Compliance with the regulations and preventing money laundering Q&A

This section provides answers to a number of common questions we are asked about preventing money laundering and compliance with The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 ('the regulations'). If you cannot find an answer to your specific question, you could call our Professional Ethics team, or consider seeking independent legal advice.

Scope of the regulations

Open all

No. Whether or not you fall within scope of the regulations is not dependent on holding client’s money. There are many ways to meet the definitions of an independent legal professional, trust or company service provider (regulation 12 paragraphs (1) and (2) respectively) or tax adviser (regulation 11(d) as amended) without holding client money.

The regulations do not differentiate between solicitors practising on their own (eg as freelancers) or in firms. So if a solicitor practising on their own works in scope of the regulations, then they need to do so in full compliance with the regulations and follow our guidance. This is true regardless of whether the work is reserved under the Legal Services Act (2007) or not. Freelancers need to tell us the work they do via the freelancer form in MySRA, and we can then supervise them for the purposes of the money laundering regulations.

Assuming that the entity providing the in-scope services is totally separate to you, and that this entity has its own contractual relationship with the client independent of your firm, then you are likely not in scope.

The definition in the regulations is extremely broad, and includes 'tax advice, material aid and assistance.' This effectively means that you do not need to be providing tax advice to be a tax adviser – it is enough to provide help, whether that be advice or some other service. This definition has not been tested in court, but we interpret there to be a relatively low level at which something qualifies for inclusion.

We consider however that in and of itself providing someone with a calculation of stamp duty and land tax liability from a single residential transaction, or paying it on a client’s behalf is not likely to be in scope. If a solicitor is dealing with anything other than a simple calculation based on price, they need to give thought as to whether in so doing they fall within the definition of a tax adviser.

We cannot provide a case-by-case guide to what is and is not in scope, but firms may refer to our guidance for more information. Firms may wish to seek independent legal advice if they want further assurance.

It depends on the nature of the relationship between your client and the tax adviser. If you have made a referral, and the tax adviser and client now have a contractual relationship between them, it is likely you are not in scope, assuming you are not providing any other help (ie advice, assistance or material aid) with their tax affairs. If the client only has a contractual relationship with you, and you are passing tax advice to them (but not necessarily creating the advice), then both you and the tax adviser are likely to be

We can only supervise firms for AML purposes that are eligible for authorisation under the SRA Authorisation of Firms Rules.

Solicitors can work in unregulated entities using their title of 'solicitor'. For the purposes of the money laundering regulations, as the entity is not an SRA-regulated firm, we will not be the money laundering supervisor for the purposes of the money laundering regulations and it will be necessary for them to approach one of the other supervisors set out in Schedule 1 of the regulations.

Interacting with your supervisor

Open all

The best way of making sure your AML details are up to date is by submitting an updated FA10b form in MySRA with all your current details. Firms can check their existing details by contacting our Authorisation team.

Not always. It is worth noting that roles set out in our glossary (eg 'manager') differ from the roles as defined in the regulations. Our glossary definition of 'manager' is only relevant for requirements under our Standards and Regulations and not the AML regime. The AML requirements are a separate regime based on separate legislation and need to be considered and satisfied in their own right.

Yes. It is possible to be drawn into scope via multiple routes (eg as a tax adviser and an independent legal professional). You need to tell us about all the ways that you are in scope of the regulations and ensure your FA10b form (found in MySRA) is updated accordingly.

Beneficial owners are those that might benefit from their ownership of an entity or asset (eg a company.)

For firms we authorise in scope of the regulations, beneficial owners must be approved by us.

You will need to identify and undertake reasonable measures to verify the identity of your customers. For a company or partnership, you only need to identify a beneficial owner where they own more than 25 per cent of the entity (as per regulation 5). For trusts, the requirements are detailed in regulation 6. See 6.15 of LSAG for more information.

During our visits we speak to the firm's money laundering compliance officer (MLCO) and money laundering reporting officer (MLRO). We also need to speak to two fee earners who undertake work in scope of the regulations and conduct reviews of some of their client files.  We will also review the following:

  • your firm-wide risk assessment
  • your firm’s AML policies, controls and procedures
  • your firm’s template client AML risk assessment
  • copies of any audits on your firm’s policies and procedures
  • AML related training records

During the course of our interviews, we also gather data on the number of suspicious activity reports (SARs) submitted by the firm and you should have the information relating to this to hand ahead of our review. Please do not send copies of suspicious activity reports, whether internal (made by staff to the MLRO) or external (made by the MLRO to the National Crime Agency).

If we identify serious failures to comply with the regulations, we may consider a referral to our investigation team to look into this further.

This would be a breach of the regulations. You should report this to the SRA in line with 3.1 and 3.9 of our Code of Conduct for Firms. We will investigate further to assess the severity of the issue in line with our enforcement strategy and our AML topic guide. Whether we will take regulatory action will depend on several factors including the actual risk the firm could have been used for money laundering (including the nature of the services provided) and what action the firm took when they realised there was a breach.

If there is an ongoing chance you may provide services in scope of the regulations, you will need to become approved to do so and make sure you are compliant with the regulations.

We take a risk-based approach to AML supervision.

While we are more likely to visit a firm we have rated as higher risk, we will also from time to time visit lower-risk firms. Just because we are visiting you does not automatically mean we consider your firm to be higher risk.

In determining which firms we do consider as higher risk, we have regard to the relevant sections of the Office of Professional Body Anti- Money Laundering Supervision (OPBAS) source book.

We may also have regard to information we hold on firms (including past interactions) when determining whether we consider them to be higher risk. However, there is no one single factor which automatically dictates that we will regard a given firm as being higher risk.

Level of risk

Open all

Yes, although it is a little more complicated than that.

To explain why this is, we need to consider inherent risk and mitigated risk. Inherent risk is the risk posed by the matter, due to its features eg it involves a high-risk service like conveyancing. Inherent risk will be the same from firm to firm.

You can address inherent risks by using controls (eg regular file reviews, ensuring those acting on a file have relevant experience), and these controls can mitigate the effect of these inherent risks, albeit likely not eliminate the risk altogether. Once you have mitigated a risk with the controls you apply, you are left with the residual risk. Depending on the different controls applied by two different firms, the residual risk could be different across them for the same matter.  

For example Firm A and Firm B might both be approached by the same client for the same matter – let's say high-value conveyancing. Firm A mainly deals with other services and does not have a good understanding of conveyancing work. Firm B mainly undertakes high-value conveyancing matters and has developed a suite of controls they can apply to address the risk. 

The inherent risk won't change and will be the same for Firm A and B.

The residual risk might be lower for Firm B depending on the mitigations applied. See 5.7 of the LSAG guidance for more information.

These two tools help firms to fulfil their duty under regulation 28(12)(a)(ii) to tailor due diligence to the specific risks identified in each particular case. Client risk assessments record risks relating to the client like their location, their main business activities, how they are beneficially owned and controlled, and adverse media screening checks. Matter risk assessments account for risks specific to the matter, such as cash transactions, the nature of the service (eg conveyancing) and the rationale for it happening, including who is benefitting from the transaction. For more information on these and how to use them see 5.9 to 5.12 in the LSAG guidance.

In order to understand how to consider the risk present, you will need to understand why your client is involved in the matter and whether it is consistent with their business and what you know of them.

If a low-risk client engages you on a high-risk matter, it could be a sign the client is no longer low-risk. You should revisit your client risk assessment that concluded they were low risk in this case. It might be that with the new information and the new service they have asked of you, you need to re-evaluate and update the client risk assessment.

This is also the case where you encounter something that does not align with your firm-wide risk assessment. These risk assessments should be living documents, and if the risks change, so should the risk assessments.

Customer Due Diligence (CDD)

Open all

You might need to undertake due diligence on the other party in a transaction. This could be because this is required by the regulations due to either the client or counter-party to the transaction being established in a high-risk third country (regulation 33(1)(b)) or as a part of developing your understanding of a matter or transaction.

If so, you will need to decide what level of checks are appropriate based on the risks identified in the matter risk assessment.

A useful starting point might be the counter-party’s representative who should be able to provide more details on their client - and you may be able to rely on their due diligence under regulation 39 depending on their jurisdiction and what regulation they are subject to.

Open-source web searches are a cheap, easy and non-invasive way to help you gain a better understanding of the counter-party but might not give you all the information you need on their own.

Yes. While passports are very useful as they have key identifying information, they are not the only document you might use for this. The LSAG guidance provides a list of documents you might find helpful when verifying the identity of a client (6.14.5) eg a passport or residence permit. While documentation that provides greater assurance should be preferred, it is important to ensure that fulfilling this requirement should not create a barrier to access legal services where documents are unavailable for legitimate reasons. Section 6.14.7 of the LSAG addresses where a client cannot provide standard identification documents for legitimate reasons such as being a refugee or asylum seeker.

No, but you might decide that there are some advantages in doing so. If you do full AML checks on all clients, you can easily transition to providing them services that are in scope without doing further checks. It also has the advantage that you gain a better understanding of new clients, and the wider risks they may pose to you eg reputational risk via media checks. Transitioning clients from non-AML services to AML services is known as passporting and can create significant risk where this does not trigger all relevant AML checks.


Whether work is in scope of the regulations or not, you will always need to satisfy the requirement in our Standards and Regulations to identify your client in as per 8.1 of the SRA Code of Conduct for Solicitors, RELs and RFLs.

The costs of customer due diligence (eg identification and verification or source of funds checks) can vary depending on the type of client and level of money-laundering risk they pose. You can pass the costs of customer due diligence on to your clients, however the cost will need to be clearly stated in the firm’s terms and conditions.

It is important that clients are informed of and understand the cost in advance as this will enable them to instruct an alternative firm if they are not agreeable to the cost.

Source of Funds

Open all

You need to go back as far as is needed to build a clear picture of how the client accumulated their money for the transaction. For some, it may be as little as six months (particularly if that shows a big event like a significant gift), for others it might require looking back several years. This is a case-by-case assessment and should reflect the level of risk you have identified in your client and/or matter risk assessment.

A source of funds check is to answer the question, “how did the client accumulate the funds for this transaction?” This will need to go beyond where or who the funds have come from and look at why they have the money they do (eg is it salary, or a gift?). Along with answering the question of who your client is, identifying the source of their funds is one of the most valuable checks you can do to protect your firm from the risk of money laundering and terrorist financing.

In terms of how you go about a check, you can use paper or digital copies of statements though both carry some vulnerability to fraud. Some services exist which allow prospective clients to share relevant information directly from their bank accounts, while preserving their privacy; which you may find helpful to use.

Source-of-funds checks are particularly useful where there is a higher risk that monies coming into your account might be the proceeds of crime (eg where there are allegations of fraud against the party sending you the funds.)

For more information on this, see 6.17 of the LSAG guidance.

If the client is a politically-exposed person, you must apply a source-of-funds check under regulation 35. If the client or counterparty are established in a high-risk third country, you will need to check source of funds also.

In addition regulation 28(11)(a) requires firms to undertake a source of funds check 'where necessary', though this is not defined in the regulations. We interpret this as requiring a risk-based approach. This means your firm, client and matter risk assessments need to be considered when deciding if it is necessary.

The requirement to do source of funds checks might apply even if no money is coming through your client account. You do not need to do these kinds of checks on monies sent to you as payment (providing they are an 'adequate consideration' as defined in the Proceeds of Crime Act 2002 ie are reasonable and not considerably more than the value of the work as per 16.4.2 of the LSAG guidance.)

For more information on source of funds, see 6.17 of the LSAG guidance.

Source of funds means checking where the specific money for a transaction has come from (eg salary, gift, investment profit).

Source of wealth is a more holistic assessment of how the client has generally accumulated the wealth they have. A source of wealth check must be undertaken when your client is a politically-exposed person or the close relative or associate of a politically-exposed person, or where the client or the counter-party to the transaction is based in a high-risk third country.

Technology for due diligence

Open all

There is an ever-growing list of technology providers and services you can use to help protect your firm – though there is no requirement for you to use any of them. Some things to consider when deciding whether or not to use a service are:

  • Do you understand what it does?
  • Do you understand all the options and how these may be used across the different levels of client/matter risk your firm encounters?
  • Does it have any certifications or accreditations with regards how it holds data?
  • Does it meet any standards (eg the Land Registry Safe Harbour Standard)?

It is important to remember what information your staff will need access to across the course of their work, particularly the undertaking of ongoing monitoring of clients and matters as per regulation 28(11). You should consider whether the technology you use is inappropriately restricting access to this information.

For more information on how to evaluate and use AML technology in your firm, see Section 7 of the LSAG guidance

It is important to understand that this kind of technology is a tool like any other. To decide on whether to use it or not is ultimately your decision and one you should take seriously.

There is a test in the regulations (see 6.14.3 of the LSAG guidance) for whether you can consider technology as a 'reliable source' of information. A key part of the test is whether it provides an appropriate level of assurance – something you will need to determine yourself.

Your decision about whether to use a given technology or service, should be based on a comprehensive understanding of what the system does and how it will help you to address the AML risks presented by the client. If you do decide to use a service you will need to ensure relevant staff are adequately trained to use it, including how to enter information correctly, and how to correctly interpret the results of checks.

It is worth noting that the responsibility for the decisions made by your firm regarding client matters remain with the firm, and as a result you should not seek to outsource decision-making itself; rather consider the results the technology returns in order to make decision.

It’s also important to note that whilst you can use digital verifiers as a source when making your own checks, you cannot rely on digital client due diligence providers in the meaning of reliance as defined in regulation 39 as they are not relevant persons for the purposes of the regulations. If you are relying on checks that have been done by another relevant person, you will need to have a fully compliant reliance agreement in place as per regulation 39.

Other requirements under the regulations

Open all

No. Just because money has come through a client account or UK bank account, does not mean you can assume it is not the proceeds of crime. A firm will always be responsible for its own AML checks and you cannot assume the work of others outside your firm address this risk.

Even where you have a regulation 39 compliant reliance agreement in place with another firm, the requirement to report suspicions to the NCA will still apply.

You must submit a SAR when you know, suspect or have reasonable grounds to suspect that you may have encountered the proceeds of crime or that someone is engaged in money laundering or dealing in criminal property. You do not have to be handling the proceeds of crime yourself or seeking a defence against an offence in order to be required to submit a SAR.

You will not be able to tell the subject of the SAR anything that might prejudice an investigation – there is a 'tipping off' offence in the Proceeds of Crime Act 2002 (s333A) that sets this out.

See Section 11, and 16.5 to 16.10 of the LSAG guidance for more information on SARs. 

Regulation 21 sets out the key features of an independent audit function including that it must:

  • Review your policies, controls and procedures (ie under regulation 19)
  • Make recommendations about how these can be improved and
  • Monitor compliance with the recommendations of the audit

'Independent' does not necessarily mean that this has to be carried out by an external party. A compliant independent audit may be carried out by an employee of your firm who is not involved in the creation or application of the policies, controls and procedures (PCPs).

The regulations state an independent audit is necessary where appropriate to the size and nature of the firm but does not define this.

LSAG 9.1 gives more detail as to what you should consider when deciding whether this applies to your firm.

We also believe the 'nature' of a firm needs to be judged against the risk they pose via:

  • the type of work the firm does
  • how much of their work (both as a percentage of the firm’s total turnover and in absolute volume) is in scope of the regulations and
  • the results of their regulation 18 firm wide risk assessment.

Even where an independent audit might not be 'necessary,' gaining feedback via an independent audit may still help your firm to review and improve your AML compliance.

If a firm wishes to make the case that this requirement does not apply to them, they should record their reasoning. Firms will have to continue to review their PCPs, record any changes made to them and record all steps taken to communicate changes to the PCPs to staff across the firm.

Firms might consider entering into reciprocal arrangements with other firms in order to undertake independent audits on each other, subject to suitable controls to protect client confidentiality being in place.

Firms should take a risk-based view on how often they undertake an independent audit, but it might be appropriate to do one annually depending on:

  • the results of the previous audit
  • changes to legislation, internal processes, services provided and firm risk
  • whether the firm has recently merged with other firms.

LSAG 9.3 addresses this in more detail.

'Screening' is one of the three controls listed in regulation 21 and requires you to check:

  • the skills, knowledge and expertise of the individual to carry out their functions effectively
  • the conduct and integrity of the individual.

For details of what might be appropriate in terms of procedures for screening, please see the table in section 9.4 of the LSAG guidance.

When considering who to screen, consider who in your firm can contribute to protecting your firm from money laundering. This will include any fee earners working on matters in scope, but might also extend to others, eg finance staff. You should assume you need to screen staff and only exclude staff where there is no clear way that they could contribute to protecting your firm (eg cleaning staff or catering) as per regulation 21(2)(b). The level and frequency of screening should be based on the risk posed by the role and the individual and the ability of the role to contribute to the prevention of money laundering.

There is nothing in either the money laundering regulations or our Standards and Regulations to stop you from accepting crypto assets as payment for services. However this situation does raise some questions you need to answer and for you to be mindful of the risks.

You should note that our client account rules require money held on account to be held in a bank or building society. This means that any payment for services in crypto assets will only be possible after the services have been provided or as a fixed fee, as there are no compliant client accounts for crypto-assets offered by banks or building societies at present.

Subject to the above, the main question you should seek to answer before deciding to accept crypto assets as payment is 'Does the accepting of crypto assets as payment create risks?'. What to consider when answering that question:

  • How sure am I that I can consistently check and understand that the crypto assets are not the proceeds of crime or subject to sanctions? Where it is difficult to determine the origin of crypto assets, it increases the risk they may be an attempt to hide the proceeds of crime or circumvent the sanctions regime (even when the transfer is payment for fees). Some assets may have features that facilitate anonymisation which will increase the risk of handling them.
  • How clear is your pricing in relation to crypto assets and are you meeting your price transparency requirements when dealing with your clients? Please note these requirements apply whether payment is made in fiat currency or crypto assets. Your pricing will also need to be considered against fluctuations in crypto asset values which are more common than when dealing with fiat currencies.
  • Are there some crypto assets I am willing to accept and others I am not, and how will I decide which are outside my risk tolerance? Things to consider when answering this should include price instability of specific crypto assets and whether the asset has any features which may facilitate anonymisation or opacity that might make it more difficult to ensure compliance with the money laundering and sanctions regimes. It is also very important that this information about what you will and will not accept be clearly communicated to clients as well as any requirements you may have around methods of transfer, use of particular platforms etc.

The involvement of crypto assets generally will raise the money laundering, terrorist/proliferation financing and sanctions risk in a matter.

Crypto assets create money laundering risks because:

  • Historically they have lacked some of the controls of fiat currency (by which we mean traditional national currencies eg UK sterling, US dollars) and broadly they and the firms who primarily work with them have lacked regulation.
  • Crypto assets are a relatively new development and keeping up with the pace of change is challenging, particularly for those not engaged on the topic. It can also be hard to understand the varying reputations of certain crypto assets or related service providers as things change so quickly.
  • There have been criminals who have used them to launder and/or attempt to launder money and there are tools which help to make crypto ownership/transfers even more opaque (eg crypto 'tumblers' which make it more difficult to trace the history of ownership of the asset). There have been multiple scams that have involved crypto assets, or that have purported to involve crypto assets (such as with OneCoin where the crypto asset itself was fraudulent).

Despite the risks associated with them, due to increased prevalence and awareness of crypto assets in the public, it is now much more common to encounter clients that have gained money from investment in crypto. Crypto investments can be a valid source of legitimate funds but you should check:

  • The source of funds for their original crypto investment, particularly where it was a substantial amount in relation to their income/salary.
  • Claimed profits, given what you know about their initial investment and the changes in price over time.
  • Transactions using publicly available records. Bitcoin and many other crypto assets can allow you to simply use google to track down transactions involving specific assets or between specific wallets. You will need details of the client’s wallet or the assets held in order to be able to check them against publicly available transaction databases eg

Following amendments to the Money Laundering, Terrorist Financing, and Transfer of Funds (Information on the Payer) Regulations 2017 (the regulations), all firms need to carry out a proliferation financing risk assessment. This means that you will need to assess the risk of your firm being used to facilitate the proliferation of nuclear, chemical, biological and radiological weapons.

Rogue states and terrorists use methods similar to money laundering to disguise their purchase of materials to create weapons. This can include 'dual-use' goods which have both a civilian and military purpose. For example, fertiliser that could be used in farming or in bombs.

We consider that the overall risk to the profession is low, and most firms will be able to briefly assess their exposure to this risk within their existing firm-wide risk assessment, after taking into account the National Proliferation Risk Assessment and our own Sectoral Risk Assessment. You can find more information about how to conduct a proliferation financing risk assessment in the Legal Sector Affinity Group guidance.

Some services are at higher risk of exposure to proliferation financing. We expect to see a more detailed proliferation financing risk assessment from firms working in the following areas:

  • trade finance
  • commercial contracts
  • manufacturing particularly in relation to dual-use goods
  • commodities – particularly mined metals and chemicals
  • shipping/maritime
  • military/defence
  • aviation

I work for a global firm. Sometimes matters are initiated in one of our overseas offices without equivalent AML controls to the UK, and it is only after some time that it is discovered that the overall matter will have a UK element which falls within scope. This will sometimes be of a very minor nature, involving a UK fee earner spending just a few units of time on it. As this is only a minor part of a much larger matter, do we have to do full due diligence on the client? Can we put a de minimis provision in place?

There is no de minimis provision in the Depending on the nature of the matter and client, simplified due diligence under Regulation 37 may be available to you. Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017). If a matter falls within scope under Regulation 12, no matter how short in duration or scope, the appropriate level of client due diligence and a risk assessment must be carried out. It will be for you to determine the appropriate level of due diligence to be carried out based on the level of risk identified.


Open all
We have been asked by firms if they can receive payment for any legal work for designated persons without applying for a specific licence. The answer is no. The Legal Fees General Licence is purely in relation to the payment of legal fees and expenses, as defined in the licence itself. Any legal work on behalf of the client must be a permitted activity – in any other case, you must not receive payment for work unless covered by a specific licence.

The sanctions regime is strict liability, and the Office for Financial Sanctions Implementation (OFSI) does not prescribe the level of checks needed in any particular case. Relying on the other side or third parties to have effective systems in place to screen for designated persons again is unlikely to provide you with a complete defence if you breach the sanctions regime.

Transferring the following to a designated person, for example, could be a breach of the sanctions regime if no licence is in place:

  • an award of damages
  • completion funds in conveyancing
  • shares
  • real property.

While the regime itself is strict liability, OFSI has produced guidance which sets out its attitude to enforcement. This includes measures which will mitigate the position of firms who find themselves in breach.

OFSI will consider it good mitigation where a decision was made in good faith and, on the basis of proper due diligence, was a reasonable conclusion to draw. OFSI will take into account the measures and checks undertaken, including due diligence and ongoing monitoring, taking into account:

  • the facts of the case
  • the degree of sanctions risk of the relevant entities involved.

The level of due diligence you apply should be appropriate to the nature of a person's contractual or commercial relationship with the a designated person. OFSI expects these decisions to be evidenced and, ideally, made within an internal sanctions policy or framework. As ownership and control can change over time, OFSI has indicated that it expects that due diligence and risk assessments are reviewed at appropriate points in the case. To evidence this, we recommend that your checks and decision-making are thoroughly documented.

The information obtained as part of any ownership and control assessment should be scrutinised carefully, particularly where efforts appear to have been made by designated persons to avoid relevant thresholds.

The degree of scrutiny of the counterparty, therefore, should be proportionate to the risks identified. As a basic measure, at the outset of the matter we advise you to check counterparties against the OFSI consolidated list, perhaps as part of your conflict checking procedure. Riskier counterparties and transactions should be subject to more in-depth due diligence and more regular ongoing monitoring.

My firm has received a payment from a designated person who is subject to an asset freeze, to satisfy an obligation to one of our clients. It is currently sitting in our client account. Accounts Rule 2.5 states that 'You ensure that client money is returned promptly to the client, or the third party for whom the money is held, as soon as there is no longer any proper reason to hold those funds'. Does this mean I can transfer the sum to our client, as we have no reason to hold onto it in our client account?

No. You must not transfer monies which are subject to the sanctions regime without a licence being in place. This is for two reasons:

  1. Retaining funds which are frozen under the sanctions regime is a proper reason to hold them under Rule 2.5 and therefore would not breach your obligations under the Accounts Rules.
  2. In addition, the requirements of the sanctions regime take precedence over the Accounts Rules. The SRA Principles state that: 'Should the Principles come into conflict, those which safeguard the wider public interest (such as the rule of law, and public confidence in a trustworthy solicitors' profession and a safe and effective market for regulated legal services) take precedence over an individual client's interests.'

In these circumstances you will need to apply for a specific licence from OFSI in order to transfer the funds. You should note that this applies to all funds, no matter how small. OFSI recently published a decision against a company that made a payment of £250.

I submitted a report to OFSI some weeks ago after discovering that the firm is holding money on behalf of a designated person. I have not heard back from them since. Can I assume that OFSI does not object to my transferring the money onwards to meet a prior obligation?

No. Sanctions reporting is a separate and distinct regime to suspicious activity reporting under the Proceeds of Crime Act 2002 (PoCA), and there are several differences. One particular difference is that there is no system of ‘deemed consent’ as there is under s.335 PoCA.  You cannot assume that OFSI does not object to the transfer taking place if they have not yet responded to your report. Unless a general licence applies, you will need to apply for a specific licence for the transfer to go ahead.

You can find guidance about when to make a report to OFSI here, and guidance on how to report here.  

It sounds like you have carried out a risk assessment and determined that your firm are at very low risk of encountering a designated person. This might be because you only deal with clients that are local and have no international exposure.

It is good practice to document these considerations in a written risk assessment explaining why the type of clients your firm deals with and the work you carry out means your exposure to encountering a designated person and committing a sanctions breach is minimal. If you haven't already it is also good practice to set out your firm's approach to screening for designated persons and why it might not be necessary to carry out this check every time.

Paragraph 8.1 of the SRA Code of Conduct for individuals sets out 'You identify who you are acting for in relation to any matter.' It might be helpful as part of the risk assessment to set out that the identity checks you carry out help you determine that your clients are local with no international reach.

We recommend that you keep this risk assessment under regular review and adding version controls to a risk assessment is a useful way of showing your firm regularly assess its exposure to sanctions risk.