Why independent AML audits matter

The SRA requires UK law firms subject to the Money Laundering Regulations to carry out independent AML audits on a regular basis. In this blog post we’ll explain what an independent AML audit is and why it matters.

What is an independent AML audit?

An independent AML audit is an examination of a firm’s anti-money laundering systems. It is not a financial audit, but rather a test carried out by an impartial body to assess whether a firm’s AML and anti-terrorist financing policies, controls and procedures are up to date, comply with regulations, and are functioning correctly. It can be seen as one of the components of an effective anti-money laundering program.

Who needs to carry out an independent AML audit?

According to LSAG guidance, SRA-regulated law firms must carry out independent audits of the adequacy and effectiveness of their AML policies, controls and procedures “where appropriate to the nature and size of the practice”. Ultimately, each firm has to decide whether it needs an independent audit based on its size, the nature of its business, and how confident it is that those responsible for AML are ensuring the firm complies with its AML policies, controls and procedures. Usually, the larger the firm, the harder it becomes for internal AML staff, whether the Money Laundering Compliance Officer, Reporting Officer or Head of Risk, to ensure that compliance. As for the nature of the business, the firm should consider its level of risk: the more high-risk matters or high-risk clients it deals with, the more likely it is that independent audits should be done.

How often do independent AML audits need to be carried out?

LSAG guidance recommends a risk-based approach to conducting independent audits, and suggests that it is appropriate to undertake them at regular intervals, i.e. annually. As well as carrying them out at regular intervals, it may be necessary to conduct broader or more targeted audits when the practice’s risk profile, structure or services have changed since the last audit.

For certain areas, such as those found in a risk assessment to pose a higher risk, LSAG guidance recommends undertaking a targeted audit on a more frequent basis. For example, some high-risk areas might include management strategies, the alignment of the business’s policies and procedures with the regulatory framework, customer onboarding and due diligence procedures, or transaction monitoring systems and procedures.

Practices should keep a record of all audits and make these available to their supervisors on request.

What are the benefits of undertaking independent AML audits?

  • They give the business an objective, unbiased view of how effective its AML/CTF strategy is.
  • The objective, systematic report provides informed, practical recommendations that the business can put into place.
  • Carrying out regular independent audits can improve the firm’s standing with clients, investors and regulators.
  • Insights and recommendations from the audit can be integrated into the firm’s processes and procedures, raising awareness among staff throughout the firm and helping to optimise the business.
  • With regular audits, firms can ensure that any shortcomings in their AML/CTF strategy are identified and dealt with promptly, before they are found in a regulatory examination, avoiding unnecessary fines or reputational damage.

What should they be checking for?

An independent AML audit assesses whether the firm’s AML policies, controls and procedures are up to date, comply with the regulations, and function adequately in practice. Subsequent audits may also report on the firm’s progress in implementing the recommendations of the previous audit, and how well those recommendations were implemented. Auditors should also check that the practice screens relevant employees both at the pre-employment stage and on an ongoing basis, as practices are required to do.

Audits made simple, with Compliance Office

Compliance Office has the expertise needed to help you conduct an independent AML audit. Its team keeps a close eye on the latest AML requirements, and your audit will often be administered by former SRA staff.

With years of expertise in SRA conduct, money laundering and accounts rules, as well as access to a suite of templates and training solutions, Compliance Office’s SRA consultants can assess weaknesses and solve problems with speed and efficiency. Our AML audits involve a comprehensive set of checks on your policies, files and staff knowledge, replicating SRA audits.

How Omnitrack can help you with independent audits

VinciWorks’ AML client onboarding solution, powered by our tracking and reporting software, Omnitrack, offers one central platform on which to complete client risk assessments, due diligence and ongoing monitoring.

Omnitrack’s AML solution enhances both the risk assessment and document collection aspects of client onboarding. Our template workflows adapt to the specific risks posed by each client, based on factors such as jurisdiction, type of entity and industry. This allows you to make informed choices about each client using the risk-based approach. Our comprehensive workflows incorporate industry-specific guidance, for example, LSAG for law firms. The flexibility of Omnitrack lets you choose the default workflow most appropriate to your business. The workflow can be customised to suit your own areas of practice and risk scoring system. Our team will guide you through every step of the process.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.