are an integral part of a law firm’s compliance, the process is overcomplicated for many firms due to the numerous platforms they are using in order to remain compliant and conduct due diligence.
It’s the thought that counts
Regular and efficient documentation of systems, processes and changes can ensure a firm remains fully organised, aware and compliant, as Eric A. Sohn details.
Digital isn’t the future. Digital is now.
Digitalisation of processes can save time, improve efficiency and help to meet constantly rising customer expectations. But, first and foremost, it is essential that firms ensure their basic compliance is in check before digitising more advanced processes, as Gary McVie warns.
Money Laundering Directive 4: Cleaning up UK politics – What does this mean to you?
The fourth Money Laundering Directive will introduce due diligence for UK PEPs for the first time. John Marsden analyses why this is necessary, and how this new directive could restore faith in British democracy, from both inside and outside of the country.
Electronic Verification in a modern legal practice
Electronic verification is proving to be a necessity, rather than a luxury, for law firms in Scotland. With fraud on the increase, verification of identity and screening are becoming increasingly important, as Richard Farquhar explains.
Group Editor Brendan Gurrie
Editorial Assistant Poppy Green
Project Manager Ellie Norrie
Events Sales Kate McKittrick
April 2017
INTERVIEW
Martin Cheek
Modern Law spoke to Martin Cheek ahead of the introduction of the Fourth Money Laundering Directive about the evolving role technology plays in anti-money laundering procedures and the importance of fulfilling AML compliance and due diligence obligations.
Q
Why was the SmartSearch platform a necessary venture, and what were the challenges in establishing it?
A
We found in the legal market that law firms were using multiple vendors and different methods to verify either individuals or business clients. The traditional method is a passport, driving licence or utility bills for individuals. They would use Companies House for business checks, and then they would use third party suppliers to do their Sanctions and PEPs screening, which is a time consuming manual process and very labour intensive. You’re also reliant on the client supplying you with bona fide documents for you to record that information. Even with electronic verification, firms would be using multiple platforms to verify UK individuals and businesses, and additional products for Sanctions and PEPs screening and their Enhanced Due Diligence. We’ve consolidated all of that into a single platform. The regulation dictates a risk-based approach to money laundering, so it doesn’t specifically tell you how you should do it. Different firms have different approaches, and the larger and more complex the law firm, or the larger or more complex the client or the matter, the more time consuming it has become. So our goal and our modus operandi has always been to create a “one-stop shop” service to verify individuals and businesses, both in the UK and Internationally, and also incorporate full Sanctions and PEPs screening with ongoing daily monitoring. This dramatically reduces the amount of time firms need to validate, identify and verify the identity of their clients, saving them significant operational cost. The challenges in establishing this process came down to three main elements. The first challenge was selecting the right data partners to provide quality, reliable data. Importantly, some of the information can only be accessed under the money laundering regulations. 
Normally, if you’re not a member and you don’t supply data to a Credit Reference Agency (CRA) then you can’t access the CRA database, but there is a dispensation under the rules that allows non-members, like law firms, to access the data for fraud and AML purposes. It’s very similar when it comes to corporate clients and being able to validate Directors and Beneficial Owners at their home addresses, and this is some of the key data that we hold. We don’t just white label products, we take in raw data and derive new processes and products out of it. The next challenge was to develop the technology to consolidate a single view of all of these different data sets to give a comprehensive outcome. For example, whilst checking Experian and Equifax databases we simultaneously check Dow Jones whilst also applying Automated Enhanced Due Diligence to reduce the number of “false positives”. In addition to the processing, careful consideration has to be given to the storage of the data that defines the outcome. So the clever technology is in the processing, the storage and the on-demand retrieval of the verification outcome.
We’re working with lots of major law firms and accounting firms, and their most precious asset that they entrust us with is their customer base. They want to ensure that their data is stored in a secure location where it can’t be hacked, so the next challenge was technology and security. Accordingly, we selected high security UK based data centres with all the appropriate accreditations to host our SmartSearch servers, and we established multiple operational locations to provide “mirrored fail safe service resilience” and traditional back up security of service. The final element is making sure that we’re always on the edge of the curve. Technology changes rapidly as we move through the process, so this challenge is just making sure that we’ve always got our eye out for additional data sets or additional processing matters. We’re constantly looking to refine the technology based on what customers want to see.
Q
How do anti-money laundering procedures impact different stakeholders in the Legal Sector, i.e. Solicitors, Barristers and Support Staff?
A
The money laundering regulations set out a risk-based approach, and you see that firms with very similar footprints in terms of clients, products and channels to market can adopt wildly different approaches. Some firms centralise it, and that takes away a lot of the pain from the front-end staff, the fee earners etc. Other organisations leave it down to the fee earners or the partners, and either they do the checks or their support staff do. The impact differs for different stakeholders depending on the initial risk assessment the firm has undertaken. Obviously, people feel differently about risk; some firms will establish a “belt and braces” solution and probably expedite ten times the amount of time and effort, making it painful for the stakeholders within the business, whilst others may take a more relaxed approach.
Q
What do you think the Brexit effect will be on AML legislation in the UK?
A
I don’t think it will have any effect whatsoever. The UK has always copper bottomed any of the European Money Laundering Directives. We’ve always gone way beyond the minimum requirements laid out. I think the UK will actually create tougher money laundering legislation to ensure that we remain the Financial Hub of the World and a safe place to do business. Under the current Fourth Directive, member states are required to force businesses to keep details of their Ultimate Beneficial Owners; that is any individual that’s entitled to more than 25 percent of the profits, proceeds or share capital in the business. The UK has the business and innovation skills and has already committed to create a public register that anyone can view. The European Directive says that it really leaves obliged entities, i.e. regulated businesses, to be able to access that information, or obliged entities such as regulators or journalists in some cases.
Q
What are your predictions on Know Your Customer (KYC) and Customer Due Diligence (CDD) in the Legal Sector, and how will technology develop around KYC and CDD?
A
The KYC and the CDD requirements are there to make you find out about your customer, understanding important issues like where the source of funds are coming from for the transaction and whether that marries up to the matter that you’re being asked to look at.
I mentioned earlier that there are still an awful lot of firms out there using traditional methods for KYC and CDD, such as passports, driving licences and utility bills. I foresee a logical progression to a more widespread use of electronic verification. A lot of firms in the UK have said that they just deal with UK individuals and citizens, and as we sit here today the Money Laundering Regulations only require you to check Politically Exposed People (PEPs) outside of the UK. When the Fourth Directive comes in, they will also be required to check PEPs in the UK. Even though people may stick with traditional passports or driving licences, they are going to have to introduce systems, policies and procedures to check whether clients are PEPs or not. I also see volume players now understanding that technology can be integrated directly into Case or Practice Management Systems, so it can save a considerable amount of time in rekeying information when switching from one platform to another and scanning, storing or saving images. The use of big data will start to become the norm with firms, as they will be able to analyse and monitor transactions in order to spot suspicious activity and define where their time, effort and resources are needed, as opposed to treating it as a standard tick box exercise.
Q
How do you think a Risk Based Approach to anti-money laundering is implemented in Law Firms in the UK?
A
The Money Laundering Reporting Officer (MLRO) sits on a continuum of risk. Some have been highly risk averse, and therefore require fee earners to “belt and brace” policies and spend more time, effort and money on KYC requirements. At the other end of the scale there are those that pay lip service to them and probably leave the firm open to regulatory or criminal penalties. The real key for firms is that they need to do risk assessment correctly as an integral part of good business practice and often their risk policies are determined in isolation. Law firms probably want to work together and share good practice on what are acceptable risks, either in a particular client or a business matter. Money laundering doesn’t go on in the KYC and CDD aspects of the process, it goes on in the underlying transaction; what is this client asking you to do, where has the money come from, and is it consistent with what you know and understand?
Q
The UK Government has committed to create a Public Register of Beneficial Owners in the UK. How do you think this will be implemented, and what will its effects be?
A
I think it’s a start, but there are significant shortcomings to it. It will only contain an individual’s name, date of birth and nationality, and as I said the Fourth Money Laundering Directive now requires firms to ensure that they can check UK PEPs as well as International PEPs. So just knowing it’s John Smith, his date of birth and the fact that he’s British won’t help much with this. I think the problem with Ultimate Beneficial Owners (UBOs) comes when you have a very complex company structure, particularly when the UBOs are individuals or other firms registered in The Crown Territories, such as the British Virgin Islands. The British Crown Territories, whilst subject to money laundering regulations, have absolutely vowed that they will not create any kind of register, public or secretive, for Beneficial Owners to declare themselves. I think if an organisation wants to hide the true identity of their UBOs then it’s still very simple to do. This is a self-certification process, and I expect the criminals and money launderers won’t be putting their names into the public domain no matter what.
Q
Is there enough emphasis on AML procedures from UK Legal Sector Regulators, and can this be improved?
A
Currently, the Solicitors Regulatory Authority (SRA) and 24 other supervising bodies are responsible for AML supervision in the UK. The SRA has identified a number of failings in its last assessment, such as failures to conduct appropriate identity checks and due diligence on source of funds and source of wealth. A recent report from Transparency International, called ‘Don’t Look, Won’t Find’, stated that they considered the SRA to have met the professional body supervisor tests. However, it’s interesting to note that a solicitor in Scotland or Northern Ireland will not be subject to independent AML oversight from a promotional or educational professional body. The SRA has the authority to issue fines, but only of up to £2,000, which is hardly a significant deterrent. And although they can refer cases to the Solicitors Disciplinary Tribunal, whose powers are wider than the SRA’s, my view is that there are simply too many AML supervisors in the UK, and what you see is very patchy between the different regulators in the legal and other regulated sectors.
Q
The Council of Mortgage Lenders currently state that electronic identity verification services may not be suitable for fraud prevention. Why do you feel this is?
A
Back in 2005, we got the Council of Mortgage Lenders to recognise the acceptable use of electronic ID services for anti-money laundering purposes. It was around this time that the Law Society was also recognising the acceptable use of electronic verification services. At that time, they had the old green card to cover mortgage fraud. When the SRA took over in 2007, they implemented the green card into their code of conduct. It was specifically Clause 3.19 (a) (i), which stated that if you are acting on behalf of the borrower and the lender; you need to protect yourself against mortgage fraud by checking that someone’s signature is genuine. Over time, the different requirements of AML and mortgage fraud have become confused or intertwined; they’re probably two sides of the same coin, but there are differing requirements. If we have a law firm dealing in those narrow circumstances of acting on behalf of the borrower and the lender, what most clients are doing now is using the Smart IDV app. This allows individuals to take perfect pictures of passports or driving licences and email them to the solicitor. They can then check the signature on that document against others, such as those on the lending or deeds documentation.
Q
How do you see the role of the Money Laundering Reporting Officer (MLRO) changing in the Legal Sector?
A
It’s always evolving. Back in 2004, whoever drew the short straw got the position of the MLRO. Prior to the Money Laundering Regulations of 2007, it was very much a tick box exercise. That is evolving now as companies really start to begin to understand the risk-based approach, which again is more enshrined in the Fourth Money Laundering Directive. It is a constantly evolving process of managing all of the different types of risks that a firm faces; risks from the client and risks from the matter. The process can be internal, and not just related to money laundering, but across the board. The business not only looks at the money laundering risks, but also the potential indemnity risks. So it’s about constantly reviewing your policies and procedures, since there’s new case law coming out all the time; everyone’s probably seen the Mishcon de Reya case around the conveyancing transaction, and that stirred up a lot of interest about how solicitors can protect themselves and their clients from what seems to be a perfect transaction. Companies are starting to understand the reputational risk associated with money laundering, and a lot of the major firms with high reputational risk need to protect themselves from getting involved with anything that’s a little unsavoury.
Q
What are SmartSearch’s future plans in the AML space?
A
We’ve got a number of developments underway as we speak. We are developing a source of funds application, which we see being particularly pertinent in the conveyancing sector, where individuals are gifting sums of money to a borrower in relation to a property transaction and the need to follow that money. But we will also be able to verify people’s income and where it came from, whether that be a one off lump sum of cash or multiple payments. The next thing that we’re developing is business credit reports and monitoring. Our view is that credit and AML are two sides of the same coin; AML Risk and Credit Risk are probably an item. New regulation is requiring banks to share account information, and a few of the credit reference agencies in the UK will be able to get access to the scores that are derived from this data. If you imagine most companies’ accounts are out of date for a minimum of somewhere between eighteen and twenty-four months, that’s a heck of a long time and a lot can change during that period. If we are able to create good business credit reports and combine that with good KYC business reporting and ongoing monitoring for changes in both credit and/or AML status, we will provide a much better early warning system for clients to manage their risk.
It is interesting to note that most, if not all, cases of mortgage fraud have been perpetrated and supported by fraudulent documentation. I am not aware of any cases of mortgage fraud where electronic verification has been used to perform the KYC and CDD verifications. It is very difficult to create a fictitious, verifiable electronic identity.
Martin Cheek
Martin has been at the forefront of Anti-Money Laundering (AML) Regulation and the development of electronic solutions to automate AML Compliance since the first Regulations in 2004. As a qualified lawyer, he has a detailed understanding of the overriding regulations and the way they are interpreted by the various Regulatory Bodies. Martin was instrumental in developing one of the earliest electronic verification systems in 2004; as the Lead Executive he set up Callcredit Direct to deliver this early basic electronic AML verification service.
In 2009, Martin joined SmartCredit as Managing Director and started the development of a new multi-function AML platform known as SmartSearch, using the latest technology and top quality data to deliver individual and business searches in both the UK and International Markets. Uniquely integral real-time Sanction & PEP checking incorporates daily monitoring and user alerts along with automated enhanced due diligence. This new platform serves over 1,500 Client Firms and some 25,000 Users. SmartSearch has won multiple awards in recent years and has become a pre-eminent solution for Regulated Professional Firms. You will have to go a long way to find an individual who has a similar unique understanding of AML Regulation and Compliance and the foresight to apply this to efficient and cost effective electronic solutions.
INTERVIEW
Andrew Caldicott
Andrew Caldicott spoke to Modern Law about the due diligence undertaken by Harrison Clark Rickerbys, and revealed how regulation, technologies and costs are all changing the way law firms approach AML procedures.
Q
How has financial crime and money laundering evolved in recent years, and how are law firms adapting to meet this?
A
When it first began it was seen as an inconvenience, but these days it is very much part and parcel of our file opening procedures and our security. The demands upon us have increased substantially over the years and will no doubt continue to do so with the Fourth Directive looming. The criminals themselves have become ever more sophisticated, and it is a continuing game between those trying to do no good and those just trying to fulfil their obligations and prevent illegal behaviour.
Q
What difficulties can firms face in fulfilling AML, KYC and CDD obligations?
A
It is quite a substantial business overhead these days. There are huge practical demands upon us, such as the logistical difficulties and the expense, making sure you keep all of your staff up to date with issues and problems that are arising, making sure that new starters are inducted into the procedures and making sure there is consistency across the whole team. We are a top one hundred law firm, and we have a significant number of people working in various different areas of law, so we try to make sure that everybody fulfils their duties and carries out proper checks on those who we act for. It is a major administrative headache; I would think that most firms would nod their head at this. While there are lots of things you would do in the normal service of your clients, this isn’t necessarily helpful to your clients. This is an obligation that is imposed upon you, and therefore you need to encourage the right approach for people to take it seriously and do it properly; you constantly have to be on their backs unfortunately.
Q
How is technology evolving to support anti-money laundering procedures?
A
It is evolving all the time! In part, that is due to technology moving on and in part to do with the competition in your industry. People are looking to offer something that is a little bit better than their competitors, as well as constantly having to change to meet the sophisticated nature of some of those people who are out to do no good. Less than a couple of years ago it would never have crossed my mind to check that another law firm is bona fide, but now it is a matter of routine in conveyancing cases, and perhaps that is in itself a sign of the times.
Q
Do you believe regulators are doing enough to promote AML procedures, and what more could they do to help law firms tackle financial crime?
A
I accept that we have to fulfil our duties imposed by the law, but, if I’m honest, I still privately resent that we are in effect having the government’s job delegated to us, and then have penalties for non-compliance. I accept and understand that we should know who we are acting for, and we shouldn’t support any criminal activity. My guess would be that 90% plus of lawyers would never dream of doing such a thing. All of this is delegated to us, and that responsibility and pressure put upon us is to avoid the state having to carry its own role. That might be a controversial thing to say, but that is what I think.
Q
How will the Fourth Money Laundering Directive alter the way firms conduct AML?
A
It is often the way that rules and regulations are always being changed, and just when you have got a new set of rules, are fairly comfortable with them and have a system for them, then we have to review the whole thing. The truthful answer is that I don’t know for sure yet because we still don’t know for sure what the legislation looks like. I know we have a go live date of June, but I’m not aware that parliament have finished their act of parliament. I’ve seen plenty of reports, and I’m sure everyone has kept a look out in the two year lead up time we’ve had for this as to what it may involve. In short, we are going to have to review all of our procedures, our office manual and our whole system, and make sure we cover all bases required.
Q
What are the advantages and disadvantages of a risk-based approach to money laundering?
A
The big advantage is that you can be subjective and you can evolve your own systems; we can bespoke our system, but the disadvantage is that we would normally like more reassurance that we are doing the right thing and in the right way. I think as lawyers, we often like the reassurance of knowing what the rules say. Another big disadvantage is that when you’ve got a significant number of people working for you doing all various different areas of law, you have to make sure that they are all taking it seriously and that they are all doing it correctly. You can’t be there watching over everyone’s shoulder all of the time. We have a central system where we review things, but it does concern me that it would just increase the onerous responsibilities on everyone and thus increase our duties as money laundering officers to have to police everything very carefully.
Q
Do you believe law firms should inform their clients about AML and CDD obligations?
A
Yes I do, in terms of what we have to check, not least because more often than not firms will try and pass some of the cost on. Obviously you are then obliged to tell them what that cost is for and what you’ve done. I believe it is helpful to do that, and most clients do understand, although equally most clients find it a pain when they do have to do it. Even as a money laundering officer, I must admit that I find it a pain! But yes, I feel we should inform them.
Q
Are law firms doing enough to train staff about the risks of money laundering and the importance of CDD?
A
It is very mixed. We take it very seriously, we always have, and we make sure there is regular training. And that’s not just for fee earners, that’s for all staff: secretary, support, administrative staff, even the guy who looks after the post room all have money laundering training. We include it as part of our induction procedure. The difficulty comes with smaller firms; the total cost of paying for the electronic searches and checks and the cost of training is massive, and I have some sympathy for smaller firms with lower turnovers, because it is a huge cost.
Q
What other risks could affect the legal sector in the next twelve months, and how will Harrison Clark Rickerbys prepare for these?
A
It is hard to say sometimes, because sometimes you don’t even know the risk that’s there. We have a monthly compliance meeting, where we are regularly thinking about what could go wrong, what sort of issues are there, and we try and be ahead of the curve. We try and cater for those problems. The key issues at the moment are checking the validity of other law firms, fake transactions and cyber-crime; they are all high on everyone’s agenda. We are always looking at ways to improve our security and our effectiveness but, just as we close one door, the criminals out there are looking at ways to open up another avenue. You need to be constantly on the lookout, and constantly evolving to meet those threats as they arise. All the IT in the world we live in is a wonderful and great gift to humanity, but like all things, humans find a way of abusing it. It is an ongoing battle, and I don’t think we could ever afford to be complacent again. It is a scary time, a lot of firms would agree with that. The headline recently about Mishcon de Reya, a famous well-respected law firm, which was used by somebody pretending to be somebody else and selling a property for 1 million pounds, is worrying. We have our own specialist sector. We have ex-bank staff and all calls are directed to them so they can pick out the scams; we have numerous scam attempts every week. We are a prime target because of the nature of work we do and the amount of money we handle. We are a major target and I would accept that the legal industry was a little bit out of date some years ago. I think it has quickly caught up, and that it does take its responsibilities very seriously.
12 Anti-Money Laundering Supplement
April 2017
INTERVIEW
Less than a couple of years ago it would never have crossed my mind to check that another law firm is bona fide, but now it is a matter of routine in conveyancing cases, and perhaps that is in itself a sign of the times
Andrew Caldicott
It is often the way that rules and regulations are always being changed, and just when you have got a new set of rules, are fairly comfortable with them and have a system for them, then we have to review the whole thing
I have been a Partner at the top 100 law firm of Harrison Clark Rickerbys for 22 years. During that time I have been the firm’s Managing Partner, its COLP and I’m currently its Money Laundering Officer. I have held that role for approximately a decade. I’m also heavily involved in the firm’s compliance monitoring and training team. I am a Solicitor Advocate and also head of the Family Law team and have a full time fee-earning role.
INTERVIEW
Robert Bourns
Robert Bourns, President of the Law Society of England & Wales, spoke with Modern Law about the variety of methods and approaches firms can take to their anti-money laundering procedures to ensure they complete their due diligence and remain compliant.
Q
Why are law firms particularly vulnerable to money laundering and financial crime?
A
Criminals wishing to launder money and commit financial crimes target professionals, including law firms, for several reasons. Generally the vulnerability of the legal profession arises out of the nature of the services solicitors can provide, and the fact that solicitors handle a high volume of financial transactions, among others. For example, criminals may seek to abuse legitimate legal services provided by solicitors by engaging them when attempting to purchase real estate using the proceeds of crime, or to create complex corporate structures in an attempt to conceal the true ownership of criminal assets. Criminals might also attempt to involve a solicitor in a transaction in order to give their activities an appearance of legitimacy or credibility, or try to pass illicit funds through a firm’s client account and thereby obscure their origin. Money laundering can appear in many different forms, from sophisticated international groups attempting to conceal the proceeds of overseas corruption, through to smaller-scale money laundering by local drug dealers. As ever, unscrupulous individuals and enterprises will see benefit in subverting the reputation of the profession to their own ends. As such, it’s important for firms of all sizes to conduct a firm-wide money laundering risk assessment to ensure they’re aware of the specific risk relating to the services they provide and to undertake a rigorous evaluation of any clients requesting legal services subject to the Money Laundering Regulations 2007.
Q
What are the key warning signs of money laundering that firms should look out for?
A
Criminals are constantly developing new techniques to launder money, which means that no list of warning signs or ‘red flags’ indicating possible money laundering can ever be completely fool proof. As such, it’s essential that law firms adopt a risk based approach to identifying and preventing money laundering, in accordance with the money laundering regulations, and complete thorough due diligence checks.
When looking out for red flags, solicitors should first take a step back and consider whether there are inconsistencies in the information a client has provided and whether there is anything unusual about the client’s behaviour, the nature of the retainer or the source of the client’s funds. Some examples of possible red flags include: clients behaving in a secretive manner or relying on intermediaries without apparent reason, clients engaging a solicitor for work outside their normal area of expertise, clients unexpectedly changing their instructions without justification or offering to pay much higher fees than usual, clients operating in high risk jurisdictions where corruption or criminal activity is prevalent and transactions involving funds that are disproportionate to the client’s known income. The presence of a red flag is not necessarily a basis for a suspicion of money laundering on its own, and should always be considered in context. However, when you do identify something unusual, you should consider asking further questions of your client and taking steps to satisfy yourself that no money laundering is taking place, although being careful not to tip off or otherwise breach regulatory provisions. For further information on money laundering warning signs, including those associated with particular practice areas, solicitors should refer to Chapter 11 of the Law Society’s Anti-Money Laundering Practice Note, which can be accessed via the Law Society website.
Q
What effects will the 4th Money Laundering Directive have on the way firms conduct anti-money laundering procedures?
A
The HM Treasury has only recently published draft Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, which are currently subject to consultation. So it is not possible to be certain about all of the Fourth Directive’s effects at present. One new requirement, that has been signposted for some time, is the need for all firms to have written AML risk assessments, which must be made available to supervisory authorities on demand. The Law Society has included this new element in its training for a number of years, so it is unlikely it will take many firms by surprise.
Q
Will a central register of beneficial ownership ultimately improve customer due diligence, and are there disadvantages to the proposition?
A
It is hard to say whether the UK’s central register of company beneficial ownership will ultimately improve customer due diligence (CDD). A register is only as good as the accuracy of the data that is on it, and there are currently no plans for the data to be screened or checked on entry. It also must be noted that, by the rules of the Fourth Money Laundering Directive, firms cannot solely rely on information on the register for the purposes of conducting CDD.
Q
What is the Law Society doing to promote the importance of AML and CDD procedures to law firms?
A
The Law Society has put together a comprehensive package to promote the importance of anti-money laundering (AML) and customer due diligence (CDD) procedures, and to provide solicitors with practical support in complying with UK AML legislation. Most importantly, we have published a HM Treasury approved AML Practice Note, which sets out our view of good practice that solicitors can follow in order to comply with AML legislation. We also provide: a dedicated AML webpage with links to helpful articles and case studies, an AML ‘toolkit’ with practical information and procedural checklists solicitors can use, a bimonthly AML newsletter with a subscription in excess of 22,000, AML training events and networking groups for money laundering reporting officers across the country, and an AML Hotline, which gives advice to solicitors and receives more than 1,200 calls annually on AML issues. The best way to find out more about the importance of AML for law firms is by visiting the Law Society website.
Q
Do you believe disciplinary procedures for firms failing to comply with their AML obligations are effective enough to ensure compliance?
A
Compliance with money laundering obligations is one of the greatest challenges for solicitors in the UK today. Arguably, our solicitors face the strictest AML regime facing legal professionals anywhere in the world and can face criminal penalties for unwitting involvement in money laundering. On any objective comparative basis it would be hard to argue the potential penalties faced by lawyers for breaching AML requirements are not tough enough already. The current UK government seems to favour further increases in the scope of corporate liability in the financial crime space, which is an ongoing development that law firms must keep up with.
Q
Will Brexit have an impact on AML and CDD legislation, and will firms need to change the way they approach this?
A
The extent to which Brexit will have an impact on anti-money laundering legislation and customer due diligence procedures is unclear and probably won’t be known for at least several years. However, in the short to medium term, Brexit is unlikely to have a significant impact and it would be an error to assume that once the UK has left the European Union it will gain wide-ranging powers to set its own rules to combat money laundering. This is because the UK is a member of the Financial Action Task Force (FATF), which sets worldwide standards to address money laundering and terrorist financing. It is FATF’s recommendations that provide the foundation for the EU’s money laundering directives, which in turn have been transposed into UK law. It should also be remembered that the UK has already taken the decision to go beyond the requirements of previous EU money laundering directives and ‘gold plate’ its anti-money laundering legislation. We know that the government intends to fulfil its obligation to transpose the EU’s Fourth Money Laundering Directive, which is due to be completed in June 2017. Finally, while we cannot know what the outcomes of the government’s negotiations with the EU will be, it is possible that the UK could agree to continue to adhere to EU standards in regulating financial services, including measures to combat money laundering.
Q
How could technology help to improve protection against financial crime and money laundering?
A
One area in which technology is helping to improve protection against financial crime and money laundering is electronic identity verification. There are an increasing number of electronic verification services available to law firms to assist them with their ‘know your customer’ checks. While electronic verification can be a sufficient measure for compliance with money laundering requirements, it must be remembered that electronic identity verification will only confirm that someone exists, not necessarily that your client is the said person.
Q
How do you see money laundering changing in the future, and how will firms need to prepare for this?
A
Criminals are constantly adapting and developing new schemes in order to launder money. Therefore it’s crucial for solicitors and other professionals to keep up to date with guidance from their supervisory bodies. One area likely to pose new challenges is the development of digital currencies, and the opportunities they offer for illicit use. At present, only a handful of law firms in the UK accept bitcoin and other cryptocurrencies as payment. However, when a law firm provides a service covered by the Money Laundering Regulations it must comply with customer due diligence requirements, which could involve checking the source of a client’s funds, including where payment is made in the form of cryptocurrency.
Q
What are some of the other key risks firms need to be aware of in the next year?
A
The ability for the Law Society to keep its members up to date about current and upcoming risks relies heavily on the National Crime Agency to share useful data and intelligence on current AML trends. There are several current issues and proposed changes that firms ought to be keeping abreast of. These include: the proposed changes in the AML supervisory regime, the changes contained in the Criminal Finances Bill, the re-drafting of the UK’s National Risk Assessment and this year’s Mutual Evaluation Review of the UK by the FATF. All of these carry great relevance to law firms. The Law Society will provide updates on these issues in its AML Newsletter.
Robert Bourns
Robert Bourns is the 172nd president of the Law Society of England and Wales. He took the post in July 2016 after being voted into office as deputy vice president in 2014.
Robert has significant experience managing and developing a growing business across the UK, having been managing partner for six years, and senior partner for four terms, at TLT Solicitors. He specialises in employment law, particularly with associated regulatory law and commercial firm practice management. He also has experience practising as an advocate, having spent the early part of his career in criminal defence. Robert joined the Council of the Law Society in 2011 and is an elected member of the Management Board. He is one of five representatives for the City of London constituency, and is a member of the Law Society’s Equality and Diversity Committee. In his home city of Bristol, Robert is actively involved in a number of projects and pro bono work. He has been a trustee and chair of a Hospice for nine years, the founder and director of the Room 13 arts project and a trustee of Ablaze, a charity devoted to promoting levels of attainment and opportunity for young people in deprived areas. He is also the chair of Bristol’s Quartet Community Foundation and well-known in the area for his commitment to social justice.
FEATURES
All for One or One for All
While anti-money laundering procedures are an integral part of a law firm’s compliance, the process is overcomplicated for many firms due to the numerous platforms they are using in order to remain compliant and conduct due diligence.
This is not another tale about the Three Musketeers, but a contrasting piece about multiple suppliers delivering an overall Anti Money Laundering (AML) solution, compared to one supplier providing a complete solution.
Let’s start by first understanding the types of verification checks that could be required by regulated businesses operating in the UK. Most of these businesses will trade with UK individuals or UK businesses, and some will trade with both. With the ease and growth of online trading, an increasing number of businesses will also trade internationally with individuals, businesses or both. With this complex and varied matrix of verification requirements, it is not surprising that a raft of disparate service providers have sprung up to satisfy specific or bundles of service requirements; only one or two providers offer the whole spectrum of service on one platform. If you then consider some of the data issues, the plot thickens.
Understanding datasets
Tier 1 data provides deep coverage. It’s the most accurate, up to date and reliable data. This would typically consist of Credit Reference Agency (CRA) data, which is contributed by the Banking & Financial Sector and compiled by the CRAs. A further source of tier 1 data is the full Electoral Roll, created by local authorities, acquired and compiled by the CRAs. The Royal Mail Postal Address File (PAF) Database provides household address verification without names. These datasets form the backbone for verifying individuals in the UK.
Tier 2 & 3 datasets are likely to incorporate energy utility databases, telecoms directory databases and other private and public datasets including CCJs and bankruptcies. These datasets are typically updated infrequently, have lower coverage and are less reliable; however, they will typically be used to support lower cost solutions.
The datasets required to support UK business AML checks are of a similar nature to those used for individual checks. Tier 1 data would include the Companies House Database to provide detailed information on incorporated businesses and name only information on Beneficial Owners and Directors, as their address detail is typically the registered office address. With unique clever technology, CRA data can be used to identify Beneficial Owners’ and Directors’ home addresses, and this enables an automated electronic AML process. Tier 2 data primarily relates to unincorporated businesses, and the major source of this data is directory information such as Thomson Local and Yell (Yellow Pages). When verifying Sole Traders, these are treated as individuals from an AML verification perspective and the aforementioned CRA data comes to the rescue.
International challenge
International individual and business checks are a very different challenge, as comprehensive online data that goes to the level of detail required for AML verification is not freely available. For individuals, the use of documents and the electronic verification of those documents is much more commonplace. Business checks typically require freshly researched business reports on the target business, which explains why these are more costly. The final building block for a complete AML solution is the delivery of a global Sanction, SIP, PEP & RCA checking service. Be wary of providers that check only the HM Treasury Sanction List, as this is a fraction of the 1 million plus watch list records out there. Checking the watch lists, which incidentally change daily, is the easy part, and disappointingly most suppliers’ service stops here! Once you have a match with a prospective customer, then enhanced due diligence is required to ensure the matched person is not your new customer. This aspect of Sanction & PEP checking can consume a great deal of time and resource, and it’s much more convenient to take on another supplier that will provide this additional information. Indeed, a small number of suppliers provide this information, and 1 or 2 actually automate this part of the solution, saving you a great deal of time, aggravation and cost.
Changing watch lists
The final twist to all of this is the changes; with over 1,100 watch lists and 1 million entries worldwide, you can be pretty sure that there are some watch list changes every day. The only efficient way to deal with this is to have a daily monitoring service that checks all your existing customers and alerts you to any new matches found. The system would then automatically perform the enhanced due diligence, record and communicate the outcome to the end user and compliance management. Yes, there is one service provider that delivers this level of service. You may now start to appreciate some of the complexities when you come to procure a global AML solution. This may also explain why many organisations have contracted with multiple suppliers to provide a variety of solutions to satisfy their AML regulatory obligations. Large organisations clearly have the biggest challenges, where they are likely to endure legacy systems that continue to play a small but important part in the overall solution. The functionality from these may well be duplicated, with later solutions employed by a new MLRO or Head of Compliance or inherited from a recent acquisition, and the proliferation of part solutions is likely to continue at a pace.
There are many challenges with multiple supplier solutions, none more so than working out which system delivers the most reliable and robust result. Some suppliers will use a waterfall solution, giving tier 2 & 3 data first priority, and if available they then access tier 1 data if no result is found. This practice delivers an outcome that is typically cheaper, but is likely to be less robust than a solution driven by tier 1 data only.
Contradictions, confusion and complexities
Where multiple supplier solutions are involved, there is inevitably conflict when contradictory outcomes occur, and this may be exacerbated where different solutions are preferred and used across different divisions. The question of updates or upgrades to one supplier system is also likely to cause some amusement, at best, or confusion and additional contradiction. Training on multiple systems brings a new degree of complexity, and upgrades or enhancements to one or more systems increase that complexity to another level. Automating the processes is another challenge that is only likely to be achieved via multiple APIs, assuming of course these are available. A great deal of work by your IT Teams would also be required, again assuming this resource is available on a timely basis.
There are inherent commercial flaws in a multiple supplier strategy, one being several different agreements all terminating at different times, which makes it difficult to jump off the merry-go-round. Each supplier is likely to require an annual licence fee and minimum service revenue commitments that have to be paid each year irrespective of usage. With your AML budget spread over multiple suppliers, you will dilute your buying power and the ability to negotiate volume discounts.
The big missing word when you use a multiple supplier environment is control. It’s usually difficult for most users to synchronise multiple supplier solutions to deliver a seamless solution. This difficulty increases when you try and synchronise a joined up solution across multiple disciplines. For example, consider purchasing your individual AML checks from supplier A, your business checks from supplier B and C, your Sanction & PEP checks from supplier D; and, if appropriate, your international individual document checks from supplier E, and business checks from supplier F, who may also provide you with Sanction & PEP checks. With regard to your business checks in the UK, who provides you with the individual checks relating to Beneficial Owners and Directors? Is it supplier A, B or C? Do they all offer you a Sanction & PEP checking service and do you take them all, and if not, which supplier do you choose? How do you attempt to establish a Sanction & PEP monitoring service across these multiple disciplines, served by disparate systems and different suppliers? It can be done with a great deal of cost and internal IT development work, which is usually in very short supply and on a long waiting list.
Just imagine an AML compliance world where you input a new client’s name and address and in 3 to 5 seconds you get a completed AML outcome already checked against worldwide Sanction & PEP watch lists. That system then continues to monitor that customer record against Sanction & PEP changes for the rest of your contract life at no additional cost. If and when a Sanction & PEP match is found, automated enhanced due diligence deals with the vast majority of those cases, leaving you free to concentrate on your business. Imagine also a similar service exists on the same platform to complete and deliver business checks in 3 minutes, with full Sanction & PEP checking, daily monitoring and automated enhanced due diligence services. And that same platform will deliver your international individual and business AML checks along with the same automated Sanction & PEP service, with the daily monitoring all under the watchful eye of a real-time dashboard that tells you how many customers you are monitoring and a summary of their current status.
SmartSearch was created to give regulated businesses a single platform to perform all their Individual and Business AML verification, including PEP and Sanction checking and ongoing monitoring. Since the first search in 2011, SmartSearch has won 5 awards for technology and is used by over 1500 businesses, including 20% of the top law firms. This fast growth has been driven by continually developing the platform in response to client feedback and the ever-changing landscape of regulation. To this end, SmartSearch is already compliant with the 4th Money Laundering Directive (MLD4), which is due to be enacted into British Law in June this year.
FEATURES
It’s the thought that counts
Regular and efficient documentation of systems, processes and changes can ensure a firm remains fully organised, aware and compliant, as Eric A. Sohn details.
Producing documentation is an essential task that too often gets short shrift, especially when budgets get tight or goals get loftier. Documents, whether for short, medium or long-term use, provide a snapshot of a situation at a point in time, how a firm decided to proceed, and (optimally) why they chose that path. It improves maintainability of the status quo, aids employee alignment to corporate norms, and helps minimise the impact of staffing changes over time.
Perhaps most importantly for anti-money laundering (AML) and economic sanctions compliance functions, organisational documentation provides a bulwark of evidence against the oversight of auditors and regulators – evidence of thoughtful review and decision-making. While an outside reviewer may quibble with a company’s judgment call, documentation demonstrates that the choices were not capricious, and the reviewer response to any perceived gap is likely to be more measured than if no context had been provided. What types of documents are useful in keeping blemishes on the corporate record to a minimum, for corporate AML and sanctions compliance programs?
Policies, Procedures and Standards
These seem to be obvious things to document; what reviewer wouldn’t want to see formalised policy and procedure manuals? The larger point is that keeping demerits to a minimum relies on having standardised, repeatable parts of the compliance program, documenting those standards and (naturally) following them. Additionally, such standardisation improves quality by reducing variability, and enhances productivity. Policy and procedure documentation tells the end-to-end story of ongoing compliance processing. It should include components that document a number of different aspects of daily processing:
• Each staff member is entrusted with specific functions based on their role and resources they may use to complete their ongoing work. Documenting those roles and limits of responsibility also simplifies staff onboarding and training efforts.
• If the limits of a staff member’s autonomy are reached without resolving an open case, another person must then continue the investigation and resolution process. Escalations may also be required when a final decision is rendered, in order to effect the consequences of that decision. These may include business decisions to retain or terminate the relationship, account closures, or notification of external entities such as regulators or law enforcement. The conditions under which such escalations occur, to whom an item is escalated, and how that is accomplished so the person assuming responsibility for the case understands the actions to be taken in order to further its resolution, need to be documented so that items are handed off effectively and efficiently.
• Similarly, as alerts are determined to be valid sources of risk (or even merely very likely to be valid), other parts of the organisation may need to be made aware of them. The timing of notifications to be sent to other parts of the firm, such as legal counsel or senior management, and what level of detail those notifications contain, should be properly documented. The process by which regulatory or other external notifications are managed, and by whom, should also be memorialised and kept up to date as organisational norms and regulatory requirements change.
• Routine systems procedures require documentation as well. This may include capturing how system updates of software and compliance data are performed (and when); business continuity procedures and testing plans; procedures for any periodic processing, regular backups, and system maintenance; and reporting schedules and distribution.
• Although not a required element of this documentation, having standards for explanatory comments added during manual processing of alerts is helpful in ensuring consistency and clearly demonstrating that consistency to reviewers of the program. These can be as minimal as stressing which elements need to be contained in comments, or as prescriptive as defining a list of fixed text or codes that provide the explanation for a given circumstance.
Operational Documentation
Daily operations need to produce documentation that demonstrates that the policies and procedures produce corresponding results. It is invaluable to internal and external reviewers, being the primary resource consulted when questions arise about the handling of specific items. Documentation produced out of compliance operations includes:
• Evidence (e.g. system and/or application logs) that scheduled compliance screening or monitoring background tasks ran as expected. This includes documentation, both on a system and a per-record basis, for each discrete operation performed, such as screening against sanctions lists or PEP databases, or checking an account’s transactions against configured AML typologies.
• Audit trail information of automated and manual processing of generated alerts, including any manually-entered comments which explain why an alert was handled in that manner.
System Configuration
The functionality of compliance systems used by all but the smallest firms can be tailored. Companies should document each configurable element, the choice made for each option and a justification for that choice. Where possible, test data that backs up the justification should be included. For example, running a representative sample of data through a list screening system using various settings for the matching technology could demonstrate why the chosen setting provides sufficient rigor for the firm’s risk posture. In particular, the decision to employ false-positive reduction techniques requires careful documentation. Whether the alert to be allowed to pass unobstructed is very specific (e.g. all references to Casablanca in payments to a Moroccan bank assumed to be the city, not the sanctioned ship) or very generic (e.g. bypassing organisational acronyms like SEP or GLG), documenting each decision that assumes some level of risk is essential to minimising the likelihood of negative review comments.
Change Management
Because the potential impact of poorly implemented changes to compliance systems is so significant, change management is an area that requires extensive planning and documentation. Change management paperwork, in addition to required sign-offs from staff and/or management, needs to include plans to verify proper implementation; staff and/or management notification procedures; and contingency plans (such as reversion to prior versions of application software) if flaws are found during implementation.
Program Testing
Systems of controls require validation, both before initial implementation and for each change made to them. That is true for both internally-developed and third-party program components. The evidence of completed validation tests, and sign-offs by company management, are an important part of demonstrating that not only do things perform as intended, but that the firm understands the different possible results. It highlights additional attention to detail which, given the critical nature of risk management and compliance operations, is central to proving thoughtfulness and diligence. Program testing documentation includes:
• Use cases, which document the branches that an operational workflow process (and system flows) can take, help ensure that all process steps occur properly during normal processing. Where possible, these should include error cases to ensure that they too are handled in a predictable manner.
• Test data, to be effective, needs to be designed to exercise each branch of the designed use cases. A comprehensive set of test data, while it may require adjustment as processing requirements change, can be used for regression testing of systems and processes as well as functional testing of new features and functions.
• Documentation of test results should include the use cases, associated test data, expected result, and a sign-off when each test is successful. As well as documenting the results of testing, this documents responsibility for those results.
Training
Training is a key pillar of any compliance program, being one of only a small handful of hard requirements for AML programs. Training documentation includes a few basic elements:
• All training materials, both hardcopy and electronic, used by instructors and/or students
• Training course attendance logs, including date
• Post-training certification tests and each student’s results
• Procedures for staff who haven’t completed required training
Regulatory Change Procedures
As regulations and regulatory expectations change, they potentially need to drive change to the current program. Documenting regulatory changes, actual or perceived, and preparing an impact analysis shows a firm to be engaged and responsive to evolving regulatory needs. Implementing changes on the basis of that analysis requires the same planning and documentation as any other project.
The Little Details: Change Notation and Version Histories
Documents are dynamic; over time, as conditions, capabilities and the understanding of both evolve, so do the documents that drive the who, what, where, why and how of business. Once the initial version of each document is finalised, each subsequent version must adequately document what is being changed and why. Especially in the light of the New York Department of Financial Services’ recent regulations, which require anti-money laundering programs to be regularly reviewed and updated, it is vital to make reviewers’ jobs easier. This requires a pair of components to be part of any documentation effort:
• Each document should retain a version history that logs editor name, date, version number and reason for change
• Each section being changed must, in some way, explain what the previous version of the document contained and why it was changed
It is important to note that these elements need not be in the actual document, but must be able to be tied back to it. For example, document change management systems may be able to capture or generate these historical details of a document as it evolves.
Recycle-Me-Not
Each published version of a document is a business record from a point in time. Retaining obsolete versions of documents (or being able to generate them systematically) is important when explaining to an auditor or regulator the state of the business as of a certain date, as well as demonstrating the firm’s changing understanding of its regulatory requirements, risks and response.
Investing in Stability
Good documentation that encompasses information needed by all staff and management involved in compliance activities aims to make all aspects of the program well understood. When that goal is reached, surprises in compliance operations are minimised, which reduces error frequency and severity, and productivity increases. It even leads to greater employee satisfaction and engagement from a greater feeling of control over daily activities. Documentation needs to be recognised as a core activity, and not a peripheral one, that should be stressed in the proper construction of a compliance program.
Eric A. Sohn, CAMS, director of business product, Dow Jones Risk & Compliance, New York, NY, USA.
Digital isn’t the future. Digital is now.
Digitalisation of processes can save time, improve efficiency and help to meet constantly rising customer expectations. But, first and foremost, it is essential that firms ensure their basic compliance is in check before digitising more advanced processes, as Gary McVie warns.
Customer service is the most important remit for any business. Failure to give your customers a great customer experience can impact your brand reputation and hinder loyalty. In a fast-paced personalised era, people expect simple, instant and easy interactions. This isn’t isolated to any specific task; everything from purchasing groceries, applying for a credit card, to buying a house matters.
The challenge
It is important for any law firm to combine changes to behaviours and regulations in order to create a customer orientated strategy that drives loyalty, efficiency and compliance. With customer expectation and governance hanging over business strategy and processes, it can become a convoluted mix of services. At the front end, customer details and personal interactions may be swift, personalised and customer friendly, but then obstructed by slow, manual and inefficient processes in the background.
The rise of digital
First and foremost, digital isn’t new. The internet has been around so long most people can’t remember life without it. In fact, Experian recently commissioned a survey that suggested that those older than 65 are the biggest users of the internet when it comes to account management such as online banking. This isn’t surprising considering they were the first true adopters of digital some 30 years ago, and this amplifies the length of time it has been around. What it looks like today is very different to 20 years ago, and firms need to consider the advances and speed of change that digital provides. Society continues to embrace new uses of technology and people are increasingly turning to digital channels as a means of contracting and consuming products and services. Digital complements the pace and expectation of the customer and is a great way of enabling a quick, consumer friendly engagement mechanism. But, with digital being so broad and omitting the need for personal interactions, it needs to be embedded into all customer touch points to deliver a better experience. However, its delivery and implementation would benefit from a strategy that aligns to all processes, systems and software that organisations use for delivery. For law firms, some processes can’t be digitally administered, and therefore it is important that any digital strategy is considered amongst any governance and process needs. A good approach would be to look at the individual components and identify where digital can support and add value to the customer experience; the result could lead to less churn and higher customer retention.
Less haste more speed
With the vast majority of people working 9-5, being able to personally engage with you may cause challenges and delays. But how do you balance the need for speed with legalities? Areas like consented data sharing will make processes much quicker, for example when buying a house, as lenders can validate income and expenditure quicker in order to proceed to offer. The pressure will then be put on the conveyancer to replicate this speed of process and initiate completion much quicker. It is fair to say, however, that due to process and checks, time constraints will be outside of the direct control of the conveyancer, and therefore firms have a challenge of refining all areas within their control to improve the overall experience. Digital delivery is one area where firms can enhance the speed of process, but other areas, such as online identity validation, will also enable a faster receipt of identity documents, without missing vital checks and compromising compliance.
Know your customer
Fraud derived from legal services is often high value. Last year, mortgage fraud rose through an increase in identity theft, which puts added pressure on legal firms to ensure they know who they are dealing with and to prove they can authenticate them. In April 2016, two conveyancing firms were held jointly liable for the sale of a property where someone had stolen the real owner’s identity. Not only was this costly, but it was evidenced that neither party (buyer or seller) followed the necessary Anti-Money Laundering regulation to prevent the fraud. By and large, the days of a dedicated individual managing all customer legal affairs have passed, and you will no doubt have moved to a more skilled and specialist approach to the specific areas of law you provide. As such, getting to know the individual by personal interaction has diminished, and law firms need to consider new and compliant ways of meeting the same standard of validation by different processes. What’s important is you are assured you ‘know your customer’ and you can validate and prove your processes to enable this. It is important to not confuse excellence with protocol, and digital doesn’t replace the need for personalised and in-person contact.
Convenience vs. compliance
ID verification has changed. Today, it’s not uncommon to see fingerprints being used to authenticate access into secure accounts like bank accounts, social media accounts being used to ‘create’ new accounts, and passwords becoming a thing of the past.
Compliance is only increasing. The objective, regardless of which regulation, is generally aligned to one thing: the customer. This includes their protection, their best outcomes and the value they receive in exchange for a service. The 4th Anti Money Laundering initiative is yet to be fully outlined, and some elements within it are currently unclear. But, what is clear is the need for more rigorous checks to authenticate an individual. General Data Protection Regulation (GDPR as it is commonly abbreviated to) is another regulation that is set to transform processes in order to standardise and protect data and the individual who owns it. Fundamental changes, such as the right to be forgotten at any point, the right to be informed of data use or the right to obtain copies of a person’s personal data form the basis of its remit. This instils a more layered, uniform and customer owned approach. It also enforces better storage of data, including security, and better value from the use of data that the individual controls. These aren’t the only regulations that are being revised and developed. Compliance is an area that will continue to give organisations challenges when it comes to the process of implementation. Organisations would be wise to consider how their current processes are developed and how they can adapt them when a change happens. This will enable a consistent and adaptable strategy that doesn’t contain friction and complies with regulation.
Balancing legacy
As a result of the constantly changing landscape, businesses can’t afford to take years to develop processes to meet the customer expectation and those of the regulator. The difference in two years could be huge; businesses need to consider the future, but also the now. Legacy and long-term strategies need to be balanced to give the right mix of customer consideration and excellent customer strategies. In a world which is being heavily fuelled by data and digital, and growing, organisations need to get the basics right. These basics can develop a foundation that exceeds customer expectations. Furthermore, it can enable you to identify who you are working with and who the customer actually is; commonly known as achieving a single customer view.
The future is today
The future of ID verification is now. Businesses need to understand how they go about updating processes and replicating business models to make the change. These changes will only result in better customer retention, satisfaction and service levels. Data, digital and customer expectations are all components of the demands of today’s customer. Looking to the future, organisations should be considering strategies that are flexible, adaptable and customer focused. Firms would be best to consider the customer outcome and customer interface before the technology. Technology is evolving fast and the future may bring huge differences in how technology is contracted to deliver a need. However, it is this need that organisations need to understand; the how is second.
Gary McVie is Director at Experian Identity & Fraud.
Money Laundering Directive 4: Cleaning up UK politics – What does this mean to you?
The Fourth Money Laundering Directive will introduce due diligence for UK PEPs for the first time. John Marsden analyses why this is necessary, and how this new directive could restore faith in British democracy, from both inside and outside of the country.
The Fourth Money Laundering Directive (MLD4) will be significant to all regulated businesses based in the UK for a number of reasons, depending on their sector. However, one overriding item of significance will offer UK regulated sectors a challenge to processing and diligence efforts with the extended requirements specifically regarding Politically Exposed Persons (PEPs).
So what is this challenge, and why is it so important to the prevention of corruption and financial crimes? Some organisations are already doing what’s necessary, but I wholly expect that a raft of changes will happen in every business’s processes and systems. MLD3 introduced the definition of a PEP but excluded domestic politicians. The Joint Money Laundering Steering Group (JMLSG) guidance notes provide a further definition of a PEP, which breaks down to a political figure, including organisational involvement (outside of politics) at a national or international scale, their close relatives and associates. This has been practiced for some years, albeit under a risk-based approach, and excluded UK politicians.
The problem with UK PEPs
Going forward, under MLD4, we cannot ignore UK PEPs or their close associates and relatives. In the UK, we have a relatively simple identity without a key reference number, such as those available across nearly all other European countries. We do not have a national ID scheme and HM Government access to core identifiers, such as passport numbers (which change on each new issue of the document) or NI numbers. These are not identifiers. A UK legal identity is best classified around name, address and date of birth. Of course, address, and even date of birth, is not always available on the lists internationally and nationally, so your screening processes should be designed around the matching of name, residency, nationality and date of birth, but not so tight that you miss legitimate ‘hits’. We are working in a ‘fuzzy’ match world, where the definition of what data is used and how the data is matched becomes the single biggest concern from a compliance perspective. Are we hitting the right people all of the time? And then operationally, of foremost concern is, are we hitting the wrong people too often? After all, the cost of a false positive review is estimated by a number of bodies as between £15-£35 per case, so some will run into thousands of pounds of resource and spend. Consider this: most UK political figures and their UK relatives have UK familiar names and they all have associates, who will largely be British and therefore have names familiar to the British public. This means, to search properly and by the regulations, you are going to hit many UK people, create more false positives and spend more time and resource dealing with this aspect of the regulation.
Even if you had the systems and processes locked down to do this already, the risk-based approach should, and probably did, mean that a UK politician was of lower risk and therefore easier to dispel or to lower the levels of enhanced due diligence practiced, which means that your processes and risk assessments need to adapt to the new regime.
Why?
Now let’s take a step back. Why are we doing this? I find it intriguing that some countries, such as Spain, had already adopted a domestic screening requirement down to town and district level. And whilst not all records in the main data providers hold the national ID, it does make screening a little more precise. Why did Spain take this approach? It’s relatively simple; they needed to address political corruption and bribery. Before we assume that UK politicians are beyond such behaviour, we need to remember the expenses scandal, which included numerous members of Parliament. Whilst mostly low-level fraud, it was fraud nonetheless, and therefore all activities with regulated entities must be closely examined. Surely these individuals have a duty to be open about their financial dealings? And should have enhanced due diligence applied? And their close relatives and associates must also be examined for any signs of corruption. In some regards, this regulation is long overdue. I think we should also consider the impact of Brexit. After all, we’ll be giving powers back to UK politicians, which could increase the chance that bribery and corruption could happen at home. Cast your mind back to 2009, when a Sunday Times exposé revealed Lord Taylor’s willingness to intervene in the legal process for fees. This must be spotted and stopped. In fact, why the UK is only just implementing requirements on domestic politicians is a big question and potentially long overdue. More than ever, we need to know that our politicians are playing by the rules, and they need to know we are watching them closely. This leaves the issue on the table that our regulated sector is being forced to become an extension of the police and investigatory authorities. I can see no other way that the UK can apply such diligence without the help of the business community, and in particular businesses in the regulated sectors for money laundering. As there are so many financial dealings with many different organisations, a consistent approach across all regulated entities will allow us to ensure our economy is as clean as can be.
Getting the balance right
Dealing with the new requirements is a challenge, one in which technology can help. The choice of a screening solution and how your organisation matches against which data becomes hugely important. The balance between excessive intervention, which creates friction to the customer experience, and operational cost against the prudence our regulated sectors need to ensure we spot corruption, is absolutely vital in the running of a business. The country faces unique challenges through the understanding of a UK identity, but we can move forward with the application of the new directive without huge expense or detriment to customer experience, if we do it right. The key aspects to consider are:
• Your screening solution must be robust, inclusive of UK politicians, and the matching routines finely tuned for a UK population
• Your ability to investigate ‘hits’ should be robust and helpful to operators
• You must consider your existing customer base and the risk classifications made previously need to be re-considered
• You need good systems to monitor activity on accounts and great understanding of the ‘usual’ business you might expect from an account, particularly important where a PEP is trading with you, albeit good practice regardless.
Equifax has been carefully preparing to assist our clients with all of these challenges, as we’ve known that this regulation was coming for two years before its enforcement in June this year. It’s safe to say that the grace period and preparation has already been, so in June you need to be ready.
The bearing of Brexit
The triggering of Article 50 to leave the EU has no bearing. MLD4 is just a catch up to a global standard and indeed, the UK cannot ignore domestic political corruption, especially now we’re repatriating powers back to the UK Government. Besides which, we’ll be far from ‘out of the EU’ by June.
Besides, this is a global initiative and the UK faces the prevention of corruption alongside our peers in other jurisdictions. The UK needs to be as respectable as possible to support our reputation as financiers of the world.
What will be interesting is the UK politicians’ reactions to adopting MLD type regulations beyond EU membership. We can already witness politicians expressing disgust at the fact that they should be monitored in this way, and their close associates and relatives will also be viewed with some caution in their financial dealings.
We expect anti-money laundering directives will be regulation that remains as robust as it can be, as the UK needs to maintain parity with the rest of the world to facilitate our financial industries.
Personally, I believe the regulation is in the UK’s best interest and our politicians should embrace the fact that they’re monitored because they hold political power. Some of the blogs are wholly indicative that we as the voting public should make sure they aren’t above the law. History shows us that some are capable of abusing, and willing to abuse, their positions in order to gain financially. Those who take positions of power need to be watched closely to ensure there is a fair and equitable government in place. I do not like the fact that we have suffered scandals, such as Lord Taylor in 2009 and the huge embarrassment of the expenses scandals; the UK is in the spotlight for both domestic and international corruption. If we are to be seen as a great democracy for which we have been traditionally known, it’s up to everyone within the UK to play their part in making sure that our politicians are policed and that they know this is happening. One last passing thought, from the esteemed politician Lord Acton, back in 1887, who said, “Power tends to corrupt, and absolute power corrupts absolutely. Great men are almost always bad men.” We are about to hand almost absolute power back to Westminster. Aside from the fact we need to modernise this statement, ‘as great women can also be bad women’, I suspect it was less of an issue of sexism when Lord Acton made this statement in 1887. Let’s help those in power to be great and not bad. The MLD4 regulations make this mandatory for good reason, and embracing the sentiment behind the regulation is more fundamental to our social wellbeing now than ever before.
John Marsden is Head of Fraud and Identity at Equifax.
CASE STUDY
Electronic verification in a modern legal practice
Electronic verification is proving to be a necessity, rather than a luxury, for law firms in Scotland. With fraud on the increase, verification of identity and screening are becoming increasingly important, as Richard Farquhar explains.
The delivery of legal services is ever changing. The marketplace remains competitive, but an increase in compliance obligations means that it may not be worth any legal practice taking the time to create a proper strategy on how to manage compliance risk effectively and efficiently. Therefore, it is not surprising that more practices are looking at electronic verification as part of their arsenal against the ever increasing risks of financial crime, and ensuring they are compliant.
Knowing Your Client (KYC) has been an important part of legal agency long before the emergence of money laundering. However, with fraud on the increase and a greater use of financial sanctions, verification of identity and screening are increasingly important. Traditionally, solicitors have tended to verify identity by obtaining documentation from a customer that vouches their name, address and date of birth. This is usually a copy of photographic identification, along with some other documentation sent via post, both from a prescribed list. This is a relatively safe method of ensuring identity verification, but even then it has never been foolproof. There are high calibre forgeries and counterfeit identity documents out there that often require equipment to identify them as false, not to mention some poor quality fake documents that will reach staff that have not had regular and up-to-date awareness training. There can be a risk that the address verification is no longer current, and this does not in any way screen a client for financial sanctions or any other relevant classification. While this often will not result in sanction or liability for a legal practice, it is nonetheless an administrative burden and still carries elements of reputational risk.
Having access to electronic verification can be a useful tool to address these vulnerabilities. The benefits are numerous and include:
Ability to screen the customer to identify if they are Politically Exposed Persons (PEPs)
Under the Money Laundering Regulations 2007, there is a requirement to apply enhanced due diligence if your customer is a PEP (Regulation 14). I do not plan to turn this article into a discussion on PEPs, but there is a requirement for every legal practice in Scotland to put within their policies and procedures a statement about what they do to identify PEPs (Regulation 20 (2)(c)). The draft 4th Money Laundering Directive is going to alter the position on PEPs and it is highly likely that it will make far more people in the United Kingdom qualify as a PEP. Scottish legal practices are going to have to factor this change into their AML policies and procedures. Whether a legal practice screens or not, it will have to mention PEPs in the AML Policy. Screening for PEPs is therefore not only potentially useful from a compliance perspective, but also from knowing who your client is or who they are related to.
Ability to screen the customer to identify if they are a financial sanctions target
There are financial sanction targets living in the United Kingdom. The situation between Russia and Ukraine brought into focus the fact that sanctions can be applied to any person within any country, relatively quickly, and the profession needs to be able to manage this changing risk, especially on those rare occasions where instructions involve making payments to, or receiving payments from, foreign jurisdictions. Scotland is seeing an increase in funds coming from foreign jurisdictions, and legal practices located close to universities often find themselves instructed by students being funded by family residents outside of the United Kingdom. Is it reasonable in these situations that the practice carries out no financial sanction screening? Does any legal practice want to try to give this explanation to the Treasury after it has made funds available to a target? Anyone can view the HM Treasury’s Consolidated List of Financial Sanctions Targets for free, but this would be a separate step from identity verification and requires staff to understand how to use the HM Treasury Lists. The more work being undertaken at Client On-boarding, the less efficient the system.
Assistance in verifying identity of those not attending your office
When a customer is not physically present for identification purposes, the customer will generally need to be subject to the application of enhanced due diligence measures. Requiring your customer to see another professional to have their identification certified can be a burden on your customer, albeit this is often a necessary burden if they are unable to attend your office.
Electronic verification providers can check details provided by your customer and can be used to verify copy identification sent to the practice. This can negate the need for the customer to attend another professional, but not always, and care must be taken in this high-risk situation.
Assistance in ongoing monitoring
Whether it is carrying out part of the due diligence on a third party providing funds or reviewing or updating your customer’s status, both of these events can cause considerable work for little gain. Depending on your electronic verification provider, you can often arrange for alerts that would tell you if a person you recently did a search against becomes a financial sanction target or PEP. Depending on the information available to the provider, they may send you other useful alerts as well. Some providers allow you to carry out company due diligence and monitoring as well as making it easy to identify changes to directors or shareholders of your corporate clients. Company monitoring is available without being attached to electronic verification of identity.
Some legal practices simply use electronic verification as a supplemental check in high-risk matters, or where triggers have been identified during the risk assessment that has prompted the need to use screening. This provides additional comfort where a risk assessment has identified a potential issue.
Better data integrity
My own practice’s use of identification verification has helped us identify wrongly input data on our Practice Management Software. A failed verification report is investigated and requires a review of the matter. While it makes up a low percentage of the reasons for a fail, one of the reasons is incorrectly recorded data. This verification process can root out typographical errors, transposition errors, misreads and often that the client has accidentally provided historic rather than current data.
Electronic Verification
To be effective, electronic verification must be used correctly. Too many legal practices seem to believe ordering a verification report on their customer and placing this on the file is all they need to do to comply with the Money Laundering Regulations 2007. This is not the case, and it will still be necessary to examine risk, carry out ongoing monitoring (including scrutiny of funding) and to identify and properly manage red flag indicators.
If you are contemplating using electronic verification, make sure you understand the data sources used by any electronic verification service provider you approach, and understand exactly what you are getting for your money, as this can vary depending on the provider.
If you are satisfied that electronic verification is not for you, then consider how you might want to go about carrying out screening should the need arise. Remember, it is still important that your legal practice AML policy and procedures have a statement, even if it is just a sentence that covers what you do about PEPs.
Finally, keep an eye out for the changes to AML legislation concerning PEPs. The new legislation regarding AML should be implemented in June 2017.
Richard Farquhar is Risk, Compliance and Training Manager at Harper Macleod LLP.
With fraud on the increase and a greater use of financial sanctions, verification of identity and screening are increasingly important
Stay Ahead of Sanctions
Sanctions Ownership Research is a unique data set which identifies companies owned or controlled by OFAC (SDN & SSI) and EU listed individuals and entities, helping you go beyond literal sanctions and comply with regulatory guidance. Our research team has identified companies in over 125 countries that fit regulatory definitions and best practice, delivered in structured formats for use within your payment or client screening applications. dowjones.com/risk © 2017 Dow Jones. All Rights Reserved.
DO YOU KNOW THE TRUE IDENTITY OF YOUR CUSTOMERS?
Our AML check will confirm it in 5 seconds! Business checks take longer: 1-2 minutes. Sanction & PEP screening is automatically included in our AML service. We also include daily monitoring with automated enhanced due diligence at no additional cost.