What happens to law firms that breach money laundering regulations?

A leading law firm was fined £232,500 by the SRA, and ordered to pay the SRA’s investigation costs of £50,000, for breaching the Money Laundering Regulations 2017. What does this mean for AML compliance, and what lessons can other firms learn from it?

How did the law firm breach the money laundering regulations?

The SRA found that between September 2015 and September 2018 the firm in question committed serious breaches of the money laundering regulations and of the SRA’s own rules. These included the following failings.

Failure to maintain customer due diligence records

Failure to retain customer due diligence (CDD) records for the minimum period of five years: the firm believed that CDD had been obtained for certain clients, but it did not retain the hard-copy file of those documents and kept no electronic copy of the records.

Not all client documents were obtained: only some, rather than a full set, of the CDD documents were obtained in relation to a corporate vehicle.

Failure to conduct enhanced due diligence

Failure to conduct adequate enhanced due diligence, or to apply enhanced ongoing monitoring: certain transactions carried out by the firm presented a “higher risk of money laundering or terrorist financing”, but enhanced customer due diligence (EDD) and ongoing monitoring were not adequately applied.

The firm did not secure full CDD before each relevant transaction took place: the firm secured CDD in relation to the ultimate beneficial owner of a transaction but, because it opened each matter file in the name of a different entity in the corporate structure, it did not secure full CDD for each special purpose vehicle before each relevant transaction took place.

Failure to have firm-wide risk assessments in place

No firm-wide risk assessment in place: when the SRA requested a copy of the firm-wide risk assessment, the firm did not have one. A practice-wide risk assessment was not put in place until March 2019, and was not provided to the SRA until May 2019.

AML training was not carried out: a former partner at the firm had not received the mandatory training required by the anti-money laundering regulations. The training was missed because the relevant member of staff was absent, and the firm had no contingency plan for delivering AML training when such an absence occurs.

Permitting a client account to be used as a banking facility

Permitting the client account to be used as a banking facility: the firm accepted four payments into its client account that were not permitted under the SRA Accounts Rules.

Confusion over funds used to discharge the firm’s fees: the firm improperly transferred funds belonging to one entity to the client ledger of another entity; those funds were then used to discharge the firm’s fees and disbursements in relation to the latter entity.

Failure to send notifications before transferring funds out of the client account: the firm did not send a bill of costs or other written notification to the relevant entities before two invoices were raised and paid out of monies held in the client account.

How the law firm mitigated its fine

In reaching its decision, the SRA noted that certain actions taken by the firm resulted in the basic penalty being reduced by the maximum allowable discount of 40%. The mitigating factors included:

  • Cooperating with the SRA’s investigation
  • Not profiting from the breaches
  • Retrospectively providing relevant CDD documents
  • Amending internal policies and procedures
  • Introducing and investing in new, more sophisticated IT systems with more centralised record-keeping

The SRA’s 2020-2021 anti-money laundering work in numbers:

  • 273 potential anti-money laundering breaches were reported to the SRA
  • 85 firms were visited by the SRA
  • 168 desk-based reviews were carried out by the SRA

The reports of potential breaches most commonly involved:

  • No AML risk assessment
  • Failure to carry out source of funds checks
  • Failure to carry out customer due diligence
  • Failure to carry out identity checks

It was found that the main causes of AML breaches were:

  • Inadequate policies, controls and procedures
  • Lack of supervision or training 
  • Staff not following procedures
James, VinciWorks CEO, VinciWorks