Has the SRA shifted its focus?

The SRA updated its sectoral risk assessment. Here’s what your firm needs to consider

Money laundering and the financing of terrorism are risks to most firms and the means by which criminals target law firms to commit these crimes are becoming increasingly sophisticated. Solicitors are forced to keep pace with the methods of financial crime – to adhere to regulations and to protect their clients and the public interest. Unsurprisingly, the Solicitors Regulation Authority (SRA) encourages firms to undertake regular risk assessments.

This past March, the SRA updated its sectoral risk assessment on anti-money laundering (AML) and terrorist financing. Law firms are required to take a risk-based approach, which means that they need to assess their risks and focus their resources on the areas or products that are most likely to be used in financial crime.

In the most recent update, the SRA identified new risks:

  • vendor fraud
  • pooled client funds
  • third-party managed accounts
  • irregular methods of transferring funds

Sanctions were placed under their own risk heading, and reference was made to the risk of modern slavery in relation to cash-based industries. Additional references to AI and cybercrime were added, and the position with regard to domestic PEPs was updated.

According to Andy Donovan of Compliance Office, the point of this update is to guide law firms’ consideration of the risks posed to them. In his newsletter, Donovan notes that changes to the sectoral risk assessment do not necessarily mean changes to a firm’s firm-wide risk assessment, but it is worth checking where the SRA has shifted its focus in case your firm in particular is affected. In addition to the new risks the SRA highlighted, it is significant that sanctions were given their own risk heading; this signals the importance the regulator attaches to this area.

More recently, in May, the SRA published Anti-money laundering: Get the basics right, which reinforces the fundamentals of AML compliance. Specifically, it covers what firm-wide risk assessments and client/matter risk assessments are and how to conduct and record them, as well as customer due diligence (CDD), policies, controls and procedures, and suspicious activity reports (SARs).

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.
