This guidance is designed to help legal professionals and firms comply with the Money Laundering Regulations 2017 (as amended).
The guidance 1 The status of this guidance and terminology used 2 Background 3 High-level compliance principles 4 AML governance and policies, controls and procedures 5 AML risk assessments 6 Client due diligence 7 Technology 8 Training 9 Internal controls 10 Record keeping and data protection 11 Suspicious activity reporting 12 Other duties 13 Legal professional privilege 14 Civil liability 15 Supervision 16 Money laundering offences 17 Terrorist property offences 18 Red flags and warning signs 19 Glossary Annexes Acknowledgements
The guidance has two parts:
2b and 2c are to be read alongside part one of the guidance. 2a is designed to be read independently of part one.
The Legal Sector Affinity Group (LSAG) reviewed and redrafted the guidance following the implementation of the EU 5th Money Laundering Directive.
LSAG is made up of the legal sector’s regulatory and representative bodies:
The guidance was last updated in March 2023. Find out what's changed
HM Treasury approved the guidance in July 2022.
The addendum to the 2023 guidance provides information about changes in legislation and contains observations on best practice. It is provided as an update and to illustrate how LSAG's attitude towards regulation is developing over time.
The Money Laundering Regulations 2017 were amended by the:
The guidance replaces our practice note on anti-money laundering and previous versions of the guidance.
Browse the interactive guidance using the navigation on the left-hand side of this page or download a PDF version.
This guidance replaces previous guidance and good practice information on complying with anti-money laundering (AML) and counter-terrorist financing (CTF) obligations.
This guidance is issued by the Legal Sector Affinity Group (LSAG), which comprises the AML supervisors for the legal sector.
The authors will aim to keep this guidance up to date with new legislation as it comes into force, but this guidance cannot be regarded as a definitive statement of the law or of the effect of the law, and does not comprise, and should not be relied on as giving, legal advice.
It has been prepared in good faith, but neither the legal sector supervisors nor any of the individuals responsible for or involved in its preparation accept any legal responsibility or liability for anything done in reliance on it.
Practice units are not required to follow this guidance. However, legal sector supervisors will take into account whether a legal professional has complied with this guidance when undertaking its role as regulator of professional conduct, and as a supervisory authority for the purposes of the regulations.
You may be asked by your regulatory body to justify a decision to deviate from this guidance.
Some independent legal professionals are authorised and regulated by the Financial Conduct Authority (FCA) because they are involved in mainstream regulated activities: for example, advising clients directly on investments such as stocks and shares. Those professionals should also consider the Joint Money Laundering Steering Group's guidance.
In accordance with sections 330(8) and 331(7) of the Proceeds of Crime Act 2002, section 21A(6) of the Terrorism Act 2000, and Regulation 86(2)(b) of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, the court is required to consider compliance with this guidance in assessing whether a person committed an offence or took all reasonable steps and exercised all due diligence to avoid committing the offence.
This guidance uses “must,” “should” and “may” throughout to contextualise how to understand the various directions.
The terms have the below meanings:
Must – a requirement in legislation or a requirement of a regulation or other mandatory provision. You must comply, unless there are specific exemptions or defences provided for in relevant legislation or regulations.
Should – good practice for most situations. These may not be the only means of complying with the requirements and there may be situations where the suggested route is not the best option.
If you do not follow the suggested route, you should be able to justify to supervisors why your alternative approach is appropriate, either for your practice, or in the particular instance.
May – an option for meeting your obligations or running your practice. Other options may be available and which option you choose is determined by the nature of the individual practice, client or matter. You may be required to justify why this was an appropriate option to your supervisor.
This guidance has been written both as a result of the changes made to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 by the Money Laundering and Terrorist Financing (Amendment) Regulations 2019 that came into force on 10 January 2020 and an extensive review of the previous guidance by the Legal Sector Affinity Group (LSAG).
These iterative pieces of legislation will be referred to collectively as “the regulations” throughout this guidance.
The guidance has two over-arching goals:
It is not the intention of this document to cover every eventuality. In reviewing it, we have aimed to strike a balance between specificity where helpful and providing the tools that legal practices need in order to deal with any given scenario. The risk-based approach (RBA), which is a long-established principle within anti-money laundering (AML), acknowledges that every situation is different and that the legal practitioners and practices themselves -are best placed to understand the risks and deal with them proportionately.
The guidance is separated into two parts:
The guidance for barristers in Part 2 has been written recognising the specific nature of the bars and the risks to which they are exposed. In particular, it recognises that most barristers are self-employed, do not engage directly with the lay client and are limited by regulation in the scope of practice, which means that they do not hold client money or manage their clients’ affairs.
Barristers should read Part 2 in the first instance, drawing on Part 1 for further detail where relevant.
Likewise, the Part 2 guidance makes clear that most work undertaken by notaries (or in Scotland, solicitors acting solely in a notarial capacity) in their core role as public certifying officers will fall outside the scope of the regulations.
The regulations set out requirements which must be adhered to. These, in addition to the compliance principles below, should be viewed as the “building blocks” for creating robust AML policies, controls and procedures (PCPs).
The guidance in Part 1 and Part 2 provides additional information and support to help in adhering to these principles.
All legal practices must consider whether their business brings them into scope of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (as amended), through any of the qualifying activities but particularly those stated in R12.
If a legal practice deems itself to be in scope, it is a “relevant person” for the purposes of the regulations. We will generally refer to a relevant person as a “practice” throughout the guidance.
All relevant persons must demonstrate to their supervisor that they have adopted a risk-based approach to the management of money laundering (ML) and terrorist financing (TF) risk within their businesses.
This guidance is intended to address issues faced by relevant persons that are drawn into scope of the regulations.
The following compliance principles are the key areas to address when trying to ensure a practice is compliant with the Regulations.
Practices must have:
The practice must have clearly documented PCPs based on their practice-wide risk assessment which include:
The practice must have clearly documented PCPs based on their practice-wide risk assessment which include:
The practice must have clearly documented PCPs based on their practice-wide risk assessment which include:
The practice must have clearly documented PCPs based on their practice-wide risk assessment which include:
Where appropriate to the size and nature of the practice:
This section outlines the anti-money laundering (AML) roles, responsibilities, and appointment of senior individuals in a practice including the money laundering reporting officer (MLRO), money laundering compliance officer (MLCO), and beneficial owners, officers, and managers (BOOMs), as well as some of the structures that practices must or should put in place (such as training and independent audit.)
Note that sole practitioners will fulfil the responsibilities of all role holders mentioned in this section, but rather than having any duty to report matters internally within their practice, they must instead record such information in writing (such as records of SARs).
The regulations specify the roles and responsibilities of certain individuals in a practice. These are the:
Under R26, you must gain approval from your supervisor for all BOOMs at your practice before the practice can undertake any of the activities that fall under the regulations.
Those acting as BOOMs without approval could be subject to summary conviction and a prison term of up to three months or a conviction on indictment and a prison term of up to two years.
in relation to a practice, means a person who has control, authority or responsibility for managing the business of that practice, and includes a nominated officer (MLRO).
Without contravening or limiting the definitions in the regulations, the individuals you should particularly consider seeking approval for as BOOMs include:
The test that must be applied by supervisors is whether an applicant has been convicted of any of the offences in Schedule 3 of the regulations. If the applicant has no such conviction, the supervisor must approve the application, and can apply their own processes to assess the application.
The updated regulations require applications to include “sufficient” information for the supervisor to determine whether the test is met. You must follow the directions of your supervisor and provide them with the information they require to establish that the applicant does not have any relevant convictions (this will often take the form of a criminal record check).
Approval must be granted prior to any activity that would bring the practice or the individual into the scope of the regulations. This is equally relevant to established practices as new ones. Established practices must seek approval for new BOOMs before they take up their role.
Individuals may not be able to port their approval from one practice to another and should clarify the processes and specifics of this with their own supervisor.
If an approved BOOM is convicted of a relevant offence under Schedule 3 their approval will cease to be valid and:
When someone ceases to act as a BOOM, you should notify your supervisor within 14 days.
R21(3) requires all practices to have a nominated officer (MLRO) to receive disclosures for possible submission to the National Crime Agency (NCA) under Part 7 of POCA and TACT.
R21(6) provides that there is no requirement to appoint a MLRO if you are an individual who provides regulated services, but do not employ or act in association with anyone else. In this case, the duties of the MLRO will fall with you.
Your MLRO should be:
The MLRO may be a member of the board of directors (or equivalent senior management body) or able to attend their meetings and should be able to directly report to the board on how the practice is fulfilling its obligations and compliance work in this area.
You should consider whether the person you are appointing has access to sufficient resources in order to be able to effectively fulfil the role, especially if the MLRO is also undertaking other duties.
Practices authorised by the Financial Conduct Authority (FCA) must obtain the FCA's approval for the appointment of the MLRO as this is a controlled function under section 59 of the Financial Services and Markets Act 2000.
Your MLRO is responsible for ensuring that information leading to knowledge or suspicion, or reasonable grounds for knowledge or suspicion of money laundering is properly disclosed to the NCA. The decision to report, or not to report, must not be subject to the consent of anyone else. Your MLRO may liaise with the NCA or law enforcement on whether to proceed with a given transaction or what information may be disclosed to clients or third parties.
The MLRO has a personal responsibility to ensure they fulfil their duties and may be subject to conviction under section 331 of the Proceeds of Crime Act, 2002, for a failure to disclose information to the NCA.
A range of factors, including the type of practice, its size and structure, may lead to the MLRO delegating certain duties regarding the practice's AML/CTF obligations.
All practices must consider arrangements for temporary cover when the MLRO is absent. You may appoint one or more deputy MLROs where appropriate in order to ensure the work is sufficiently resourced and continuously covered. The MLRO and any deputies must have unrestricted and direct access to the NCA SARs online system and the internal records of SARs at the practice.
An MLRO may also be empowered with further duties under delegation from senior management or the board of the practice; however, the delegating party will retain accountability. For example, an MLRO may be appointed responsible by the board or MLCO for the creation, management and review of the practice’s PCPs under R19.
An MLRO should consider whether and in what form the content of their disclosures to the NCA should be reported to senior management or their board.
The identity of the MLRO and deputies should be known to all relevant staff and should be noted in the PCPs.
The MLRO should submit an annual report (more frequent reporting may be determined appropriate by the board or equivalent senior management body) setting out:
The MLRO may also be the appropriate person to record the AML compliance responsibilities of individuals at the practice.
In accordance with R21(8), a practice must establish and maintain systems which enable it to respond fully and rapidly to enquiries from law enforcement agencies as to:
In responding to enquiries, practices must consider the privileged nature of any information they hold before sharing it.
Record keeping that meets the requirements of the regulations will help a practice to comply with these requirements. A practice may appoint the MLRO as the lead person to act as liaison with law enforcement.
R21(1)(a) requires that where appropriate to the size and nature of the business, a practice must appoint a member of the board (or equivalent management body) or member of the senior management team (the ‘board-level person’) as being responsible for the practice’s compliance with the regulations. This role is commonly known as the money laundering compliance officer, or MLCO.
The general focus of this role is being a lead within the senior management of the practice, supporting the work of the MLRO and ensuring that the AML efforts of the practice have appropriate oversight and engagement at the highest level.
The MLCO should have:
You may appoint the same individual to fulfil both the MLRO and MLCO roles.
However, the larger, the more complex and the higher the risk exposure of the practice, the greater the rationale is for appointing separate people to the roles, in order to better resource the compliance efforts. This should be balanced against the possible advantages and synergies of having one person fulfil both.
The MLCO may delegate some of the operational aspects (though never responsibility/accountability) of the day-to-day AML compliance of the practice to the MLRO or other individuals. These delegations must be documented, and roles/responsibilities clearly defined.
When appointing people to the MLRO/MLCO roles, senior management should have regard to the risk of any possible conflicts of interest they may face (particularly with any fee-earning duties the MLRO/MLCO may retain) and address this in the policies of the practice. This may be adequately addressed by the general conflicts of interest policy in the practice.
Senior management should also have regard to the amount of resource they have dedicated for the purpose of allowing their MLRO and MLCO to adequately fulfil their duties (for example, time and access to support staff).
In considering the issue of resource, it is worth highlighting that although it may not be common practice, there is nothing to prevent MLRO/MLCO roles rotating among a group of individuals, as long as they all meet the requirements. This can be particularly advantageous when rotating the lead role (MLRO) among a group of deputies, as it spreads resource demand while also ensuring deputies are experienced at taking over the lead when required.
Senior management refers to any officer or employee of the practice with sufficient knowledge of the practice’s ML/TF risk exposure and of sufficient authority to take decisions affecting its risk exposure.
Senior management should ensure the MLRO/MLCO has:
Senior management must mitigate and effectively manage their ML/TF risks via the implementation and approval of PCPs (R19(2)(b)). Reporting by MLROs may assist senior management in their efforts to assess and address the practice’s efforts to this end.
Any decisions made by senior management on issues of AML compliance should be documented and tracked over time. The PWRA should be signed off by senior management along with all revisions of this document.
It is important that the senior management of a practice is informed and engaged with their responsibilities under the regulations. They should consider any information their MLRO/MLCO shares with them about ML/TF risk.
Senior management are also responsible under the regulations for providing approval for the practice to be able to establish or continue a business relationship with a PEP or a close family member or known associate of a PEP or to enter into business relationships with clients established in high risk third countries.
You must inform your supervisor of the identity of your MLRO (this must be a specific individual) and, where relevant, your MLCO within 14 days of appointment (R21(4)(b)).
You must also inform your supervisor of any subsequent appointments to either of those positions within 14 days. If you are operating a rotating model of MLROs among more than one person, the above requirement to inform your supervisor must be met whenever a new person takes over the lead position.
Note that an MLRO will automatically be a manager and must therefore be approved as a BOOM (R26) prior to their appointment. If you are using a rotating model, you should consider all the individuals among whom the role is rotating as BOOMs and get them approved as such.
R19 requires that practices establish and maintain written PCPs for identifying, managing and mitigating the risks identified in the PWRA (see 5.3 for more information on the PWRA) and, if separate, the proliferation financing risk assessment. The PCPs must be proportionate to the size and nature of the practice unit, documented and must be approved by senior management (this approval should be documented). PCPs should be reviewed and updated regularly. You must record all changes made to these documents over time.
The PCPs must set out your practice’s approach to practical AML, CTF and CPF compliance activities. They must be communicated and made available to all relevant employees, unambiguous and clearly worded. Their content should form one of the core elements of your relevant AML training for all relevant employees, and you must record the steps undertaken to communicate them to relevant employees within your practice.
PCPs must include procedures for the identification of matters that:
The PCPs must document the practical steps your practice will take when these instances are identified.
They must also set out your procedure for assessing and mitigating the risks of introducing new technology into your practice (see section 7).
PCPs must document the firms approach to compliance across the following areas:
Practices must ensure that they regularly review and update their risk assessment and PCPs.
Monitoring compliance will assist you to assess whether the PCPs that you have implemented are effective in identifying and mitigating risks within your practice. Issues which should be addressed include:
Practices (except sole practitioners) must also have PCPs clearly setting out the process and requirements for making a disclosure to the NCA under POCA and the Terrorism Act. For further details on suspicious activity reporting see section 11.
Where a practice is a parent undertaking of a group, it must ensure that its PCPs apply to all branches or subsidiary undertakings. This includes those located outside the UK, and all branches established outside the UK, which carry out activities that would fall in the regulated sector in the UK. Steps must be taken to communicate PCPs to all relevant non-UK branches or subsidiary undertakings.
Where the subsidiaries or branches are in an EU state, the PCPs need to reflect the requirement that that these subsidiaries and branches must follow the local law transposing the 5th Money Laundering Directive. The parent undertaking will be held responsible for the conduct of its subsidiaries and branches.
Subsidiary undertakings or branches of a parent in a non-EU country which does not impose equivalent AML requirements must ensure that they impose UK-equivalent requirements where legally allowable.
If local laws prevent application of equivalent requirements the parent undertaking must:
Practices must have:
A core principle of AML compliance is taking a risk-based approach (RBA). In short, an RBA refers to adjusting the level and type of compliance work done (frequency, intensity and/or amount), to the risks present.
In order to apply an RBA, it is necessary then to have information on the risks inherent to your practice and in any particular client or matter – and the pertinence of these risks which is why these assessments are so important.
If you have not fully assessed the risks present across your business or in any particular client or matter, you cannot then apply appropriate controls to mitigate those risks adequately and effectively.
The resulting benefits of this approach include:
Please be aware that the RBA does not apply to reporting suspicious activity, because POCA and the Terrorism Act lay down specific legal requirements not to engage in certain activities (without appropriate consent) and to make reports of suspicious activities once a suspicion is held. Equally it does not apply to the UK and international sanction regime, where requirements are absolute, as opposed to risk-based, in nature.
Being used to facilitate money laundering and terrorist financing poses many risks, including:
These risks must be appropriately identified, assessed and mitigated, like any business risks facing your practice.
Consideration should be given to the resources that can be reasonably allocated to implement and manage an appropriately developed RBA.
For example, a sole practitioner or other smaller practice would not be expected to devote an identical level of resources as a large practice. Instead, the sole practitioner would be expected to develop appropriate systems and controls and an RBA proportionate to the scope and nature of the practice and its clients.
Just because a practice is smaller and serves a smaller quantity of clients at any given time does not necessarily mean that it is lower risk. Smaller practices may be targeted more than large law practices by money launderers, as they may be perceived as lacking resources to effectively guard against them. Equally, smaller practices may practice higher risk types of work, develop a niche in services or have cultural, social or language connections or other features which may be attractive to money launderers.
Finally, it is worth keeping in mind that risk is a judgement relying on considering multiple factors holistically. Generally speaking, a single factor may not automatically make a matter or client high risk in and of itself. Exceptions include where a client or counterparty is based in a HRTC or is a PEP. It should be all the risk factors taken together that informs whether a matter or client is deemed to be high risk.
The assessing of ML/TF risk is an important requirement of the regulations and a vital step in protecting your practice. There are three important levels of risk assessment:
As new risks are identified at matter/client level, these should inform and allow the updating of higher-level assessments: the client risk assessment and/or the PWRA.
To see the infographic about this topic, please refer to the live page.The relationship between the various levels of risk assessment
Under R18(1) a practice must carry out and maintain a documented (written) PWRA to identify and assess the risk of ML/TF to which it is subject. This is separate to assessments of risk for individual clients or matters. Your PWRA must be made available to your supervisory authority upon request.
Under R18, the PWRA must address risk factors relating to:
You must also take into account information made available to you by your supervisory authority’s sector risk assessment including information published under R17 and R47, likely including the information from the national risk assessment prepared under R16.
The PWRA is the central reference point for how a practice protects itself from money-laundering and terrorist financing. The better the quality of the PWRA, the easier it will be for the practice to take a RBA to protecting their business, which allows for greater efficiency and efficacy.
The PWRA must be comprehensive, tailored to the practice, accurate and kept up to date.
For the avoidance of doubt, the PWRA must be a distinct written document. You should retain copes of all previous versions of your PWRA for reference and to evidence your continued compliance.
Your PWRA should be reviewed, discussed and approved by senior management. All steps taken to review the risk assessment must be recorded and the date of last review should be recorded.
Templates may be used and can be useful tools to help compliance. You may contact your supervisor to check if they recommend a specific template.
Some supervisors have also observed that some high-quality risk assessments have avoided a template approach, helping them to tailor the PWRA directly to the needs of the practice.
It is also worth noting that documents detailing the AML policies, controls and procedures are not in and of themselves a compliant PWRA or a suitable proxy or alternative for one. The PWRA should guide the development of effective, risk-based PCPs under R19.
As with other risks, a crucial factor when assessing proliferation financing risk is to understand the background, context and rationale of the client and the transaction the practice is being asked to undertake.
In so doing, you can then assess risks accurately and in context and take proportionate mitigation measures or implement controls as required.
Some of the service areas at heightened risk exposure to proliferation financing include:
When considering geographic risk, the two most obvious jurisdictions to consider are Iran and the Democratic People’s Republic of Korea (North Korea), due to the relevant UN security council resolutions against them.
In recent years, there has also been clear evidence of proliferation by other jurisdictions including Syria and Russia (particularly with regards chemical weapons as referred to by the UK’s Counter Proliferation Programme strategic priorities).
Other things to consider as being of high proliferation financing risk include clients or matters involving:
In assessing proliferation financing risk, you will need to address the same five aspects of risk required to be assessed in a PWRA, namely:
As well as addressing the mandatory risk areas listed in R18, and the other mandatory documents (information published by your supervisor including where relevant content from the national risk assessment) you should consider any general issues raised in SARs made by your MLRO and consult the key people (including partners, fee earners but also compliance staff or others dealing with AML-related risk assessment or administration) in your organisation to understand any risks they may have identified.
It is important to recognise that any amount of exposure to areas of higher risk may impact on the risk profile of the practice.
Your PWRA may also include consideration of:
| Practice A | Practice B |
|---|---|
| A diverse range of clients | Smaller range of clients |
| Domestic and international clients | Mostly domestic and local clients |
| Domestic/international matters | Mostly domestic and local matters |
| Many different teams/departments | One team in one office |
| Large number of non-natural clients | Mostly private individual clients |
| Non-face-to-face relationships | Mostly face-to-face relationships |
| Higher value matters | Lower value matters |
| PWRA | |
| More in-depth PWRA split by department/team and the services each team offers and clients it serves | Single PWRA for whole practice. Likely to be shorter and simpler |
Example of how risks and the written assessment of these risks may differ across two different practices
The PWRA should provide a general overview of the practice, addressing its key features, including:
| Does the practice have a high turnover of clients? |
| Does the practice mostly deal with clients face to face? |
| Does the practice act for clients across both criminal and civil matters? |
| Does the practice have clients who may be subject to simplified due diligence, such as public authorities or FCA registered financial institutions? |
| Does the practice have PEPs on its client list? |
| Does the practice have clients who run high cash turnover businesses or high-value goods businesses, or operate in higher risk sectors? |
| Does the practice undertake work for corporate clients who have complex or multiple layers of ownership, or have links to international/offshore jurisdictions? |
Sample questions to consider in the general overview section of the PWRA
The PWRA is a living document and should be kept under continual review.
A practice should undertake periodic reviews (at least every one to two years) to help maintain the accuracy of the PWRA and review emerging risks. It is also important to ensure that the PWRA reflects changes in the practice.
R18(4) requires you to record all steps taken to review the PWRA, which may include consideration of any changes to the level of risk to the practice pertaining to each of the five risk areas listed in the Regulations.
These steps may include interviews with appropriate individuals across the practice, and reviews of recent client/matter risk assessments in order to assess whether these have an impact on the overall risks to the practice etc.
You should consider triggers for a review to include:
For the avoidance of doubt, a review may determine that no changes are needed, but the review, the decision and the reasons for the decision not to change the PWRA should all be appropriately recorded.
The following risk factors should be addressed at any level of your practice’s risk assessments but must be considered in the context of your PWRA.
When assessing client risk factors, you should begin by considering your client base.
Identification of the ML/TF risks associated with certain clients or categories of clients, and certain types of work will allow you to determine proportionate controls to mitigate them.
Factors which may affect the level of risk associated with your client base are set out below and should be listed as considerations in your PWRA.
You should take into account the duration and nature of your client relationships, particularly in the context of your business.
For example, a practice whose main business is high-volume conveyancing would be expected to have a very different client turnover to practices offering boutique or specialist services to a smaller number of clients.
This may vary across the different areas of your business, and this variation should be reflected in any risk ratings you make.
If you tend to have shorter relationships and a higher client turnover, you may conclude that your practice does or will not have the opportunity to understand the client’s circumstances or background in any detail, therefore the lack of a long and/or strong client relationship meaning your practice may face greater inherent AML risk, and vice versa.
PEPs, their family members and their known close associates may present a higher risk than non-PEPs as they may be at greater risk of abusing public office for private gain and further, a PEP may use the services of the legal sector to launder the proceeds of this abuse of office.
If you act for a PEP or an entity which may be owned/controlled by PEPs, or commonly provide services which may be attractive to PEPs, you should address this directly in your PWRA and client assessments, as well as any mitigating steps you may take to guard against the risks.
Within the UK, the roles signifying that someone is a PEP are now defined in the FCA guidance (FG 17/6). Further information regarding PEPs can be found in section 6 of this guidance.
You should take into consideration the elevated risks attached to certain sectors when carrying out your assessments (see below).
Certain sectors have been identified by credible sources as giving rise to an increased risk of corruption and, in some countries, are subject to international or UK, UN or EU sanctions.
A new business in any sector that presents significant financial barriers to entry or may be seen as entering a new or unproven market should be considered as potentially higher risk.
Where an entity has access to an illegitimate source of funding, it may find it easier to establish itself in a difficult business environment. For the avoidance of doubt, a sector is not necessarily high risk simply because it has significant financial costs to entry.
Sectors that may indicate higher risk, particularly when coupled with a high-risk jurisdiction include (but are not limited to):
Clearly not all work in these sectors will be higher risk in all instances, but it is essential to be aware of the higher risks inherent in these industries so that practices can implement appropriate and proportionate CDD and ongoing monitoring procedures.
Practices should consider and document whether any of these sectors are involved as part of the client or matter risk assessment and adjust risk ratings accordingly.
Where an entity is supervised for AML itself (high value goods businesses, crypto-asset wallet providers etc.) to a comparable standard, this may be seen as presenting reduced risk.
You should consider whether your practice frequently acts for clients who operate or benefit from high cash turnover operations as these may be appealing to criminals seeking to launder money.
Non-business entities may fall into this group also, including charities, where funds are coming from multiple sources and are difficult to verify, though this may be of greater risk in a terrorist financing context.
Equally, you should consider the potential risks where a client has low cash turnover, but an unexplained large cash balance.
Geographic risk refers to the countries or geographic areas in which your business operates, receives funds from or where clients reside. It may also extend to considering any social, cultural or language ties which might increase a link to a known high risk jurisdiction country or geographic area.
In assessing this risk at PWRA level, you may want to consider the following questions:
HRTCs are listed at Schedule 3ZA of the regulations. This list will change from time to time: make sure you are using the most up-to-date version.
The regulations mandate prescriptive steps where your client is established in a HRTC or in relation to any relevant transaction, as defined at regulation 33(3)(b). See section 6 for more on this.
You should note that there may be other jurisdictions that present a high risk of ML that are not on this list.
Resources to help you consider whether a country is high risk include:
FATF in particular provides a source of valuable information on the relative risks associated with particular jurisdictions in its system of mutual evaluations, which provide an in-depth description and analysis of each country’s system for preventing criminal abuse of the financial system. It also produces a list of jurisdictions with ‘strategic deficiencies’ in their money laundering initiatives and a list of jurisdictions with 'low capacity', the latter being countries which have economic or sociological constraints preventing them from implementing AML/CTF measures effectively.
In addition, information is publicly available regarding countries that present bribery and corruption risks and those regarded as secrecy jurisdictions or jurisdictions that permit the use of nominee shareholders.
The consolidated sanctions list, also details the countries in which sanctioned individuals and organisations are based, which may also provide an indication of the relative risk of each jurisdiction.
You should list all of the countries to which your practice is exposed in your PWRA and give a risk rating to each one. Being exposed to a country includes offering services, facilitating a matter involving or having clients established in that country.
For the avoidance of doubt, prohibiting clients from outside of the UK or that are not UK-nationals, is not a requirement of the regulations. Geographic risk is primarily associated with jurisdiction, which may or may not extend to a client that has exposure to that jurisdiction, depending on the circumstances.
It is important to consider the levels of exposure your practice and any clients may have to higher risk jurisdictions. For example, a practice that has a significant proportion of its business connected to or in association with a country of higher risk, may have a greater risk exposure than a practice that only has one client, who uses only some ancillary services from that same jurisdiction. Practices should consider this along with the relative risks posed by the legal services offered to clients from such jurisdictions. On the other hand, experience of working in a high-risk jurisdiction can help practices to identify risks, while those with only a minor exposure may lack such experience and may struggle to correctly identify risks.
Increasing globalisation means the likelihood that the work you do will involve other jurisdictions and the international dimension may not always be obvious. You should bear this in mind when assessing geographic risks and whether a client or matter may involve a higher risk jurisdiction.
Country risk factors should feature prominently in a PWRA. Key issues to consider are whether the jurisdictions in which your clients, or the beneficial owners of your clients, are based or operate their businesses:
Where your clients or the beneficial owners of your clients are based or operate their business in low risk jurisdictions this should also be reflected in the PWRA.
It is also important to consider whether your practice is involved in multi-jurisdictional matters. Money launderers are commonly attracted to matters which move money or value across borders, in order to obscure ownership and frustrate investigations.
If you do not have the ability or expertise to effectively assess the risk posed by a particular jurisdiction, you should consider whether it is appropriate to continue to act in relation to clients or matters associated to those jurisdictions.
Please note that jurisdictional risk is not an assessment of a client's nationality. Not accepting business solely due to a client's nationality is unacceptable and may lead to charges of discrimination and/or create access to justice issues for your practice.
It may also be necessary to consider risks posed by non-nations that for whatever reason may pose a different risk to the nation within which they sit: for example, regional jurisdictions such as Darfur in Sudan.
You should consider the following questions:
The national risk assessment highlights that independent legal professionals face the greatest potential risks in the following areas:
Consideration should be given to whether the practice undertakes work with exposure to these risks and this should be documented in your PWRA accordingly.
Other factors to consider are the value, complexity and nature of work in these areas in the context of the client and/or the nature of the work that your practice normally undertakes.
According to law enforcement authorities and the national risk assessment, the sale and purchase of real estate is a common method for disposing of or converting criminal proceeds.
Real estate is generally an appreciating asset and the subsequent sale of the asset can provide an apparently legitimate reason for the existence of the funds. Property matters are an attractive method of laundering criminal proceeds because:
Transfers of real estate from one owner to another without the exchange of funds, may present an equal risk to the purchase of property.
You should consider the risk that criminals may attempt to misuse your client account. Putting the proceeds of crime through your client account can give funds the appearance of legitimacy, as the subsequent transfer will show as having originated from a regulated legal practice. It will also help obscure the audit trail of funds whether the money is sent back to the client, on to a third party, or invested in some way.
Introducing cash into the banking system can be part of the placement stage of money laundering. The risk of this occurring, along with the controls in place at the practice to prevent this happening, should form part of your PWRA.
Generally speaking, you should avoid accepting cash payments to your client account in relation to transactions. If you do choose to accept these as a policy of your practice, it should be considered high risk within the PWRA particularly where large in size (for example, above £1,000).
At a client or matter level, you should establish source of funds for any cash payments and treat the funds on a risk-sensitive basis.
There may be valid reasons for accepting cash into the client account (for example, access to justice or in cases of domestic disputes) reasons for accepting any cash payment should be clearly documented.
Company and trust structures may be exploited by criminals who wish to retain control over criminally derived assets while creating impediments to law enforcement agencies in tracing the origin and ownership of assets.
Criminals may ask legal professionals to create companies and trusts and/or to manage companies and trusts, to provide greater respectability and legitimacy to the entities and their activities.
Your PWRA should consider the practice’s exposure to this type of work, and the risks involved– especially where the practice undertakes complex company or trust work for clients involving higher risk jurisdictions. This is particularly important where beneficial ownership or nature of business can be obscured or anonymised, or the use of nominees or bearer shares is permitted.
Shell companies are corporate entities that do not have any business activities or assets. They may be used for legitimate purposes such as serving as a temporary transaction vehicle. However, they can also be an easy and inexpensive way to disguise beneficial ownership and the flow of illegitimate funds and so are attractive to criminals engaged in money laundering.
You should consider it as high risk if a client engages your services only in connection with the routine aspects of forming an entity, without seeking further legal advice on the appropriateness of the corporate structure and related matters.
In jurisdictions where members of the public may register companies themselves with the company registry, the engagement of a legal professional to register the company (or to use the practice's address) may indicate that the client is seeking to add the appearance of legitimacy to a company.
Other services to consider in risk assessments are:
Many practices have both an AML-compliant client onboarding (take-on) process and a separate process for those areas of activity outside the scope of the regulations. This is permissible, but it does create a risk.
The risk is that if a client is onboarded via an AML non-compliant process for out-of-scope work, and then transferred over to AML in-scope services, there is likely to be a need to apply further due diligence, in order to bring the original due diligence up to the required standard.
To mitigate this risk, practices may either have clear and robust PCPs in place to manage the transition or conduct full AML-compliant CDD regardless of the nature of the matter. This would enable a client to be transferred more easily between a practice’s out-of-scope and in-scope services.
Legal professionals may receive funds that are either overpayments, or completely unasked for deposits. You should give consideration to the possibility that any unsolicited payment or unexpected overpayment may have been engineered for the purposes of ML and treat these instances appropriately (including consideration of the submission of a SAR as appropriate).
A repayment of funds from a legal professional's account may help to legitimise the proceeds of crime.
Such instances should be recorded in an appropriate place: for example, in a client or matter risk assessment, or in the records of the MLRO.
One way to deal with such matters is to set an internal value threshold, beyond which greater consideration must be given to whether the circumstances prompt suspicion and a subsequent disclosure to the NCA. Except in exceptional circumstances, funds received in such a manner should only be returned to the source from which they were received.
R31(2) confirms that you are not prevented from repaying money deposited in your client account, provided that if you have suspicion of ML, you obtain consent/DAML from the NCA for the transaction.
If you display your client account details freely, for example, on your letterhead or a website, the risk of them being abused by criminals is greatly increased. This is something you should avoid.
| Questions to ask when assessing inherent delivery channel risk for your PWRA |
|---|
| What percentage of its business is conducted on a non-face-to-face basis? |
| Does the practice undertake work which is conducted through intermediaries or other third parties? |
How you deliver your services must be considered in your PWRA. You should consider this along the following lines:
You should consider this as a risk factor when you carry out your PWRA. You should also consider how you mitigate the risk: for example, by using an EID&V platform.
It may also extend to the remote methods (for example, telephone, email, live video) you use to contact your client, as not all methods provide the same level of anonymity. Contact that is limited to text-only should be considered as higher risk.
When you act for clients without meeting them, you must be satisfied that it makes sense in all the circumstances that you have not met the client and you should be comfortable that you can mitigate the risks of identity fraud. You should consider whether any form of EDD may be appropriate.
Use of an appropriate EID&V platform to mitigate the risks of not being able to meet a client can be helpful but is not in itself a guaranteed or automatic solution to these challenges. A clear understanding of the limitations of such tools is needed if they are to be used correctly. See section 7 for more information on this.
You should consider the types of transactions you facilitate, particularly with regards the complexity and the risk that there may be parties to the transaction that you are not able to identify.
This is a potentially complicated area of risk and you should seek to set out what are the most common types of transaction for your practice, and how you rate the risk of transactions that fall outside of these scenarios.
For example, you may want to set out the common range of values for the transaction you are normally involved with, and other characteristics such as residential conveyancing transactions in a certain area. You would want to set out the risks involved with this activity and any other common areas of practice and consider what the risk levels may be for activities that fall outside of these clearly assessed areas.
PWRAs may be based on inherent risks or can be taken further in order to identify the residual risk facing your practice, after taking into account the inherent risks and the controls and other mitigatory factors in place. Stating the inherent risks, mitigating measures, and residual risk can make it easier to review and adapt the risk assessment in future.
You may find it helpful to rate a particular risk on a three-tier basis of low, medium or high or on a more granular scale in order to better differentiate between factors and their relevance to the practice. Whichever rating system you choose to use, it is important to keep the approach consistent throughout the document to allow comparability across risk types.
Alternatively, you may wish to record the risk narratively. However, this may make a consistent approach to risk management more challenging.
While risk assessments can be useful tools, they are only as effective as their application.
Ultimately the aim of risk assessments is to help you meet the requirements that you must:
If the risk assessments are not properly used when assessing client or matter risks, or do not inform the PCPs you have in place, your practice will be exposed to the risk of abuse by criminals.
PWRAs should be the basis and cornerstone for the development of effective, risk-based PCPs under R19.
Furthermore, it should be made widely available and understood by all fee earners undertaking activities under the regulations as well as all other relevant employees.
It is not expected that a practice seeks to eradicate all financial crime risk. However, it must ensure that the PCPs adopted as a result of the assessments are appropriate in light of the risks faced. Comprehensive and documented PWRA and client/matter assessments combined with written records of decisions made on individual clients and matters will enable you to justify your decisions and actions to law enforcement and your supervisor.
For each client and matter you should (as per the FATF Guidance for a Risk Based Approach for Legal Professionals):
Regulation 28(12) states that: the ways in which a relevant person complies with the requirement to take CDD measures, and the extent of the measures taken must reflect the PWRA.
As such, you must record a risk assessment for every client you act for as a part of CDD. In doing so, you should consider which of the risk factors (detailed in section 6) are relevant in the case of a specific client, paying particular notice to where your PWRA suggests they may be high risk, or if the PWRA does not address certain risks at all. In the case of the latter you should consider reviewing and updating your PWRA to reflect the new risks.
Your initial risk assessment should always be performed at the beginning of a client relationship in conjunction with performing CDD.
However, for some clients, additional information to inform the risk profile may only emerge once further information becomes available or the relationship/matter progresses. Practices should be aware of this and incorporate this into their risk assessment procedures.
Information learned while acting for the client should also inform your client and matter risk assessment.
The better you know your client and understand your instructions, the better placed you will be to assess risks, spot suspicious activities and protect your practice.
R28(13) requires that in assessing the level of risk arising in a particular case you must take into account:
Fundamental to any assessment of client risk is an assessment of whether the client’s financial circumstances, main business activities, and source of wealth and source of funds align with the background and wider profile of the client. You should detail these considerations in your client/matter risk assessments.
Other considerations and factors relevant to client risk assessments are whether:
The above list is not exhaustive, and where such businesses are regulated for AML purposes, or traded on a publicly traded exchange, this may provide some mitigation of risk and comfort to the practice.
You should also assess and have regard to whether negative/adverse media or press coverage is apparent regarding the client. This can be readily checked by conducting research on the client (for example, via straightforward web searches) the nature and intensity of which should be done to a degree appropriate to the risks identified.
Consideration should be given to the source (including the profile of the particular media or press outlet) of allegations and its reliability/veracity, along with the relevance, timings and seriousness of any allegations.
In order to have confidence in the results of any media check, you should be satisfied that the overall CDD material for your client is reliable and allows you to identify the client and verify their identity.
Other areas of client risk tie in with matter types or types of service, including unusually complicated matters, matters that lack an obvious economic purpose or are in some other way unusual. You should consider how you might ensure that your staff can identify any warning signs alongside other relevant training as a mitigation to be recorded in your PWRA.
| Are there any features in the matter which may represent higher risk? |
| Is the matter generally complex in nature? |
| Is the matter undertaken at short notice, within a short timescale or involving high volumes? |
| Does the matter involve new sources of finance – anything unregulated for example involving crowdfunding platforms or some aspects of bitcoin/cryptocurrencies? |
| Does the matter involve trust or other legal entity company formation, management or service provision? |
| Is the matter routine for the practice, and if not, does a lack of experience or expertise add to the risk? |
| Do the source of funds or the parties to the matter frequently change? |
| Is the matter longer term in nature, or does it involve funds being locked in for substantial periods of time? |
| Is the matter publicly funded by the UK or similarly reputable government? |
| Is the matter publicly funded from jurisdictions where corruption is prevalent? |
Matter risk sample questions
Matter risk assessments should focus on the specific risk factors that a matter presents, beyond the client risks already identified.
It may not be necessary to undertake a written risk assessment for every matter. A matter risk assessment is less likely to be needed where:
Matter risk assessments will help you to consider whether you are comfortable acting and, if so, to adjust your internal controls to the appropriate level according to the risk presented. For example, different aspects of your CDD controls may be adjusted to meet the different risks identified.
If, having conducted the necessary due diligence, you assess the matter as being high risk, you may require fee earners to monitor the matter more closely.
Both client level and matter level risk factors should be considered when composing a matter-level risk assessment tied to a specific piece of work.
These factors include when:
Risk assessments should document the circumstances and the identified risks with reference to the PWRA, rate the risks, and justify these ratings with a supporting rationale. They should not be a tick-box exercise.
A category-based approach can be taken with high/medium/low ratings applicable to given categories (for example, conveyancing matters of value £1,000,000 or more are high risk). A practice may develop a client/matter risk assessment template in order to help those legal professionals making risk assessment decisions. Where this approach is adopted, internal guidance and training on the use of the template should be provided including how to assess the background and circumstances of the client and matter, and all key risk factors. Make sure that the use of a template does not lead to a tick-box approach to risk assessments.
Where legal professionals are involved in longer term matters, risk assessments should be undertaken at suitable intervals across the life of the matter on a risk-sensitive basis, to ensure no significant risk factors have changed in the intervening period (for example, new parties to the matter, changes in ownership and control, new sources of funds etc.).
When weighting risk factors, practices should take a holistic approach and make an informed judgement about the relevance of different risk factors in the context of a particular customer relationship or occasional matter.
This often results in practices allocating different ‘scores’ to different factors.
For example, a practice may decide that a client’s personal links to a jurisdiction associated with higher ML/TF risk adds seven points, but the high-risk nature of the service sought only adds five. In this way, the final score takes account of both factors in proportion.
Ultimately, the weight given to each factor is likely to vary across practices, clients and matters.
Care should be taken if using a 'matrix style' or scoring approach where there is cumulative addition of risk ratings, to produce an overall risk score. This may lead to inappropriate minimisation of serious risks in the context of lower ones.
In any scoring system, you should consider whether it may be appropriate to have automatic high-risk triggers, that make a client or matter high risk, regardless of whether they meet a score threshold or not.
In this example, there is a cumulative scoring system, with each risk area assessed out of 20.
Two factors score a maximum score but, because all the others are zero, it will not meet the threshold and be rated lower risk.
The fact that the first two categories get a maximum risk score mean that assigning an overall risk rating of low (because it does not meet the threshold) may, depending on the nature of the risks, be inappropriate.
High risk threshold = 50
Geographic risk 20/20
Client risk 20/20
Delivery channel risk 0/20
Transaction risk 0/20
Products services risk 0/20
Total score = 40/100
Where either, or both, the customer and the service are considered to carry a higher risk of money laundering or terrorist financing, it may be appropriate to consider the overall risk of the matter as high risk. You should clearly document the reasons for any deviation from this approach. Dependent on the nature of the deviation you will want to consider if this is documented on a matter-by-matter basis or as part of your PWRA.
When weighting factors, practices should ensure that:
Where a practice assesses the risk of a particular factor differently from the national risk assessment or any piece of supervisory guidance – for example, due to the nature of the practices’ mitigating activities and/or PCPs – this should be clearly documented in their PWRA.
An overall conclusion of the risk of the client/matter should always be reached after all relevant risk factors have been considered, before determining what is the overall risk category and the appropriate level of mitigation controls to be applied.
There is no prescribed approach to the recording of risk assessments. However, they must be written down so that you can evidence them to your supervisor.
What is important is that risk assessments are adequately documented, all relevant factors are considered, and decision-making/rationale is recorded. An overall risk level of the particular client/matter must be recorded, and the assessment should be signed (manually or digitally) and dated by the individual who has conducted it.
Risk assessment documentation should be kept up to date, be clear in providing an audit trail of the decision-making process, methodology and rationale – in order to demonstrate adequate consideration of risks to the practice’s its supervisor, law enforcement or the courts.
Risk assessments should be:
As per the requirements of R28(12) the result of the client and matter risk assessments will dictate the level and extent of due diligence undertaken on a client or matter.
As per R33(1) where the client/matter is assessed as being of higher risk, EDD must be applied.
In all other cases, due diligence as per the requirements of R28 and R29 must be applied.
In certain lower risk situations, SDD may be applied, in line with requirements under R37.
Further information on what this means in practice can be found in section 6.
Having assessed the ML/TF risks your practice faces, you should then consider any risk mitigating controls that you can implement to manage these risks.
You can find some common risk mitigation controls below.
Introduce a means of identifying potentially higher risk factors and do detailed internet-based research on higher risk clients and beneficial owners.
Probe, evidence and document source of funds and wealth in higher risk cases, including where shareholders have no apparent online presence, but the matter value is substantial.
Please see section 6 for further information
Always ensure that you comply with the client account rules of your regulator.
Prohibit the use of your client account without delivery of accompanying legal services and include a process to ensure that information about all payments is cross-checked where possible.
Ensure completion of CDD before taking money on account, including adequately understanding the matter.
Avoid disclosing your client account details until you are ready to accept a payment/transfer and discourage clients from passing the details on to third parties. Ask them to use the account details only for previously agreed purposes.
Prohibit or restrict cash payments. Large payments or a series of smaller payments made in actual cash may be a sign of money laundering.
You should consider establishing a policy of never accepting cash payments. If this is unavoidable, you should set a limit above which you will not accept cash payments.
Clients may attempt to circumvent such a policy by depositing cash directly into your client account at a bank. You may consider advising clients in such circumstances that they might encounter a delay in completion of the final matter or in the return of their funds.
If a cash deposit is received without solicitation, you should consider making a disclosure to the NCA.
Where money is accepted into the client account in respect of a matter or from a client on account and the matter is aborted, carefully consider the level of risk analysis and CDD conducted at the outset, the legitimacy of the matter and the parties to it, and the circumstances of the aborted matter. You should not return funds without considering the need to make a SAR.
You should only return funds to the original sender of those funds and not to any other designated person except in exceptional circumstances (for example, the death of the individual).
Ensure appropriate checks are made and the rationale for and size of a matter and any payments into your accounts by third parties is clearly understood before any third-party payments are accepted into the client account. You should make enquiries into sources of funding from other parties and always be alert to warning signs.
Seek to understand all aspects of the matter, including undertaking appropriate due diligence on the parties involved in line with regulatory requirements, and understanding the source of funds/source of wealth used.
Keep up to date with emerging issues. It may be useful to review resources from relevant regulators in other countries to supplement knowledge in this area.
Provide information and/or training, where appropriate, to staff on these updates so that they are better equipped to spot issues.
Be aware of higher risk jurisdictions where ownership may be concealed.
If a prospective client simply requests you to undertake the mechanical aspects of setting up a trust, company or charity, without seeking legal advice on the appropriateness of the company structure and related matters, you should conduct further investigation.
Ensure you understand the entities concerned, including, where relevant, source of funds and wealth of the trust or company to minimise the ML risk.
Provide information and/or training, where appropriate, to staff on possible red flags and their duties as a company/trust manager.
Seek to understand the commercial rationale/reason for the matter structure.
If you have been asked to sit on the board of an entity in another country, you should consider asking a trusted and knowledgeable source with local knowledge whether it is consistent with local/cultural norms or if there is a legal reason. If you do need to rely on another source to advise you in this way, you should consider whether you have appropriate expertise to be working in this area.
The practice must have clearly documented PCPs based on their practice-wide risk assessment which include:
Undertaking appropriate client due diligence (CDD) is required under R27, and is one of the key controls you have, to protect your practice from money laundering and terrorism financing (ML/TF) risks.
CDD is the collective term for the checks you must do on your clients, which may differ depending on the circumstances. It is holistic in nature, and is wider than simply undertaking identification and verification of clients.
Aside from any specific CDD requirements you must take under the regulations, the amount, type and level of CDD undertaken should reflect and mitigate the nature of particular risks inherent in each client, transaction or matter.
Practices must be able to demonstrate to their supervisory authority that these CDD measures are appropriate in mitigation of these risks, by recording their reasoning and actions in this regard.
Useful information in regard to understanding the nature and purpose of a relationship may include:
Beyond adherence to the regulations, there is a natural incentive for practices to establish with confidence who their client is and the details of any transaction they are involved in or facilitating. It will protect them from unintentionally facilitating a range of financial crimes or being defrauded themselves.
Identifying and verifying clients, is also essential for a practice to be able to accurately report suspicious activity to the National Crime Agency (NCA), identify politically exposed persons (PEPs) or other high-risk individuals, and ensure the practice is not undertaking business in breach of applicable sanctions regimes.
In relation to CDD, the policies, controls and procedures (PCPs) of your firm should be set out clearly, in writing in a way that is accessible to all relevant staff in your practice.
There is no provision in the regulations for waiving CDD requirements on the basis of long-standing or personal relationships. Taking this approach will not satisfy the requirement to undertake independent verification, though these factors may inform your risk-based approach.
You are required to apply CDD for services in scope of the regulations when:
The regulations as amended prescribe further situations where you must re-apply CDD for existing clients. These arise when you have any legal duty in the course of the calendar year to contact a client to review information:
The duty also arises where a practice has a duty to contact the client under the International Tax Compliance Regulations 2015.
There may be several indicators that a client is establishing a business relationship, as opposed to the matter being an “occasional transaction” including but not limited to:
The definition of business relationship under the regulations requires the legal practitioner to have an expectation at the time the contact is established, that the relationship will have “an element of duration” (R4). This should be interpreted in the broadest sense, as it is reasonable to assume that any legal professional will have an expectation of possible further business from any initial contact made with a client. When dealing with a client for the first time, you should assume that a business relationship is being formed unless you has explicit reasons to know that this is not the case: that there will not be an “element of duration.”
The nature of the relationship should be recorded in the client risk assessment. Any reasons for not applying CDD must be clearly recorded and this will in practice be in the rarest of exceptions.
For the avoidance of doubt, any company formation on behalf of a client immediately implies the establishment of a business relationship as per R4(2).
A transaction that falls outside of a “business relationship,” is known as an occasional transaction.
By definition it can only apply where a practice-client relationship lacks an expectation of an “element of duration”. For this definition to apply, the relationship must be limited to a single service provided at a certain point in time.
It will still be necessary to undertake CDD for an occasional transaction where it has a value of 15,000 Euros or more. This 15,000 figure only relates to the sums involved in the transaction(s) and does not include legal fees or distributions.
Due to the ongoing duties a practice would have in most foreseeable circumstances, this definition is not likely to apply to the relationship between a legal practice and a client for any transaction.
It may apply in the case of a limited ancillary service, provided as a one-off or in some examples of notarial work in particular. Please see Part 2 for more information on notarial work.
If your client is represented by an intermediary, agent or representative (someone purporting to represent them), you must comply with R28(10) and identify and verify the intermediary's identity and their authority to act on behalf of your underlying client.
Examples of someone purporting to represent might include:
In the absence of factors that give rise to a concern, an employee of a company would not be considered to be ‘purporting to instruct’. A risk-based approach should be taken to the level of identification verification applied. Authority to instruct can be addressed by an engagement letter or equivalent but it should come directly from the underlying client (including where instructed by an employee of the company).
Even where someone does not purport to act on someone else’s behalf, you should consider if it is possible there may be an underlying client that is the recipient (potentially by proxy via another professional service provider) of your services on more than a single isolated basis. If you think this is possible, you should satisfy yourself that you have identified and verified who the underlying client is or establish a suitable reliance arrangement with the professional you are dealing with.
You should ensure you understand who your client relationship is with. There may be times when an intermediary is your client (in that your contract is with them) but the intermediary’s client is the ultimate beneficiary of your work and advice. The regulations make clear that a “beneficial owner” is the individual on whose behalf a transaction is being conducted and you should treat such a client as a beneficial owner, including undertaking reasonable measures to identify and verify their identity. This is different to a situation where an entity refers a client to you (see below).
Where the intermediary is an entity, you may consider whether you need to undertake ultimate beneficial ownership checks on a risk-based approach.
See 6.14.9 for how to identify and verify individuals in these situations.
The difference between the circumstances described in 6.6 and making referrals to another practice is described in the below table.
This table relates to solicitors only – for arrangements relating to barristers and advocates, please consult the relevant section in Part 2.
If you are instructed by a law firm, or other professional intermediary, the law firm/professional intermediary are your client, and you will need to undertake CDD on them.
If the effective beneficial owner of the advice is that law firm's/professional intermediary's client, you should consider the risks and identify/verify their client as you would any other ultimate beneficial owner. This could include understanding the checks the intermediary has carried out.
Where a legal practice or other intermediary refers a client to you and you have the direct relationship with the client, you should treat the referred entity as the client and carry out CDD on them as the client in the usual way.
You may wish to consider, having regard to the risks (and regulated status of the referring entity), whether a reliance agreement with the referring entity is appropriate in the circumstances.
CDD must be completed before you:
A legal practice should ensure that CDD has been completed as early as possible, before any money has been taken from the client, though money on account of costs/fees may be accepted on a risk-sensitive basis.
Conducting CDD as early as possible also helps you to avoid any delays further along in the matter and will help you in your duty to report suspicious activity, at an early stage. This can help protect you from needing to submit a suspicious activity report (SAR) seeking a defence against money laundering (DAML) to return funds that have been paid into your client account, where you have a suspicion the funds may be the proceeds of crime.
R30 requires you to verify your client's identity, the identity of any person purporting to act on their behalf and that of any beneficial owner, before you establish a business relationship or carry out a transaction which amounts to 15,000 Euros or more (subject to R30(3)(a)).
R31 provides that if you are unable to complete CDD in time, including identification and verification, you must:
For the avoidance of doubt, you should consider a failure to apply CDD under R28(10) (persons acting as agents) as also triggering the above requirements in R31.
If you are unable to complete CDD, you must in addition to terminating any existing business relationship consider making a disclosure to the NCA.
You cannot seek consent from the NCA to proceed with a transaction solely because you have been unable to complete CDD measures as required by R28 and reporting a matter to the NCA is not a substitute for your responsibility to complete CDD. Although you should consider making a disclosure to the NCA where you have been unable to complete CDD, this does not mean you are automatically required to submit a SAR. For further information refer to section 11.
There are exceptions to the timing requirement and the prohibition on acting for the client until CDD has been completed.
Where there is a delay in completing CDD you should consider why, and whether this gives rise to a suspicion which should be disclosed to the NCA.
A practice should document any occasion where CDD was delayed in the matter risk assessment and take appropriate mitigatory steps in order to manage any risks this may create.
In the event that you think either of the below exceptions apply, you should consider and record your reasoning as to why.
However, when acting for a:
you must collect proof of registration (for example, via the client) or an excerpt from the relevant register before commencing a business relationship even when relying on an exception to the timing requirement.
R30(3) provides that verification of the client and the beneficial owner may be completed as soon as practicable after contact is first established, during the establishment of the business relationship if:
This should be considered in the context of the points in 6.8 of this guidance.
If there is little risk of money laundering (due to the nature of the client or transaction) thus allowing a delay in CDD completion, the reasons for this view must be included in the client and/or matter risk assessment, along with any mitigations you have put in place for this.
Consider your PWRA when assessing which work, if any, can be undertaken prior to verification being completed. This exception does not apply if your matter is an occasional transaction.
R31(3) provides that the prohibitions in 31(1) do not apply where:
"An independent legal professional or other professional adviser is in the course of ascertaining the legal position for their client or performing the task of defending or representing that client in, or concerning, legal proceedings, including giving advice on the institution or avoidance of proceedings."
We interpret this to mean that this exception does not generally apply to transactional work but may be relevant when considering work undertaken as a tax adviser or when ascertaining the legal position an anticipation or preparation of early stages of transactional work or early stages of representation or provision of legal advice on other topics.
R28 requires that you must:
Identification of a client or a beneficial owner is simply being told or otherwise coming to know a client's identifying details, such as their name and address.
Verification is obtaining evidence which supports this claim of identity.
R28(12) provides that to comply with the requirement to take CDD measures, you must reflect:
Verification should be completed on the basis of documents or information which come from a reliable source, independent of the client. There are a number of ways in which you may verify a client's identity including:
You need a reliable source(s) to verify your client’s identity, which is independent of the client: for example, a passport or driver’s licence, or, in the case of a corporate entity, evidence of registration from the relevant registry or reputable company services provider.
You are permitted to use a wider range of sources when verifying the identity of the beneficial owner and understanding the ownership and control structure of the client.
Sometimes only the client or their representatives will be able to provide you with this information. You may consider whether the documents or information should be certified as accurate by a professional regulated for AML to an equivalent standard.
R28(9) confirms that the register of people with significant control, or the confirmation statement, which is published on the Companies House website, cannot be solely relied upon for the purpose of identifying or verifying the identity of the beneficial owner of a company or LLP client. Remember, if you are not satisfied with the information you have on the identity of your client/beneficial owner, you should not undertake business with that client, (or cease business if an existing client) as per the requirements of R31.
Documents should be in date if an expiry date is given, and recently dated (taking a risk based approach) if no expiry date is given. Expired documents should not be relied upon in the absence of any others but may be useful in support.
You must not ignore obvious forgeries, but you are not required to be an expert in forged documents. You may however consider providing relevant employees with appropriate training and equipment to help identify forged documents where relevant to the processes of your practice where proportionate to the risk.
You may make use of guidance on how to identify a forged document from the issuing body, or a similarly reputable source. For example, the Passport Office issues such information, and current bill formats are available on utility provider websites.
As technology has developed, use of electronic identification and verification (EID&V) tools have become more common. While you can never outsource your ultimate responsibility, EID&V tools can be useful in protecting your practice.
R28 sets out minimum requirements for EID&V processes to be regarded as reliable sources in applying CDD.
Meeting the definitions in the (R2014/910/EU of the European Parliament and of the Council of 23rd July 2014) as below:
Electronic identification – means the process of using person identification data in electronic form uniquely representing either a natural or legal person, or a natural person representing a legal person.
Trust service – means an electronic service normally provided for remuneration which consists of:
– and being secure from fraud, misuse and capable of providing an appropriate level of assurance that the person claiming a particular identity is in fact the person with that identity, to a degree that is necessary for effectively managing and mitigating any risks of money laundering and terrorist financing.
There is further information available on this in section 7.
The name, date of birth and current address of a natural person should all be identified and p ractices may use government photo-card identification (including passports or driving licenses) to verify these details.
To do this, you should obtain either:
The requirement to obtain suitable verification should not preclude access to legal services, especially to vulnerable, elderly or disadvantaged clients. In these situations, where it is not possible to obtain such documents, consider the reliability of other sources and the risks associated with the client and the matter. See the “Clients unable to produce standard documentation” section below.
Where you are reasonably satisfied that an individual is nationally or internationally known, for example, because they are a public figure or a well-known celebrity (that you can confidently recognise them as the person they are purporting to be), a record of identification may include a file note of your satisfaction about identity, including an address. You should consider whether the individual may be a PEP, or family member or known close associate of a PEP.
The following sources may be useful for verification of UK-based clients:
Where you are provided with an electronic copy of a document (such as a downloaded bank statement) you should continue to take a risk-based approach while being conscious that its value as proof of address may be less than a standard hard copy.
Part of the reason to accept documents such as a hard copy posted bank statement and letters from government agencies is to demonstrate that the individual has access to the property to which they were delivered. Part of that comfort is removed when print outs of electronic statements/bills are used. This does not mean that such print-outs cannot be accepted but this loss of comfort should be considered on a risk-sensitive basis.
If documents are in a foreign language, you should take appropriate steps to be satisfied that the documents in fact provide evidence of the client's identity and more generally that you understand what they say. Unless you have a sufficient level of understanding of the language, you should consider engaging the services of a translator.
You should be mindful that some aspects of an individual’s identity (particularly name and/or sex) may change over time for entirely legitimate reasons, for example due to a change in sex or gender, or due to other life events such as a marriage or discretionary change of name. Such changes should not be used as a reason to withhold legal services in isolation, or necessarily interpreted as an indicator of higher AML risk.
In the case of persons you cannot meet face-to-face, consideration should be given to any geographic/jurisdictional (which could be at a regional or national level) risks this may present (see risk assessment section of this guidance for further information).
The client's address may be identified or verified via:
When you do not meet the client, you should consider the reason for this and whether this represents an additional risk which should be taken into account in your risk assessment of the client and the extent of the due diligence measures you apply. EID&V may be a particularly useful tool in these circumstances.
Sometimes clients are unable to provide standard verification documents. The purpose of the regulations is not to deny people access to legal services for legitimate transactions, but to mitigate the risk of legal services being used for the purposes of ML. You should consider whether the inability to provide you with standard verification is consistent with the client's profile and circumstances or whether it might make you suspicious that ML/TF is occurring.
If you decide that a client has a good reason for not meeting the standard verification requirements, you may accept a letter from an appropriate person who knows the individual and can verify the client's identity.
Where other professionals use your services, in their capacity as a professional (for example, when representing a client or on behalf of their practice) you may consider using simplified due diligence (SDD) as per R37.
Where other professionals use your services in their capacity as a private individual, you will still need to complete full due diligence on them as you would with any other private individual. In order to verify their identity and business address you may consult their professional directory or register along with other sources. Being a regulated professional should not lead to automatic treatment as being low risk in all cases.
You may consider the section on SDD in this context.
In accordance with R28(10) where a person (the intermediary, agent or representative) purports to act on behalf of your client, you must:
Someone employed by your client (depending on their position or seniority) or a director of your client may be considered as having apparent or ostensible authority to provide instructions on behalf of the client, though you may seek comfort of this on a risk sensitive basis. They should not be considered to be intermediaries, agents or representatives.,Where it is not clear or apparent what their authority to instruct on behalf of the client is, CDD should not be considered to be complete.
For further information please also refer to 6.6 and 6.7.
R28(3A) states that where the customer is a legal person, trust, company, foundation or similar legal arrangement the relevant person must identify the customer and take reasonable measures to understand the ownership and control structure of that legal person, trust, company, foundation or similar legal arrangement.
This requirement means tracing ownership back to any ultimate beneficial ownership of the entity by a natural person(s). You must then take reasonable measures to verify the identity of the beneficial owner.
"Reasonable measures" means risk-based, proportionate and effective in mitigation of the identified ML/TF risks inherent in the client or matter being undertaken.
When considering this test of reasonableness, you should consider whether you are comfortable that you would be able to demonstrate and evidence the extent to which you have sought such information and verification, to your supervisor upon request. It should not be misinterpreted as an allowance to not fulfil your duty to understand the full ownership and control structure of the client.
Where applicable having regard to the circumstances, you should verify the identity of the beneficial owner to the same standard as that applied to clients who are natural persons, as described in 6.14 and 6.14.4.
In other, lower risk situations and in limited circumstances (such as when the relevant person already knows and has previously verified the identity of the beneficial owner) taking reasonable measures to verify the beneficial owner may mean, for example, taking verification information from non-independent sources (such as non-certified documents or information from reputable websites).
To evidence why identification of beneficial owners through personal identity documents is not undertaken, it is important to document your overarching understanding of the individual's background, circumstances and nature of the transaction.
It is important to note that you are seeking to verify the beneficial owner's identity, not simply that the identity in question is a beneficial owner.
Where you have been unable to verify the identity of the beneficial owners of a non-natural person, you should consider the reasons for this and whether this should lead to a disclosure to the NCA. Further consideration should be given to whether to act or continue to act for the client, particularly where the complexity of the structures is out of your normal scope of business or make completing CDD difficult.
You should record all of your considerations as a part of the client or matter risk assessment; for more information, see section 5.
You must identify and verify:
Furthermore, the practice must take reasonable measures to determine and verify the law to which the company is subject, and its constitution (whether set out in its articles of association or other governing documents) and the full names of the board of directors (or if there is no board, the members of the equivalent management body) and the senior persons responsible for the operations of the body corporate.
A practice must collect proof of registration (for example, via the client) or an excerpt from the relevant register before establishing a business relationship with a:
Discrepancies in this information must be reported to the registrar; see section 12 for more details.
Where the client is beneficially owned by another person, the practice must also:
These reasonable measures for verifying the identity of a non-natural person may be easier to undertake for smaller entities where the beneficial owners may be more accessible. For larger entities where the beneficial owners may be more difficult to contact directly, EID&V may be of significant help when verifying their identities.
Where a company is well-known, or regulated for AML to a standard equivalent to which you are subject to in the UK, you may consider that the level of ML/TF risks are low and apply CDD on a risk-based approach. For listed companies, see below.
Where you commence acting for a wholly owned subsidiary of an existing client, you may refer to the CDD file for your existing client for verification of details of the subsidiary, provided that the existing client has been identified to the standards of the regulations or to a similar standard in another jurisdiction.
You must obtain and verify the:
In accordance with R28(5), if the company is listed on a regulated market it is not necessary to:
This may also be applied to a majority-owned subsidiary of such a company where you have established the nature of ownership via an independent and reliable source.
For a wholly owned subsidiary of a listed company you will also require evidence of the parent/subsidiary relationship. Such evidence may be:
“Regulated market” is defined as follows:
“specified disclosure obligations” means —
If a regulated market is located within the EEA, there is no requirement to undertake checks on the market itself. Under a risk-based approach you may wish to simply record the steps taken to ascertain the status of the market.
Consider a similar approach for non-EEA markets that subject companies to disclosure obligations which are contained in international standards equivalent to specified disclosure obligations in the EU. Jurisdictional AML risks should also be considered – see the risk assessment section of this guidance for further information.
Following an assessment that the client is low risk it will be sufficient, for a listed company, to obtain confirmation of the company's listing on the regulated market.
Such evidence may be:
Where a listed company is owned by multiple parties that are themselves held on a regulated market(s), this does not need to be treated differently to a listed company that is a wholly owned subsidiary of one, except that you need to collect the details of all owners as above.
When assessing a listed company’s relationship with a market, you should have regard to whether a company’s ownership is only partially available on a market (only a percentage is publicly held). In this context, you should consider seeking further information about any owners whose relationship is not through a regulated market on a risk-sensitive basis. In other words, a company having any proportion of a listing on a regulated market however small, does not mean you do not need to check other owners.
The regulated market in the UK is the London Stock Exchange. You may consider whether it is appropriate to treat companies listed on other markets in the same way as those meeting the definition of “regulated markets” on a risk-sensitive basis. For example, AIM is not a ‘regulated market’ but you may consider, on a risk-based approach, treating it as such.
Where further CDD is required for a listed company (when it is not on a regulated market or where you otherwise deem it necessary) consider the nature of the risks presented and obtain additional information/comforts to address those risks. This may include obtaining relevant information or particulars of the company's identity or business practices.
Verification sources may include:
You are still required to conduct ongoing monitoring of the business relationship with a publicly listed company to enable you to spot suspicious activity.
Companies whose listing does not fall within the above requirements should be identified in accordance with the provisions for private companies.
Private companies are generally subject to a lower level of public disclosure than public companies. In general, however, the structure, ownership, purposes and activities of many private companies will be clear and understandable.
Sources for verifying corporate identification may include:
R43 requires UK companies not listed on a regulated market to provide information about their identity on request, including their articles of association or other governing documents and information about beneficial owners.
Obtaining CDD material for these companies may be more difficult, particularly regarding beneficial ownership where ownership is held in jurisdictions where no publicly available corporate registers are available, or ownership can be otherwise concealed through the use of nominees. If this is the case, it should be taken as an increased risk factor and may warrant the application of enhanced due diligence measures.
The company's identity should be established in the same way as for UK private and unlisted companies.
Where you are not obtaining original documentation, you should consider the need for further comfort on authenticity on a risk-based approach. Certification of documents does not automatically guarantee documentation is genuine.
These obligations set out below, apply to all trusts including will trusts and personal injury trusts.
In the UK, trusts do not have legal personality. As such, a trust cannot be your client. When advising in relation to a trust, your client may be:
Your client(s) will be the person to whom you owe your duty of care and who will receive the benefit of your advice.
Where an express trust has yet to be established and you are providing tax or transactional advice to a prospective settlor in anticipation of creating a trust, your client will usually be the settlor. Your responsibilities to verify the identity of the client and their source of funds, is then no different to any other client, except that you will also need to understand the nature and extent of the assets that will be settled on the trust.
Where you are instructed in relation to an existing trust, when applying CDD: you must obtain and verify the identity of your client including beneficial owners where applicable:
If the trust is a relevant trust for registration, you must also identify potential beneficiaries.
If, when you carried out CDD in relation to a trust (or legal entity/arrangement other than a body corporate) the beneficiaries were designated as a class you must establish and verify the identity of any beneficiary before you are involved in the payment to, or exercising of rights of, a specified beneficiary.
When applying CDD to a trust, or any other legal arrangement/entity which is not a company, involving a class of beneficiaries, you must always verify the identity of the beneficiary or beneficiaries before any payment is made to them or they exercise their vested rights in the trust or legal entity/arrangement (R 30 (7)).
If the identified beneficial owner is an entity, you may need to understand who its ultimate beneficial owners are, depending on the entity's status (whether it is a company or some other type of entity).
The extent of the measures you take to identify the ultimate beneficial owner of one of the trust’s defined ‘beneficial owners’ will depend on its role in relation to the trust. The ultimate beneficial owner of a settlor, protector or sole beneficiary entity should be fully identified.
R6(1) implies that individual beneficiaries need not be identified in CDD unless it has been determined that they will benefit from the trust. That is, unless and until they have a vested interest in the capital of the trust.
If you do not note all individual beneficiaries named in the trust deed or any associated document on the basis that their benefit from the trust has not yet been determined, you must identify any named class of beneficiaries, by its description. For example:
As CDD can only take account of circumstances at a point in time, you should note the names of all discretionary beneficiaries (including those who have yet to acquire determined interests) named in the trust deed and any document from the settlor relating to the trust, such as a letter of wishes. Their interests may vest (or otherwise be determined) while you are acting in relation to the trust, thus bringing them within the group of individuals who need to be noted in CDD as beneficiaries, as defined in R6(1)(c).
When considering the identity of those in whose main interest a trust is set up or operates and there are several classes of beneficiary, consider which class is most likely to receive most of the trust property. For example:
When in doubt about which class has the main interest, you should identity all classes.
However, where you act in relation to a discretionary trust, if you decide against noting in your CDD the names of individual beneficiaries who are named in the trust deed or any associated document on the basis that their benefitting from the trust has not yet been determined, you will need to seek regular updates from your client, as part of your on-going monitoring measures on a risk based approach. This may include when and whether beneficiaries’ interests in the trust will be or have been determined.
The wider approach, involving noting all beneficiaries and potential beneficiaries named in the trust deed and any associated document at CDD outset, may therefore be preferable from the outset.
R6(1)(e) brings any individual who has control over the trust within the definition of the beneficial owners of a trust and they will therefore need to be identified when you act in relation to a trust.
R6(2) defines control as a power, whether exercisable alone, jointly or with the consent of another, under the trust instrument or by law to:
R6(4)(b) specifically excludes from the definition of an individual who has control over a trust an individual ('P') who has control solely as a result of:
If you or your practice on occasions acts as (as opposed to for) a trustee of a taxable relevant trust, pursuant to R44 you will need to maintain accurate and up-to-date records of all beneficial owners and potential beneficiaries of the trust.
Even if your practice is also acting for the trustee(s) and has applied CDD, this may involve you in more extensive investigations.
A taxable relevant trust is:
If you form a business relationship in your role as trustee with a relevant person, which could be an advisory relationship with your practice (if it is subject to the regulations), you will need to inform the relevant person that you are acting as a trustee and, on request, provide the relevant person with information identifying the trust’s beneficial owners and potential beneficiaries.
That obligation lies on (external) trustees of relevant trusts who enter into transactions in relation to which you or your practice are required to apply CDD or who form a business relationship with you or your practice (if you are subject to the regulations). This should assist you in your compliance with your CDD obligations and is another reason why it makes sense to extend your CDD in relation to a relevant trust's beneficial owners also to cover potential beneficiaries.
Otherwise, from a reputational risk and advisory perspective, as law enforcement authorities may gain access to information not only about the trust’s beneficial owners as defined in R6(1) but also the names of those individuals who are referred to in any document from the settlor, such as a letter of wishes, relating to the trust, it is prudent to note such wider information in your CDD records where you act for any client in relation to a relevant trust, and where you act in relation to any trust.
Applying CDD where you act in relation to an existing trust should generally involve your having sight of the trust deed or documents which relates to it and obtaining an appropriate understanding of their content. In some circumstances, this understanding of the content may come from an explanatory note provided by another professional regulated for AML to a similar standard. The rationale for obtaining such evidence in this manner should be documented.
In low-risk situations (as determined by appropriate and thorough documented risk assessment) you may be able to record an account of the terms of the trust given by the client or another regulated person who has had an involvement with setting up or managing the trust. However, before doing so, you should be assured that the reason for your not being provided with the trust deed and any document which relates to it makes sense in all circumstances, is recorded by you and is not indicative of a higher risk of ML.
You will also need to assure yourself that in identifying the trust’s beneficial owners, the client or other regulated person, as appropriate, had proper regard to whether they included any individual (other than the settlor, the trustees and the beneficiaries) who has control over the trust, and potential beneficiaries.
A partnership, other than in Scotland, is not a separate legal entity, so you must obtain information on the constituent individuals.
Where partnerships or unincorporated businesses are well-known, reputable organisations, with long histories in their industries and with substantial public information about them, their principals, and controllers the following information may be sufficient:
You must still verify the identity of the partnership’s beneficial owners.
R5(3) provides that in the case of a partnership (but not a limited liability partnership) the following individuals are beneficial owners:
Relevant points to consider when applying R5(3) are:
You should also consider whether there are any other registries on which you may be able to verify the details of the partnership.
Other partnerships and unincorporated businesses which are small and have few partners should be treated for identification and verification purposes in the same way as private individuals (that is, identifying and verifying each partner). Where the numbers are larger, they should be treated for identification and verification purposes in the same way as private companies.
Where a partnership is made up of regulated professionals, it may be sufficient to confirm the practice's existence and the trading address from a reputable professional directory or search facility with the relevant professional body. Otherwise you should obtain evidence on the identity of at least two partners and evidence of the practice's trading address. You must still verify the identity of the partnership’s beneficial owners.
For a UK LLP or SLP, you should obtain information in accordance with the requirements for companies as outlined above as these are treated as corporate entities.
Careful consideration should be made regarding clients where partners themselves are overseas entities, particularly where these overseas entities are located in jurisdictions where no publicly available corporate registers are available, or ownership can be otherwise concealed through the use of nominees or similar structures. This is particularly relevant where the vehicle is used to hold assets or is involved in transactional or other potentially high-risk activities, or conversely, where no discernible business activity can be determined, from internet searches or other sources. Such factors may be indicative of shell companies and are likely to be indicative of higher ML risk. You should give consideration to why the use of such structures may not be legitimate and the nature and purpose of the business. Your client may be able to help you understand this. Information obtained should be considered in light of other CDD information available.
Where you have assessed the client risk to be higher risk because of its structure or factors as above, then you must put in place enhanced due diligence and ongoing monitoring.
Foundations may or may not have legal personality. You should investigate whether this is the case and whether it is appropriate to take on the foundation as your client or whether your client should be the board of trustees or another party involved with the foundation.
If the foundation lacks legal personality, you should approach CDD, as you would where you act for a client in relation to a trust. R6(5) provides that ‘beneficial owner’ in relation to a foundation or other legal arrangement similar to a trust, means those individuals who hold equivalent or similar positions to the (defined) beneficial owners of trusts.
Charities may take a number of forms. In the UK, you may come across five types of charities:
For registered charities, you should take a record of their full name, registration number and place of business. Details of registered charities in the UK can be obtained from:
Other countries may also have charity regulators which maintain a list of registered charities. You may consider it appropriate to refer to these when verifying the identity of an overseas charity.
For all other types of charities, you should consider the business structure of the charity and apply CDD appropriately. You may also get confirmation of UK charitable status from HMRC. Further, in applying the risk-based approach to charities it is worth considering whether it is a well-known entity or not. The more obscure the charity, the more likely you are to want to view the constitutional documents of the charity, along with any other documents that may clarify the individuals in control and its status.
Due to the numerous examples of charities and not-for-profit organisations as fundraising vehicles for terrorist organisations, you may want to also consult HM Treasury's consolidated list of persons designated as being subject to financial restrictions to ensure the charity is not a designated person.
Another point to consider is source of funds, in that charities may fund transactions effectively through crowdfunding, which can make a source of funds check difficult to complete. Taking a risk-based approach, you should consider whether you need to seek information as to who those individuals or entities are that are funding the charity, particularly those contributing larger percentages or amounts.
When acting for the executor(s) or administrators of an estate, you should establish their identity using the procedures for natural persons or companies set out above. When acting for more than one executor or administrator, you should verify the identity of at least two of them. You should also get copies of the death certificate, grant of probate and any letters of administration.
If a will trust is created, and the trustees are different from the executors, the procedures in relation to trusts will need to be followed when the will trust comes into operation.
Places of worship may either register as a charity or can apply for registration as a certified building of worship from the General Register Office (GRO) which will issue a certificate. Further, their charitable tax status will be registered with HMRC. As such, identification details with respect to the church or place of worship may be verified:
Schools and colleges may be a registered charity, a private company, an unincorporated association or a government entity and should be verified in accordance with the relevant category. The Department of Education maintains lists of approved educational establishments which may assist in verifying the existence of the school or college.
Many of these bear a low money laundering risk, but this depends on the scope of their purposes, ownership structure, activities and geographic spread.
The following information may be relevant to the identity of the club or association:
Documents which may verify the existence of the club or association include:
The ML/TF risks associated with public authorities vary significantly depending on the nature of the retainer and the home jurisdiction of the public authority. It may be simple to establish that the entity exists, but where there is a heightened risk of corruption or misappropriation of government monies, greater monitoring of retainers should be applied.
The following information may be relevant when establishing a public sector entity's identity:
Under R37(3) the fact that the client is a public administration or publicly owned enterprise is one of the factors to consider when deciding whether it is low risk and whether to apply simplified due diligence. It will usually be appropriate to apply simplified due diligence to UK public authorities and to some non-UK public authorities, particularly those in the EEA.
You may wish to consider the UK Financial Services Joint Money Laundering Steering Group (JMLSG) guidance Part 1 as a useful source of information on possible ways to apply CDD on the above entities, and across a broader range of other entity structures. You should note though that in the context of legal services, the LSAG guidance takes precedent.
A beneficial owner is normally an individual who ultimately owns or controls the customer or on whose behalf a transaction is being conducted. In respect of private individuals (that is, a natural person), the client themselves may be treated as the beneficial owner, unless there are features of the transaction, or surrounding circumstances, that indicate otherwise.
Therefore, if your client is an individual, you may want to consider whether they are acting on their own behalf. A question to ask yourself in this context and more generally is: “do the services I am being asked to provide make sense given what I know about the client?”
R5(1) defines the beneficial owner of a body corporate, other than a listed company, as meaning:
any individual who:
This does not apply to a company listed on a regulated market. It does apply to UK limited liability partnerships.
Regulation 6(1): in relation to a trust, the regulations define the beneficial owner as each of:
In relation to a foundation or other legal arrangement similar to a trust, the beneficial owners are those who hold equivalent or similar positions to those set out above in the case of trusts.
In relation to a legal entity or legal arrangement which does not fall into the above, the beneficial owners are:
Unincorporated associations and foundations are examples of entities and arrangements likely to fall within these requirements.
When applying this, relevant points to consider are:
You should be alert to the risk that a corporate entity can also be subject to control by persons other than shareholders. Such control may rest with those who have power to manage funds or transactions without requiring specific authority to do so, and who would be in a position to authorise changes to internal procedures and control mechanisms. Depending on the control structures in an entity, this could be a senior role operating without actual or effective supervision or another entity.
You should remain alert to any person or entity with such powers while you are obtaining an understanding of the ownership and control structure of the corporate entity and make such further enquiries you need in order to understand the control structure. Monitor situations within the retainer where control structures appear to be bypassed or unduly complex on a risk-sensitive basis.
Beneficial owners must be identified, and reasonable measures must be taken to verify their identities so that you are satisfied you know who the beneficial owner is and that they are in fact the beneficial owner in question.
In complex structures, practices may have to look through layers of ownership (and consider any associated dilution of that ownership) to arrive at any natural persons owning or controlling the client entity.
It is important to review both shareholdings and voting rights in respect of beneficial ownership, along with understanding the class and value of shares any individual holds.
Where the shareholding of an entity indicates that no one owns or controls over 25% of a client you may wish to consider whether it is appropriate that the senior manager (for example, CEO, board, controlling mind of the company) be considered as the beneficial owners under R5(1))(a) and (c). This is subtly different to the requirements of R28(8) and would not necessarily raise a concern of extra risks as the circumstances of R28(7) might.
When conducting CDD on a client, you will need to identify any beneficial owners as defined above. This may be undertaken by obtaining:
It is not enough to solely rely on the information contained in a company’s register of persons with significant control. You should consider what is the appropriate level of verification required on a RBA.
These reasonable measures to verify a beneficial owner may differ to those you may use to verify the identity of a client that is a natural person. For example, you may not require passports or driving licenses in these circumstances, but EID&V may present an effective way to verify the identities of beneficial owners.
It is for your practice to determine a tailored and risk-sensitive approach that is appropriate to ensure you are satisfied you know who a beneficial owner is and that you fully understand their relationship with the non-natural person.
If you cannot identify the beneficial owner (where they have 25% or more holding of the company), you should consider whether this makes the client or matter higher risk and treat it accordingly and consider whether you should continue to act for the client.
If you cannot identify a beneficial owner pursuant to the above despite having exhausted all possible means of doing so or if you are not satisfied that the person is the beneficial owner, you must then take reasonable measures to verify the identity of the senior responsible manager of the body corporate. Depending on the circumstances, it may be that you have already concluded this is the case on the basis that the individual “exercises ultimate control over the management of the body corporate” under R5(1)(a), although you should note that the scope of R5(1)(a) is not limited to this scenario.
In practice, this may be the chief executive officer or president of the group, or someone else in the executive team with high-level responsibility for the running of the relevant aspect of the body corporate.
You must also record:
R6(9) says a beneficial owner generally means any individual who ultimately owns or controls the client or on whose behalf a transaction is being conducted.
In most cases, it is presumed that the client is acting on their own behalf, unless the features of the transaction indicate that they are acting on someone else's behalf. As highlighted above you should make enquiries when it appears the client may be acting on behalf of someone else.
Situations where a natural person may be acting on behalf of someone else include:
You should be alert to the possibility that purported agency relationships are actually being utilised to facilitate a fraud, leading to possible encounters with the proceeds of crime. Understanding the reason for the agency, rather than simply accepting documentary evidence of such at face value, will assist to mitigate this risk. Where a client or retainer is higher risk, you should obtain further verification of the beneficial owner's identity in line with the suggested CDD methods to be applied to natural persons.
This may also include where a legal practice commissions your services on behalf of someone else.
Where you have adequately assessed ML risk to be lower, it would not be generally proportionate to conduct independent searches across multiple entities at multiple layers of a corporate chain to see whether, by accumulating very small interests in different entities, a person finally achieves more than a 25% interest in the client corporate entity. Nevertheless, you must be satisfied that you have an overall understanding of the ownership and control structure of the client company. This provision does not apply in any situations of higher risk, where EDD should be applied.
A bearer share is a form of equity (a stock or share in a company or equivalent) wholly owned by whoever holds the physical stock certificate. Given this, there is no way to confidently or consistently register the owner of the stock nor track transfers of ownership.
These pose a much higher risk of money laundering as it is often difficult to identify beneficial owners and such companies are often incorporated in jurisdictions with lower AML/CTF regulations. You should consider whether the risk posed is acceptable for your practice before proceeding.
If you do proceed, you must adopt procedures to establish the identities of the holders and material beneficial owners of such shares and ensure you are notified whenever there is a change of holder and/or beneficial owner (who they are held on behalf of).
This might be achieved by:
Ultimately it is for your practice to determine the confidence you can place in any assurances that the bearer shares will not be used to hide ML/TF; however, extreme caution must be exercised. Bear in mind that the issuance of bearer shares has been banned in the UK since May 2015, primarily due to ML and transparency concerns. EDD and ongoing monitoring should be performed and practices must be able to demonstrate the effectiveness of controls in place to their supervisor.
Where a practice does undertake work for clients where beneficial ownership is held in the form of bearer shares, this should be articulated in the PWRA.
Whenever you are instructed by someone involved with an existing trust to advise in relation to it, you must extend your CDD to the trust’s beneficial owners.
You should take a risk-based approach to verifying the identity of the ultimate beneficial owner(s) of a professional trustee entity (as they should have no interest in the assets placed in trust). Higher-risk indicators may be where the professional trustee entity is unregulated or where the professional trustee is not independent of the settlor (for example, family offices). Where such factors are present, reasonable measures should be taken to verify the identity of the beneficial owner(s) of the trustee. Lower risk factors may be where the professional trustee is itself a regulated entity (or owned by one) or is large, well-known and/or listed on a regulated market. In such low-risk instances, you should not need to identity and verify beneficial ownership of the professional trustee, although you should document the rationale for your actions.
R28(4) requires a relevant person to identify the beneficial owner "of a client" which is beneficially owned by another person. R6(1) defines "the beneficial owners in relation to a trust" as the settlor, the trustees, the beneficiaries (or class of beneficiaries) and any individual who has control over the trust. Although your client will not actually be the trust (because a trust does not have legal personality), if you advise any client in relation to a trust, the Regulations require you to understand who the trust's other beneficial owners are, as defined in R6(1).
A fundamental element of CDD is understanding the nature, background and circumstances of the client, including their financial position – and making an assessment as to whether the legal services provided to the client are in keeping with your understanding of that background and circumstances.
The extent to which you must obtain, review and evidence your client’s financial position is dependent upon the risk profile of the client or matter. In EDD situations this requirement is more stringent.
The financial circumstances of a client can broadly be categorised into source of funds (SoF) and source of wealth (SoW).
A practice must scrutinise transactions on a matter-by-matter basis, with the objective of understanding what the SoF are for transactions you undertake on behalf of a client. This is a fundamental aspect of holistic CDD. It is important to remember that understanding the SoF and SoW is a key protection for your practice, and it should be approached as an opportunity to protect your practice from being used for money laundering.
The type of documentation accepted to verify SoW or SoF should depend on the level of ML/TF risk presented by the customer. The higher the risk, the more comprehensive and reliable documents you obtain should be.
Taking a risk-based approach, you may consider funds remitted from a legal practice regulated for AML to equivalent standards as the regulations as being of lower risk.
You must take adequate measures to check SoF and SoW as a part of EDD when applied to PEPs. You should also consider doing so as a part of ongoing monitoring of any business relationship (whether high risk or otherwise). You should also apply a SoW check in other applications of EDD on a risk-based approach.
It is good practice to check the SoF even if a business relationship as defined in the regulations has not been formed, and the matter is an occasional transaction. It should be considered that checking SoF is a useful practical tool for protecting your practice generally.
It is important to document the SoF checks conducted on each client or matter – this may be by way of the collation of information/evidence obtained, and/or the inclusion of a file note outlining what checks were undertaken, what evidence obtained and the conclusions derived from these checks.
SoF and SoW do not mean the same thing, although there can be significant overlap between the two and they do not exist in isolation to each other.
Source of funds refers to the funds that are being used to fund the specific transaction in hand – that is, the origin of the funds used for the transactions or activities that occur within the business relationship or occasional transaction.
The question you are seeking to answer should not simply be, “where did the money for the transaction come from,” but also “how and from where did the client get the money for this transaction or business relationship.” It is not enough to know the money came from a UK bank account.
For further reference, see point 87 in the following FATF guidance.
The types of data and documents that you use for verification of SoF will vary depending on the circumstances and the information that the customer provides to you.
The SoF pertains directly to the funds that are being used to fund the specific transaction in hand: the origin of the funds used for the transactions or activities that occur within the client’s business relationship with you. Checking this means ascertaining where those funds came from, how they were accumulated by the client and ensuring on a risk-based approach that they are not the proceeds of crime.
SoF is not simply be limited to knowing from which financial institution the funds in question may have been transferred, except where the financial institution is providing financing for the transaction (for example, via mortgage). It should also not be limited to checking that the client’s name matches the name on the account.
In addition to documenting the:
the information obtained should be substantive and establish a provenance or reason for having been acquired: for example, salary, gift, etc.
Acquiring bank statements, wills, full payslips, audited financial accounts showing funds disbursed to the client, sales/purchase agreements, receipts of other transactions or similar documentation may all be useful in establishing SoF. Establishing income from share capital, business activities, a bequest of gift, etc. can also help you.
In circumstances where a client declares that they have been given funds for a transaction from a third party, you may wish to record information relating to that original transaction too. You may verify this by requesting bank statements and other relevant documentation relating to this transfer.
SoF can often be difficult to determine without some understanding of the SoW of the individual. This can particularly be the case where the funds for a transaction have become mixed with other funds in an account. Here, to understand the SoF, you may need to have an awareness of the SoW of the individual, although your level of confidence in the source of wealth in such a case, should be considered on a risk based approach.
The source of wealth refers to the origin of a client’s entire body of wealth (that is, total assets).
SoW describes the economic, business and/or commercial activities that generated, or significantly contributed to, the client’s overall net worth/entire body of wealth . This should recognise that the composition of wealth-generating activities may change over time, as new activities are identified, and additional wealth is accumulated.
You should seek to answer the question: “why and how does the individual have the amount of overall assets they do – and how did they accumulate/generate these?”
For further reference, see point 88 in the following FATF guidance.
SoW is a holistic appraisal as to where an individual or an entity has derived their overall wealth (the origin of their entire body of assets), rather than any specific portion of it.
To check SoW in a low/medium risk transaction, you may be comfortable identifying the SoW by asking and recording how the client has accrued their wealth or by verifying the client’s business interests through public searches. For low/medium risk transactions in relation to companies and other body corporate clients, you could be comfortable that the intended transaction is consistent with what you know about the company. For guidance in establishing SoW in higher risk situations see 6.18.3.
For further information on SoW requirements, see the EDD section below.
In-depth guidance on SoW and SoF requirements has been issued by the Wolfsberg Group.
R33 provides that you must apply enhanced due diligence (EDD) and enhanced ongoing monitoring in addition to the CDD measures required in R28, where:
In high-risk situations warranting the application of enhanced due diligence, it may be appropriate to examine beneficial owners with less than 25% ownership if you have concerns regarding the ownership structure or feel that the ownership structure is a pertinent risk factor, to fully understand control and ownership interests in the client.
The regulations specify that you must take measures to examine the background and purpose of the transaction and to increase the monitoring of the business relationship where EDD is required. The regulations are not prescriptive about exactly what must be included in EDD, with the exception of clients that are PEPs.
As per R33(5), EDD may include (while not being restricted to):
In the case of a high-risk third country (HRTC), EDD is more restrictive.
If you are establishing a business relationship with a client in a HRTC, you will need to apply the EDD including the steps below. You will also need to apply the steps below when either your client or the counterparty is established in a HRTC where you are undertaking an occasional transaction (within the meanings of R27(1)(b) and (2)).
In these circumstances, EDD must include:
If a client with whom you have a business relationship (not in a HRTC) is engaging in a transaction where the counterparty is based in a HRTC, you should consider the risks this presents and whether it is appropriate to apply EDD to the transaction.
You should also consider whether it is appropriate to go beyond the above minimum requirements, particularly in circumstances of higher risk or where you have identified red flags. This may include for example seeking greater verification of the client’s identity, background and circumstances from independent and reliable information sources. It may also mean lowering beneficial ownership thresholds below 25% or conducting further screening or adverse media searches on directors or beneficial owners of the client.=
(Please also see 16.7.3)
An important additional EDD measure should include understanding the financial situation of the client – in practice, this means taking additional measures to understand the SoW as well as the SoF of the client.
You should consider the level and nature of verification required in light of the risks posed by the client, transaction and/or business relationship.
As part of your EDD process you should verify the SoW with evidence obtained from the client and/or independent sources until you are comfortable that you understand where the client's overall wealth has been derived from and (to the best of your knowledge) that it is legitimate. You should document your rationale in a file note.
When addressing SoW, you should consider whether the SoW is commensurate to your client in general: does it make sense that the client in front of you obtained their wealth in the way that they have advised you?
The SoW refers to the origin of a client’s entire body of wealth (total assets). This information will usually give an indication as to the volume of wealth the client would be expected to have, and a picture of how the person acquired such wealth.
It does not however require you to account for all of a client’s assets, but to build a rationale and reasoning as to why they have such wealth and to provide assurance that it was obtained through legal means. This will help you to establish whether the transaction makes sense.
In many complex scenarios it may be difficult to determine original sources of wealth, possibly accrued many years ago. In such scenarios, reasonable efforts must be undertaken to obtain relevant information from the client, and this must be reviewed in light of other risk factors, such as jurisdictional/geographic risk, adverse media, PEP status and transaction type (especially transactions which may help obscure the ownership or transfer of assets).
Although a practice may not have specific information about assets not deposited or processed by them, it may be possible to gather general information from commercial databases or other open sources.
Where the client’s SoW is not readily apparent, the first step in establishing either SoF or SoW is asking questions of your client and where appropriate seeking independent verification and corroboration of information across a variety of sources, to build a picture of the clients background and circumstance which may require asking questions of the client.
Actions taken, documentation and materials reviewed, and decisions taken (including rationale) must be clearly recorded. These may be reviewed at a later date by your supervisor or other relevant authorities.
Where you cannot successfully establish the SoW in higher risk situations, you should consider ceasing to act for the client and whether you need to submit a report to the NCA.
Enhanced ongoing monitoring is automatically required whenever EDD is applied.
One aspect of keeping transactions under review is to ensure they are still in line with the CDD information held on the client, and information contained in the client and matter risk assessments. Whatever controls you have in place to monitor other business relationships, may be intensified in order to apply enhanced monitoring.
This may include:
You should ensure that funds paid into your client account come from an expected source and are for an amount commensurate with the client's known wealth and with what is expected to be deposited in relation to the matters on which you act for them.
You must apply EDD measures in any business relationship with a person established in a HRTC or where you are undertaking an occasional transaction (within the meanings of R27(1)(b) and (2)) where either party is established in a HRTC.
The UK defines which countries are considered HRTC under the regulations. The list of countries is available online.
Being “established in” a country means:
However, this requirement does not apply if:
Note that not all countries where there may be a higher risk of ML are HRTC for these purposes. Other jurisdictions may equally pose higher ML risks – these should be assessed as part of client and matter risk assessments, and additional EDD measures should be applied accordingly.
EDD is also required where there is a higher risk of ML/TF. In determining whether there is a higher risk of ML/TF in a given case, you must take into account the risk factors set out in R33(6), along with the outcomes of your practice-wide, client and matter risk assessments.
Instances of high risk as detailed in your supervisor’s risk assessment and in the national risk assessment also require EDD to be applied.
Please see the features outlined in section 5 and 18 of this guidance for further information. You should consider the situation in context of the CDD information held on your client, including their background and financial circumstances.
When assessing whether there is a high risk of money laundering or terrorist financing in a particular situation, and the extent of the measures which should be taken to manage and mitigate that risk, relevant persons must take account of risk factors including, among other things—
As well as considering the risks identified above, you should have regard to any of the risk factors discussed in section 5 that may be present in a given client or matter.
Politically exposed persons (PEPs) present risks as they have the opportunity to use their political position to enrich themselves through corrupt activities. In order to treat PEPs in a risk-based way, it is a precondition that you can correctly identify them.
A PEP is a person who has been entrusted within the last year (or for a longer period if you consider it appropriate to address the risks in relation to that person) with one of the following prominent public functions by a public institution, an international body, or a state, including the UK.
Listing of PEP roles R35(14):
In addition to the primary PEPs listed above, a PEP also includes (R35(12)):
Middle ranking and junior officials are not PEPs. In the UK, only those who hold truly prominent positions should be treated as PEPs and the definition should not be applied to local government, more junior members of the civil service or military officials other than those holding the most senior ranks. This should be borne in mind as many commercially available PEP checking tools may have a much lower threshold for considering an individual a PEP.
In the government consultation on 5MLD, it was strongly suggested that the FCA’s guidance on PEPs should be the standard across the board.
Section 2.16 of this FCA guidance sets out the FCA’s view of what categories of person should be treated as PEPs in the UK (building on the above).
R35(1) requires you to have appropriate risk management systems and procedures to determine whether a client or beneficial owner is a PEP.
Practices must take a risk-based approach to identifying PEPs.
To assess your risk of encountering a PEP, you must take into account your PWRA, the level of risk of ML/TF inherent in your business and the extent to which that risk would be increased by a business relationship with a PEP.
In larger or more specialist practices where it may be reasonably expected to undertake work on behalf of PEPs in the normal or regular course of business, frequency and intensity of PEP screening should be increased (potentially using an established commercial provider), both at the outset of the matter and an ongoing basis. Many practices use services that can run checks against PEP databases which they maintain.
Where you have a higher risk of having PEPs as clients or you have reason to suspect that a person may actually be a PEP contrary to earlier information, you should consider conducting some form of electronic verification.
The range of PEPs is wide and constantly changing, so any EID&V will not give you total certainty. You should have reference to section 7 when considering the possible confidence you may place in the abilities of any EID&V tool.
Regardless of the result of any single check you should consider the wider possibility that your client is a PEP.
In practices where undertaking work on behalf of PEPs is unlikely or a very rare occurrence, it may be acceptable to use publicly available or open sources. Checking for PEP status should be undertaken on a risk-based approach, in light of other CDD information held (such as employment) which may lead to the practice suspecting PEP status.
Simple measures may include:
Other indicators that may indicate your client is a PEP include:
Where you suspect a client is a PEP but cannot establish that for certain, you should consider what steps you could take in order to resolve this uncertainty. If you are not able to resolve the issue to your satisfaction, you may consider (on a risk-based approach) applying aspects of EDD procedures (as a lack of clarity as to whether a person is a PEP could, in and of itself, be indicative of a heightened risk of ML).
It is worth reiterating from the outset that family members of PEPs, and known close associates of PEPs, must be treated as PEPs in terms of the due diligence you apply.
You should apply the same standard of investigation when identifying whether someone is a family member of a PEP, as you do for a PEP.
R35(15) sets out a different process for “known close associates.”
“For the purpose of deciding whether a person is a known close associate of a politically exposed person, a relevant person need only have regard to information which is in its possession, or to credible information which is publicly available.” This means that you are only expected to be able to identify a known close associate where the information you already hold tells you that this is what they are, or if it is publicly available.
In deciding what risk mitigation to apply you must (R35(2)) take account of:
PEPs may pose a higher risk, by virtue of having a greater potential opportunity to be involved in corruption, due to the positions or access to public funds they hold. Being a PEP should not preclude access to legal services, provided the practice undertakes the necessary EDD measures.
When there is a PEP relationship (including where a PEP is a beneficial owner of a client and where a client or its beneficial owner is a family member or known close associate of a PEP), the regulations specify that you must take the following steps to deal with the heightened risk:
Where you have a beneficial owner who you know to be a PEP, you should consider on a risk-based approach what extra EDD measures you need to take when dealing with that client.
Where the client is a state-owned entity and the PEP in question is only a PEP due to their position in the state-owned entity, you may consider whether this mitigates the risks present.
The guidance is aimed at practices supervised by the FCA, but you should take it into account in accordance with R35(4)(b)(i).
R3(1) defines 'senior management' as: "An officer or employee of the relevant person with sufficient knowledge of the relevant person's money laundering and terrorist financing risk exposure, and of sufficient authority to take decisions affecting its risk exposure."
The FCA guidance referred to above sets out its view as to who, for the purposes of the regulations, should be treated as coming within the definition of senior management.
For legal practices, senior management may be:
Other individuals may fall into this category depending on the nature and structure of your practice.
Senior management may delegate the application of their roles to other suitably senior and competent individuals however they remain ultimately responsible and accountable. You should advise those responsible for monitoring risk assessments that a business relationship with a PEP has begun, to help their overall monitoring of the practice's risk profile and compliance.
For sole practitioners, you should appropriately record your decision; for example, as a conclusion to the client or matter risk assessment.
Under R37, you may be allowed to relax the type, timing and extent of measures undertaken under CDD where a matter is eligible for simplified due diligence (SDD). You must continue to monitor the relationship and transactions to ensure that SDD continues to be appropriate.
You must carry out sufficient monitoring of the relationship or transaction to enable you to detect any unusual or suspicious transactions.
Earlier iterations of the regulations listed circumstances where one could apply SDD. While the factors below no longer signify that you can automatically apply SDD, they may still indicate entities which may qualify.
It may also be useful to consider these in the context of determining that SDD would not be appropriate, regardless of other circumstances that may be present.
SDD is the lowest permissible form of due diligence and must only be used where you have determined that the client presents a low risk of ML/TF.
You must record your reasoning for why you have determined that it is appropriate to use SDD via your client or matter risk assessment. It may be that due to factors recognised in your PWRA, it may not be appropriate for your practice to use SDD at all.
When assessing whether there is a low risk of ML/TF such that SDD can be applied, you must take into account:
For further details on the factors to consider when assessing whether to apply SDD, see R37.
Conversely, you should not apply SDD where the client is not:
You must cease SDD and apply a higher standard of due diligence if:
R28(11) requires that you conduct ongoing monitoring of business relationships.
Ongoing monitoring is defined as:
You must also be aware of obligations to keep clients' personal data updated under the Data Protection Act 1998 and the GDPR or their equivalent.
In order to comply, you may:
You should operate a system of regular review and renewal of CDD and take a risk-based approach to such activity. You should consider reviewing (although not necessarily redoing) CDD upon each new matter. Where there has been a significant gap between instructions (anything above a year may be considered a significant gap in relation to those clients or transactions assessed as higher-risk), you should consider refreshing the CDD.
You must update the CDD when you become aware of any changes to the client's identification information. This would include change of name, address, beneficial owner or business.
In accordance with R27(9), you must apply (or reapply) CDD to existing clients on a risk-based approach and when you become aware that the circumstances of the existing client have changed.
In determining this, you must take into account:
It may also be necessary to undertake ongoing monitoring through the course of a single matter – particularly where there is an element of duration to the matter, and parties to the matter, or the SoW/SoF involved may have changed.
Each time a practice engages in ongoing monitoring (which may or may not include full reverification) it should record:
Bear in mind also that the regulations as amended prescribe further situations where you must re-apply CDD for existing clients – these being when a practice has any legal duty in the course of the calendar year to contact a client under the International Tax Compliance Regulations 2015 or to review information:
R40 requires you to keep records of your CDD, EDD and SDD documents. You must also keep information and sufficient supporting records in respect of any transaction which is the subject of any ongoing monitoring.
See section 10 for information relating to record keeping and retention requirements.
Reliance has a specific meaning within the regulations and relates to the process under R39 where, in certain circumstances, you may rely on another person to conduct CDD for you, subject to their agreement.
Reliance does not necessarily mean obtaining certified copies of documentation from other regulated professionals for due diligence purposes.
You should note that you remain liable for any non-compliance with CDD requirements when you rely on another person. For this reason, you should view reliance as a risk as, if things go wrong, it is you that will be held responsible. It may not always be appropriate to rely on another person, especially where there is a higher risk of ML, requiring EDD measures.
The benefit of reliance is that in certain circumstances it may allow practices to avoid duplication in complying with their CDD obligations and facilitate a client’s swift and convenient access to legal services.
You cannot rely on due diligence carried out by another party without fulfilling the qualifying conditions below.
For the avoidance of doubt, any assumption that funds are not the proceeds of crime because they have come from a UK-based bank which would have applied its own CDD, is incorrect and may be viewed as a breach of requirements by your AML supervisor.
In order to rely on another regulated person to apply CDD measures you must as a precondition, obtain from them all the information (though it should be noted not the underlying documentation) needed to satisfy the requirement to apply CDD measures in accordance with R28(2) to (6) and (10).
Subsequently you must:
If you choose to rely on another professional, you should ask for written confirmation of the CDD measures and enquiries the other person has undertaken to ensure that they actually comply with the regulations. You should also consider whether they have applied a consideration of risk and approach to mitigation similar to your own.
In practice, if you are relying on the confirmation of a third party you must obtain:
If you routinely rely on CDD checks done by a particular third party, it is good practice to request sample documents to test their reliability.
This is particularly important when relying on a person outside the UK. Before relying on a person outside the UK you should satisfy yourself that the CDD has been conducted to a standard compatible with the 5th Directive, taking into account the ability to use sources of verification and jurisdictional specific factors.
You should be aware that the risk assessment of the person you are relying on may not match your own, and therefore commensurate due diligence/enhanced due diligence may not have been applied.
Another relevant person may seek to rely on the CDD checks you have completed, and this will more likely be the case where you instruct such a person on behalf of your client. In such a situation you should consider whether you wish to enter into an arrangement to allow the relevant person to rely on your CDD checks, noting that it may be beneficial for your client.
Before agreeing to enter into such an arrangement, you should ensure that:
You may wish to consider adopting an exclusion of liability clause as part of the arrangement allowing reliance between you and the other party.
Before granting reliance, you should also consider whether, by doing so, you would be breaching a contract with another party, such as an electronic verification service provider.
You can only rely on relevant persons as defined under the regulations.
You can only rely on a person in an EEA state if they are:
You can rely on a person who carries on business in a third country, other than a HRTC, only if they are:
subject to requirements in relation to CDD and record keeping equivalent to those laid down in the 5th Directive; and
supervised for compliance with those requirements in a manner equivalent to section 2 of Chapter VI of the 5th Directive.
You cannot rely on a third person established in a country that has been designated by the European Commission as a HRTC, unless:
Even then, you should consider whether the location of the branch or subsidiary, impacts on the risk of relying on that third person and whether it is still appropriate to rely on them. This should also be reflected in your matter risk assessment.
Many practices have branches or affiliated offices (“international offices”) in other jurisdictions and will have clients who utilise the services of a number of international offices. It may not be proportionate for a client to have to provide original identification material to each international office.
Some practices may have a central international database of CDD material on clients to which they can refer. Where this is the case you should review the CDD material to be satisfied that CDD has been completed in accordance with legislation in that jurisdiction. Relevant members of the practice must have access to this information, particularly the MLRO/MLCO. If further information is required to be in full compliance, you should ensure that it is obtained and added to the central database. You should also ensure that the CDD approval controls for the database are sufficient to ensure that all CDD is compliant.
A central database of CDD may also aid international practices in compliance with all relevant, global sanctions requirements, including screening of client information.
Other practices may wish to ask their international office simply to provide a letter of confirmation that CDD requirements have been undertaken with respect to the client. This may be acceptable provided that:
Finally, practices without a central database may wish to undertake their own CDD measures with respect to the client but ask their international office to supply copies of the verification material, rather than the client themselves. This may not be considered reliance but may be considered outsourcing. Outsourcing is permitted under R39(7), on the condition that the arrangements with the outsourcing provider provide that you remain liable for any failure to apply CDD measures.
It is important to note that you will need to have in place a process for checking whether a person passported into your office is a PEP (or family member or known close associate) and, if so, to undertake appropriate EDD measures and enhanced ongoing monitoring.
UK-based practices will have to undertake their own ongoing monitoring of the matters they act on, even if an international office is also required to do so.
The UK has many different international trade sanctions against individuals and groups. These sanctions are written into law, and compliance with them is mandatory, albeit outside of the regulations.
When CDD information held is accurate, up-to-date and reliable it will facilitate accurate screening against sanctions lists, where appropriate.
HM Treasury maintains a consolidated list of asset-freeze financial restrictions in force in the UK. Practices can access this list, register for updates and obtain further information on financial restrictions.
Please note that the US Office of Foreign Assets Control sanctions lists, and regimes are not included in this list, but may apply to your practice.
See further information on obtaining a licence from HM Treasury to undertake transactions with or on behalf of persons or entities subject to financial restrictions.
While not specifically required by the regulations, we consider it useful for you to tell your client about your AML/CTF obligations. Clients are generally more willing to provide information when they are made aware of requirements upfront and see it as a standard requirement as part of the normal course of business.
You may wish to advise your client of:
Consider the manner and timing of your communications, for example whether the information will be provided in the standard client care letter.
It can be difficult to explain to clients why your practice needs the information it does in order to fulfil your responsibilities. It may be of use to point clients (particularly natural persons who may not be familiar with the requirements legal professionals are subject to) towards the below wording in order to help explain why you need this information from them. Further information may be available on your supervisor’s website.
“Legal professionals in the UK must verify who their client is when providing certain services. If they are suspicious of the underlying transaction, they have a duty to report this to the National Crime Agency.
A legal professional may also need to establish the source of funds and source of wealth of a client.
Prior knowledge that a legal professional may have of their client may not always be relied upon for these purposes and verification of these details must be established.
Failing to comply with these requirements may have serious consequences, such as a fine or imprisonment, for the legal professional.”
When a practice acquires the business and customers of another practice, either as a whole, or as a portfolio, the acquiring practice should be aware of the AML risks inherent in the acquired portfolio and the strength of controls which were in place to mitigate these risks.
The acquiring practice’s due diligence enquiries should include some sample testing in order to confirm that the customer identification procedures previously followed by the
acquired practice have been carried out correctly. However, it is not necessary for the identity of all existing customers to be re-verified, provided that:
In the event that:
verification of identity will need to be undertaken as soon as reasonably possible for all transferred customers, in line with the acquiring practice’s risk-based approach.
You may wish to consider how much you can rely on any of the CDD done by the practice being acquired.
The practice must have clearly documented PCPs based on their practice-wide risk assessment which include:
There is a large range of regulatory and compliance-related technology (commonly referred to as 'RegTech') available to legal practices, to help them comply with their AML/TF duties.
These tools can be loosely split into three categories:
Some of these are free to use; however, many of these are services made commercially available by third parties - the market for these is both diverse and growing.
Please note that the Legal Sector Affinity Group does not endorse any one service provider, and these services may not be subject to statutory regulation.
While these tools can be helpful, they are not a guaranteed solution to AML/TF issues or risks nor a guarantee that by using them you are in compliance with the regulations. Responsibility will always ultimately sit with the legal practice and practitioner.
The relative merits of free/open source, commercial, in-house or external systems should be understood, along with the capabilities and limits of any system ultimately chosen. The decision should be based on the complexity and risk profile of the practice and consideration should be made to tailoring the system functionality according to the risk profile of the firm.
When choosing a solution, ongoing control and support should be considered along with system capability to integrate with existing systems and its ability to undertake different types of manual and automated screening.
Legal practices may wish to make use of technology, particularly electronic identification and verification (EID&V) tools in order to help fulfil their obligations under the regulations.
Use of EID&V tools may be helpful in that they:
In an increasingly digital age, it is clear that non-face-to-face customer onboarding can no longer be viewed as always high risk (although it remains a key risk factor to be assessed in the context of the wider relationship) – a more nuanced approach should therefore be adopted to these types of relationships.
The use of EID&V is increasingly viewed as being as robust as traditional verification methods (physical documentary evidence such as passports, driving licences, etc.). Electronic verification methods are becoming increasingly more secure and sophisticated and may in fact be lower risk than traditional means in some circumstances. They can be used both at client on-boarding stage and as a tool for ongoing monitoring and the reapplication of CDD.
The use of EID&V is not without risk – for example, with respect to cyber and data security, fraud or privacy. Benefits and risks should be understood by anyone using EID&V.
EID&V is also sensitive to human error, and mistakes of data input can lead to the incorrect individual being checked. Practices should consider the risks of this and how they mitigate: for example, dip sampling past files to check accuracy, ideally by another individual at the practice. Practices should also be alert to any surprising results that may indicate human error at the data input stage.
It is not acceptable to simply run a search on a prospective or current client and file it as having completed the identification and verification process, without consideration of the wider risks (see section 5). Practice units must bear in mind that identification and verification is one element of overall customer due diligence requirements necessary under the regulations.
To comply with R28, the regulations state that due diligence information may be regarded as obtained from an independent, reliable source when "it is obtained by using electronic identification means" via a process that "is secure from fraud and misuse". The source must also be able to provide assurance that the person claiming a particular identity is in fact the person with that identity, to a degree that is necessary for effectively managing and mitigating any risks of ML/TF.
It should be noted that other systems, which do not fully comply with the requirements above, may be used as part of a suite of systems and controls, which in combination satisfies the requirements of R28.
A practice should be able to adequately demonstrate to its supervisor that any electronic verification system or process used, properly establishes your customer’s identity, rather than just establishing that the identity exists.
This may be viewed in terms of three separate stages:
A practice may mitigate inherent risk by corroborating electronic verification with some other CDD material, including private information known only to the client. Increasingly, the use of other strong evidence, such as biometric identification may be an effective way of reducing these risks.
Some electronic verification providers can offer a higher degree of comfort than others – particularly where multiple sources of data are used, and sources use robust underlying data sources, where individuals are forced to prove identity in some way. Data from one source alone is unlikely to be a strong verification method.
Firms must remain alert to (and account for) the fact that some electronic verification sources rely solely on publicly recorded and unchecked information, submitted directly by the individual or sources controlled by the individual. Where there is other information or evidence to suggest that the information obtained is inaccurate or incorrect, this must be taken into consideration in deciding whether it meets the test in the regulations.
“Negative” information sources used by EID&V providers (such as deceased persons lists or information originating from established fraud databases) may also help a firm gain comfort in the verification of a client’s or beneficial owners’ identity by EID&V.
Firms should also ensure they are aware of, and comfortable with how often the information provided is refreshed.
Ultimately, the firm must decide whether the level of comfort derived from a particular system is adequate to mitigate the risks of ML/TF or fraud to which the business is exposed – as documented by the practice wide risk assessment.
Any practice must develop an in-depth understanding of any tools they choose to incorporate into their ML/TF risk mitigation processes. They should consider their advantages and limitations and factor these into the practice’s risk-based approach to CDD.
The firm should be able to demonstrate an adequate understanding of:
When considering whether to use a provider, a practice should:
Many digital ID providers will provide a tiered service, allowing practices to subscribe to varying levels of verification which should be utilised in proportion to the level of risk presented by any given client/matter.
Greater technical reliability should be employed for higher risk ML/TF situations, and conversely, lower risk ML/TF situations may permit use of systems with lower levels of assurance for the purposes of SDD.
When making this determination, you may also consider whether the provider:
FATF guidance recommends providers of EID&V seek assurance testing and certification by the government, an approved expert body, or another internationally reputable expert body. You should ask whether the digital provider has certification or assurances like this – and the reasons why if they do not – before subscribing to their services.
In this context, an ‘assurance level’ measures the level of confidence in the reliability of an EID&V system and its components.
Depending on the nature of the checks undertaken, when using EID&V, you may not be required to obtain consent from your client, but they should be informed that this check will take place.
Robust, ongoing training of staff is important, commensurate to their roles and responsibilities within the organisation.
Staff who are responsible for conducting searches using an electronic verification system must be adequately trained to ensure the validity and accuracy of client data input, and that all necessary data is submitted in the right fields.
Staff responsible for evaluating and making decisions on sanctions, PEPs or adverse media screening outputs must be adequately trained with regards to what those outputs mean, and what further actions may be required to ensure required verifications are obtained.
Specific training should be given to employees undertaking an active role in due diligence procedures or discounting/escalating potential screening matches.
Practices should ensure that they have access to or have a process for enabling relevant authorities such as law enforcement or supervisors to obtain, the underlying identity information and evidence or digital information needed for identification and verification of individuals.
Practices should ensure the system and use of personal data by the system is compliant with all relevant regulations – including payment of the data protection fee to the UK Information Commissioners Office (ICO) in compliance with the UK data protection legislation.
The firm should ensure the system and use of personal data by the system is compliant with all relevant regulations – including registration with the ICO in compliance with the UK data protection legislation.
Other positive certifications which may give comfort include registration with an independent, international standards organisation such as the International Organization for Standardization (ISO), International Electrotechnical Commission (IEC), Faster Identity Online (FIDO) Alliance, or the OpenID Foundation (OIDF) or with industry-specific organisations such as the International Telecommunications Union (ITU) or the Global System for Mobile Communications.
Access rights to the system must be rigorously controlled and may use standards such as two-factor authentication (2FA) as a means of ensuring security.
EID&V tools can be used to screen employees. They can verify their claim of identity, and also check their names against PEP, sanctions and adverse media lists held by the provider. Screening of relevant employees is a requirement in R21 (depending on the size and nature of the firm) of the regulations where practices are required to assess the "conduct and integrity" of an individual both before and during their employment. See section 9 for further information.
Open-source (free) and commercially available databases can also be useful for conducting due diligence on non-natural persons or legal entities. These can be helpful particularly when establishing background, business type, structure, and control and ownership of legal entities both domestically and overseas.
Issues to consider when using company registry checkers:
Responsibility and accountability for any screening measures deployed should be established at senior management level. These responsibilities should be documented.
Practices should take a risk-based approach to sanctions, PEPs and adverse media screening.
Decisions made in respect of the nature, depth and level of screening tools and systems deployed should include consideration of the size and nature of the practice unit.
Small firms, with limited exposure and lower risk profiles, may deploy open source, free or off-the-shelf sanctions, PEP and adverse media screening tools and solutions. Those practices with higher exposure or risk profiles should consider more complex, comprehensive or bespoke solutions.
Furthermore, screening may not be necessarily appropriate for all client types, products and services offered. Screening should therefore be considered in areas where it will be most useful and effective. As the sanctions regime is absolute, practices should ensure there are other appropriate measures in place to ensure they do not undertake unauthorised business with sanctions targets in areas of less risk. This may include open sourced searches.
Risk factors in determining what type of screening should be conducted may include:
Sanctions, PEP and adverse media screening cannot stand in isolation and governance frameworks should be applied in conjunction with other financial crime control processes.
Screening effectiveness is conditional on the reliability and accuracy of the data input. The reliability and accuracy of the data input is, in turn, conditional on the quality of due diligence undertaken.
Therefore, screening systems and controls should fit into a wider, holistic approach to financial crime risk mitigation, where interfaces and interdependencies between PCPs are considered.
One key example of this is how the accurate collection and verification of CDD is critical in effective screening.
These should be established and informed by the firm’s legal requirements and risk exposure and made readily accessible to all relevant staff.
Where a firm is multi-jurisdictional, consideration should be made to the application of a business-wide policy, therefore assisting the application of minimum group standards at a local country level.
Practices should further document what datasets must be screened (for example, clients, counter parties to a matter, beneficial owners, directors of corporate clients) and the frequency and timing of screening (at onboarding and as part of ongoing monitoring) – along with roles, responsibilities, escalation routes and sign-offs.
Where appropriate, procedures should cover operational data, technology and screening considerations such as the maintenance, age and management of data and lists used, the functionality and administration of systems, and management of alerts generated.
Policy/procedures should be reviewed periodically in order to ensure any changes across the business are reflected (such as new CDD/EID&V collection processes) new legislation is considered, and developing risks are mitigated.
The accuracy and completeness of data input into screening tools is crucial. Consideration should therefore be given to ensuring data is sent/received accurately from other systems and mechanisms for cleansing data where necessary before input, are robust.
Any data used must also be sorted correctly to ensure that relevant attributes are used in the process.
Pre-screening procedures should include measures to prevent the intentional tampering of data or manual circumvention entered into the screening tool.
When using a commercial screening provider, a practice must be aware of how the screening is being conducted, against which lists and what filters/rules are being used to generate or limit the number of alerts.
Any system or screening tool implemented should also have the capability to 'fuzzy match' – the ability to screen and identify names and other datasets with minor alterations such as reverse order, partial text and abbreviations. It should also be able to recognise non-Latin scripts, such as Chinese characters or commercial code data. Matching should be customizable to ensure minimisation of false positives.
Importantly, systems must produce relevant management information (MI) and performance reporting metrics along with all necessary information to allow decision-making and investigation at post screening stage.
Considerations must include the efficient prioritisation and management of potential matches and false positives, and the escalation and investigation of potential matches by suitably trained and skilled staff.
Procedures and controls for blocking client business or transactions must be developed should confirmed sanctions matches be found, along with procedures to escalate and report to relevant authorities.
Procedures for escalation of PEP matches for senior management approval should also be introduced.
Management information regarding investigation outcomes must be available to enable senior management decision-making, determine screening effectiveness and to satisfy regulatory requirements.
Regular review of screening processes should be undertaken where appropriate.
Screening frameworks such as policies, risk assessment, training and investigation/escalation processes should be tested, along with data integrity and the screening functionality itself.
For larger, more complex practice units, new technologies such as biometrics, machine learning or the use of artificial intelligence may be considered as part of an overall AML control environment. In addition to overarching considerations described in the preceding guidance, consideration should be given to the below factors.
The use of biometric indicators such as facial recognition software as part of an overall identity verification process is now widely used across various industries, and may be considered proven technology, helpful in meeting a practice’s AML obligations, especially in non-face-to-face situations, remote client take-on situations.
Where used, consideration must always be given to the use and storage of such data, where collected, stored and retained.
The use of machine learning and artificial intelligence may be helpful in some high-volume businesses, particularly in regard to reducing numbers of false positive screening PEP/sanctions/AM matches or discounting potential matches which have arisen.
Where a practice considers the use of technology as useful and viable in the context of their business, careful consideration must be given to the timeliness, quality and accuracy of data used within the system, in order to ensure the validity of output – along with the filters/settings used by the system deployed to identify potential matches.
Machine learning by its very nature learns from historic data and outcomes, and therefore may have limited use in predicting future outcomes. This is particularly important to consider where the outputs of automated systems may create a risk of discrimination against prospective clients based on protected characteristics or any other access to justice issues.
You may consider it appropriate to undertake an equality impact assessment in order to examine any such issues in depth.
The practice must have clearly documented PCPs based on their practice-wide risk assessment which include:
Your staff members and others that provide services to your customers are your most effective defence against your firm becoming inadvertently involved in money laundering or terrorist financing.
Providing them with adequate training, in order to equip them with appropriate AML awareness, skills and knowledge is a key part of your AML controls, and an important way to mitigate the risks your practice faces.
R24(1)(a) requires that you take appropriate measures to ensure partners, relevant employees and any agents you use for the purposes of your regulated business:
In deciding what measures are appropriate, you should consider the size and nature of the business and the areas of risk identified in, and outcomes of your PWRA.
You should also consider questions relevant to any other form of training including:
A practice should set the answers to these questions out in a written training policy, which should be reviewed and updated as needed.
Sole practitioners must ensure that they are trained in appropriate areas in order to adequately protect their practice from money laundering risks and should record all relevant training undertaken.
The regulations require that all relevant employees and agents you use are trained. A relevant employee or agent for the purpose of training is someone whose work is:
You may decide to treat all employees as relevant employees which will bring the added benefit of allowing more fluid internal transfers of staff across roles and work area.
Support staff (such as those who deal with clients, handle client money or otherwise assist with compliance) have an important role in identifying AML red flags. Again, training should be appropriate for each post holder and business area, and relevant to the risks they are likely to come across.
You may decide that, for example, those members of staff who undertake cleaning, maintenance of offices or catering do not require training.
Staff or agents who undertake work relating to documents and electronic information, such as information technology and records staff, should be made aware of the law relating to data protection, as it relates to money laundering, as required under R24(1)(a).
While there is no explicit requirement in the regulations for MLROs or MLCOs to receive training beyond that which should be widespread in a practice (as per R24), a practice should consider whether it is appropriate for MLROs/MLCOs to complete extra training or relevant professional AML-related qualifications in order to competently carry out their duties.
Particularly with regards MLROs, particular attention should be paid to the technical requirements of making disclosures to the NCA including any and all guidance they issue on submissions.
The MLCO and MLRO should both monitor publicly available information on best practice such as thematic reviews by their supervisors and reports relating to enforcement actions.
The regulations include agents as being subject to the requirements on training, but the term 'agent' is undefined.
Our interpretation is that the intent of this is to ensure that a lack of a straightforward or traditional employer-employee relationship does not automatically mean the individual is exempt from the training requirements.
If an individual works in the manner of an employee, albeit under a different relationship (such as independent contractor) then you should treat them as an employee for training purposes.
In law, an agent is a person who is authorised to act for you as principal through employment, by contract or apparent authority. The agent can bind the principal by contract or create liability if he/she causes loss or injury while acting within the scope of the agency.
Therefore, your agents may include consultants, other law firms you instruct and temporary contract lawyers working in your firm.
However, if the agent is also a relevant person within the meaning of the regulations then, taking a proportionate and risk-based approach, it may be sufficient to check with them that they have undertaken the relevant training themselves and retain a record of this check. You should also include a term to this effect in your agreement with the agent.
There is a distinction between an agent and someone with whom you merely have a contract for services, such as a stationery supplier or external caterer.
The level of control you exercise over the person is important; if they have less discretion in how to undertake their role, they are more likely to be an agent.
If an individual works in the manner of an employee in your firm, albeit under a different relationship (such as under temporary contract) then you should treat them as an employee for training purposes. See further guidance below:
A service provider:
Ultimately it is for a practice to ensure that anyone that may fall into the bracket of employee or agent, has the required training.
Your AML/CTF training programme should enable employees and agents to identify and detect when risk indicators are present and relevant changes in client activity by reference to risk-based criteria.
The training should include:
It is important to tailor training to the specific roles and responsibilities of relevant staff and the AML risks of your practice – as identified in your PWRA.
It is best practice for all relevant employees to receive some level of AML training.
Training should be targeted so that relevant employees and agents understand the risks posed by the services they provide and the types of clients they deal with. This is particularly important for those dealing with higher risk clients or undertaking higher risk work.
In addition, you may consider providing relevant employees and agents involved in the client identification and verification process with training and equipment to help identify forged documents or refer them to the guidance provided by the UK Home Office.
Other examples may include training in red flags and risk indicators for those involved in the risk assessment process.
Training may include:
The MLRO/MLCO of your practice is responsible for the content, roll-out and completion of AML training across the practice and ensuring that relevant employees and agents complete it.
You should consider how to assess training outcomes, so that the MLRO/MLCO/senior management can be reasonably confident of the adequacy of that training, and that key messages in relation to regulatory requirements and the policies, controls and procedures of the practice have been delivered effectively.
New relevant employees and agents should be trained as soon as possible after they join, ideally as part of their induction process and before undertaking any regulated work.
All employees and agents should receive training at regular and appropriate internals both to update on new developments and to refresh existing knowledge.
You should take a risk-based approach to determining how often specific, role-based AML training should take place, although some form of high level basic AML awareness/refresher training should be taken annually across all relevant employees. The form this takes will vary, including such examples as listed under 8.4.
The frequency and depth of AML training over and above this should be based on:
Frequency and depth of specific AML training should be guided by the level and types of risks as documented in the PWRA.
In addition, practices should be aware of internal staff transfers. Where staff roles or responsibilities change, their training needs may change. This should be considered and addressed by the practice as soon as possible after a member of staff has moved internally.
You must keep a comprehensive written record of all training undertaken at the practice including:
This information must be made available to your supervisor, upon request.
Where appropriate to the size and nature of the practice:
R21(1) sets out three internal controls which practices are required to adopt where it is appropriate “with regard to the size and nature of its business”.
These controls are designed to help businesses that may be larger or more complex than others, by ensuring that there are ways to ensure risks introduced by a practice’s size and/or complexity can be recognised and mitigated.
It also will apply to practices engaged in higher risk services as assessed in their PWRA.
Not all practices are expected to adopt these measures, though if you consider that you do not need to adopt these, you should record your reasoning as to why.
You may have to justify to your supervisor how and why you do not meet this requirement, considering how your firm will not benefit from the extra protections that these measures might provide.
You do not need to implement these internal controls if you do not employ or act in association with any other person (R21(6)): for example, if you are a sole practitioner who does not employ any staff nor use any agents.
Factors you may consider when determining whether it is appropriate to apply the controls include:
Please see section 4 for guidance relating to the appointment of a money laundering compliance officer.
The purpose of an independent audit function is to examine, evaluate and make recommendations regarding the adequacy and effectiveness of the practice’s AML/TF policies, controls, and procedures (PCPs).
Independent audit should not be confused with requirements under R19(3)(e) – the ongoing monitoring and management of compliance with PCPs.
The person/s conducting the audit may not necessarily be external to the practice but must be independent of the function being reviewed.
Where a practice seeks the services of an external auditor/consultant, they should be satisfied regarding the specific AML/financial crime knowledge, skillset and experience of that person/organisation, to ensure the adequacy and effectiveness of the audit undertaken.
Sampling of client/matter files should be undertaken on a risk-based approach, in accordance with the risks identified, and the outcomes of, the PWRA.
Sample sizes must be sufficient to demonstrate effective assurance of the practice’s PCPs, across all locations, client/matter types.
You should take a risk-based approach to determining the frequency of an independent audit. It may be appropriate to undertake audits at regular intervals, for example, annually.
You should consider whether an audit is required based on the time elapsed and the changes to the practice’s risk profile, structure and services provided since the last audit.
This is particularly relevant should a practice take-over or merge with another business.
For those areas/clients or matters which pose the highest risks (as per your risk assessments) you should consider undertaking a targeted audit of these areas, on a more frequent basis than the wider practice.
Practices should keep a record of all audits and make this available to their supervisors as requested – this should include:
The above is not an exhaustive or definitive list and a practice should consider what screening checks are appropriate for them.
Checks must be in relation and relevant to the individual’s ability to carry out their functions effectively and in compliance with firm’s obligations under the regulations.
All checks that may be done on appointment may be appropriate to recheck during employment on a risk-sensitive basis.
Practices should be aware that relevant employees will include the MLRO/nominated officer and specialist compliance staff – but may also extend to other partners/staff responsible for risk assessments, client due diligence or other AML-related controls.
Screening must be carried out both before the appointment is made and during the course of the appointment.
The screening and the amount of verification of information provided should be proportionate to the individual’s role in the business, and the level of independent authority and decision-making involved in the role.
A 'relevant employee' in the context of screening is someone whose work is relevant to your practice's compliance with the regulations or who is otherwise capable of contributing to:
An inclusive approach should be adopted to screening, as it will provide assurance that staff of a practice can adequately perform their duties and thus help a practice protect itself. This should also provide the benefit of allowing a practice to more fluidly transfer staff internally.
As in other matters, practices should ensure that any information collected for the purposes of screening, are held securely and in line with data protection legislation.
All practices (including sole practitioners) must be able to demonstrate to their supervisor that they have adopted a risk-based approach to the management of AML/TF risk within their businesses.
In practice, this means retaining documents and records to demonstrate this.
Retaining accurate and comprehensive records is also important for facilitating cooperation with law enforcement and potentially defending yourself against criminal prosecution.
While many aspects of the regulations are about protecting your practice from being used for money laundering, the primary intent of this section is to help you to protect your practice against action from your supervisors or law enforcement.
If in doubt, write it down.
In trying to apply a risk-based approach, it may occasionally be unclear as to what the correct course of action is. In such cases, you should always record the issues you considered in arriving at a decision.
This section outlines these documents and sets out the specific conditions for their retention.
Beyond the specific documents mentioned, you should retain records of anything that can help you demonstrate compliance with the regulations to your supervisor. This may include recording any comments or considerations which have been made while considering and completing these documents.
These requirements should be integrated with the general data protection procedures of your practice and not run contrary to them. This includes any data-sharing agreement you may have with other practices.
This section also considers data protection legislation, but for more detailed information on data protections see this guidance on the requirements of GDPR.
Practices must have clearly documented policies, controls and procedures (PCPs) which include procedures relating to record keeping and related data protection requirements.
| Risk assessments |
| Customer due diligence and enhanced due diligence |
| Policies, controls and procedures |
| Training |
| Internal controls |
| Record keeping |
| Reliance |
| Data protection |
Areas of focus for record keeping in PCPs
Regulation 19 (PCPs) requires you to maintain, in writing, PCPs to mitigate ML/TF risks.
You must regularly review these PCPs and maintain a record in writing of:
These PCPs must address reliance and record keeping.
If the practice already has a data protection/retention policy, you must ensure that it complies with these requirements.
Regulation 40(2) requires you to keep the following in relation to CDD:
The records that you must keep include those relating to:
Depending on the size and sophistication of your practice's record storage procedures, you may wish to:
R28(16) requires you to be able to demonstrate to your supervisory authority that the extent of the measures that you have taken to satisfy requirements under this regulation are appropriate in view of the risks of money laundering and terrorist financing.
Keeping appropriate records of your decisions, at the time that CDD was conducted, will help you to demonstrate that you have applied a risk-based approach in a reasonable and proportionate manner.
Consistency of record keeping is particularly important in areas that produce higher volumes of information, such as client and matter risk assessments and CDD/EDD.
Consistency in these areas ensures that your practice can find and readily interpret information when required.
You should also consider the requirements of other applicable regulators, particularly in relation to cross border transactions and working in areas which may be subject to oversight by overseas regulators.
You must retain the records for five years beginning on the date on which you know, or have reasonable grounds to believe:
You are not required to retain the records relating to a transaction which occurred as part of a business relationship for more than 10 years.
On expiry of this period you must delete any personal data, unless:
Many practices will wish to retain the complete file of papers, including CDD records, for a period exceeding the five years specified in R40(3).
For example, your practice’s retention policy may specify longer retention times to take account of the expiry of limitation periods for potential negligence actions against the practice.
If there is any variation on the period prescribed in R40(3), the client’s consent must be obtained.
This consent clause may be contained in your engagement letter or terms of business and should be signed or otherwise acknowledged by the client.
R20(1)(b) requires you to maintain PCPs for data protection on sharing of information within a group about customers, customer accounts and transactions.
The use of CDD information held by other parts of the same organisation is permissible.
Where one part/branch/subsidiary of the same UK organisation seeks to use CDD held by another part, this should be clearly documented and recorded on file, and the underlying information must be readily and easily accessible by the part of the organisation seeking to rely on it.
Where one part of the organisation ceases to have a relationship with a client, CDD information should be kept and transferred to any other part of the business which continues that relationship.
Where CDD information is held by the practice in other jurisdictions, and the UK branch/practice seeks to use this information, care should be taken by the UK branch/practice that information held meets the necessary requirements under the Regulations.
No foreign data protection limitations should hinder access to this information by the UK practice, or by UK law enforcement agencies upon valid request.
Should such limitations be in place, the UK branch/practice cannot use this information and should themselves conduct appropriate CDD.
Where the practice undertakes multiple transactions for a specific client, you do not need to keep duplicate CDD records in each file. You can hold information in a central file.
This approach may help to ensure:
R40(6) says that where another relevant person relies on you under R39 for the completion of CDD measures, you must keep the relevant documents as specified in R40(3) and (4) and immediately make available information and documents set out in R40(7) to (9).
Reliance is covered further in section 6.
R18(4) requires you to keep an up-to-date record in writing of all the steps you have taken to identify and assess the risks of money laundering and terrorist financing which your practice is subject to.
This is the case for your practice wide risk assessment and any client or matter risk assessments you undertake unless your supervisory authority notifies you in writing that such a record is not required.
Under R28(12) the way in which you comply with CDD requirements must reflect your assessment of the level of risk arising in a particular case and your practice-wide risk assessment under R18.
Therefore, under R28(16) you must be able to provide the risk assessment, the information on which that risk assessment was based and your records to your supervisory authority on request.
You should also retain dated records of firm wide risk assessments and policies, procedures and controls, both to be able to understand the development of your compliance approach and to be able to evidence this to your supervisor.
R19, R21 and R24 require you to maintain, in addition to a record keeping policy, a record in writing of PCPs relating to:
You should keep comprehensive records of suspicions and disclosures because disclosure of a suspicious activity is a defence to criminal proceedings.
Such records may include notes of:
You should ensure these are held securely and you should avoid retaining them on the client and/or matter file in such a way that they are freely accessible.
If the practice undertakes internal re-organisation, or is involved in acquisition, mergers or divestments, it is important that all records remain easily retrievable and accessible, both during and after such structural changes.
There is a balance to be struck between ensuring your practice handles data responsibly while meeting the requirements in the regulations and ensuring those that need access to information, can have it.
You should ensure that records are held securely to avoid being inappropriately disclosed to a client or anyone else, and to avoid possible offences of tipping off or prejudicing an investigation. This may be achieved by maintaining controlled access to information to those that need it to meet their responsibilities.
For example, if files are held electronically, you may use appropriate passwords and limited access rights in order to limit who has access to information.
Under R41(1), any personal data that you obtain for the purposes of the regulations may only be processed for the purposes of preventing money laundering or terrorist financing.
The Data Protection Act 2018 applies to you. It allows clients or others to make subject access requests for data held by you. Such requests could cover any disclosures made.
Each subject access request must be considered on its own merits in determining whether, in a particular case, the disclosure of a suspicion report is likely to prejudice an investigation and, consequently, constitute a tipping-off offence.
Schedule 2, part 1, sub-section 2 of the Data Protection Act 2018 states that you do not need to provide personal data where disclosure would be likely to prejudice the prevention or detection of crime, or the apprehension or prosecution of offenders.
This ‘crime and taxation’ exception would apply where granting access would amount to tipping off. This may extend to suspicions that have only been reported internally within the practice.
Prior to the Data Protection Act 2018, this crime and taxation exception was contained within section 29 of the Data Protection Act 1998.
The Information Commissioner issued guidance on section 29 exceptions but, at the time of publishing this guidance, has not updated the guidance since the Data Protection Act 2018 became law.
There is a statement on the ICO website stating that the Information Commissioner considers this guidance, as well as others, to still be useful.
If you decide that the crime and taxation exception applies, you should document the steps you took to make this assessment in order to respond to any enquiries by the Information Commissioner.
In determining whether the exception applies, it is legitimate to take account of the fact that although the disclosure does not provide clear evidence of criminal conduct, when viewed in isolation, it might ultimately form part of a larger jigsaw of evidence in relation to a particular crime.
Under R41(3) you cannot use personal information which you obtain for the purposes of complying with the regulations for any other purpose unless you are authorised to do so under another piece of legislation, or you have the person's consent.
Any consent given needs to be easily rescindable by the person and you should highlight this to the person in question including explaining how they would contact you to withdraw consent.
In addition, you are required to provide new clients with the information specified in section 44 of the Data Protection Act 2018 and a statement that any personal data received from the client will only be processed for the purposes of preventing money laundering or terrorist financing and any other purposes to which they have consented.
You should consider whether your practice should seek specialist advice in order to comply with your data protection responsibilities.
The suspicious activity reporting (SAR) regime for money laundering and terrorist financing is administered by the United Kingdom Financial Intelligence Unit (UKFIU) which sits within the National Crime Agency (NCA).
The NCA is a law enforcement body which networks with other law enforcement agencies and is responsible for dealing with serious and organised crime within the UK.
The UKFIU receives, processes and, where necessary, triages SARs within law enforcement.
The intelligence that law enforcement receives from SARs is vital to tackling crime and to gaining an insight into current and emerging threats to the UK.
Legal practices have a key role in providing quality intelligence where they come across suspicious activity.
The SARs regime should not be used defensively, for example to get permission to continue with a transaction where you have been unable to complete CDD but should instead be used to provide quality information that can prevent and disrupt criminal activities.
All persons within the regulated sector have obligations under POCA and the Terrorism Act 2000 (TACT), to make disclosures of suspicions of money laundering, terrorist financing and terrorist property offences. Money laundering reporting officers (MLROs), have specific additional obligations.
Any individual working within the regulated sector must make an internal disclosure to their MLRO if they know or suspect or have reason to know or suspect money laundering or terrorist financing is taking place.
In addition, any person outside the regulated sector may make a SAR about suspected money laundering or terrorist financing.
Everyone should consider whether the client or the practice is at risk of having committed any of the principal offences under sections 327 to 329 of POCA and sections 15 to 18 of TACT.
The duty to report suspicions via a SAR to the NCA are important, but practices should always be vigilant against committing all relevant POCA offences.
A SAR is the name given to a disclosure to the NCA under either POCA or the Terrorism Act.
Practices in the regulated sector must appoint a MLRO. If you are a sole practitioner, you are the MLRO by default.
Upon appointing an MLRO, you must inform your supervisory authority within 14 days.
See section 4 for guidance as to the selection and responsibilities of the MLRO.
You should have a process for staff to make the MLRO aware if they have knowledge or a suspicion of money laundering. You may find it helpful to have a standard internal disclosure form for employees to use to notify the MLRO if they come across suspicious activity.
As the MLRO, you should consider the information provided, ask further questions if necessary and consider whether you have a knowledge or suspicion of money laundering or terrorist financing that would, subject to privilege, require a SAR to be submitted.
You must submit a SAR:
You must submit the SAR as soon as is practical after you have formed this knowledge or suspicion.
You should also consider whether there may be a case of attempted fraud. Subject to privilege and confidentiality, if you find a clear case of fraud you should alert Action Fraud
Further guidance on the what constitutes suspicion and more detail on the relevant offences is set out in sections 16 and 17.
If the SAR is in relation to an internal breach you may also have a requirement to report to your supervisor where you may have breached your regulatory requirements.
You should check with your supervisor whether you have an obligation to notify them where you have formed a knowledge or suspicion of money laundering or terrorist financing involving your practice or another regulated practice.
If the MLRO decides not to submit a SAR after receiving an internal disclosure, for example because the information does not meet the threshold for suspicion, your MLRO should make sure that they have documented the reasons for their decision and keep records of this along with the original internal disclosure.
This will help you demonstrate compliance with your obligations or could help you to submit a SAR further down the line if you do develop a suspicion.
You should use SARs online wherever possible. This securely encrypted system provided by the NCA allows you to:
SARs can still be submitted in hard copy, although they should be typed and on the preferred form. You will not receive acknowledgement of any SARs sent this way.
Where you require consent/DAML, you should send by fax as opposed to by post.
The NCA encourages you to use the SARs online system wherever possible.
To speed up consideration of your SAR, it is important to use the correct NCA glossary codes for each reason for suspicion in your report.
The UKFIU periodically provides updated glossary codes and reporting routes and it is best to check the NCA website for the latest information. The latest glossary codes are available here.
Many of the glossary codes may not apply unless you have a suspicion criminal property relates to a specific predicate offence.
The UKFIU has agreed to establish an analytical code (a subset of glossary codes) for “technical” breaches that a legal practice may encounter in transactional work.
The code (0589-LS) may be used if the kind of criminal property identified relates to minor, technical regulatory offences that are unlikely to be pursued by law enforcement (for example the breach of a tree preservation order).
A good quality SAR can help prioritise urgent cases and investigations and provide intelligence to feed into typologies and identify trends.
Missing or inaccurate information reduces the overall effectiveness of the SAR. It can also have a negative impact on identifying the subjects correctly.
If your SAR is deficient, or does not contain the requisite information, the UKFIU may send you further correspondence, either closing the matter or seeking additional clarification.
You should include the information below in your SAR, where known. If you do not know crucial information, for example an individual’s name, you should state “unknown” and repeat that this is unknown in relevant sections throughout the SAR.
Subject identifiers, for example:
The NCA can provide a defence against money laundering (DAML) charges or terrorist financing, commonly known as “consent”.
It is important to remember that a granted consent from the NCA does not:
You only receive consent to continue working on a matter to the extent to which you asked for it. So, it is vital that you clearly outline all the remaining steps in the transaction that could be a prohibited act.
When specifying acts for which you are seeking consent, be careful to include anything that may amount to aiding and abetting the client.
If you are seeking consent, it is important to specify whether you are seeking it for yourself, for your client, or both. Your request should make clear who is seeking consent for each prohibited act.
In addition to the information outlined above, it is important to both tick the consent box and use the code for DAML SARs. This indicates to the NCA that the SAR requires immediate attention.
Use XXS99XX if you are seeking consent to deal with property valued more than £3,000 and XXGVTXX for sums less than £3,000.
You should include any other relevant glossary codes.
You also need to provide:
The prohibited act is the key difference between a SAR and a DAML SAR. For example, moving money from a client account back to a client where you suspect they may have gained it via unlawful means.
An example of a “reason for suspicion” may be:
Glossary Code: ““XX S99XX, XXPROPXX”
“I am submitting this SAR as the client is purchasing a property and I have concerns relating to the origin of the funds coming from overseas transactions. The reason for my money laundering suspicions are that…"
You should also consider adding other useful information such as previous SAR reference numbers if they relate to the client/matter.
A submission should also conclude with any intended next steps – for example, exiting relationship, monitoring events etc.
Once you submit a SAR, the NCA has seven working days, known as the “notice period” starting the day after the SAR is submitted to look at the SAR and ask for more information if necessary.
If consent is refused, you will enter a moratorium period of a further 31 calendar days.
If you need consent sooner, you should clearly state the reasons for the urgency in the initial report.
Within the notice and moratorium period you must not undertake a prohibited act. However, this will not prevent you taking other actions on the file, such as writing letters, conducting searches, etc.
You cannot seek status updates for a DAML unless there is a life-threatening situation or there is a potential for significant harm – as this may divert NCA resources away from other situations of this type and fast-tracking high priority SARs could be delayed.
The UKFIU has seven days to update you on your DAML and unnecessary requests for progress checks slows down the whole process for all SAR regime stakeholders.
If the NCA does not respond in the seven-day period, you may consider that you have what is known as “deemed consent” (section 335(2) of POCA.)
The NCA may also send you one of the following letters:
You must not say anything about an internal disclosure or SAR which could prejudice an investigation. If you do so, you could be guilty of an offence under POCA section 333A or TACT section 39.
When considering if you can discuss with your client that you have submitted a SAR about them you will need to fully consider the sections on tipping off and prejudicing investigations in sections 16 and 17.
A legal professional will not commit a tipping off offence under section 333A if the disclosure is to a client and it is made for the purpose of dissuading the client from engaging in conduct amounting to an offence (as per section 333D(2)).
It can be extremely challenging to explain delays to clients while waiting for a response from the NCA.
You must not complete the prohibited act while you are awaiting a response. This underlines the importance of making a SAR as soon as possible.
As highlighted above, you may still be able to take some actions provided those actions do not of themselves involve a prohibited act.
You should note that protection from civil liability exists in this situation, arising from POCA section 338(4a) which states “Where an authorised disclosure is made in good faith, no civil liability arises in respect of the disclosure on the part of the person by or on whose behalf it is made”.
You may discuss the SAR if doing so would not prejudice an investigation, although you should take caution in doing so.
POCA also sets out some additional situations where you may disclose the contents of the SAR. Please refer to the sections on tipping off in sections 16 and 17 of this guidance.
The Criminal Finances Act 2017 made important changes to the moratorium period under POCA.
Section 336A of the amended POCA enables the moratorium period to be extended by court order and section 336C provides for an automatic extension of the moratorium period in certain cases.
The moratorium period allows law enforcement agencies to gather evidence to determine whether further action, such as restraint of the funds, should take place.
The NCA may require further information to be able to undertake proper analysis and make an informed decision on whether to investigate.
The court (Crown Court in England, Wales and Northern Ireland and the Sheriff Court in Scotland) may only grant an extension of the moratorium period upon an application by a senior officer if it is satisfied that:
The application must be made by the senior officer before the end of the moratorium period. The court may extend the moratorium period by a further 31 days, meaning the total moratorium period at this stage may be up to a maximum of 62 days. The length of the extension should be based on the four requirements set out above.
The court may hear further applications to extend the moratorium period (for further 31-day periods) provided that the total number of extensions does not exceed a period of 186 days over and above the initial 31-day moratorium period. In total this means that the moratorium period can be a maximum of 217 days.
The court may exclude an interested person (or anybody representing that person) from any part of a hearing to extend the moratorium period.
The court may also order on application that specified information is withheld from an interested person (or anybody representing that person). The court must exclude any interested person from an application to withhold specified information.
An interested person is either the person who made the SAR or any other person who appears to the senior officer to have an interest in the relevant property.
The first category is straightforward but the second could in effect be the client of the practice or any other third party who may have an interest in the underlying property.
The court may withhold the specified information only if it is satisfied that there are reasonable grounds to believe that a SAR would lead to the following:
In practice this means that a person that has made a SAR may be excluded from participating in the hearing of the application to extend the moratorium period.
A possible difficulty here is whether they can sensibly either take instructions from their client (see risks of tipping off below) or take their own action to minimise the risks of a lengthy moratorium period with the risks of tipping off that may bring, given they may not have access to all of the information.
You should carefully assess the risks of continuing to take instructions in these circumstances and ensure that any decision is taken with the knowledge of relevant individuals in your practice (such as the MLRO and/or MLCO.)
Once you are on notice of an application to extend the moratorium period, you may inform your client of the existence of the application to extend the moratorium period without committing the tipping off offence.
However, you are permitted to disclose "only such information as is necessary for the purposes of notifying the customer or client that an application… has been made" and no more than that.
In effect the risks of tipping off are still present as you must not disclose the content of the SAR to the client, or even the reason for your suspicion.
You should be careful in dealing with clients and third parties to make sure that you do not tell them anything about a SAR which may prejudice an investigation.
If you are seeking to challenge an application to extend time, then you should also consider whether you may properly do so without taking instructions and generally whether it would be in the best interests of your client to do so.
If an application is made under section 336A and the initial 31-day moratorium period would end before that application is heard by the court, then the moratorium period is automatically extended to the date the court determines the application.
Also, if an appeal is made against a decision to extend the period and the moratorium period ends before that appeal is heard, then the moratorium period is automatically extended to the date when the appeal is heard.
However, the maximum period of any such automatic extension is a period of 31 days from the date when the period would otherwise end.
If an application is made under section 336A and is refused and if the period would otherwise end before the end of five days after that hearing, then the period will be extended for a further five days from the hearing date.
This is presumably a safeguard for the investigating authority to take any further action (such as a restraint order) before the period again expires.
For DAML enquiries, all contact with the UKFIU DAML Team is via email: DAML@nca.gov.uk.
For queries regarding SAR Online/general enquiries you can contact the UKFIU helpdesk by phone on 0207 238 8282 and select option 2 or 3, or by email at ukfiusars@nca.gov.uk.
The NCA is required to treat your SARs confidentially. Where information from a SAR is disclosed for the purposes of law enforcement, care is taken to ensure that the identity of the reporter and their practice is not disclosed to other persons.
If you have specific concerns regarding your safety if you make a SAR, you should raise this with the NCA either in the report or through the helpdesk.
If you have concerns about your immediate safety following the making of a SAR, you should contact your local police.
If you fear the confidentiality of a SAR you made has been breached, call the SARs confidentiality breach line on 0800 234 6657.
The Criminal Finances Act 2017 amended POCA to introduce sections 339ZB to G to provide a gateway for sharing information between persons and entities in the regulated sector on a voluntary basis and making joint disclosure reports (super SARs).
At present, these information sharing provisions have only been commenced for financial and credit institutions and not legal professionals.
The provisions seek to encourage the sharing of information across the private and public sectors to combat money laundering by providing protection for what would otherwise be a breach of confidentiality if certain conditions are fulfilled.
Where information is requested from one regulated person by another on a voluntary basis there are requirements imposed to notify the NCA.
After information has been shared, a joint disclosure report can be made to the NCA on behalf of the parties both disclosing and receiving the information, a so called ‘super SAR’.
Making either a required notification or a joint disclosure report will be treated as satisfying the requirements of sections 330 and 331 to make a disclosure in the regulated sector.
Note, however, that when you are advising on a proposed transaction, you may submit a SAR on behalf of your firm and your client, subject always to an analysis of the tipping off provisions.
Compliance with the regulations generally falls under a few headings, including assessing risk, undertaking due diligence, training staff, etc. There are a handful of further duties that may arise due to a practice being in scope of the regulations.
These are discussed here and mainly concern complying with the requirement to register certain entities and other duties that arise from the existence of such registers (for example, reporting discrepancies.)
You must comply with Part 5 of the regulations if:
Under R42(2)(a) a UK body corporate is defined as "a body corporate which is incorporated or formed under the laws of the UK or a part of the UK". This includes but is not limited to:
Under R43(1), if your practice is a body corporate and it enters into a relevant transaction or forms a business relationship with another person to whom the regulations apply then you must provide that person with the following information on request:
The obligation to provide this information also applies to your clients who are UK body corporates when they enter relevant transactions or form a business relationship with your practice, which may assist you in your conduct of CDD.
If the identity of individuals or the above information changes during the course of the business relationship, then you must notify the other person within 14 days of the date on which you or the relevant body corporate became aware of the change.
The regulations impose obligations on trustees of "relevant trusts" to maintain accurate and up-to-date written records relating to the trust's beneficial owners and potential beneficiaries and provide certain information about those beneficial owners and potential beneficiaries to relevant persons and law enforcement authorities on request.
The trustees must also provide this information to HMRC through the Trust Registration Service (TRS) each tax year in which the trustees incur a liability to UK tax in relation to trust income or assets.
The information on the Trust Register will be available to law enforcement agencies in the UK and EEA member states.
A relevant trust is:
An EEA-registered trust is a trust whose beneficial ownership information is required, by article 31.3a of the 4th Money Laundering Directive, to be held in a central register set up by an EEA state other than the UK.
A taxable relevant trust arises when the trustees of a relevant trust have incurred a liability to UK tax in relation to trust income or assets in a given tax year.
Where you act (including occasionally) as a trustee of a taxable relevant trust, you will need to maintain written records and provide the information specified in the regulations to HMRC annually and to relevant persons with whom you enter into relevant transactions or business relationships and law enforcement authorities on request, the information specified in the regulations.
A trustee or settlor is resident in the UK if it is a UK body corporate or, if the trustee is an individual, he or she is resident in the UK for the purposes of one or more of the below-mentioned UK taxes.
All taxable relevant trusts must be registered.
A taxable relevant trust is a UK express trust or a non-UK express trust which has UK source income or UK assets which the trustees are liable, even if only occasionally, to one or more of the following UK taxes in relation to trust income or assets: income tax, capital gains tax, inheritance tax, stamp duty land tax, land and buildings transaction tax or stamp duty reserve tax.
Bare trusts (a trust in which the beneficiary has an absolute right to the capital and assets within the trust and income thereby generated) and implied trusts (a trust which arises by operation of law, so a resulting trust or a constructive trust) are not relevant trusts and are therefore not subject to Part 5 of the regulations.
The trustees of a relevant trust are obliged to maintain accurate and up-to-date written records of all the trust’s beneficial owners, who will include its:
The concept of individuals who have ‘control’ over the trust is defined in R6(2) and encompasses individuals who have a power (exercisable alone or jointly) under the trust instrument or by law to:
Where the beneficial owner or potential beneficiary is an individual (but note, not where they are a class), the trustees must note and record:
If the individual does not have a national insurance number or unique taxpayer reference, you should record the individual’s usual residential address. If that address is not in the UK, the individual’s passport number or identification card number should be recorded, with the country of issue and the expiry date of the passport or identification card. If the individual does not have a passport or identification card, the number, country of issue and expiry date of any equivalent form of identification.
Where the beneficial owner is a corporate body, the trustees must note and record:
The trustees must also note and record the following information in relation to the trust:
The details of trust assets have to be based on market value at the date on which the asset(s) was placed in the trust by the settlor, when the settlement was first created. To keep administrative burdens on trustees to a minimum, HMRC is not expecting any formal valuation but it would expect trustees to provide an accurate estimate of the market value of the assets. If trustees are registering a trust where the value of assets were notified to HMRC previously through either a 41G form or SA900 tax returns then trustees should complete the “Other asset” field using the term – “Already notified”, leaving all other asset fields marked as “£1”. The details of trust assets have to be provided only once, at the first point of registration.
The information for taxable relevant trusts must be provided—
Information provided in relation to beneficial owners should be current at the date the register is updated and not as at the tax year which triggered the registration. There are certain obligations on trustees in the regulations to provide third parties with the records and update third parties of a change to the records, which they hold on beneficial owners and potential beneficial owners, within 14 days.
Where a trustee of a relevant trust is acting as a trustee and enters into a transaction or forms a business relationship with a relevant person, they must inform that relevant person they are acting as trustee. They must also provide that relevant person with information identifying the beneficial owners of the trust and any other person named in a letter of wishes on request.
R44(3) imposes an obligation on the trustees to notify the relevant person of any change in the identity of the beneficial owners and potential beneficiaries (including persons named in letters of wishes, which may be revised informally and frequently) within 14 days of the date on which any one of the trustees became aware of the relevant change.
Aside from the obligation to provide HMRC with information on 31 January following the end of each tax year, the trustees of a relevant trust are also obliged by R44(5) to provide information about the beneficial owners and potential beneficiaries of the trust which they have recorded, directly and ‘on request’ to any law enforcement authority in compliance with the deadline set by the law enforcement authority (listed in R44(10). The trustees of a relevant trust may be approached by law enforcement at any point.
Where the trustees are professional trustees (being paid to act as trustees), which is likely to be the case if you or your practice is acting as a trustee, they must retain the records referred to above for a period of five years after the date on which the final distribution is made under the trust.
They must then delete them unless each named beneficial owner and potential beneficiary in the records consents to longer retention or where longer retention is required by law or for the purposes of court proceedings.
Please note that this may result in your practice having one retention period for its CDD records, including where it acts in relation to a trust for trustees, and a different retention period for records which it is required to hold when it acts as a trustee.
The trustees of a taxable relevant trust need to provide all the information which they must record on the trust and its beneficial owners and potential beneficiaries as set out above to HMRC.
Trustees should note that the register-reporting obligation only arises if the trustees incurred a liability to pay any of the specified UK taxes in relation to trust income or assets in the preceding tax year. So, a trustee of a non-UK trust which only generates a UK tax liability in the form of a 10-yearly inheritance tax charge need only report to HMRC on or before 31 January which falls after the tax year in which the inheritance tax charge falls due (in each case).
Trustees that submit the trust tax return will be asked to confirm in Q20 of the return whether they have registered or updated the details of their trust on the TRS.
The TRS is an online register and allows trustees to submit information about their taxable relevant trust online. For further information on how to register a trust on the TRS, trustees should visit the GOV.UK website.
Trustees will also be obliged to make a ‘no change’ declaration to HMRC annually on or before the 31 January which falls after any tax year in which the trustees are liable to pay any of the above mentioned UK taxes if there has been no change to the information provided to HMRC.
HMRC is obliged to share the trust data with any UK law enforcement authority. The following organisations are listed as UK law enforcement authorities in the regulations:
If you or your practice acts as (as opposed to for) a trustee of a taxable relevant trust, pursuant to R44 you will need to maintain accurate and up-to-date records of all beneficial owners and potential beneficiaries of the trust. If your practice is also acting for the trustee(s) and has applied CDD, this may require you to collect extra information.
If you form a business relationship in your role as trustee with a relevant person, which could be an advisory relationship with your practice (if it is subject to the regulations), you must inform the relevant person that you are acting as a trustee and, on request, provide the relevant person with information identifying the trust’s beneficial owners and potential beneficiaries.
That obligation lies on (external) trustees of relevant trusts who enter into transactions in relation to which you or your practice are required to apply CDD or who form a business relationship with you or your practice (if you are subject to the regulations). This should assist you in your compliance with your CDD obligations and is another reason why it makes sense to extend your CDD in relation to a relevant trust's beneficial owners to cover potential beneficiaries.
Otherwise, from a reputational risk and advisory perspective, as law enforcement authorities may gain access to information not only about the trust’s beneficial owners as defined in R6(1) but also the names of those individuals who are referred to in any document from the settlor, such as a letter of wishes relating to the trust, it is prudent to note such wider information in your CDD records where you act for any client in relation to a relevant trust, and, indeed where you act in relation to any trust.
Trusts that do not meet the definition of a taxable relevant trust also have obligations:
Any beneficial owner or named potential beneficiary must provide the following:
The above information must be provided—
unless the beneficiaries have not yet been determined (for example, because the beneficiary is a class) in which case the information does not need to be provided until the beneficiaries have been determined.
If the beneficial owner is a legal entity, they must provide the following information:
If Type A and Type B have a controlling interest in a third country entity, they must provide:
and if they subsequently acquire an interest in a third country entity, they have 30 days to provide this information. If any of the information provided changes, there is a 30-day window to update the register.
Before establishing a business relationship with a:
a practice must collect an excerpt of the register which contains full details of any information specified in paragraph 1A.
That is, information relating to beneficial owners of the customer or where a registered overseas entity – information relating to registrable beneficial owners specified under Schedule 1 to the Economic Crime (Transparency and Enforcement) Act 2022) which is held on the register at that time, or must establish from its inspection of the register that there is no such information held on the register at that time.
You will not be able to view the full register, but may request an excerpt when dealing with a registered trust.
The proof of registration must include information relating to their beneficial owners, and where the customer is an overseas entity registering ownership of UK property, the beneficial owners they are required to register under the Economic Crime (Transparency and Enforcement) Act 2022.
This information must be updated whenever you are undertaking ongoing monitoring or refreshing due diligence on your client.
If the firm finds a material discrepancy between information relating to the beneficial ownership of the entity which it collects as above, and information which becomes available to it whilst carrying out its duties under the ML Regulations (during its onboarding process), the discrepancy must be reported to Companies House (R30A(3)).
Practices that encounter such discrepancies while fulfilling their AML duties must report them, but it is not a requirement for practices to actively seek out such discrepancies.
This responsibility to report does not apply where the information is subject to legal professional privilege.
Discrepancies must be reported when establishing a new business relationship, but also at any other point at which the practice becomes aware of a discrepancy while carrying out its duties under the regulations: for example, in the course of ongoing monitoring.
Discrepancies should be reported to Companies House (via the online reporting tool available on the Companies House website) or in the case of trusts to HMRC as soon as possible.
It is not tipping off to discuss the discrepancy with your client or advise how to rectify it. We would interpret “as soon as possible” as giving the practice time to report the discrepancy to the client, with the understanding that the client could quickly amend the discrepancy, thus negating the need to notify the registrar.
Any hesitation or resistance by the client in this regard would hasten the need to report the discrepancy.
Furthermore, from 1 April 2023, only discrepancies which are "material" are reportable, so not typos or minor spelling mistakes.
Schedule 3AZA states that a material discrepancy is one which satisfies the condition in paragraph 2, including one which is in a form listed in paragraph 3.
The condition in paragraph 2 is that the discrepancy "by its nature and having regard to all the circumstances, may reasonably be considered:
"Details of the business of the customer", may include identifying information related to the entity (entity name), or individuals within the entity (date of birth or name of an officer of the entity).
The following specific examples have been set out as meeting the above test:
Where you conclude that a discrepancy does not require a report to be made you should document that as part of your CDD record and/or client/matter risk assessment.
If you are using reliance on another entity to undertake CDD on your behalf, you can also use this reliance arrangement for them to report discrepancies on your behalf. Also, as with CDD, you can outsource this function to a service provider though you will remain responsible for your firm’s compliance.
This chapter is relevant to any lawyer 1 considering whether to make a disclosure to the NCA under POCA.
The first principles of legal professional privilege (LPP) recognise the importance of the right of an individual to claim and maintain the confidentiality of their communications with a lawyer for the purpose of obtaining legal advice and representation.
As such, LPP is “a fundamental human right long established in the common law” 2 . Its centrality to the professional relationship between lawyer and client is recognised throughout the world 3 .
However, aspects of the application of the law in this area can be complex and the consequence of the lawyer making the wrong decision as to its application can be personally, and professionally, significant.
Lawyers should be careful to determine the basis on which their client may make a claim to LPP based on the relevant qualification of the lawyer concerned and, also, the context of the exchange.
Although LPP is usually understood as a common law protection afforded to clients of barristers, solicitors, the fellows of the Chartered Institute of Legal Executives (CILEX) 4 , and foreign lawyers 5 LPP may also be conferred by statute 6 (sometimes only for limited purposes), as in the case of licensed conveyancers 7 , patent 8 and registered trade mark attorneys 9 .
The extent to which LPP attaches to a notary’s records has not been the subject of a legal decision in England and Wales and is an evolving area of law. Notaries should therefore consider seeking specific legal advice based on the particular circumstances of a given situation if it appears LPP may apply 10 . In addition, there may also be circumstances in which a client may claim litigation privilege (see discussion below) which does not require a party to the communication to be a lawyer or other legal professional 11 .
Sections 327 to 329, 330 and 332 of POCA contain provisions for disclosure of information to be made to the NCA.
Further, a recent amendment, sections 339ZB to G, allows for the voluntary sharing of confidential information to both the NCA, and to other persons carrying on business in the regulated sector when the disclosure may assist in determining any matters in relation to a suspicion of money laundering activity.
Legal professionals also have a duty of full disclosure to their clients. However, sections 333A and 342 of POCA prohibit disclosure of information in circumstances where a SAR has been made and/or where it would prejudice an existing or proposed investigation.
It is, therefore, important to understand the interplay between LPP and the disclosure obligations under POCA.
Whilst the first principles are relatively straightforward to articulate, each situation turns on its own particular facts and context 12 .
LPP is a complex area of law and subject to change. An understanding of LPP and how it is being applied is central to the decision as to whether to make a disclosure under the POCA 13 . It is not enough to assume that an exchange must be covered by LPP; there must be an active assessment as to its application.
This complexity in definition is compounded by the inclusion of the narrowly defined statutory “privileged circumstances” exemption under section 330, which is sometimes confused with common law LPP.
The lawyer is under a duty to both defend LPP whilst, in the context of AML/CTF, being alert to any suspicion or knowledge of money laundering that may displace this primary duty.
Given the potential vulnerability of the lawyer when making such an assessment and, potentially, the need to establish a defence to a subsequent non-disclosure offence, the precise steps taken by the professional to establish whether LPP applies are critical.
The chapter examines the tension between the professional duties of the lawyer and the provisions of POCA in marginal cases.
Similar tensions also arise with respect to the Terrorism Act as to when LPP applies and prevents disclosure under the relevant legislation.
A systematic decision-making process, based on case law and statute, will help the lawyer to demonstrate compliance with all relevant professional and regulatory obligations, not just those under POCA.
This chapter aims to provide a practical framework to support the decision-making process of the lawyer as they determine whether, in the context of the mandatory reporting obligations under POCA, a particular document, or conversation, is subject to LPP. You will find it helpful to read the guidance note together with the decision-making template at section 13.8.1.
It is not, however, a substitute for a detailed review of all case law and legislation relevant to a specific case.
The application of legal professional privilege is often complex and fact sensitive.
If you are in any doubt as to whether legal professional privilege applies in the context of the case in which you act, you should seek independent legal advice as part of your decision-making process.
Seeking legal assistance in this manner, or assistance from your money laundering reporting officer, does not constitute a breach of your retainer with the client, the rules of professional conduct or the provisions of the Proceeds of Crime Act 2002 or the Money Laundering Regulations (as amended).
This chapter should be read in conjunction with section 11 of this guidance (suspicious activity reporting). As stated above, if you are still in doubt as to your position, you should seek independent legal advice.
LPP is a privilege against disclosure, ensuring clients know that certain communications with legal professionals cannot be disclosed.
LPP protects the personal right of the client to refuse to give evidence about a discussion with their lawyer, or to withhold a document from production, on the basis that the exchange is subject to LPP.
LPP arises in recognition of the client's fundamental human right to be candid with their legal adviser 14 , without fear of later disclosure of their communications to their prejudice.
It is an absolute right, protected both by the common law and by human rights obligations and cannot be overridden by any other interest, although it can be waived (by the client alone) or, abrogated by the clear terms or the necessary implications of a specific statutory provision 15 .
The importance of LPP to the rule of law was described by Lord Scott in Three Rivers District Council v Governor and Company of the Bank of England (No 6) in the following terms:
“….. in the complex world in which we live there are a multitude of reasons why individuals, whether humble or powerful, or corporations, whether large or small, may need to seek the advice or assistance of lawyers in connection with their affairs; they recognise that the seeking and giving of this advice so that the clients may achieve an orderly arrangement of their affairs is strongly in the public interest; they recognise that in order for the advice to bring about that desirable result it is essential that the full and complete facts are placed before the lawyers who are to give it; and they recognise that unless the clients can be assured that what they tell their lawyers will not be disclosed by the lawyers without their (the clients') consent, there will be cases in which the requisite candour will be absent. It is obviously true that in very many cases clients would have no inhibitions in providing their lawyers with all the facts and information the lawyers might need whether or not there were the absolute assurance of non-disclosure that the present law of privilege provides. But the dicta to which I have referred all have in common the idea that it is necessary in our society, a society in which the restraining and controlling framework is built upon a belief in the rule of law, that communications between clients and lawyers, whereby the clients are hoping for the assistance of the lawyers' legal skills in the management of their (the clients') affairs, should be secure against the possibility of any scrutiny from others, whether the police, the executive, business competitors, inquisitive busy-bodies or anyone else (see also paras. 15.8 to 15.10 of Adrian Zuckerman's Civil Procedure where the author refers to the rationale underlying legal advice privilege as "the rule of law rationale"). I, for my part, subscribe to this idea. It justifies, in my opinion, the retention of legal advice privilege in our law, notwithstanding that as a result cases may sometimes have to be decided in ignorance of relevant probative material.”
However, LPP does not extend to everything legal professionals have a duty to keep confidential. LPP protects only those confidential communications that fall within the definition of LPP, which is a “single integral privilege” (Three Rivers 6).
However, within this definition, two essential types of LPP are recognised, legal advice privilege (LAP) and litigation privilege, and both have different characteristics in their scope and application as discussed below 17 at 13.10.1
A legal professional is obliged, professionally, at common law and, often, contractually within the retainer, to keep the affairs of clients confidential and to ensure that all staff do likewise. The obligations extend to all matters revealed to a legal professional, from whatever source, by a client, or someone acting on the client's behalf 18 .
As a general rule, there are certain exceptional circumstances in which a legal professional’s general obligations of confidence may be overridden, for example by a court order for disclosure.
However, certain types of confidential communications can never be disclosed unless statute permits this expressly or by necessary implication 19 or some very limited exceptions apply. Such communications are those protected by LPP.
When LPP attaches to a communication:
On first principles, once LPP is established, it is absolute.
The only issue is whether it has attached at all or, having attached, been specifically abrogated by statute, waived by the client or an exemption applies, such as the furtherance of a criminal purpose exemption (see below).
As stated above, two essential types of LPP are recognised at common law:
Communications, whether written or oral, between a legal professional (acting in their capacity as a legal professional) and a client/the client’s agent for the purpose of that communication, are privileged if they are both:
Communications are not privileged merely because a client is speaking or writing to you. The protection applies only to those communications which directly seek or provide advice (or are part of what the Court of Appeal in Balabel v Air India called the “continuum of communications” 21 resulting from seeking that advice) or are given in a legal context, that involve the legal professional using their legal skills and which are directly related to the performance of the legal professional's professional duties.
The Court of Appeal summarised the key points in Balabel as follows:
“…once a legal context is established, LAP applies, not just to those communications which expressly seek or give legal advice, but also to the “continuum of communications” between a lawyer and client aimed at “keeping both informed so that advice may be sought and given as required”. 22
All communications between a legal professional and his or her client relating to a transaction in which the legal professional has been instructed for the purpose of obtaining legal advice are covered by advice privilege, notwithstanding that they do not contain advice on matters of law and construction, provided that they are directly related to the performance by the legal professional of their professional duty as legal adviser of his or her client. [Three Rivers District Council and others v the Bank of England [2004] UKHL 48 at 111]
This means that where you are providing legal advice in a transactional matter (such as a conveyance) the advice privilege will cover all:
the client, including any working papers and drafts prepared, if they are directly related to your performance of your professional duties as a legal adviser in providing legal advice. However, there is a limitation in that the fruits of that advice, such as a draft contract, lease, or conveyance will not be covered by LPP 23 unless draft would reveal, or provide an indication, as to the nature of the legal advice itself.
It is important to keep in mind four principles when deciding whether legal advice privilege applies:
This privilege 27 , which is wider than legal advice privilege since it extends to communications with third parties, protects confidential communications made after litigation has started, or when it is reasonably in prospect, between any of the following:
These communications must be for the sole or dominant purpose of litigation, for any of the following:
An original document not brought into existence for these privileged purposes and so not already privileged, very rarely becomes privileged merely by being given to a legal professional for advice or other privileged purpose. See CAA v R(Jet2.com) at para100 (vii).
It is important to note that where a communication, although not itself created for the purpose of seeking or providing legal advice, might realistically disclose either the advice sought or given, that communication may nevertheless be privileged: CAA v R (Jet2.com) at para 107 (for example, a summary of legal advice made for a board meeting).
Further, in connection with LAP, where you have a corporate client, communication between you and the employees of a corporate client may not be protected by LPP if the employee cannot be considered to be 'the client' for the purposes of the retainer.
As such, some employees will be clients, while others will not [Three Rivers District Council v the Governor and Company of the Bank of England (No 5) [2003] QB 1556] and more recently, Director of the Serious Fraud Office v Eurasian Natural Resources Corporation Limited [2018] EWCA Civ 2006.
In a corporate context, particularly where in-house lawyers are involved, the privilege attached to a communication between lawyer and client may be inadvertently lost if dissemination occurs internally between a lawyer and those who would not be regarded as ‘the client’. This is especially the case where the dissemination is widespread and by email or other forms of electronic communication.
It is not a breach of LPP to discuss a matter with your nominated officer for the purposes of receiving advice on whether to make a disclosure.
LPP protects advice you give to a client on avoiding committing a crime [Bullivant v Att-Gen of Victoria [1901] AC 196] or warning them that proposed actions could attract prosecution [Butler v Board of Trade [1971] Ch 680].
LPP does not extend to documents which themselves form part of a criminal or fraudulent act, or communications which take place in order to obtain advice with the intention of carrying out an offence [R v Cox & Railton (1884) 14 QBD 153].
The iniquity exception can occur in both a civil context and does not, necessarily, involve the commission of a criminal offence. 29
For instance, see further examples in Dubai Aluminium Co Ltd v Al Alawi [2005] Civ 286 (an attempt to cover up fraud in civil proceedings); Kuwait Airways Corp v Iraqi Airways Co [2005] EWCA Civ 286 (invented alibi).
In BBGP Managing General Partner Ltd & Brown Global Partners [2010] EWHC 2176 (Ch), Norris J stated as follows:
“the wrongdoer has gone beyond conduct which merely amounts to a civil wrong: he has indulged in sharp practice, something of an underhand nature where the circumstances required good faith.”
In Barrowfen v Patel & others [2020] EWHC 2536 (Ch) the judge 30 stated that:
“It is well-established that the exception is not confined to crime or fraudulent misrepresentation but extends to fraud "in a relatively wide sense": see Barclays Bank plc v Eustice.” 31
In Barrowfen, alleged breaches of the duties of a director under the Companies Act 2006 came within the iniquity exception,
“By analogy with BBGP I consider that the iniquity exception is engaged where breaches of sections 172 to 175 and 177 of the Companies Act 2006 are alleged against a director and the allegations involve fraud, dishonesty, bad faith or sharp practice or where the director consciously or deliberately prefers his or her own interests over the interests of the company and does so "under a cloak of secrecy". 32 ”
It is irrelevant whether you are aware that you are being used for that purpose [Banque Keyser Ullman v Skandia [1986] 1 Lloyds Rep 336].
The crime/fraud exception is, essentially, a negation of LPP rather than an exception to it. LPP simply cannot attach as it is an abuse of the usual professional relationship between lawyer and client.
“The deception of the solicitors, and therefore the abuse of the normal solicitor/client relationship, will often be the hallmark of iniquity which negates the privilege.” Popplewell, J JSC BTA Bank v Ablyazov [2014] EWHC 2788 (Comm) para 93.
It is not just your client's intention which is relevant for the purpose of ascertaining whether information was communicated for the furtherance of a criminal purpose.
It is also sufficient that a third party intends the legal professional/client communication to be made with that purpose (for example, where the innocent client is being used by a third party) [R v Central Criminal Court ex p Francis & Francis [1989] 1 AC 346].
If you know the transaction that you are working on has the intention of furthering a criminal offence, you risk committing an offence yourself. In these circumstances, communications relating to such a transaction are not privileged and should be disclosed.
If you merely suspect a transaction has the intention of furthering a criminal offence, the position is more complex. If the suspicions are correct, communications with the client are not privileged. If the suspicions are unfounded, the communications should remain privileged and are therefore non-disclosable.
If the fraud/crime exception applies, then the exchange cannot be privileged. However, in order to arrive at the fraud/crime exemption, it is necessary to consider the nature of the suspicion. A “vague feeling of unease” 33 or “surmise or conjecture” 34 is insufficient 35 .
If you suspect you are unwittingly being involved by your client in a fraud, the courts require clear evidence before LPP can be displaced [O'Rourke v Darbishire [1920] AC 581 36 ].
The sufficiency of that evidence depends on the circumstances: it is easier to infer a prima facie case where there is substantial material available to support an inference of fraud.
While you may decide yourself if prima facie evidence exists 37 , you may also ask the court for directions [Finers v Miro [1991] 1 WLR 35].
Quite separately from LPP, POCA recognises another type of communication, one which is received in 'privileged circumstances'.
Privileged circumstances under section 330 should not be conflated with the common law concept of LPP.
Privileged circumstances under section 330 operates merely as an exemption from certain specific provisions of POCA.
Although in virtually all cases the communication may also be covered by LPP, it is not necessarily the case. This is, however, a statutory exception with a narrow application It does not have a blanket application.
The privileged circumstances exemptions are found in the following places:
Although the wording is not exactly the same in each section, the essential elements of the exemption are:
The defence covers 'legal professional advisers' and their employees.
Consider the crime/fraud exception (13.6) when determining what constitutes the furthering of a criminal purpose.
Section 330(6) operates, essentially, as a defence to the obligation to make a disclosure. Its status is important in the analysis. The section establishes that there is no offence under section 330 if there is a reasonable excuse for failing to make a disclosure.
Disclosure is prevented if the material is subject to LPP. Presumably, depending on the facts, failure to interpret section 330 correctly could also form a reasonable excuse for failing to make a disclosure under section 330(6)(a).
Consequently, given the difficulty in interpretation, it is important to record your decision-making process to rebut any allegation of a failure to make a disclosure under s330.
If there is evidence of the formation of a genuine, but mistaken belief that the information was subject to the privileged circumstance exemptions, the legal professional or the professional legal adviser may be able to benefit from the exemption under section 330(6).
Originally, section 330(6) only applied to legal professionals but has been extended to “relevant professional advisors”. It is important to note, however, that this is a narrow statutory defence and it does not provide any protection in relation to a section 327 to 329 offence.
Finally, section 330(9A) protects the privilege attaching to any disclosure made to a nominated officer for the purposes of obtaining advice about whether a disclosure should be made.
The differences between the statutory exception of privileged circumstances under section 330(6) POCA and common law LPP have several significant operational ramifications.
When advice is given or received in circumstances where litigation is neither contemplated nor reasonably in prospect, except in very limited circumstances, communications between you and third parties will not be protected under the advice arm of LPP.
Privileged circumstances, however, exempt communications regarding information communicated by representatives of a client, where it is in connection with you giving legal advice to the client, or the client seeking legal advice from you. This may include communications with:
You should consider the facts of each case when deciding whether or not a person is a representative for the purposes of privileged circumstances. The precise definition of “representative” in this context is, of course, fact sensitive 39 .
There may be circumstances in which a legal adviser has received information which is subject to legal professional privilege, but which does not fall within the definition of privileged circumstances.
There are occasions in which a lawyer may, whilst retained to represent client A, hold information that is privileged as between client B and their own lawyer.
There are occasions in which such information is shared subject to a contractual provision that LPP is not waived (Gotha City v Sotheby's (No 1) [1998] 1 WLR 114).
In such circumstances, the legal professional representing client A would not be able to rely on privileged circumstances, but the information might still be subject to LPP, unless the crime/fraud exemption applies.
As indicated above, the fundamental principles of LPP 40 refer to its “absolute” status. Lord Taylor, in R v Derby Magistrates stated, “I am of the opinion that no exception should be allowed to the absolute nature of legal professional privilege, once established.” 41
There can be complexity in applying LPP its status as a long-established concept backed by a substantial body of case law was highlighted in R v Derby Magistrates.
Furthermore, although lawyers have disclosure obligations under a number of regimes, it is important to ensure that LPP is respected in relation to all of those regimes.
There is a tension between the disclosure obligations under POCA and the all-encompassing duties of client confidentiality and the duty to protect LPP in connection in circumstances in which there is, unusually, a question as to whether LPP has been established or whether there is an operative exception, such as the iniquity exception, discussed above.
Further, the burden of making the decision falls on the lawyer with the potential for both regulatory and criminal sanction should the lawyer make the wrong decision.
If the lawyer discloses, without good reason, there is a breach of client confidentiality and LPP and a potential claim in damages as well as a small prospect of regulatory sanction. Conversely, a failure to disclose may result in criminal sanction against the lawyer under POCA.
What follows is a discussion of the tension between the disclosure obligations under POCA and the operation of LPP. It is important, however, not to overstate the nature of such tension, which may only be present in a relatively limited number of cases at the margins.
The first problem for the lawyer is structural. POCA and its disclosure obligations, is, in large part, based on a financial services framework in which there is a duty of confidentiality but not LPP. LPP brings an added tension to the analysis.
It is a tension recognised by the Financial Action Task Force (FATF) as, despite the clarity of a first principles approach, the application of LPP in marginal cases is far from clear.
“There may be cases in which these professionals conduct activities that are clearly covered by the legal privilege (i.e. ascertaining the legal position of their client or defending or representing their client in judicial proceedings) alongside activities that are not covered by it. In addition, within a single matter, privilege may attach to some but not all communications and advice.” 42
The second problem relates to the definition and application of common law LPP which is complex in itself. The decision to disclose is made in a context in which the case law surrounding common law concepts of the nature of legal advice and assistance, relevant legal context, dominant purpose, even the definition of the client, are nuanced 43 .
The statutory definition of “privileged circumstances” in section 330(6) POCA is narrow but easy to conflate with LPP. The concept of “suspicion” which triggers the consideration of LPP is problematic; what, exactly is an “irresistible inference” that there is sufficient, perhaps circumstantial evidence, that a suspicion has been triggered 44 .
The court in Da Silva recognised this problem when it stated that:
“the essential element in the word "suspect" and its affiliates, in this context, is that the defendant must think that there is a possibility, which is more than fanciful, that the relevant facts exist. A vague feeling of unease would not suffice." 45
On a practical basis, there is little consideration in the case law of the decision-making process of the lawyer in deciding whether information is, or is not, subject to LPP or provided in privileged circumstances.
A stable protocol or framework is of importance to the lawyer who may have to defend their analysis at a future date.
Thirdly, the duty to consider LPP in the context of AML reporting obligations is active rather than passive.
The structure of the legislation (a reporting obligation and subject to an exception or an operative defence) points to a need actively to consider whether LPP applies, rather than simply assume that it must do so.
This active consideration was highlighted in a commentary on LPP and professional secrecy by FATF, which stated:
“In situations where legal professionals are claiming legal professional privilege or professional secrecy, they must be satisfied that the information is protected by the privilege/professional secrecy and the relevant rules.” 46
The duty is discharged by active engagement with the question of when LPP applies and the extent to which there is enough information for the lawyer to be satisfied that it may properly be asserted.
Therefore, there must be some tangible evidence that this analysis has been done. It is helpful to record that analysis, but care is required as to circulation and storage of the record to avoid the potential for subsequent unintended disclosure.
Finally, there is a lack of clarity as to whether a genuine, but mistaken belief that LPP applies in a particular circumstance could form a “reasonable excuse” defence 47 in the event of action against the lawyer for failure to make either a required 48 or an authorised disclosure 49 .
The following approach is intended to support the decision-making process and to provide evidence of the lawyer’s active engagement with the issue of whether or not to make a disclosure under POCA.
Given the conceptual and operational challenges involved in the decision as to whether to disclose, it is possible only to design a high-level decision-making protocol to support legal professionals through this process, based on an analysis of the case law and available evidence.
Each case will turn on its own facts and merits, and it is not possible to be prescriptive. However:
1) What is the nature of the retainer or client engagement?
In order to determine the question of whether an exchange or document is subject to LPP, it is important to define the precise nature of the engagement or retainer between the legal professional and the client. This forms the first step in the assessment process as to whether a document or conversation is subject to legal professional privilege 50 .
Although not conclusive, the written retainer, and any variation, should provide an indication as to the relevant legal context in which legal advice and assistance is to be given.
It should provide clarity as to the identity of the client and the focus of the work in a schedule or annex.
Computerised time recording work activity codes, if sufficiently granular, may also provide useful evidence of the way in which the work generated.
2) Is the claim to LPP based on statute or the common law?
The precise ambit of the claim to LPP is determined either by the application of common law principles outlined throughout this chapter in the case of solicitors, barristers and chartered legal executives, by statutory extension for patent attorneys 51 , registered trade mark attorneys 52 and licensed conveyancers 53 .
The claim to privilege by statutory extension is limited to the activities and context set out in the relevant statute.
For most lawyers, the claim will be based on the common law, but there are statutory extensions to some legal professionals. In addition, could there be a claim to “privileged circumstances” under section 330 on a coextensive or independent basis?
Note, also, the right of the client to the protection of LPP is also a fundamental human right both at common law and under article 6 (right to a fair trial) and article 8 (respect for family and private life) under the European Convention on Human Rights (ECHR).
3) Are the LPP tests satisfied?
Are all elements of either “branch” of LPP fulfilled (legal advice or litigation) in relation to the document or exchange being considered? 54
Does the analysis link to the original retainer?
Has there been any development in the retainer to the extent that the document or discussion may fall outside the broad protection of LPP and be disclosable?
What is the brief or role of the lawyer, beyond the strict definition of the retainer, and the nature of the “relevant legal context” in which the “continuum of communication” has taken place?
Furthermore, despite the variation of the retainer, express or implied, is the relevant material nevertheless subject to LPP in a manner not envisaged by the original retainer?
Is LPP applicable at all (for example, is there prima facie evidence of furtherance of crime, fraud or any other conduct capable of satisfying the crime/fraud exception?
(4) Is this a “marginal case” that requires additional scrutiny? 55 If, so activate a “marginal case” protocol
In the vast majority of cases, the position will be clear. There will, however, be marginal cases, especially in transactional work. If so, would an additional view from another lawyer (or counsel) be of assistance.
It may also be possible to use section 330(9A) in some circumstances to obtain advice from the MLRO without making a disclosure under POCA.
Record the rationale for any decision – this will provide evidence of the decision-making process and may, in addition, assist in any consideration of a reasonable excuse defence in the future.
You may find it helpful to complete the template/questionnaire set out below to record the decision-making process.
What are the specific terms of your retainer/terms of engagement with the client?
What have you been asked to do for your client?
How has the retainer developed? What is the nature of the "relevant legal context" and the "continuum of communication" in relation to the document or conversation?
DECISION 1
Communication is covered by LPP
DECISION 2
Communication received in "privileged circumstances" within POCA
Crime/fraud exception does not apply/no statutory abrogation and cannot make a disclosure without a breach of (i) retainer and (ii) code of conduct set out above. You are exempt from making a disclosure to the NCA.
DECISION 3
Communication not privileged but confidential
DECISION 4
Marginal case
If the communication is covered by LPP and the crime/fraud exception does not apply, you cannot make a disclosure under POCA.
If the communication was received in privileged circumstances and the crime/fraud exception does not apply, you are exempt from the relevant provisions of POCA, which includes making a disclosure under POCA.
If neither of these situations applies, the communication will may still be confidential.
However, the material is disclosable under POCA and can be disclosed, whether as an authorised disclosure, or to avoid breaching section 330.
Sections 337 [in force] and 339ZF of POCA permit you to make such a disclosure and provides that you will not be in breach of your professional duty of confidentiality when you do so.
1 The term "lawyer" is used throughout this note to refer to legal professionals as recognised in the Legal Services Act 2007.
2 See comments by Lord Hoffmann in R (on the application of Morgan Grenfell & Co Ltd) v Special Commissioner of Income Tax [2002] 1 AC 563.
3 See, for example, United Nations Basic Principles on the Role of Lawyers (1990), the International Bar Association Core Principles of the Legal Profession (2018) and the Council of Bars and Law Societies of Europe Charter of Core Principles of the European Legal Profession (2018). Note, also, the right of the client to the protection of LPP is also a fundamental human right both at common law and under article 6 (right to a fair trial) and article 8 (respect for family and private life) under the European Convention on Human Rights (ECHR).
4 See comments by Lord Neuberger in R (on the application of Prudential plc and another) v Special Commissioner of Income Tax [2013] UKSC 1 at paragraph 29 as to the ambit of such protection which, he states, "includes members of the Bar, the Law Society, and the Chartered Institute of Legal Executives (CILEx) (and, by extension, foreign lawyers). That is plain from a number of sources, which speak with a consistent voice."
5 In PJSC Tatnef v Bogolyubov and others [2020] EWHC 2437 (Comm), Mrs Justice Moulder confirmed in relation to foreign lawyers that "the only requirement in order for legal advice privilege to attach is that they should be acting in the capacity or function of a lawyer or as expressed by Lord Neuberger in Prudential at [19], it should relate to: "communications passing between a client and its lawyers, acting in their professional capacity, in connection with the provision of legal advice."
6 Statutory extension in this area is often framed in terms that the relevant professional had been acting "in like manner" as "the client's solicitor" such as in s190 Legal Services Act 2007 in the context of litigation.
7 See s33 Administration of Justice Act 1985.
8 Copyright Designs and Patents Act 1988 s280.
9 Trade Marks Act 1994 s87.
10 You should also consult relevant guidance issued by your regulator relating to the nature and effect of legal professional privilege for your specific legal qualification.
11 LPP is the right of the client, not the lawyer, and, consequently, protects an unrepresented person – see R (on the application of Kelly) v Warley Magistrates' Court [2007] EWHC 1836 (Admin); 1 Cr App R 14 per Laws LJ at 18.
12 It is not possible to provide a detailed analysis of LPP in this note. For detailed analysis, see Bankim Thanki QC et al The Law of Privilege (3rd edition) (Oxford University Press, 2018) and Colin Passmore Privilege (4th edition) (Sweet & Maxwell, 2019).
13 See FATF Guidance for a Risk-Based Approach: Legal Professionals (June 2019) p11.
14 See Lord Taylor's discussion of the absolute nature of LPP in R v Derby Magistrates' Court ex parte B [1996] 1 AC 487 at 540.
15 See Bowman v Fels [2005] EWCA Civ 226 para 87: "much stronger language would have been required if s328 could be interpreted as bearing the necessary implications that legal professional privilege was to be overridden".
16 See Three Rivers District Council v Governor and Company of the Bank of England (No 6) [2004] UKHL 48 AT 36; [2003] 1 AC at 508.
17 In addition to legal advice privilege and litigation privilege, there are other types of privilege, such as joint and common interest privilege, without prejudice communications and the privilege against self-incrimination, which are nevertheless significant.
18 See, for instance, the helpful commentary in the SRA Guidance note: Confidentiality of Client Information (25 November 2019) which states: "The duty of confidentiality applies to information about your client's affairs irrespective of the source of the information. It continues despite the end of the retainer or the death of the client when the right to confidentiality passes to the client's personal representatives. Confidentiality will attach to all information given to you, by your client or a third party, in connection with the retainer in which you or your firm are instructed. Should you have information unrelated to the retainer, this may not be covered by your duty."
19 See the comments of Lord Hobhouse on the meaning of "necessary implication" in R (Morgan Grenfell) v Special Commissioners of Income Tax 1 AC 563: "It is accepted that the statute does not contain any express words that abrogate the taxpayer's common law right to rely upon legal professional privilege. The question therefore becomes whether there is a necessary implication to that effect. A necessary implication is not the same as a reasonable implication as was pointed out by Lord Hutton in B v DPP [2000] 2 AC at 481. A necessary implication is one which necessarily follows from the express provisions of the statute construed in their context. It distinguishes between what it would have been sensible or reasonable for Parliament to have included or what Parliament would, if it had thought about it, probably have included and what it is clear that the express language of the statute shows that the statute must have included. A necessary implication is a matter of express language and logic not interpretation."
20 See comments of Lord Neuberger in R v Prudential SCIT [2013] UKSC 1 at para 17. Scottish lawyers should refer to Micosta SA v Shetland Islands Council [1983] SLT 483 and the comments of Lord President Emslie at p485 – the privilege is superseded where fraud or some other illegal act is alleged, and the lawyer has been directly concerned in carrying out the transaction in issue.
21 See comments in Balabel v Air India [1988] Ch 317 at page 330D-331A.
22 See Hickinbottom LJ in CAA v R (Jet2.com) [2020 EWCA Civ 35 at para 68. See also the summary at para 69.
23 Note the comments of Watkins LJ on the status of what he described as "conveyancing matter". The court noted the absence of any authority on the point, but doubted that "any was needed for the proposition that the document known as the conveyance is not clothed with privilege and I do not see why conveyancing matter, as I have called it, can validly be said to be, seeing that in my opinion in common sense it cannot be called advice consisting as it does of records of the financing of the purchase of, in this case, a house." See R v Inner London Crown Court ex parte Baines & Baines [1988] QB 579.
24 Balabel v Air India [1988] 1 Ch 317 Taylor LJ.
25 CAA v The Queen on the application of Jet 2.com Limited [2020] EWCA 35 at para 69.
26 Three Rivers (No 6) [2004] UKHL 48 per Lord Scott at para 46.
27 In Scotland, the broadly equivalent concept is privilege post litem motam.
28 See e.g. Lord Carswell in Three Rivers (No 6), para 102 [2004] UKHL 48, describing "communications between parties or their solicitors and third parties".
29 The exception is also engaged where there is an attempt to hide the proceeds of crime.
30 See also the comments of Tom Leech QC (sitting as a Chancery judge) Barrowfen v Patel & others [2020] EWHC 2536 (Ch).
31 Barrowfen v Patel & others [2020] EWHC 2536 (Ch) at para 33.
32 Barrowfen v Patel & others [2020] EWHC 2536 (Ch) at para 35.
33 R v Da Silva [2006] EWCA Crim 1654.
34 Bullivant v AG Victoria [1901] AC 201.
35 See discussion in guidance.
36 Longmore LJ in Kuwait Airways v Iraqi Airways [2005] EWCA Civ 286 commented that "Cox and Railton was, of course, a criminal case but it has always been recognised that the fraud exception applies as much to civil cases, see e.g. O'Rourke v Darbishire [1920] AC 581."
37 The potential for evidential nuance in this area is considerable. See comments in Addlesee v Dentons (Europe) LLP [2020] Ch 243.
38 Note that the s342(4) exception cited above refers to disclosures to clients/third parties, not by them.
39 See Cotton LJ in Wheeler v Le Marchant (1881) 17 ChD 675 at pages 684-5. The judgment is quoted in Three Rivers (No 5) [2003] EWCA Civ 474 at para 18 on the meaning of "representative" in the broader LPP context.
40 See the comments of Lord Taylor in R v Derby Magistrates [1995] UKHL 18 at para 58: "The principle which runs through all these cases, and the many other cases which were cited, is that a man must be able to consult his lawyer in confidence, since otherwise he might hold back half the truth. The client must be sure that what he tells his lawyer in confidence will never be revealed without his consent. Legal professional privilege is thus much more than an ordinary rule of evidence, limited in its application to the facts of a particular case. It is a fundamental condition on which the administration of justice as a whole rests."
41 Lord Taylor in R v Derby Magistrates [1995] UKHL 18 at para 65.
42 FATF Guidance for a Risk-Based Approach: Legal Professionals (June 2019) p10.
42 ". Legal professional privilege is an established concept. As a non-lawyer, I accept that it is a complicated issue. However, professional legal advisers ought to know whether legal privilege applies; indeed, if they do not, there are people whom they can consult." Lord Rooker HL Deb 27 May 2002 vol 635 c1087.
44 The term "irresistible interference" as used in R v Anwoir [2008] EWCA Crim 1354 in the context of criminal property.
45 Per Longmore LJ in R v Da Silva [2006] EWCA Crim 1654 at para 16. This decision turned on the interpretation of "suspicion" for the purposes of s93A(1)(a) of the Criminal Justice Act 1988. There is no material difference between the concepts for the purposes of the interpretation of suspicion under POCA.
46 FATF Guidance for a Risk-Based Approach: Legal Professionals (June 2019) p11.
47 Law Commission Anti-money laundering: the SARs regime (Law Comm No 384, 2019).
48 POCA ss 330, 331 and 332.
49 POCA ss 327(2)(b), 328 and 329(b).
50 A retainer letter was considered in the context of a claim to LPP in SAAB v Dangate & others [2019] EWHC 1558 at para 217 by way of example. See also commentary on the interplay between retainer letters and LPP obligations in AML/CTF context by Jonathan Fisher QC "Legal Privilege, Reporting Suspicions, and Retainer Letters" blog post Friday 13 April 2018 https://brightlinelaw.co.uk/
53 LSA 2007 s190.
54 CAA v The Queen on the application of Jet 2.com Limited [2020] EWCA 35 at para 69 and the comments of Hickinbottom LJ on the application of legal advice privilege.
55 The concept of the "marginal case" which may pose additional problems is recognised in Three Rivers (No 6) and, by implication in several guidance notes from FATF. It may also be important in the context of any defence or exemption under POCA for the lawyer, or of "reasonable excuse" more generally.
This section considers the relationship between the AML regime and potential civil claims in two contexts:
You should note that POCA is silent on the issue of compensation for victims. Its aim is to deprive criminals of the benefits of financial crime. Although the court may order compensation where confiscation proceedings are brought under POCA Part 2, civil law allows victims to make a claim of constructive trusteeship 1 .
Liability for constructive trusteeship could arise from:
If you are a constructive trustee, you have a personal liability to account for the value of the property received or the loss resulting from assistance with a breach of trust or fiduciary duty (Lord Millett in Dubai Aluminium Co Ltd v Salaam [2002] 3 WLR 1913).
This guidance applies to the law of trusts in England, Wales and Northern Ireland. The recognition of the concept of a constructive trust under Scottish law is less likely. For further information see paragraphs 2.1 to 2.8 of the Scottish Law Commission Report on Trust Law (2014).
Liability for knowing receipt occurs where a person:
For example, receiving funds that you apply for your own fees could amount to knowing receipt. However, receiving money as an agent or into the client account as trustee of a bare trust will not amount to knowing receipt as the funds are not received or applied for your own use and/or benefit.
What amounts to fault in this context is not clear. However, the Court of Appeal in BCCI v Akinele [2001] Ch 437 held that the test is whether you have acted unconscionably. The test is subjective and includes actual knowledge and wilful blindness. In that case, the court stated that:
You will be personally liable for damages and loss caused if you knowingly assist in a breach of fiduciary or trust duties (Twinsectra v Yardley [2002] WLR 802).
The breach does not need to be fraudulent (Royal Brunei Airlines v Tan [1995] 2 AC 378) and you do not need to know full details of the trust arrangements or obligations of the trustee/fiduciary. You must:
Knowing assistance also requires that you act dishonestly. The Court of Appeal in Group Seven Ltd & Rheingold Management Incorporated v (1) Notable Services LLP and (2) Martin Landman [2019] EWCA Civ 614, states that the test of whether your conduct is dishonest is the same test as in the case of Ivey.
The court stated:
“In the light of Ivey, it must in our view now be treated as settled law that the touchstone of accessory liability for breach of trust or fiduciary duty is indeed dishonesty, as Lord Nicholls so clearly explained in Tan, and that there is no room in the application of that test for the now discredited subjective second limb of the Ghosh test. That is not to say, of course, that the subjective knowledge and state of mind of the defendant are unimportant. On the contrary, the defendant’s actual state of knowledge and belief as to relevant facts forms a crucial part of the first stage of the test of dishonesty set out in Tan. But once the relevant facts have been ascertained, including the defendant’s state of knowledge or belief as to the facts, the standard of appraisal which must then be applied to those facts is a purely objective one. The court has to ask itself what is essentially a jury question: namely whether the defendant’s conduct was honest according to the standards of ordinary decent people.”
A client may seek a court order for the return of funds on the basis that you are breaching their retainer.
Case law does not provide a direct authority in this situation, but a ruling by the Court of Appeal 2 relating to banks’ obligations may indicate the obligations a court might place on legal professionals. That case held:
The period during which a client’s funds are unable to be returned to them has been extended by the introduction of extended moratorium periods under the Criminal Finances Act 2017. Where an application to extend is being considered, section 333D (other permitted disclosures) might provide a limited exception to the tipping off provisions. Where an application is made to extend the moratorium period under section 336A a person does not commit an offence under section 333D where:
For more information see the Home Office Circular 008/2018: Criminal Finances Act: extending the moratorium period for suspicious activity reports.
Obtaining consent will not necessarily protect you from liability for breach of constructive trust. Where you continue with a transaction you must show:
Section 338(4A) of POCA sets out: “where an authorised disclosure is made in good faith, no civil liability arises in respect of the disclosure on the part of the person by or on whose behalf it is made”.
However, there may be circumstances in which a court will order inspection of a SAR in civil proceedings.
In Lonsdale v National Westminster Bank [2018] EWHC 2843 the court considered that an individual may have rights to access a SAR under the Civil Procedure Rules where necessary for the fair disposal of proceedings.
1 A victim may target a professional advisor in a civil claim as they may be more likely to be able to pay. If you believe that you may have acted as a constructive trustee, you should seek legal advice.
2 K Ltd v National Westminster Bank plc & others [2006] EWCA Civ 1039.
3 Provision of evidence in these circumstances was permitted under repealed POCA s333(2)(b) which provided an exception to the tipping off offences. A similar provision is now found in s333D(2).
Breaches of obligations under the regulations and other relevant legislation are subject to disciplinary sanctions and criminal penalties.
Law enforcement agencies have the power to take action in relation to breaches of the regulations, and particularly cases of money laundering and/or terrorist financing. While they may choose to pursue any breach which they may become aware of, their resources are not infinite, and they may prioritise some matters over others.
Though some AML supervisors may have the power to prosecute some matters (for example, HMRC), professional body supervisors (PBSs), like the members of LSAG generally do not. They use their own rule setting and enforcement powers to enforce compliance with the AML regulations.
Supervisors work closely with regulated practices to encourage compliance and increase understanding of how to effectively mitigate risks.
The possible sanctions for a failure to comply are serious, and supervisory bodies will take appropriate action against non-compliance.
Each supervisor will take a risk-based approach to the supervision of their population, but the Office for Professional Body AML Supervision (OPBAS) acts to ensure a level of consistency across the PBSs. You should consult with your supervisor in order to understand their approach to supervision of your practice and enforcement of the Regulations and have regard to any guidance they may publish.
The named supervisory authorities for the legal sector are:
The supervisory authority listed in the regulations for solicitors in England and Wales is the Law Society of England and Wales. This responsibility has been delegated to the Solicitors Regulation Authority (SRA).
The General Council of the Bar is the named supervisory authority for the Bar of England and Wales. It discharges its regulatory functions through the Bar Standards Board.
The Chartered Institute of Legal Executives is the named supervisory authority listed in the regulations for legal executives in England and Wales. It delegates its regulatory functions too and they are discharged by CILEx Regulation.
Other supervisory authorities may be of relevance to some legal professionals and include:
Occasionally there may be overlap between legal and other supervisors particularly with accountancy supervisors, so it is important to understand what activities your practice provides that are regulated and who supervises such activities. It is also important to ensure that you are not providing services without supervision of all activities in scope of the regulations.
Where there is a supervisory overlap and a supervisory authority reaches agreement with another supervisor about which is to supervise the legal professional or practice, this agreement will be made known to the legal professional/practice in accordance with R7(3).
In all other cases of supervisory overlap, and where you have questions about AML supervision, you should contact your supervisory authority in the first instance.
R7 sets out the supervisory authorities for the regulated sectors. Where a person in one or more regulated sectors is covered by more than one supervisory authority, either the supervisory authorities may decide between them who is to be the sole supervisor of the person, or they must co-operate in the performance of their duties.
A supervisory authority must:
As a part of the regulations as amended, a supervisor must also:
R49(1)(d) also requires that potential conflicts of interest within the organisation are appropriately handled: for example, via a functional separation of activity areas where appropriate. This is particularly relevant for organisations that have both a representative and supervisory function.
Part 8 of the regulations gives supervisory authorities a variety of powers for performing their functions under the regulations.
In addition, Part 9 of the regulations gives the FCA and HMRC powers to impose civil penalties, prohibit an individual from having a management role within a relevant person and/or seek an injunction restraining the contravention of a relevant requirement under the regulations.
Conduct which fails to comply with AML/CTF obligations may also be a breach of your professional obligations, for which a supervisor may have additional powers to those mentioned in the above.
Generally speaking, if you are not compliant with the law (in this instance, the regulations, POCA and TACT) you are likely to be in breach of your regulatory requirements to your supervisor. Often where a supervisor undertakes enforcement action against a practice, it is their own regulatory powers they will use, rather than a power listed in the regulations.
Contact your supervisor for further information on their approach to AML enforcement.
Schedule 6 lists a number of relevant requirements, the breach of which is an offence. In addition to the offence of breaching a relevant requirement, the regulations contain offences of prejudicing investigations and disclosure offences.
The relevant requirements in Schedule 6 that are most likely to be applicable to legal professionals are those imposed under the regulations listed in the table below.
| Regulation | Requirement |
|---|---|
| 18 | Risk assessment by a relevant person |
| 19 | Policies, controls and procedures |
| 20 | Policies, controls and procedures (group level) |
| 21 | Internal controls |
| 23 | Requirement on authorised persons to inform the FCA |
| 24 | Training |
| 25 | Directions to a parent organisation from a supervisory authority |
| 26 | Acting as a beneficial owner, officer or manager without approval |
| 27 | Application of CDD measures |
| 28 | Application of CDD measures |
| 30 | Timing of verification |
| 31(1) | Requirement to cease transactions where unable to apply CDD measures required by Regulation 28 |
| 33(1) and (4-6) | Obligation to apply enhanced due diligence |
| 35 | Enhanced due diligence: politically exposed persons |
| 37 | Application of simplified due diligence |
| 39(2) and (4) | Reliance |
| 40(1) and (5)-(7) | Record keeping |
| 41 | Data protection |
| 43 | Corporate bodies: obligations |
| 44 | Trustee obligations |
| 45(2) and (9) | Register of beneficial ownership |
| 56(1) and (5) | Requirement to be registered |
| 57(1) and (4) | Applications for registration |
| 66 | Power to require information |
| 69(2) | Entry and inspection without a warrant |
| 70(7) | Entry of premises under warrant |
| 77(2) and (6) | Power to impose civil penalties, suspension and removal of authorisation |
| 78(2) and (5) | Prohibitions |
Relevant requirements for which summary conviction may carry a fine and indictment may carry a two-year custodial or a fine or both
Under R87 a person commits the offence of prejudicing an investigation if they know or suspect that an officer or proper person is acting in connection with an investigation which is being, or is about to be, conducted, and they:
It is not an offence if:
The penalty for an offence under R87 is:
Under R88(1) a person commits an offence if, in supposed compliance with a requirement imposed on them under the regulations, they knowingly or recklessly make a statement which is false or misleading to a relevant issue.
The penalty for an offence under R88(1) is:
Under R88(3), it is an offence to disclose information in contravention of a relevant requirement. It is a defence for the person to prove that they reasonably believed the disclosure was lawful or that the information had already lawfully been made publicly available.
The penalty for an offence under R88(3) is:
Offences under the regulations can be committed by a practice as a whole, whether it is a body corporate, partnership or unincorporated association. However, if it can be shown that the offence was committed with the consent, contrivance or neglect of an officer, partner or member, then both the practice and the individual can be jointly liable.
The Crown Prosecution Service is a prosecuting authority for offences under POCA, the Terrorism Act and the regulations.
The Crown Office and Procurator Fiscal Service is a prosecuting authority for offences under POCA, the Terrorism Act and the regulations.
The director of public prosecutions for Northern Ireland is a prosecuting authority for offences under POCA, the Terrorism Act and the regulations.
The Revenue and Customs Prosecutions Office is a prosecuting authority for offences under POCA and the regulations.
The FCA is a prosecuting authority under POCA and the regulations as a result of section 402 of the Financial Services and Markets Act 2000.
Part 7 of the Proceeds of Crime Act 2002 (POCA) is applicable throughout the UK. It creates both a set of substantive money laundering offences (principal offences) and a reporting regime that makes it an offence to fail to disclose knowledge or suspicion of money laundering (failure to disclose offences).
By virtue of the definition of ‘criminal property’ both the principal offences and the disclosure obligations apply to the proceeds of all crimes.
POCA section 340(3) states:
Property is criminal property if:
POCA applies to all persons (and therefore all legal professionals), although some offences apply only to persons within the regulated sector or to MLROs. The principal money laundering offences under POCA apply to money laundering activity which occurred on or after 24 February 2003. The failure to disclose provisions in section 330, section 331 and section 332 apply where the information on which the knowledge or suspicion is based came to a person on or after that date. In other cases, the previous law applies.
Money laundering offences assume that a prior criminal offence has occurred, generating the criminal property being laundered. The underlying criminality is often known as a “predicate offence.” No conviction for the predicate offence is necessary for a person to be prosecuted for a money laundering offence. Under POCA it does not matter where in the world the predicate offence took place, provided it would have constituted an offence if it had occurred in the UK (see also section 6.9).
Be aware that it is also an offence to conspire, incite or attempt to launder the proceeds of crime, or to counsel, aid, abet or procure money laundering.
A person commits an offence if he or she conceals, disguises, converts, or transfers criminal property, or removes criminal property from the UK.
Concealing or disguising criminal property is extremely wide in nature, and includes concealing or disguising its nature, source, location, disposition, movement, ownership or any rights connected with it, and therefore covers a wide range of activities – including mixing criminal funds with legitimate cash flows. The deliberate non-disclosure of facts has also been found to amount to a concealment offence (Clark vs Escanda, 1984).
A person commits an offence if they enter into an arrangement or become concerned in an arrangement which they know or suspect facilitates the acquisition, retention, use or control of criminal property by, or on behalf of another person.
Commercial arrangements and professional services are clearly included in this. Examples include transferring ownership of assets/property, the conversion of asset type, or the movement of criminally derived value from one jurisdiction to another
An arrangement is not defined in Part 7 of POCA. The arrangement must exist and have practical effects relating to the acquisition, retention, use or control of property.
There must be a meeting of minds.
Arrangement "bears the meaning that an ordinary educated man would ascribe to it". It involves a meeting of the minds and mutuality such that each party would consider itself under a legal or moral obligation to do or not do a certain thing.
Agreement requires that ‘parties to it should have communicated with one another … and that as a result … each has intentionally aroused in the other an expectation that he will act in a certain way.’ (Diplock LJ Re British Basics Slags Ltd Agreements (1963)).
To enter into an arrangement is to become a party to it.
To become concerned in an arrangement suggests a wider practical involvement such as taking steps to put the arrangement into effect.
Both ‘entering into’, and ‘becoming concerned in’, describe an act that is the starting point of an involvement in an existing arrangement.
Although the court did not directly consider the conduct of transactional work, its approach to what constitutes an arrangement under section 328 provides some assistance in interpreting how that section applies in those circumstances.
Bowman v Fels (2005) EWCA Civ 226 supports a specific understanding of the concept of entering into or becoming concerned in an arrangement, with respect to transactional work.
If you are doing transactional work and become suspicious, you have to consider:
Bowman v Fels (2005) EWCA Civ 226 held that section 328 does not apply to the ordinary conduct of litigation by legal professionals, including any step taken in litigation from the issue of proceedings and the securing of injunctive relief or a freezing order up to its final disposal by judgment. The court in Bowman v Fels also stated that its reasoning applied to the section 327 and section 329 offences. The same is the case in respect of disputes before tribunals.
The reasoning in Bowman v Fels also suggests that the principle money laundering offences do not apply to consensual resolution of existing or contemplated legal disputes: for example, by way of mediation, negotiation, out of court settlement, or another form of alternative dispute resolution.
Dealing with assets (for example, transferring them or receiving them) in accordance with a judgment or consensual relation, including the handling of assets which are criminal property, is therefore neither entering into or participating in an arrangement or committing any of the other principal money laundering offences.
Legal professionals involved in the implementation of a judgment or the implementation of a dispute resolution process will not therefore be committing any of the principal money laundering offences.
A person who receives property under a court judgment or as a result of the consensual resolution of a legal dispute would not be committing an offence under any of the principal money laundering offences. For example, a victim of an acquisitive offence who is receiving monetary compensation and/or recovering their property, pursuant to litigation or its consensual resolution, would not be committing an offence under either section 327, section 328 or section 329.
Criminal property retained by a person following such a resolution, for example by the person who had unlawfully acquired it from the victim, will generally still remain criminal property. You should consider referring such a person for specialist legal advice regarding possible offences that they may commit after the completion of any such settlement.
Sham litigation created for the purposes of money laundering remains relevant to section 328. Shams arise where an acquisitive criminal offence is committed, and settlement negotiations or litigation are intentionally fabricated to launder the proceeds of that separate crime.
A sham can also arise if a whole claim or category of loss is fabricated to launder the criminal property. In this case, money laundering for the purposes of POCA cannot occur until after execution of the judgment or completion of the settlement.
A person commits an offence if he or she acquires, uses or has possession of criminal property with the requisite mental element, discussed below.
You will have a defence to a principal money laundering offence if:
Section 338 authorises you to make a disclosure as a means of requesting consent for otherwise prohibited acts.
It specifically provides that you can make an authorised disclosure either:
If a disclosure is an authorised disclosure made under section 338 and in good faith, it does not breach any rule which would otherwise restrict it, including professional regulatory requirements relating to confidentiality.
Where your practice has a MLRO, you should make your disclosure to the MLRO. The MLRO will consider your disclosure and decide whether to make an external disclosure to the NCA. If your practice does not have a MLRO, you should make your disclosure directly to the NCA (see section 11 of this guidance).
If you have a suspicion that a retainer you are acting in will involve dealing with criminal property, you can make an authorised disclosure to the NCA via your MLRO and seek a DAML to undertake the further steps in the retainer which would constitute a money laundering offence.
For further information on how to make an authorised disclosure to the NCA and the process by which consent/DAML is gained, see section 11 of this guidance.
In relation to section 329 you will also have a defence if you received adequate consideration for the criminal property that is acquired, used or possessed. This exception applies where there was adequate consideration for acquiring, using and possessing the criminal property.
It is important to note that the adequate consideration exception is restricted. Section 329 stipulates that consideration will not be adequate if:
The Crown Prosecution Service guidance for prosecutors says the exception applies where professional advisers, such as legal professionals or accountants, receive money for or on account of costs, whether from the client or from another person on the client's behalf. Disbursements are also covered. The fees charged must be reasonable, and the exception is not available if the value of the work is significantly less than the money received.
However, returning the balance of an account to a client may be a money laundering offence if you know or suspect the money is criminal property. In that case, you must make an authorised disclosure and obtain consent/DAML to deal with the money before you transfer it unless you have a reasonable excuse for not making a disclosure because your suspicion or knowledge was acquired by you in a privileged communication (see 16.4.3 below).
In addition to the protection provided by Bowman v Fels (see 16.3.6 above), the adequate consideration exception also applies to clients who receive criminal property as a result of a consensual dispute resolution: for example, where a party enforcing a debt is given criminal property in payment, or part-payment, for that debt.
The exception would also cover a situation where a person provides goods or services as part of a legitimate arm's length transaction (provided it does not help someone to commit a criminal offence) and is paid from a bank account which contains the proceeds of crime.
There may be some situations where a client does not provide adequate consideration in exchange for criminal property. You will need to consider very carefully your own position if asked to act in such a situation and you may need to consider referring such a person for specialist advice regarding possible implications of receiving and retaining criminal property.
This defence applies where you intended to make an authorised disclosure but had a reasonable excuse for not doing so.
No offence is committed if there is a reasonable excuse for not making a disclosure, but there is no judicial guidance on what might constitute a reasonable excuse.
However, you are prevented from disclosing if your knowledge or suspicion is based on privileged information and legal professional privilege is not excluded by the crime/fraud exception. It is the Legal Sector Affinity Group's view that in such instances you will have a reasonable excuse for not making an authorised disclosure and will not commit a money laundering offence.
There may be other circumstances which could provide a reasonable excuse, but this would initially be for law enforcement to consider prior to any prosecution and ultimately for the court to decide in any subsequent prosecution.
This is not intended to be an exhaustive list. Moreover, reporters should be aware that it will ultimately be for a court to decide if a reporter’s excuse for not making a disclosure report was reasonable. Reporters should clearly document their reasons for concluding that they have a reasonable excuse in any given case and, if in doubt, may wish to seek independent legal advice.
The failure to disclose provisions are found in section 330, section 331 and section 332. In all three sections, the phrase ‘knows or suspects’ refers to actual knowledge or suspicion – a subjective test. However, you will also commit an offence if you fail to report when you have reasonable grounds for knowledge or suspicion – an objective test. On this basis, you may be guilty of the offence under s330 or s331 if you should have known or suspected money laundering.
For all failure to disclose offences you must either:
A person commits an offence if:
Under the changes introduced by the Criminal Finances Act 2017, where a practice shares information about a suspicion with another regulated entity, making a required notification or being party to a joint disclosure report will both be treated as satisfying any requirement to disclose.
Delays in disclosure arising from taking legal advice or seeking help may be acceptable provided you act promptly to seek advice.
A MLRO in the regulated sector commits a separate offence if, as a result of an internal disclosure under section 330, he or she knows or suspects, or has reasonable grounds for knowing or suspecting, that another person is engaged in money laundering and he or she fails to make a disclosure to the NCA as soon as practicable.
An organisation which is not in the regulated sector, may decide on a risk-based approach to set up internal disclosure systems and appoint a person as MLRO to receive internal disclosures.
A MLRO in the non-regulated sector commits an offence if, as a result of an internal disclosure, they know or suspect that another person is engaged in money laundering and fails to make a disclosure as soon as practicable to the NCA.
There are three situations in which you have not committed an offence for failing to disclose:
The first defence is the only one which applies to all three failure to disclose offences; the other two defences only apply to persons in the regulated sector who are not MLROs.
All of the failure to disclose sections also reiterate that the offence will not be committed if the property involved in the suspected money laundering is exempted overseas criminal conduct.
Similar to the reasonable excuse defence against the primary money laundering offences, no offence in respect of a failure to disclose is committed if there is a reasonable excuse for not making a disclosure. Refer above to the guidance on this point.
No offence is committed if the information or other matter giving rise to suspicion comes to a professional legal adviser or relevant professional advisor in privileged circumstances.
You should note that receipt of information in privileged circumstances is not the same as legal professional privilege. It is a creation of POCA designed to comply with the exemptions from reporting set out in the European directives.
Privileged circumstances means information communicated:
The exemption will not apply if information is communicated or given to the legal professional with the intention of furthering a criminal purpose and is unlikely to apply in respect of any transactional work undertaken on behalf of a client.
Employees within the regulated sector who have no knowledge or suspicion of money laundering, even though there were reasonable grounds for suspicion, have a defence if they have not received training from their employers. It does not apply where actual knowledge or suspicion exists. Employers may be prosecuted for a breach of the Regulations if they fail to train staff. This defence is not available to MLROs/nominated officers.
The three mental elements most relevant to offences under Part 7 of POCA are:
The objective standard only applies to offences relating to the regulated sector (section 330 and section 331). The element ‘belief on reasonable grounds’ is also relevant in the specific context of the foreign legal conduct defence. A person will not be guilty of an offence if they know or believe on reasonable grounds that the relevant criminal conduct was exempt overseas conduct.
For the principal offences of money laundering the prosecution must prove that the property involved is criminal property. This means that the prosecution must prove that the property was obtained through criminal conduct and that, at the time of the alleged offence, you knew or suspected that it was.
For the failure to disclose offences, where you are acting in the regulated sector, you must disclose if you have knowledge, suspicion or reasonable grounds for suspicion. If you are not in the regulated sector you will only need to make a disclosure if you have actual, subjective knowledge or suspicion.
These terms for the mental elements in the offences are not defined within POCA. However, case law has provided some guidance on how they should be interpreted.
Knowledge means actual knowledge. There is some suggestion that wilfully shutting one's eyes to the truth may amount to knowledge. However, the current general approach from the criminal courts is that nothing less than actual knowledge will suffice. Knowledge can be inferred from surrounding circumstances – for example, a failure to ask obvious questions may lead to a jury implying knowledge
For a section 330 offence, knowledge must also come to the practice or member of staff during the course of regulated business. Information that does not arise through these circumstances may not give rise to the requirement to report, although does not preclude the practice/MLRO from doing so.
The term 'suspects' is one which the courts have historically avoided defining; however, because of its importance in English criminal law, some general guidance has been given. In the case of R v Da Silva [2007] 1 WLR 303, which was prosecuted under previous money laundering legislation, Longmore LJ stated:
"It seems to us that the essential element in the word "suspect" and its affiliates, in this context, is that the defendant must think that there is a possibility, which is more than fanciful, that the relevant facts exist. A vague feeling of unease would not suffice."
There is no requirement for the suspicion to be clear or firmly grounded on specific facts, but there must be a degree of satisfaction, not necessarily amounting to belief, but at least extending beyond speculation.
The test for whether you hold a suspicion is a highly subjective one.
If you think a transaction is suspicious, you are not expected to know the exact nature of the criminal offence or that particular funds were definitely those arising from the crime. You may have noticed something unusual or unexpected and after making enquiries, the facts do not seem normal or make commercial sense. You do not have to have evidence that money laundering is taking place to have suspicion, or have knowledge of the underlying criminality.
Section 18 of this guidance contains a number of warning signs which may give you a cause for concern; however, whether you have a suspicion is a matter for your own judgment. To help form that judgment, consider talking through the issues with colleagues or contacting your supervisor. Listing causes for concern can also help focus your mind.
If you have not yet formed a suspicion but simply have cause for concern, you may choose to ask the client or others more questions. This choice depends on what you already know, and how easy it is to make enquiries.
If you think your own client is innocent but suspect that another party to a transaction is engaged in money laundering, you may still have to consider referring your client for specialist advice regarding the risk that they may be a party to one of the principal offences.
For legal professionals in the regulated sector an additional objective test may establish the mental element of an offence. It is necessary to ask were there factual circumstances from which an honest and reasonable person, engaged in a business in the regulated sector, should have inferred knowledge or formed the suspicion that another was engaged in money laundering?
MLRO access to good quality CDD information (including the background/circumstances of a particular client/transaction) is key in this situation. This will help establish whether the matter in question is out-with the normal course of business or what might be expected of the client, or what specific further enquiries to make in order to establish whether there are grounds to know or suspect.
A clear and concise rationale for the internal report should be available to the MLRO for consideration. Practices may find it helpful implement a standard internal reporting form for use by staff/partners – outlining the key information necessary to aid the MLRO in determining whether a report should be submitted.
Questions to ask in this context may include the source of funds or source of wealth/assets involved, the amounts/value involved, the intended use/movement/destination of assets, presence of red flags, high risk jurisdictions etc.
Legal professionals must be able to demonstrate the actions/non-action taken was reasonable given the specific set of circumstances involved in each particular matter. The rationale for the decision taken should be retained by the MLRO.
Consideration must be made to balance the requirement to submit a SAR in a timely manner, and the gathering of further information in order to decide whether a suspicion has been formed.
You must report suspected money laundering even if your suspicion relates to overseas criminal conduct. Unless you have a reasonable excuse you may also commit a principal money laundering offence if you deal with criminal property derived from a predicate offence committed outside the UK.
This is because the definition of ‘criminal conduct’ in POCA not only includes all UK crimes, but all conduct which would be criminal if it had occurred in the UK. Similarly, the definition of money laundering, which underpins the failure to report offences, includes the principal offences, related offences and anything that would fall within either of those categories if done in the United Kingdom.
It is unnecessary to know, and is irrelevant, whether the conduct generating the criminal proceeds was unlawful in the jurisdiction where the conduct occurred.
A narrow exception from the application of these principles for conduct that occurs overseas and is legal where it takes place was introduced by the Serious Organised Crime and Police Act 2005 and is known sometimes as the “Spanish Bullfighter” exception. The legal conduct overseas exception applies where a person knows or believes on reasonable grounds that the relevant criminal conduct occurred in a country outside the UK and:
Since 2007, section 333A POCA has contained two offences for tipping off. There are also tipping off offences for terrorist property in the Terrorism Act, discussed in section 17.
There are two tipping off offences in section 333A of POCA. They apply only to businesses in the regulated sector.
It is an offence to disclose to a third person that an internal or external SAR has been made by any person to the police, HM Revenue and Customs, the NCA or a nominated officer, if that disclosure might prejudice any investigation that might be carried out as a result of the SAR. This offence can only be committed:
It is an offence to disclose the fact that an investigation into a money laundering offence is being contemplated or carried out if that disclosure is likely to prejudice that investigation. The offence can only be committed if the information on which the disclosure is based came to the person in the course of business in the regulated sector, and it is known a law enforcement investigation is being contemplated or is underway.
The key point is that you can commit this offence, even when you are unaware that a SAR was submitted.
Section 342(1) contains an offence to prejudice a confiscation, civil recovery or money laundering investigation, if the person making the disclosure knows or suspects that an investigation is being, or is about to be, conducted. Section 342(1) applies to those outside the regulated sector as well as those within the regulated sector.
You only commit this offence if you knew or suspected that the disclosure would, or would be likely to, prejudice any investigation.
The following disclosures are permitted:
A person does not commit the main tipping off offence if he or she does not know or suspect that a disclosure is likely to prejudice an investigation.
It is not an offence if an employee, officer or partner of a practice discloses that a SAR has been made if it is to an employee, officer or partner of the same undertaking.
A legal professional will not commit a tipping off offence if:
A legal professional will not commit a tipping off offence if all the following criteria are met:
A legal professional will not commit a tipping off offence if the disclosure is to a client and it is made for the purpose of dissuading the client from engaging in conduct amounting to an offence. This exception and the tipping off offence in section 333A apply to those carrying on activities in the regulated sector.
It is a defence to a section 342(1) offence that a disclosure is made by a legal adviser to a client, or a client’s representative, in connection with the giving of legal advice or to any person in connection with legal proceedings or contemplated legal proceedings.
Such a disclosure will not be exempt if it is made with the intention of furthering a criminal purpose (section 342(5)).
You should make preliminary enquiries of your client, or a third party, to obtain further information to help you to decide whether you have a suspicion. You may also need to raise questions during a retainer to clarify such issues.
There is nothing in POCA which prevents you making normal enquiries about your client's instructions, and the proposed retainer, in order to remove any concerns and enable the practice to decide whether to take on or continue the retainer.
These enquiries will only be tipping off if:
It is not tipping-off to include a paragraph about your obligations under the money laundering legislation in your practice's standard client care letter.
Terrorist organisations require funds to plan and carry out attacks, train militants, pay their operatives and promote their ideologies.
Terrorist financing is the provision or collection of funds with the intention of being used to carry out terrorist acts whether by terrorist organisations or by individuals acting alone or in small networks.
Practices should be aware that terrorist financing can involve funds from legitimate or illegitimate sources – ranging from personal donations to the proceeds of criminal activity such as drug dealing, extortion or human trafficking. It may also originate from funds raised via the diversion or exploitation of natural resources.
Concealment of the destination of legitimate funds to be used for criminal purposes is, in effect, money laundering in reverse.
The Terrorism Act 2000 (as amended) (TA) criminalises not only the participation in terrorist activities but also the provision of monetary support for terrorist purposes. Unless stated otherwise, sections mentioned in this section 17, will refer to sections of the TA.
The UK national risk assessment 2020 states:
“The risk of terrorist financing through legal services is low. We continue to assess that legal services are not attractive for terrorist financing and there remains no evidence of these services being abused for terrorist financing purposes”.
Practices must still be aware of their risk exposure in the context of the overall business, and within individual client relationships or transactions – and take appropriate steps to mitigate these risks.
All persons are required to comply with the TA. The principal terrorist property offences in section 15 to section 18 apply to all persons and therefore to all legal professionals. However, the specific offence of failure to disclose and the two tipping off offences apply only to persons in the regulated sector, as defined in Schedule 3A of the TA.
Terrorist property is defined as:
“money or other property which is likely to be used for the purposes of terrorism (including any resources of a proscribed organisation), proceeds of the commission of acts of terrorism, and proceeds of acts carried out for the purposes of terrorism”.
It is an offence to be involved in fundraising if you have knowledge or have reasonable cause to suspect that the money or other property raised may be used for terrorist purposes.
You can commit the offence by:
It is no defence that the money or other property is a payment for goods and services.
It is an offence to use or possess money or other property for terrorist purposes, including when you have reasonable cause to suspect they may be used for these purposes.
It is an offence to become involved in an arrangement which makes money or other property available to another if you know or have reasonable cause to suspect it may be used for terrorist purposes.
It is an offence to enter into or become concerned in an arrangement facilitating the retention or control of terrorist property by, or on behalf of, another person including, but not limited to the following ways:
It is a defence if you did not know, and had no reasonable cause to suspect, that the arrangement related to terrorist property.
We will refer to defence against terrorist financing SARs as DAML for simplicity.
In 2007, three new defences to the main offences in section 15 to section 18 were introduced to the TA. These defences are contained in section 21ZA to section 21ZC, and are as follows:
Similarly to POCA there is a seven working day notice period for the NCA to respond, after which you will have either a response or deemed consent but unlike POCA there is no moratorium period.
See section 11 of this guidance for more information on how to make a disclosure and gaining consent.
There are further defences relating to co-operation with the police in section 21. You do not commit an offence under section 15 to section 18 in the following further circumstances:
The defence of disclosure to a constable or the NCA is also available to an employee who makes a disclosure about terrorist property offences in accordance with the internal reporting procedures laid down by the practice.
Section 19 provides that anyone, whether they are a MLRO or not, must disclose as soon as reasonably practicable to a constable, or the NCA, if they believe or suspect that another person has committed a terrorist financing offence based on information which came to them in the course of a trade, profession or employment. The test is subjective.
Section 21A creates a criminal offence for those in the regulated sector who fail to make a disclosure to either a constable or the practice's MLRO where they know, suspect, or there are reasonable grounds for knowing or suspecting that another person has committed an offence. Since 2007 the offence has also covered the failure to disclose an attempted offence under section 15 to section 18.
The following are defences to failure to disclose offences under both section 19 and section 21A.
Under section 21A a person also has a defence where they are employed or are in partnership with a 'professional legal adviser' to provide assistance and support and they receive information giving rise to the relevant knowledge or suspicion in privileged circumstances.
It is also a defence under section 19 if you made an internal report in accordance with your employer's reporting procedures.
It is an offence to disclose to a third person that a SAR has been made by any person to the police, HMRC, the NCA or a MLRO, if that disclosure might prejudice any investigation that might be carried out as a result of the SAR. This offence can only be committed:
It is an offence to disclose that an investigation into allegations relating to terrorist property offences is being contemplated or carried out if that disclosure is likely to prejudice that investigation. The offence can only be committed if the information on which the disclosure is based came to the person in the course of business in the regulated sector. The key point is that you can commit this offence, even where you are unaware that a SAR was submitted.
It is not an offence if an employee, officer or partner of a practice discloses that a SAR has been made if the disclosure is to an employee, officer or partner of the same undertaking.
A legal professional will also not commit a tipping off offence if a disclosure is made to another legal professional in a different undertaking, provided that the undertakings the parties work in:
A legal professional will not commit a tipping off offence if all the following criteria are met:
A legal professional will not commit a tipping off offence if the disclosure is to a client and it is made for the purpose of dissuading the client from engaging in conduct amounting to an offence. This exception and the tipping off offence in section 21D only apply to the regulated sector.
You will often make preliminary enquiries of your client, or a third party, to obtain further information to help you to decide whether you have a suspicion. You may also need to raise questions during a retainer to clarify such issues.
These enquiries will only amount to tipping off if you disclose that a suspicious activity report has been made, or that an investigation into allegations relating to terrorist property offences is being carried out or contemplated.
Part 1 of the Terrorist Asset-Freezing Act 2010 (the TAFA) contains prohibitions against:
It is a defence if you did not know nor had any reasonable cause to suspect that you were undertaking a prohibited act with respect to a designated person.
In relation to funds, “deal with” is defined by the legislation as:
In relation to economic resources, “deal with” is defined as “using to obtain funds, goods, or services in any way.”
Funds, and economic resources are each defined very broadly in section 39 of the TAFA 2010. Section 40 of the TAFA defines financial services broadly and includes asset management (trust services) as well as investment advice.
The TAFA applies to persons designated by the UK unilaterally or under Council Regulation 2580/2001. The ISIL (Da'esh) and Al-Qaida (Asset-Freezing) Regulations 2011 (the 2011 Regulations), as amended, create a similar, and parallel regime of offences for persons designated under EC Regulations 881/2002 and 1686/2016.
In addition to the Terrorism Act offences, the UK has enacted terrorist asset-freezing legislation in part to give effect to international obligations. These terrorist property offences focus on the financial and economic dealings of specific individuals, referred to in the legislation as designated persons.
The Sanctions and Anti-Money Laundering Act 2018 empowers the secretary of state to make regulations that enables the terrorist-asset freezing regime to apply in substantially the same way after the United Kingdom leaves the European Union. After Britain leaves the European Union (and any transition period), the government intends to repeal Part 1 of the Terrorist Asset-Freezing Act 2010 and revoke the 2011 Regulations. The asset-freeze offences will be reproduced across three regulations:
These regulations contain prohibitions against:
It is a defence if you did not know nor had any reasonable cause to suspect that you were undertaking a prohibited act with respect to a designated person.
In relation to funds, ‘deal with’ is defined by the legislation as:
In relation to economic resources, 'deals with' is defined as:
exchanging or using the resources for funds, goods, or services (including by pledging them as security).
A consolidated list of designated persons is available on the Treasury website.
The Regulations require you to conduct risk assessments, due diligence and ongoing monitoring of your business relationships and take steps to be aware of transactions with heightened money laundering or counter-terrorist financing risks. The Proceeds of Crime Act 2002 requires you to report suspicious transactions.
This section highlights a number of warning signs or “red flags” for legal professionals generally and for those dealing with particular types of work, to further help you assess the AML risks associated with your practice, or risks of a particular client or matter appropriately and also to help you decide whether you have reasons for concern or the basis for a reportable suspicion.
Because money launderers are always developing new techniques, no list of examples can be exhaustive or fully comprehensive; however, below are some key factors which may arise during or after client and retainer acceptance and give you cause for concern.
If you become aware of a red flag, this should prompt to you to ask for additional documentation or ask further questions of your client.
For any aspect of an instruction, good questions to ask are, “Does this make sense?” and, “Is the documentation I have consistent with what I am being told and know about the background, nature or circumstances of the client?”
If the answer is no, then consider what further information or documentation you require in order to become satisfied.
If you cannot be satisfied, you consider your position in terms of proceeding with the relationship or matter, as per R30., and consider the submission of a suspicious activity report.
The presence of any one red flag does not mean that a client is automatically high risk, that you should not continue with the retainer or that you need to make a suspicious activity report.
The presence of red flags must be considered in context; the client may be able to provide a legitimate explanation.
For example, a large transaction by an oil company points to high risk, but actually it may be a normal and regular occurrence for that particular client’s industry and business activities, and for your law firm.
Remember, it is not “tipping off” to ask for further information as part of your client due diligence process.
If you cannot get the information you need, this may in itself be cause for further concern and lead you to become suspicious.
In collating these red flags, reference has been made to the FATF Report on Money Laundering and Terrorist Financing Vulnerabilities of Legal Professionals (2013) and the FATF Guidance on Concealment of Beneficial Ownership (July 2018) as well as other, similar pieces of guidance.
If the client is a legal person or legal arrangement and it:
The source of funds is unusual due to:
The risk associated with a collective investment scheme may be decreased where:
Factors which will increase the risks include where:
| Acronym | Meaning |
|---|---|
| AIM | Alternative investment market |
| AML | Anti-money laundering |
| BACS | Bankers' automated clearing system |
| BOOM | Beneficial owner, officer or manager |
| CDD | Client due diligence |
| CEO | Chief executive officer |
| CFO | Chief financial officer |
| CTO | Chief technology officer |
| DAML | Defence against money laundering |
| EDD | Enhanced due diligence |
| EEA | European Economic Area |
| EID&V | Electronic identification and verification |
| EU | European Union |
| FATF | Financial Action Task Force |
| FCA | Financial Conduct Authority |
| GDPR | General Data Protection Regulation |
| HMRC | HM Revenue and Customs |
| HMT | HM Treasury |
| HRTC | High-risk third country |
| ID&V | Identification and verification |
| IDV | Identity verification |
| ISIL | Islamic State of Iraq and the Levant |
| LLP | Limited liability partnership |
| LSAG | Legal Sector Affinity Group |
| ML | Money laundering |
| ML/TF | Money laundering/terrorist financing |
| MLCO | Money laundering compliance officer |
| MLRO | Money laundering reporting officer |
| NCA | National Crime Agency |
| OPBAS | Office for Professional Body Anti-Money Laundering Supervision |
| PCP | Policy, control, procedure |
| PEP | Politically exposed person |
| POCA | Proceeds of Crime Act |
| PWRA | Practice-wide risk assessment |
| RBA | Risk-based approach |
| SAR | Suspicious activity report |
| SDD | Simplified due diligence |
| SFO | Serious Fraud Office |
| SLP | Scottish limited partnership |
| TACT | Terrorism Act |
| TF | Terrorist financing |
| UBO | Ultimate beneficial owner |
| UK | United Kingdom |
| UKFIU | United Kingdom Financial Intelligence Unit |
If you suspect that property involved in a retainer is criminal property, offences under section 327 and section 329 are relatively straightforward to assess. However, an arrangement offence under section 328 may be more complicated, particularly with transactional matters.
You may become concerned in the arrangement by, for example, executing or implementing it, which may lead you to commit an offence under the Proceeds of Crime Act or the Terrorism Act (2000).
Consider whether you need to make an authorised disclosure to:
If you are acting within the regulated sector, consider whether you risk committing a failure to disclose offence, if you do not make a disclosure to the NCA.
The following two flowcharts show the issues to consider when deciding whether to make a disclosure to the NCA.
Special thanks to:
