Should you carry out an internal or external AML audit?

All UK law firms subject to the Money Laundering Regulations are required to establish an independent audit function to examine, evaluate and make recommendations regarding the adequacy and effectiveness of their practice’s anti-money laundering and counter-terrorist financing policies, controls, and procedures. This can be carried out via an internal or an external auditor.

According to the Money Laundering Regulations, an AML audit for law firms does not need to be conducted by an external auditor; however, over 50% of firms do choose this method. When the LSAG guidance is also taken into account, conducting an external audit makes a lot of sense. LSAG guidance stresses:

  • The audit should not be conducted by the firm’s own compliance team or MLRO/MLCO
  • The audit may not be conducted by the team who did the original work
  • Those conducting the audit must have expertise in Anti-Money Laundering and Terrorist Financing regulations

It is highly unusual for smaller firms to have such experts who are not already part of the compliance team that did the original work. It is also unlikely that a smaller firm will have the time to divert staff from essential business.

While a larger firm might be able to satisfy the SRA requirements without conducting an external audit, a smaller firm will often find that it must commission an external audit to ensure full compliance with the SRA's requirements.

Audits made simple, with Compliance Office

Our partners at Compliance Office have the expertise needed to help you conduct an independent, tech-enhanced AML audit, in accordance with the latest Legal Sector Affinity Group (LSAG) guidance. Their team keeps its finger on the pulse of the latest AML requirements, and your audit will be completed by former practising solicitors with many years of experience in law firm regulation, often former SRA staff.

You won’t need to worry about dedicating extra time and internal resources to this critical process and you’ll be free to enhance your compliance controls and fully adhere to regulatory requirements.

Once the audit is completed, you’ll receive a detailed report as well as an action plan that will help your firm address any weaknesses.

With years of expertise in SRA conduct, money laundering and accounts rules, as well as access to a suite of templates and training solutions, Compliance Office’s SRA consultants can assess weaknesses and solve problems with speed and efficiency. Our AML audits involve a comprehensive set of checks on your policies, files and staff knowledge, replicating SRA audits.

Contact Compliance Office

How Omnitrack can help you with independent audits

VinciWorks' AML client onboarding solution, built on our tracking and reporting software, Omnitrack, offers one central platform to complete client risk assessments, due diligence and ongoing monitoring.

Omnitrack’s AML solution enhances both the risk assessment and document collection aspects of client onboarding. Our template workflows adapt to the specific risks posed by each client, based on factors such as jurisdiction, type of entity and industry. This allows you to make informed choices about each client using the risk-based approach. Our comprehensive workflows incorporate industry-specific guidance, for example, LSAG for law firms. The flexibility of Omnitrack lets you choose the default workflow most appropriate to your business. The workflow can be customised to suit your own areas of practice and risk scoring system. Our team will guide you through every step of the process.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.