AML templates – tools or traps?
With 1 July now only a matter of months away, the pressure on many practitioners to implement an AML/CFT compliance regime alongside the daily running of practice is seeing an increasing demand for out-of-the-box, readymade solutions.
And, as is often the case when industries are faced with new regulatory obligations, self-designated experts, specialists and marketing materials are popping up in your inbox at an alarming rate.
At the end of the day, lawyers are no different to any other business suddenly faced with a new, unknown and highly demanding regulatory regime – they just want someone to tell them how to do it, and preferably how to do it cheaply and without too much effort. But here’s the rub. Lawyers – us, we – make our living advising and assisting clients manage their affairs and businesses legitimately, and how often do we sigh at that one client who wants to use the short-cut?
And so it is with AML/CFT compliance. Take shortcuts at your peril.
Two weeks ago, NZLS released a set of AML/CFT “templates”. Undoubtedly, it is a response to a huge demand and expectation from the profession, and done with the best of intentions, but I have grave reservations.
The fine print refers to the documents being samples and guides that should be adapted to a law firm’s particular circumstances but, for lawyers with limited knowledge about (or appetite for) AML/CFT, the big, bold, “get out of doing it” neon sign says “here they are, your templates to compliance”.
If you didn’t already know, I guess it’s pretty obvious now that I am not a fan of templates. But it isn’t because I think every firm needs to engage a consultant and spend months crafting an encyclopaedic-style programme. It is because I fear the consequences for those adopting the templates believing they will automatically address all the areas they need to, identify all their risks and, essentially, do their thinking for them. News flash – they won’t.
And the simple reason why is because you can’t template individual risk. You can provide guidance, you can probably provide a shell outline with prompts and cues, triggers and options – but there is no one-size-fits-all, compliant, cookie-cutter solution. At some stage, you have to get your hands dirty or, more to the point, your mind around the legislation, regulations and obligations as they relate to you and your practice. Just ask the first- phase entities.
Better still – ask all the companies internationally who have learnt this the hard way. And no, it isn’t limited to the big financial institutions like HSBC, Barclays, and Citibank (respectively, fined US $1.9 billion in 2012, £72 million and then another £284.4 million in 2015, and US $70 million in December 2017). In April last year, three partners of UK law firm Clyde and Co were fined for “honest and inadvertent” mistakes in complying with the UK money laundering regulations.
If you think I’m scaremongering, look at the advice of the supervisors. In its Q&A section, the FMA states: “Supervisors have not issued templates for risk assessments or AML/CFT programmes. This is because one size does not fit all.”
And if you need some specifics to alert you to the dangers of blindly adopting “templates”, here are a few of the areas I think create problems after a preliminary review of the NZLS documents:
1. The “MLRO”, “MLCO” and “deputy MLRO”. Any idea what each of these does, or whether you even need to have them? It isn’t in the documents anywhere I could see, and yet the terms appear variously throughout. MLRO is a term commonly used in the UK for the person appointed to file SARs, and Jersey requires both an MLRO and MLCO. For the record, our legislation refers to an AML Compliance Officer only.
2. The risk assessment template addresses risk only at industry level, rather than at the firm or practice level. The Act requires businesses to have regard to their specific risks. Section 58 does not require a reporting entity to consider factors related to its sector generally, it requires a firm to consider its clients, its services, the countries with which it deals. The template – beyond entering the firm’s name at the top – offers no prompts for details or insights into the firm’s practice against which risk might be properly assessed. Neither does it provide any clear methodology for assessing risk. In my opinion, it must be significantly adapted and extended to meet the required standard.
3. The so-called “Full Verification Form” provides limited guidance to staff, relying as many of the documents do on staff making their own decisions in reference to the supervisor’s guidance materials. More significantly, it covers only one of the three recognised methods of verification, and does not capture information about the nature and purpose of the business relationship, or the basis on which a person acting on behalf of a client is authorised.
4. The “Matter Risk Assessment” provides no methodology behind an assessment of high or increased risk, what either term means or the consequence of such a determination operationally. More worryingly, at one point it asks if the client has “been identified according to the firm’s procedures to your satisfaction”. Putting aside the fact that it is not clear from the documents what that procedure might be (as the user is simply referred to the Lawyers and Conveyancers Guideline, which does not itself specify the data sources that can be relied upon as that is a decision for each reporting entity), the form provides that if the answer is no, then the client is high risk. With respect, the client is not a high-risk client – they should not be a client full-stop. Section 37 of the Act prohibits reporting entities entering into a business relationship where CDD has not been completed.
5. The programme suggests an internal SAR reporting system. While it refers to the obligation to file an SAR within three days of a suspicion being formed, it does not in my view emphasise the likelihood that this will be triggered as soon as the internal SAR is filed. Nor does it draw particular attention to the assessment of whether, having determined the activity or transaction is suspicious, a report can be filed without disclosing privilege and if not, whether privilege is lost – all of which must also happen within the required three-day period.
6. The programme also incorrectly defines an occasional transaction as “a transaction that occurs outside of a business relationship and is equal to, or above, NZD 9,999.99”. An occasional transaction is most importantly a cash transaction, and the threshold is NZD 10,000 or more. And finally, just as a general observation, an AML/CFT programme is supposed to include adequate and effective procedures, policies and controls. This template commonly simply refers the user to the supervisor guidance which is not a firm’s policy, and doesn’t set out detailed processes and controls.
Industry bodies will invariably look to assist their members when they are faced with disruptors to business and potentially time- and cost-intensive regulation. However, the risk for practitioners who, in isolation, simply adopt these “templates” in the expectation that they will meet the required standard, is that they will fail to adequately detail, describe, explain and evaluate their risks and, as a result, implement systems and controls that are neither effective nor efficient.
Failure to comply with this legislation can have serious consequences. Punitive fines, damaged reputation, disciplinary action, loss of your practising certificate and, at worst, criminal proceedings. By all means, thank the NZLS and other professional bodies for their leadership, read and utilise what they provide, but recognise the limitations.
As for templates, I absolutely consider them traps. As prompts, aids or discussion documents, they may provide some (albeit, for the reasons discussed, limited) assistance as a tool in your own compliance exercise.
Note: since this article was written, there have been amendments made to the templates correcting certain errors. It reinforces the advice that templates should be used with caution, and the need to be aware of the version you are using.
Practitioners can learn more about their AML obligations with ADLS’ “AML/CFT Toolkit Series II”. The first session in this Series, “Audits and Assurance”, takes place on Thursday 8 March 2018. All the sessions from Series I are available On Demand. Click here for more information.