AML Templates - Tools or Traps?
With 1 July now only a matter of months away, the pressure on many practitioners to implement an AML/CFT compliance regime alongside the daily running of practice, is seeing an increasing demand for out of the box, ready-made solutions.
And as is often the case when industries are faced with new regulatory obligations, self-designated experts and specialists are popping up in your inbox and marketing materials at an alarming rate.
At the end of the day, lawyers are no different to any other business suddenly faced with a new, unknown and highly demanding regulatory regime – they just want someone to tell them how to do it, and preferably how to do it cheaply and without too much effort. But here’s the rub. Lawyers – us, we – make our living advising and assisting clients manage their affairs and businesses legitimately, and how often do we sigh at that one client who wants to use the short-cut?
And so it is with AML/CFT compliance. Take short-cuts at your peril.
Last week the NZLS released a set of AML/CFT “templates”. Undoubtedly it is a response to a huge demand and expectation from the profession and done with the best of intentions, but I have grave reservations.
The fine print refers to the documents being samples and guides that should be adapted to a law firm’s particular circumstances, but for lawyers with limited knowledge about, or appetite for AML/CFT, the big, bold, “get out of doing it” neon sign says here they are, your templates to compliance.
If you didn’t already know – I guess it’s pretty obvious now that I am not a fan of templates. But it isn’t because I think every firm needs to engage a consultant and spend months crafting an encyclopaedic style programme. It is because I fear the consequences for those adopting the templates believing they will automatically address all the areas they need to, identify all their risks and essentially, do their thinking for them. News flash – they won’t.
And the simple reason why is because you can’t template individual risk. You can provide guidance, you can probably provide a shell outline with prompts and cues, triggers and options – but there is no one size fits all, compliant cookie cutter solution. At some stage you have to get your hands dirty, or more pointedly, your mind around the legislation, regulations and obligations as they relate to you and your practice. Just ask the first phase entities.
Better still – ask all the companies internationally who have learnt the hard way. And no, it isn’t limited to the big financial institutions like HSBC, Barclays, and Citibank. In April last year three partners of UK law firm Clyde and Co were fined for “honest and inadvertent” mistakes in complying with the UK ML regulations.
If you think I’m scaremongering, look at the advice of the supervisors. In its Q & A section, the FMA states: “Supervisors have not issued templates for risk assessments or AML/CFT programmes. This is because one size does not fit all”.
And if you need some specifics to alert you to the dangers of blindly adopting “templates”, here are a few of the areas I think create problems after a preliminary review of the NZLS documents:
The MLRO, MLCO and deputy MLRO. Any idea what each of these does or whether you even need to have them? It isn’t in the documents anywhere I could see and yet the terms appear variously throughout. MLRO is a term commonly used in the UK for the person appointed to file SARs and Jersey requires both an MLRO and MLCO. For the record, our legislation refers to an AML Compliance Officer only.
The risk assessment template addresses risk only at industry level, rather than at the firm or practice level. The Act requires business to have regard to their specific risks. Section 58 does not require a reporting entity to consider factors related to their sector generally, it requires a firm to consider its clients, its services, the countries with which it deals. The template - beyond entering the firm’s name at the top – offers no prompts for details or insights into the firm’s practice against which risk might be properly assessed. Neither does it provide any clear methodology for assessing risk. In my opinion, it must be significantly adapted and extended to meet the required standard.
The so-called “Full Verification Form” provides limited guidance to staff, relying as many of the documents do on staff making their own decisions in reference to the supervisor’s guidance materials. More significantly it covers only one of the three recognised methods of verification, and does not capture information about the nature and purpose of the business relationship or the basis on which a person acting on behalf of a client is authorised.
The “Matter Risk Assessment” provides no methodology behind an assessment of high or increased risk, what either term means or the consequence of such a determination operationally. More worryingly, at one point it asks if the client has “been identified according to the firm’s procedures to your satisfaction”. Putting aside the fact that it is not clear from the documents what that procedure might be (as the user is simply referred to the Lawyers and Conveyancers Guideline which does not itself specify the data sources that can be relied upon as that is a decision for each reporting entity), the form provides that if the answer is no, then the client is high risk. With respect the client is not a high-risk client - they should not be a client full-stop. Section 37 of the Act prohibits reporting entities entering into a business relationship where CDD has not been completed.
The programme suggests an internal SAR reporting system. While it refers to the obligation to file a SAR within three days of a suspicion being formed, it does not in my view emphasise the likelihood that this will be triggered as soon as the internal SAR is filed. Not does it draw particular attention to the assessment of whether having determined the activity or transaction is suspicious, a report can be filed without disclosing privilege and if not, whether privilege is lost – all of which much also happen with the three-day requirement.
The programme also incorrectly defines an occasional transaction as “a transaction that occurs outside of a business relationship and is equal to, or above, NZD 9,999.99”. An occasional transaction is most importantly a cash transaction and the threshold is NZD 10,000 or more. And finally, just as a general observation, an AML/CFT programme is supposed to include adequate and effective procedures, policies and controls. This template commonly simply refers the user to the supervisor guidance which is not a firm’s policy, and doesn’t set out detailed processes and controls.
Want to add a caption to this image? Click the Settings icon. Industry bodies will invariably look to assist their members when they are faced with disruptors to business and potentially time and cost intensive regulation. However, the risk for practitioners who in isolation simply adopt these “templates” in the expectation that they will meet the required standard, is that they will fail to adequately detail, describe, explain and evaluate their risks and as a result implement systems and controls that are neither effective nor efficient.
Failure to comply with this legislation can have serious consequences. Punitive fines, damaged reputation, disciplinary action, loss of your practicing certificate and at worst, criminal proceedings. By all means, thank the NZLS and other professional bodies for their leadership, read and utilise what they provide, but recognise the limitations.
As templates, I absolutely consider them traps. As prompts, aids or discussion documents, they may provide some (albeit, for the reasons discussed, limited) assistance as a tool in your own compliance exercise.
 Respectively fined US $1.9 billion in 2012; £72 million and then another £284.4 million in 2015; US $70million in December 2017.