Compliance weaknesses highlighted in Law Society of Scotland’s AML report 

The recently released annual report also emphasises the agency’s efforts to engage with issues around AML

The Law Society of Scotland just released its annual anti-money laundering (AML) report and the agency notes that it is an indicator of the “breadth and depth of its AML work undertaken in the public interest.”

The agency acknowledges that its goal is to build a Scottish legal sector effectively engaged with the issues around AML and which understands its risks and obligations. The hope is that this will compel its members to implement compliant policies, controls and procedures (PCPs) which will lead to a reduction in financial crime in Scotland.

Among the report’s key findings are areas that require improvement in understanding and underlying compliance.

These involve:

  • Little evidence that senior managers or partners engage sufficiently with AML issues such as the review and approval of PCPs
  • Insufficient detail in Practice Wide Risk Assessments (PWRAs) which means an inadequate risk-based approach
  • An absence of PCPs that demonstrate that customer due diligence (CDD) should be holistic in nature and tailored to mitigate the risks present in the client or transaction
  • Emphasis on the importance of assessing and documenting risk at a client/matter level, including nature, background, and circumstances
  • Misunderstanding of the additional measures required in higher-risk situations such as what constitutes effective Enhanced Due Diligence (EDD)
  • An inability to demonstrate understanding of the definitions and the application relevant to Source of Funds/Source of Wealth checks – and when these are appropriate
  • Misunderstanding regarding Beneficial Ownership and associated CDD requirements
  • Issues regarding compliant AML-related record-keeping and document management
  • A lack of understanding regarding the need for AML technology

“We continue to develop our supervisory regime, using an increasing variety of assurance techniques to expand our reach and coverage, and drive effective supervisory outcomes. This includes proactive use of stakeholder partnerships, intelligence and data sharing as appropriate to shape our risk-based approach to the work we do,” noted Graham Mackenzie, head of AML at the Law Society of Scotland.

The Society’s AML Team indicated that AML is not a “zero-failure regime.” This is demonstrated by a recent criminal case that came to light, following a Law Society of Scotland investigation, that involved a football club revealed to have been the target for a sophisticated money laundering operation. The criminal group involved three solicitors who exploited vulnerabilities within the clubs, took advantage of lax due diligence procedures and established a troubling nexus between criminals, football and money laundering. 

The solicitors, Iain Robertson, Alastair Blackwood and David Lyons, were aided by Mohammed Aziz and Robert Ferguson, and were all convicted and imprisoned for between 16 months and seven years. The operation involved hacking into the bank account of the owner of Derby County football club. Robertson’s law firm acted as a channel for nearly £1.5 million of illicit funds, of which almost £1 million was transferred from the account of an undisclosed millionaire football boss. The convicted individuals, including Robertson, denied the charges but were found guilty at the High Court in Glasgow.

The case highlighted the lack of robust due diligence procedures within football clubs. These criminals took advantage of inadequate security measures, exploiting vulnerabilities to gain unauthorised access to sensitive financial information. The absence of stringent checks and balances allowed the illicit funds to flow through the law firm, leaving the football club owner allegedly unaware until his bank’s fraud team intervened.

A Law Society of Scotland probe into the Robertson and Ross legal firm sparked four separate money laundering transactions. The case is a wake-up call for football clubs, and for other vulnerable sectors in Scotland beyond football, to prioritise implementing effective due diligence protocols to safeguard their financial transactions.

In its report, the Law Society of Scotland says it is continuing its supervisory action to address weaknesses. The agency says that it will do this by using its observations and findings on the thematic review as a basis for publications and materials that will help guide and support its members, such as FAQs (which it just released), toolkit items, blogs and Dear MLRO letters on specific topics. It will also conduct ongoing dialogue with firms during the course of supervisory assurance reviews. In addition, there will be AML presentations, conferences and seminars, and queries and concerns will be answered through the “AML team Mailbox and Call Queue.” The Society says that it will also release refreshed AML templates including PCPs, and Client and Matter Level Risk Assessment templates.

Read the full report here
