Why is there a crisis of AML compliance in law firms?

Data from the SRA shows less than a third of law firms are fully compliant

The SRA’s annual report highlighted a sobering statistic: less than a third of the law firms inspected (30%) are fully compliant with the anti-money laundering regime, just over half (51%) are partially compliant, and nearly a fifth (19%) were found to be non-compliant.

The compliance failures at firms which fell foul range from a lack of proper policies and procedures, to a failure to undertake robust risk assessments on the client or matter, to deficiencies in source of funds checks.

Despite repeated warnings from the regulator, firms are also still not compliant with the requirement for a firm-wide risk assessment.

One of the key reasons highlighted by the SRA is a lack of staff training, while half of firms do not update their AML policies annually, with some referring to outdated legislation or defunct government departments. This follows a recent multi-million pound fine from the FCA against a financial services firm that had policies in place referring to regulations which were twelve years out of date. 

Another reason for this crisis of compliance among law firms is inadequate CDD measures at the start of a business relationship, together with poor client onboarding. This continues with little to no on-going monitoring, in favour of a tick-box mentality and systems which allow transactions to progress without oversight or internal review.

The SRA has also found firms using off-the-shelf AML policies which are not tailored to the firm’s specific needs. With fines totalling nearly £140,000 in the last twelve months and new fixed penalty notices for lower-level breaches, the SRA has the ability to undertake enhanced enforcement against non-compliant and under-compliant firms.

Nor does the SRA have many qualms about going after larger firms. In the space of a few weeks in the summer of 2023, both Dentons and Clyde & Co were accused of AML breaches. Last year, the SRA fined Mishcon de Reya £282,500 with costs for multiple AML failings, partly for allowing a client account to be used as a banking facility.

Dentons have been accused of “failing to take adequate measures to establish client’s source of wealth and/or funds” while acting for a “politically exposed person or his associated entities between approximately May 2013 and June 2017”.

Clyde & Co have suspended the partner under investigation, who has been referred to the Solicitors Disciplinary Tribunal.

Given the failures in AML compliance at every level of the legal industry, from large firms to High Street outfits, there are legitimate questions to be asked over what is causing this crisis of AML compliance.

But the SRA offers a way out. Start with strong client onboarding and maintain good on-going monitoring throughout the relationship. Review policies at least once a year. Carry out firm-wide, client and matter risk assessments, and train all staff regularly on AML compliance.

Fighting money laundering is hard, but there is a playbook for firms to follow.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.
