SRA fines law firm for AML compliance failures

The firm was issued a £5,000 penalty following an investigation by the Solicitors Regulatory Authority into money laundering and terrorist financing risks.

In a clear demonstration of the SRA’s willingness to flex its new fining powers, the SRA has penalised Settle-based Goad & Butcher for six years of anti-money laundering failures. The firm has also had conditions imposed on its authorisation. This comes after previous efforts to bring it into compliance failed.

According to the SRA, since June 2017 the firm failed to have in place a documented and compliant firm-wide risk assessment or compliant policies, controls and procedures. This is contrary to the 2017 Money Laundering,Terrorist Financing and Transfer of Funds Regulations. The firm then failed to have sufficient regard for the SRA’s warning notice on firm-wide risk assessments in May 2019.

In June 2021, the firm agreed to terms of a compliance plan but apparently did not comply with the plan. The SRA said the firm’s conduct was “a wilful breach of its regulatory obligations which has persisted for more than five years” and had the potential “to cause significant harm to the public interest and to public confidence in the legal profession.”

The SRA stated that the firm’s persistent failure to comply with the regulations indicated that its breaches related to systemic issues within the firm. The financial watchdog noted that its conduct was likely to be repeated if conditions weren’t set.

In addition to the £5,000 financial penalty, the firm was ordered to pay costs of £600. The conditions imposed on Goad & Butcher’s authorisation are to produce a revised and compliant Firm-Wide Risk Assessment and to update the firm’s AML PCPs to ensure these are compliant with money laundering regulations. These need to be done within a month.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

“In a world older and more complete than ours they move finished and complete, gifted with extensions of the senses we have lost or never attained, living by voices we shall never hear.”