This is the sixth blog in a series to help law firms grapple with the latest Legal Sector Affinity Group (LSAG) guidance on the Money Laundering Regulations.
In this series, we looked at some key points from the LSAG Guidance on the Money Laundering Regulations 2017. This included the different types of risk assessment which firms should undertake, as well as the general importance of the risk-based approach. We also discussed the need to undertake client due diligence (CDD) on clients, and the various levels which can be applied in different situations (standard, simplified or enhanced).
In this, the last in our six-part series, we will address some of these points from a more practical perspective, and look at how technology can both save you time and help you remain compliant. We will also set out some of the potential problems posed by the use of technology, and explain how these can be averted.
CDD and ongoing monitoring
One area in which the LSAG Guidance specifically advises using technology as an aid is ongoing monitoring. In a recent blog in this series, we said that as well as applying CDD at the outset of client relationships, the Regulations also require firms to undertake some form of ongoing monitoring involving:
- An analysis of whether a client relationship – or transaction – has proceeded as anticipated, and is in keeping with your knowledge of the client’s business affairs
- A periodic review of the information and documents held in relation to a specific client.
Firms tend to deal with the first aspect of ongoing monitoring by undertaking transaction- or matter-level risk assessments. If this is completed properly and is not merely a tick-box exercise, there should be occasions where it leads to the re-evaluation of a client’s risk profile, which could, in turn, lead to applying a higher level of CDD than when the client was initially onboarded.
However, it is the second aspect of ongoing monitoring with which many firms tend to struggle. Many firms use multiple platforms as part of their AML process. With risk assessment forms and CDD documents often stored in two separate locations, and a third platform used to generate reminders, time can be wasted trying to collate and review all the information held for a particular client.
This is why a centralised AML system can be so invaluable. Risk assessments, client due diligence documents and reminders can all be handled in one system, making it easy to undertake periodic reviews on all clients, without any slipping through the cracks. A good system will also ensure clients are automatically flagged as awaiting ongoing monitoring at different intervals since their last review, depending on risk level.
In addition to assisting with AML compliance, technology can also help with data protection laws, ensuring you don’t keep clients’ personal data for longer than necessary.
‘Just in time’ training
Anti-money laundering rules are complex, and requirements can vary greatly, depending on factors such as the client entity, jurisdiction, and service you are providing. As many fee earners and compliance staff only undertake comprehensive AML training once a year, it can be hard for them to know the correct approach in every scenario. This inevitably leads to partners spending billable hours discussing the level of due diligence which should be applied, or the risk level assigned, to a particular client.
Whilst static risk assessment and CDD forms often include some guidance, time can be wasted sifting through information that isn’t relevant to the situation or fee earner at hand. A software system can use conditional logic to prompt users, with guidance notes helping them through the onboarding process, ensuring relevant information only appears when needed.
Potential pitfalls
In the second blog in this series, we looked at one problem posed by automated AML processes: inadvertently refusing clients on discriminatory grounds, such as nationality. Another potential danger with the use of technology is dealt with in a section of the LSAG Guidance entitled “Inappropriate use of scoring”. In the guidance’s example, risk is assessed across five categories (geographic, client, etc.), with each scored between 0 and 20. An automated system may only categorise clients as ‘high risk’ if their overall score is 50 or higher. However, this is problematic: if two risk factors score 20/20 and the remaining three score 3/20, the overall score is 49, so the client would not be categorised as ‘high risk’ even though there would almost certainly be some red flags with such a client. Accordingly, whilst technology can be a useful compliance aid, there are dangers to be aware of.
No matter which system you use, you should consider avoiding a fully automated process. Rather than receiving an automatically generated risk level, fee earners and compliance staff alike should be helped by a system that raises ‘red flags’ identified in any of the information they have gathered from a client. But the ultimate decision as to the money laundering threat posed by a client should be made by a human being.
How Omnitrack can help
Our AML Client Onboarding solution can help with the issues addressed in this blog:
1. Ongoing monitoring
Submissions can be amended at any time during a client relationship whenever new information is discovered, or a client’s details change. Client details can be extracted from the client onboarding form, and populated into the matter-level risk assessment. This can then be used to identify matter-specific risks and see whether they are in line with the client’s anticipated risk profile.
2. Just-in-time training
Omnitrack’s built-in guidance helps users through the onboarding process. Whilst users are initially presented with only a short summary of the rules, they are also able to access more comprehensive guidance pages by clicking on external links. This means more experienced staff need not be bombarded with unnecessary information, whilst others can receive some ‘just in time’ training when onboarding a new client.
3. Avoiding the pitfalls of automated scoring
After completing a client risk assessment, users are prompted with a suggested initial client risk level. In our template workflow, the levels are high, medium and low, but these can be customised, with further levels added if required. The automated suggestion is based on both the answers to individual risk factor questions and the client’s overall risk score, thus avoiding the “Inappropriate use of scoring” problem mentioned above.