Anti-Money Laundering annual report 2021-22

Foreword by Anna Bradley

Money laundering is not a victimless crime. It is a blight on our economy, on our society and on the lives of many - often vulnerable - individuals. That's true irrespective of whether it is local drug dealers seeking to launder money through buying property, corrupt officials setting up opaque corporate structures to hide embezzled funds, or people traffickers making investments to hide ill-gotten gains.

And of course, the war in Ukraine has shone a spotlight on the international movement of money and reinforced the need for the global community to come together to respond to the changing risks.

We take our role as an AML supervisor very seriously, as this review of our work in 2021/22 demonstrates. As part of that, we significantly increased the resource we dedicate to preventing and detecting money laundering in the last year.

These additional resources have allowed us to step up our supervision in this area to directly engage with more firms through 163 inspections and 109 desk-based reviews. This increased engagement allowed us greater insight into how firms we supervise are working to prevent money laundering and meant we could bring more firms into compliance. From the inspections and reviews, we brought 140 from partial into full compliance, and we also made 20 suspicious activity reports to the NCA reporting on £149m of potentially criminal funds, and achieved 51 enforcement outcomes. We have published additional guidance and run a series of free lunchtime webinars on how to comply with the money laundering regulations.

We have also stepped up our work to make sure solicitors understand and comply with their obligations to uphold the financial sanctions regime. We issued guidance - with more to come in autumn, along with information on risks and red flags - and undertook a thematic review on what can be a tricky area to get to grips with. We also undertook an exercise to identify a sample of firms with exposure to the Russian market and to screen their client lists for 'designated persons' - that is those who are subject to financial sanctions. In the coming year, we will continue to work proactively to make sure we help firms we supervise to comply with sanctions legislation, stepping in to take action where they don't.

Most firms take keeping 'dirty' money out of the legal sector very seriously. I would like to thank those firms that engaged with us through feeding into our thematic review, cooperation with proactive supervision and sharing their practical experiences of implementing the money laundering regulations.

But there is still a small minority of firms that do not take preventing money laundering seriously. In the last year we have seen a polarisation of the outcomes from our proactive supervision with more firms being assessed as either compliant or not compliant and fewer firms being assessed as partially compliant.

To those firms not doing enough to prevent money laundering, you need to take your obligations seriously and play your part. As we increase our inspection and desk-based review supervision now is the time to put your house in order.

SRA Chair, Anna Bradley
October 2022

Open all

What is money laundering?

Money laundering is when criminals 'clean' the proceeds (the financial gains) of crime. Criminals transform proceeds into assets, such as houses or businesses, or other seemingly legitimate funds, for example, money in a bank account. In some cases, laundered money is used to fund terrorism.

Money laundering makes these proceeds look like genuine sources of income, which criminals can then spend freely and without raising suspicion. Such criminals often make their money from serious crimes like fraud, or trafficking people, wildlife or drugs.

Organised crime costs the UK economy more than £100bn every year, and the National Crime Agency (NCA) believes there are 4,500 organised crime groups operating in the UK. This, along with a rise in terror attacks in the past 10 years and an increasingly complex and uncertain global backdrop, is why combatting money laundering is an international and UK priority, with UK legislation in place.

The information in this report details our work in this area and highlights key information on specific areas of our AML work for the 2021/22 fiscal year.

We produce this report as part of our responsibility as an AML supervisor and our duty to report information to the Office for Professional Body Anti-Money Laundering Supervision (OPBAS) under regulation 46A of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017(as amended) (MLR). For this purpose, we are reporting on the fiscal year (6 April 2021 to 5 April 2022). From 2017 to 2020, we have reported in line with our previous corporate reporting fiscal year, which runs from the start of November to the end of October.

Our role tackling money laundering and terrorism financing

The Solicitors Regulation Authority (SRA) is the regulator of solicitors and law firms in England and Wales. We work to protect members of the public and support the rule of law and the administration of justice. We do this by overseeing all education and training requirements necessary to practise as a solicitor, licensing individuals and firms to practise, setting the standards of the profession and regulating and enforcing compliance against these standards.

We are the largest regulator of legal services in England and Wales, covering around 90% of the regulated market. We oversee some 156,000 practising solicitors and around 10,000 law firms. We supervise 6,408 firms for the purpose of AML requirements.

The money laundering regulations we enforce come from the international standard-setting body, the Financial Action Taskforce (FATF), and EU directives. This includes the Fourth Money Laundering Directive and the Fifth Money Laundering Directive. These directives were brought into UK legislation through the MLR. In the future, following our exit from the EU, new UK legislation is more likely to come from recommendations made by the FATF and the government.

The regulations set out the business types which offer services that could, potentially, be targeted by money launderers. They include banks, estate agents and some legal services.

Laundering money through the legal sector

Solicitors and law firms are attractive to criminals because they process large amounts of money, are trusted, and can make the transfer of money or assets appear legitimate. Most law firms work hard to prevent and to spot money laundering and take necessary action, but some get involved unknowingly. A very small number may even knowingly cooperate or work with criminals to launder money.

The legal sector also plays a key role in upholding the financial sanctions regime, restricting what individuals and businesses that are subject to sanctions can do.

Some ways in which firms and solicitors become involved with money laundering, either knowingly or unknowingly, are:

Conveyancing: criminals use the proceeds of crime to buy houses to live in, rent or sell.
Setting up shell companies or trusts: solicitors and law firms are integral to such transactions.
Misusing client accounts: criminals will seek to misuse law firm client accounts to 'clean' laundered money.
Failing to carry out proper due diligence: money laundering can take place if firms and solicitors do not carry out sufficient checks on a client's source of funds.
Failing to train staff: so that they know how to spot potential money laundering and who to report it to.

Our work as an AML supervisor

The regulations name professional bodies with responsibilities for AML supervision. The Law Society is the named supervisor for solicitors in England and Wales and delegates regulatory activities to us. This means we must effectively monitor the firms we supervise and take necessary measures, including:

Making sure the firms we supervise comply with the regulations and we approve the relevant beneficial owners, officers, and managers to work in those firms.
Adopting a risk-based approach and basing the frequency and intensity of our supervision on our risk assessments of firms.
Encouraging firms we supervise to report actual or potential breaches of the regulations. We do this through:

a requirement to report in paragraph 3.9 of the SRA Code of Conduct for Firms
by providing a secure communication channel for reporting, Red Alert line.

We must take appropriate measures to review:

The risk assessments carried out by firms (under MLR 18).
The adequacy of firms’ policies, controls and procedures (under MLR 19 to 21 and 24), and the way in which they have been implemented.

We enforce the money laundering regulations mentioned above and carry out our work as an AML supervisor through:

Sharing and receiving information to prevent money laundering with other supervisors and law enforcement agencies.
Publishing guidance on the regulations.
Proactive supervision.
investigating potential breaches of the regulations.
Taking enforcement action where breaches of the regulations are proved.

Supervision tools

We use several tools to supervise firms and improve compliance. Below are the types of steps we take and an explanation, including how we define the compliance level at a firm. These are used throughout the report.

Steps taken	Compliance level at firm	What this involves
Guidance issued	Compliant	Standard required in the regulations has been met. This includes cases where minor changes are necessary and we issue guidance or share best practice.
Engagement	Partially compliant – where there are some elements of a firm's controls that need improving, but there is some good practice and the firm is generally doing well at preventing money laundering.	We engage with some firms to help them refine their processes and bring them into full compliance. When we talk about our process of engagement with a firm, this is where corrective action is required in one or more areas but is not so widespread that it requires a compliance plan. Depending on the extent of action, we need evidence or confirmation from the firm this has been rectified before we conclude our contact. After sending a letter of engagement, we expect the firm to resolve the issue identified and provide us with evidence this has been done. We can, and do, refer firms for a disciplinary investigation if they fail to act on our letter of engagement.
Compliance plan	Partially compliant – in a number of areas or where the level of non- compliance is significant.	A compliance plan sets out a series of actions that firms need to take, and by when, to bring them back into compliance with the regulations. We monitor the firm to make sure it has carried out all the actions. We require evidence that action has been taken. We can, and do, refer firms for an investigation if they fail to follow the plan.
Referred for investigation	Non-compliant – examples include failure to carry out customer due diligence (CDD), no firm-wide risk assessment in place, out-of-date policies or a failure to train staff on the regulations.	We open an investigation into the firm, which may result in a sanction. Where necessary, we will also set up a compliance plan.

In this report we have set out findings from our supervisory work by theme, such as assessing risk, and the steps we have taken.

We often identify more than one issue at a firm, so some firms are included in the figures for several themes throughout the report. This is particularly relevant for matters referred for disciplinary investigations where firms are often referred for investigation due to multiple breaches.

When making the decision on engagement or a referral we consider a number of factors, such as:

The extent of the breaches and how widespread the issues appear to be.
The impact of the breach, for example, a failure to risk assess files has led to insufficient due diligence being undertaken, or a failure to identify a politically exposed person (PEP).
Whether there is a systemic lack of compliance, for example, a firm that does not have adequate policies, controls, and procedures and is failing to comply with a significant number of the regulations.

Our sanctions
If there has been a serious breach of our rules by a firm or solicitor we can issue an in-house sanction.

The range of sanctions we can impose in-house is limited. For example, up until July 2022 we could only issue a fine of £2,000 to regulated firms or individuals. From July 2022 this limit increased to £25,000. However, we can impose a fine of up to £250m on an ABS, also known as a licensed body, and up to £50m on managers and employees of an ABS.

We are not able to strike off a solicitor. Such a sanction can only be imposed by the courts, most commonly the Solicitors Disciplinary Tribunal.

Where appropriate, we can also resolve a matter through a regulatory settlement agreement (RSA). Under an RSA, the facts and outcome are agreed by both parties. RSAs allow us to protect both consumers and the public interest by reaching appropriate outcomes swiftly, efficiently and at a proportionate cost.

We publish the details of our findings and sanctions, including RSAs, on our website. We are able to withhold any confidential matters from publication where this outweighs the public interest in publication (for example, details of an individual's health condition).

Firms and individuals in scope of the regulations

Just under 6,500 firms (6,408 as of 5 April 2022) fall within the scope of the money laundering regulations. This represents around two-thirds of the total firms we authorise (9,782).

As a professional body supervisor we have a duty to make sure that the firms we supervise comply with the regulations and have appropriate controls in place to prevent money laundering.

The table below details the number of firms we supervise which fall within scope of the regulations. This includes the number of firms we supervise for AML purposes, where there is just one solicitor or registered European lawyer (REL) practising at the firm.

This is the figure we report to HM Treasury and our oversight supervisor, the Office for Professional Body Anti-Money Laundering Supervision (OPBAS). This is different to our definition of a sole practitioner who may employ staff or work in conjunction with others.

Firms subject to the regulations	2020/21	2021/22
Number of firms where there is more than one solicitor/registered European lawyer REL practising at the firm.	5,222	5,124
Number of firms were there is just one solicitor/REL practising at the firm	1,294	1,284
Total number of firms we regulate that fall within scope of the regulations	6,516	6,408

Number of beneficial owners, officers and managers

Under the regulations, beneficial owners, officers and managers (BOOMs) must be approved by us. They must get a Disclosure and Barring Service check and submit it to us when they first become a BOOM or take on a new role. This table shows the total number of BOOMs we regulate as of 5 April 2022:

	2021	2022
Number of BOOMs	23,430	23,349

Enforcement

We receive reports about potential breaches of the regulations and money laundering activity from both the profession and consumers. We monitor media and other reports for potential breaches, and we also receive intelligence from the National Crime Agency (NCA) and other law enforcement bodies.

The number of reports include where we ourselves have identified a potential breach of the regulations, for example, through an AML inspection at a firm.

We investigate suspected breaches of the money laundering regulations and cases of suspected money laundering.


2017/18 (SRA financial year)	2018/19 (SRA financial year)	2019/20 (SRA financial year)	2020/21	2021/22
235	197	196	273	252

Types of reports received

We record the reasons why a report has been made. In 2021/22 there were 252 money laundering-related reports with 393 reasons attached. Often, reports have more than one suspected breach that need investigating and these can change during the life of an investigation as we get more information. (Read more about our enforcement processes).

These were the most significant reasons for the AML reports we received:

Specific matter reason	Count
Failure to carry out/complete initial CDD	49
Failure to carry out a money laundering risk assessment	40
Failure to carry out a source of funds check	39
Failure to identify client	28
Failure to have proper AML procedures	26

Number of money laundering related matters resulting in an internal outcome

Where we see that firms or individuals have failed to comply with the money laundering regulations, we can take action. We refer more serious matters to the independent Solicitors Disciplinary Tribunal (SDT).For less serious matters our internal outcomes include a letter of advice or rebuke, where we remind the individual or firm of their regulatory responsibilities. We can also fine a firm or individual or put conditions on their practising certificate, limiting what they can do in their role.

2017/18	2018/19	2019/20	2020/21	2021/22
10	14	21	16	43

The increase in cases in 2021/22 relates to firms' failure to respond to our AML data request.

During 2021/22 we issued 29 fines, totalling £286,976. We made 43 internal decisions in total relating to money laundering concerns. This is a breakdown of the type of outcomes:

SRA outcomes	Count
Fine	29 (totalling £286,976)
Letter of advice	9
Rebuke or Reprimand	4
Finding and warning	1

See further information on the type of decisions we can make, their purpose, and our enforcement strategy.

Number of money laundering related cases brought to the SDT

In more serious matters we prosecute a firm or an individual at the SDT. It has powers that we do not, including imposing unlimited fines and suspending or striking solicitors off the roll.

2017/18	2018/19	2019/20	2020/21	2021/22
10	14	13	13	8

This is a breakdown of the outcomes at the SDT for 2020/21:

SDT decision	Count
Fine	5 (totalling £92,500)
Suspended for a period	3

Themes from enforcement action

In total, there were 51 enforcement outcomes in relation to money laundering.

In around half of the cases the most common area for breaches related to firms failing to respond to us and failing to provide declarations about AML compliance. These amounted to 26 fines where firms failed to declare to us whether they had a compliant firm-wide risk assessment in place.

Of the remaining outcomes the majority related to the buying and selling of property and poor customer due diligence (CDD). These concerned inadequate identification and verification of clients (both individual and corporate) and source of funds checks.

Understanding the source of funds to be used in a transaction is a fundamental part of the risk-based approach. If you are clear around the legitimacy of the source of funds, the risk of money laundering is greatly reduced. While we have seen a slight improvement, firms need to do more in this area. Other issues we identified were:

Failures to apply enhanced customer due diligence (EDD).
Failure to have a firm-wide risk assessments (FWRA) or having a FWRA that was inadequate.
Poor policies, controls and procedures.
Failure to notify us of the appointments of money laundering reporting and compliance officers or seeking approval as a manager (BOOM).
Failing to have sufficient regard for issued warning notices and red flag indicators (as highlighted in a FATF report) in transactions.

We have identified three key themes that we believe contributed to these breaches:

Lack of understanding of the importance of our role as a professional body supervisor and complying with data requests from us.
Inadequate supervision or training of fee earners on firms’ policies, controls and procedures.
Having poor policies, controls and procedures, such as poor processes which allow the receipt of funds from clients when no checks had been carried out. We expect to see an increase in the number of sanctions for such failings. This is on top of the historic common themes of failings relating to adequacy of CDD measures on individual transactions.

Reporting suspicious activity

We submit a suspicious activity report (SAR) to the National Crime Agency (NCA) if we identify a suspicion of money laundering through our work.

2017/18 (SRA financial year)	2018/19 (SRA financial year)	2019/20 (SRA financial year)	2020/2021	2021/2022
11	19	26	39	20

The money laundering key themes featuring in the SARs we submitted include:

property conveyancing
misuse of the client account (no underlying legal transaction or rationale)
tax evasion
fraud
client/funding links with high risk jurisdictions
complex offshore company structures/trusts to obscure source of funds or beneficial owners
third party involvement
property assets being sold over or under their true market value.

These themes have broadly remained unchanged from previous years with no significant shift in trends. We continue to make the most reports on matters involving property conveyancing transactions.

The reason for us to suspect money laundering is being facilitated is because inadequate or no due diligence or source of funds checks have been conducted on clients or third parties. We also see that many of the transactions bear multiple red flags and risk indicators which appear to have either been missed or ignored.

Quality of suspicious activity reports at firms

Where we conducted an inspection onsite during the reporting period we have also reviewed a sample of SARs submitted by the firm to the NCA over the past two years. We found that on average firms submitted two defence against money laundering (DAML) SARs and one information SAR.

Our findings after one year have not been indicative of significant quality issues in SARs submitted by firms. Most of the SARs we reviewed (from 36 firms) were written in a comprehensible manner. They clearly identified what the reporter thought to be the proceeds of crime and describing the legal work involved, the parties involved and the transaction.

Our most consistent finding (in 66% of SARs) is that firms did not include glossary codes in their SAR narratives as recommended by the NCA. The inclusion of glossary codes helps triage SARs to the correct area of law enforcement.

A quarter of DAML SARs firms did not describe the criminal act that they were seeking a defence against. This demonstrates a lack of understanding around the purpose of DAML SARs.

Firms also missed out phone number and email address details in around a quarter of submissions. This information is useful to law enforcement in investigating crime. Where available firms should include this information when submitting SARs.

In autumn 2021 we broadcast a webinar with the NCA to help firms understand when they should report concerns to us and how to submit a good quality SAR.

Assessing risk

This section concentrates on the measures we have seen taken by firms to assess the level of risk, both at firm level (as required under regulation 18) and client and matter level (as required under regulations 28(12) and 28(13)).

Firm-wide risk assessments

The purpose of a FWRA is to identify the risks a firm is or could be exposed to. Then, appropriate policies and procedures can be put in place to mitigate exposure to financial crime. It is a crucial document for preventing money laundering and forms the backbone of firms' AML controls.

We are pleased to see an improvement in FWRAs in this reporting period compared with previous years. This reflects the thought, effort and time that many firms put into these documents. Nonetheless, there are still a very significant proportion of firms with FWRAs that are not compliant, so we would urge firms to review and update this key document. We have provided information below that should help firms to do that.

During the reporting period, we called in a total of 224 FWRAs to review as part of AML inspections and AML desk-based reviews. When undertaking an AML inspection or desk-based review, firms must provide us with a copy of their FWRA.

Four firms failed to provide a FWRA and were referred for investigation. Of the remaining 220 documents we reviewed, we found the following levels of compliance:

Compliant	Partially compliant	Not compliant
113	91	16

We have seen an improvement in the quality of FWRAs from the previous reporting period. Just over half - 51% - of the FWRAs we looked at during the reporting period were assessed to be compliant, compared with 41% during the previous reporting period.

Similarly, we have seen a decrease in the amount of non-compliant FWRAs. Seven per cent of the FWRAs we looked at during the reporting period were assessed to be non-compliant, compared with 13% during the previous reporting period.

The most common risk factors we saw missing from FWRAs were:

Risk factor	Number of firms with risk factor missing from FWRA
Areas identified by our sectoral risk assessment	40
Transactions	30
Products or services	23
Delivery channels	22
Geographic	21
Client	15

There were several themes which featured within the non-compliant FWRAs. These include:

Several firms only put in place a FWRA after we asked to see it. This is despite each of these firms confirming it had a compliant FWRA in place in January 2021.
Providing an alternative document, such as an AML policy.
Providing an operational risk assessment, which looks at business risks as a whole, not AML risks.
Using a template but not completing it correctly (for example, using a checklist or not including enough detail).
Failing to consider all services the firm provides.
Many firms failed to expand on the risks identified, for example, we saw firms stating they often operated in high-risk jurisdictions but not setting out and assessing the applicable jurisdictions.
Many documents focused on what the firm does not do (for example, setting out that the firm does not offer trust formation services or act for PEPs), instead of focusing on the AML risks present in its day-to-day business.

It is important that the FWRA is reviewed regularly and updated, where necessary. We found that some firms had not done this. A FWRA is a living document and should be regularly updated, for example:

when AML legislation changes
where firms provide a new service or act in a new area of law
where firms make changes to the way they work, for example, during the pandemic or the introduction of a new client verification system.

The main areas of feedback we provided to firms where we deemed FWRAs to be partially or not compliant are shown below. These numbers include occasions where we have provided feedback where the risk area has been missed (ie taking into account the above figures).

Area of feedback	Number of times feedback provided
Geographic location There was a lack of detail on where the firm's clients and transactions are based and if any of the firm's clients have overseas connections. Most risk assessments focused only on setting out the likelihood of dealing with a client from a high-risk jurisdiction and failed to address the geographical locations the firm does deal with and if these are local or national.	64
Assessment of transaction risk Firms did not sufficiently explore transactional risk, such as how many high-value transactions the firms deal with, the typical size and value of a transaction, whether transactions are large or complex, and the type of payments accepted, for example, cash payments or payments from third parties.	61
Assessment of product/service risk Many firms are failing to list all the services they provide that are within scope of the regulations. A cross check against the firm's website and information we gather during our practising certificate renewal exercise shows a disconnect between the FWRA and the products and services provided. We would also often see firms focusing on the services they do not provide, as opposed to the risks attached to the services they do provide.	60
Assessment of client risk Firms failed to set out the type of clients they deal with. For example, whether these clients are individual or companies, if any of the companies have complex structures, whether the clients are predominantly new or longstanding clients, and if any clients pose a higher risk, such as PEPs.	56
Further tailoring to firm's size and nature In some cases, firms provided an FWRA that was not suitable, given the size and nature for their practice. These documents were often completed on templates that were predominately specimen text, which had not been tailored to the firm. While there is nothing inherently wrong in using a template, you must ensure this has been uniquely tailored to your practice.	49
Assessment of delivery channel risk Firms did not assess how they deliver their services. It was difficult to determine from the risk assessments reviewed whether firms meet their clients, if they offer services that are not face-to-face, and, if they do, how they deliver those services, for example, by email or video meetings.	47

Good practice

We identified a lot of good practice through our reviews of FWRAs during the reporting period.

In some of the best examples we saw it was clear the person undertaking the FWRA had worked closely with various teams and partners across the business to assess the risks. On more than one occasion, we saw firms had undertaken separate AML risk assessments for separate business areas/offices within their practice.<./p>

The advantage of this was that all areas of the business were feeding into the FWRA. It also helped to demonstrate a risk-based approach, as something which would be low risk in one business area may be considered high risk elsewhere.

Some firms had used templates to good effect. We have previously highlighted poor practice, where firms had used templates but had not edited the standard text to make it relevant to their firm. However, some of the best examples of FWRAs we saw during the reporting period were firms that had used a template as a starting point. These firms had adapted and tailored the templates to cover the risks in detail and in a way specific to the firm.

Some firms also made use of quantitative data and statistics to help them analyse their AML risks. For example, using information gathered from internal SARs. We consider this to be good practice.

Client/matter risk assessment findings

Flowing from FWRA, client/matter risk assessments prevent money laundering by making sure firms consider the risks posed by each, and whether firms can perform the correct level of CDD to mitigate those risks. Client and matter risk assessments are required under regulation 28(12) and 28(13).

We had concerns about whether firms were undertaking client/matter risk assessments during the reporting period, as well as the quality of those assessments and whether they led to risk-based CDD.

During the reporting period we reviewed 1,325 files. Of these, 20% did not contain a client/matter risk assessment, as necessary under the regulations. Where firms failed to undertake client/matter risk assessments, they were referred for an investigation. There were a few exceptions, such as where EDD was being carried out. Other key findings were:

20% of client/matter risk assessments did not reflect the firm’s FWRA
30% of client/matter risk assessments did not clearly show when EDD was necessary
42% of client/matter risk assessments reviewed were ineffective

Again, this is an area where improvement is needed and we provide insight below that should help firms to take the necessary steps.

Poor practice

In some cases, firms had a template matter risk assessment form, but this was not being completed correctly, or even used at all.

Many of the forms we saw were very basic and tick box in nature, where fee earners only had to mark whether a file was high risk, medium risk, or low risk. Often, these forms did not feature any commentary or justification where the fee earner could input how they had arrived at the risk level.

Similarly, many forms we looked at failed to set out high-risk factors, which fee earners need to consider when assessing the level of risk with the client or matter. These forms also failed to notify the fee earner when EDD was required. This is concerning, as matters subject to EDD are typically the highest risk.

Many matter risk assessment forms we looked at did not reflect their FWRA. For example, one firm considered all cash purchases in property matters to be considered high risk in the FWRA. When we reviewed the matter risk assessment, this was assessed to be low risk by the fee earner.

We also reviewed a number of risk assessment forms which assessed the wider risk to the business as a whole. For example, reputational risk and whether the client had the ability to pay fees, as opposed to the AML risk. These forms would not constitute a client or matter risk assessment as needed under the regulations.

Good practice - best examples

Some of the best examples we saw were where the matter risk assessment form set out factors which fee earners must consider when making an assessment of client or matter risk.

We also saw some good examples where firms used different matter risk assessment templates, depending on the type of work being carried out. For example, whether the matter was transactional or non-transactional. These templates contained guidance for fee earners around the various risks that could be present.

One firm adopted a client or matter risk assessment form that set out various risk factors which must be considered by fee earners. Each of these factors provided a risk weighting. Where a certain risk threshold was met the fee earners had to gain approval from the MLCO to proceed with the matter.

Controls

This section concentrates on the controls, in particular the AML policies firms must put in place to mitigate against any money laundering risks.

We reviewed AML policies for 224 firms. More than half - 58% - of the policies we reviewed needed improving. A FWRA should evaluate the money laundering risks the firm is exposed to. The AML policy should set out the measures staff should take to protect the firm against money laundering. This is another area where firms must be doing more. We have, and will continue to take action against firms with poor quality AML policies.

These are some of the most significant themes and findings:

Deficiencies in policies	Count
No information on taking additional measures to prevent the use of money laundering or terrorist financing where products and transactions might favour anonymity.	95
No information on the firm's stance on reliance (on another person to carry out CDD).	87
No information on high-risk third countries.	80
No information on the use of simplified due diligence.	77
No information on high-risk jurisdictions.	67
No information on checking the sanctions register.	60
No information on how to identify and scrutinise unusually large or unusual pattern transactions.	52
No information on how to identify and scrutinise transactions that have no apparent economic or legal purpose.	51
No information on how to identify and scrutinise complex transactions.	45

Discrepancy reporting to Companies House

Under regulation 30A, firms must inform Companies House of any discrepancies in their information about beneficial ownership. We found that this information was not included in 46% of the AML policies we reviewed.

Any discrepancy must be reported to Companies House (via its new online reporting tool) as soon as reasonably possible.

Simplified due diligence

Simplified due diligence (SDD) was one of the most significant areas we provided feedback on. Many policies contained conflicting information around what SDD is, or not mentioning it at all.

Regulation 37 maintains SDD can be carried out where a firm determines that the business relationship or transaction presents a low risk of money laundering or terrorist financing, taking into account the FWRA. SDD is the lowest permissible form of due diligence and can only be used where the firm has determined that the client presents a low risk of money laundering or terrorist financing.

It is important to note that, while there is no obligation on firms to apply SDD, it is something they may wish to consider adopting, in the appropriate circumstances. However, a firm’s approach to SDD must be set out in its policies and procedures. This is so fee earners know whether they can apply it or not. If firms do permit SDD, they will need to set out the circumstances and the checks they would expect to see, as CDD will still need to be applied, albeit to a lesser extent.

Further guidance on SDD can be found in the Legal Sector Affinity Group (LSAG) AML Guidance 2021.

Reliance

Reliance was another common area we provided feedback on. Reliance has a specific meaning within the regulations and relates to the process under regulation 39 where, in certain circumstances, firms may rely on another person to conduct CDD for you, subject to their agreement.

We found that the vast majority of firms (90%) did not use reliance or permit other firms to rely on CDD they had collected. The firm’s stance on reliance, however, was missing from 39% of AML policies we reviewed.

A firm’s stance on reliance must be documented within their policies and procedures so fee earners know whether it permitted by the firm.

Identifying and scrutinising patterns of transactions

Under regulation 19(4), firms must have in place controls which identify and scrutinise:

transactions that are unusually large or complex
unusual patterns of transactions
transactions which have no apparent legal or economic purpose.

We found that many firms mentioned these factors within their AML policy. However, very little explanation was given as to what a large or unusually complex transaction looks like for that firm.

Each individual firm will have their own measure as to what constitutes unusually large or complex transactions.

Firms' AML policies should outline a list of potential red flags that fee earners must be aware of. These red flags should be tailored to the firm. We accept that it is impossible to list every possible red flag, given that criminals are constantly adapting their methods to launder money. However, the inclusion of a non-exhaustive list will help fee earners identify transactions that may be out of the ordinary.

Products or transactions favouring anonymity

The regulations are clear in that firms must set out their position on these types of services. If this is a service firms offer, they must make sure their AML policy contains a section which sets out mitigating actions for their fee earners. In many cases, we provided feedback to firms on including a section within their AML policy to take additional measures when dealing with products or transactions that may favour anonymity.

Sanctions regime

Firms may be at risk of being used to evade sanctions. It is, therefore, important fee earners are aware of all parties involved within a transaction, including any beneficial owners, to ensure they are complying with the sanctions regime.

Around a quarter (26%) of the AML policies we reviewed failed to mention what steps a fee earner should take to make sure their client is not subject to financial sanctions.

This finding is concerning, given the importance of the financial sanctions regime, and its prominence in the media over the reporting period. We have published guidance in this area and undertook at thematic review into compliance during the reporting period. We will publish further guidance in November 2022 based on the insights from this work. The thematic work has highlighted some valuable controls we consider to be best practice and risks for firms to be aware of.

High risk jurisdictions

We found that many firms failed to identify or comment on their approach to high risk jurisdictions.

While it may be unusual for some practices to come across overseas clients, firms must make sure their fee earners are aware of any high risk jurisdictions so they can exercise caution. They must ultimately identify matters that need EDD.

Regulation 33(1)(b) requires firms to apply EDD measures in circumstances where high risk third countries are involved. It is therefore important firms identify where their clients, client entities or the transactions they are working on are linked to, and whether they are high risk jurisdictions.

Other themes

We were concerned to see a number of firms had not updated their AML policies recently. On occasions, these policies referred to outdated legislation or outdated government agencies. This is an area where there needs to be improvement. Firms must review their AML policies regularly to ensure they comply with the current legislation. We will consider taking further action where AML policies have not been maintained or kept up to date.

Fifteen percent of the AML policies we reviewed did not reflect the FWRA, suggesting the firm had failed to put in place mitigating actions for the risks they identified. This is concerning, as it means fee earners may not conduct the appropriate level of due diligence, providing an opportunity for criminals to exploit the firm.

We also found a tendency for firms to use 'off-the-shelf' AML policies, which had not been tailored to the firm and/or were not being applied in practice by fee earners. A firm's AML policy should be specific to the firm. It should be used to guide fee earners on what steps they need to take to mitigate risks. We will take further action where AML policies have not been followed and breaches of the regulations have been identified.

In some cases, particularly where clients or matters were referred from overseas offices, firms set out that they would not undertake CDD on a client until a certain amount of time (for example, 10 hours) was recorded against a matter. The regulations are clear that it is the type of work being carried out which brings a matter in scope, not the amount of time spent working on a matter.

Firms seeking to only conduct CDD after a set amount of hours have been billed, is likely to put firms in breach of the regulations. Firms will, therefore, need to have a process in place to make sure they meet this requirement.

Independent audit

Under the regulations firms must where appropriate to their size and nature, undertake an independent audit. We have previously highlighted independent audits as an area where firms struggle and we have issued further guidance on this.

There are various factors we consider when assessing whether a firm needs an independent audit. These include:

The size of the firm. We take various aspects in consideration when determining size, such as the amount of fee earners, whether they have multiple offices and turnover.
The nature of the firm. This includes whether the firm offers any high-risk services, as well as what percentage of work falls within scope of the regulations.
What the firm’s internal oversight to ensure compliance with the regulations looks like, for example, direct supervision of fee earners by the MLCO, and regular file reviews.

Key findings

Of the 143 firms we inspected during the reporting period, 74 firms (51%) had not undertaken an independent audit. Of these, we deemed that 34 firms (45%) should have had one. The table below outlines how we determined whether a firm needed an independent audit. Often, there was more than one reason why we determined a firm needed an independent audit:

Reason why audit was required	Amount of times feedback provided
Firm size	24
Numerous offices	13
Audit carried out does not sufficiently address AML controls or include file reviews	6
Firm offering high risk services	2

One firm we inspected had relatively few fee earners. They felt they did not need to carry out an audit for this reason. We disagreed with this view as the firm carried out work in higher risk areas, often for high-net-worth individuals, such as cross-border transactions and high value property purchases.

Given the high risk nature of the firm we decided that an independent audit was necessary.

We continued to see firms relying on external accreditation schemes which do not assess AML adequacy at all. On more than one occasion we were handed a copy of an audit which, when examined, did not address AML compliance.

This is another area where firms must improve. To reiterate our previous guidance - most firms need to carry out an independent audit. If firms consider they do not need to carry out an audit they will need to justify this to us.

Additional findings

This section covers key themes from our findings from both onsite inspections and desk-based reviews. This expands on some of the important statistics reported in previous sections.

Our approach

The inspections involve interviewing the firm's MLCO, MLRO and two fee earners (if applicable to the size and nature of the practice) using our AML questionnaire.

Our desk-based reviews involved examining the:

FWRA
the firm's AML policies, controls and procedures
the client and matter risk assessments
a sample of the firm's files to assess compliance with the firm's AML policies, controls and procedures and the regulations.

For both inspections and onsite visits we reviewed between four to eight files for each firm, depending on the size and nature of the firm.

For larger firms, or those doing a high volume of regulated work, we are likely to review eight files. On occasion, we may also ask to see further files, if we have not been able to complete our assessment on the ones provided. For example, if there are files that show a client matter closed quickly after being opened, or where we may have identified a trend but need to see more files to check our initial findings. We reviewed 1,325 files in total.

In April 2021 we conducted a thematic review into MLCO/MLROs to help produce guidance for the profession around what makes a successful MLRO/MLCO.

Key findings

In total 273 firms underwent an AML inspection or desk-based review during the period, which were broken down as follows:

Rolling programme of inspections	As part of an onsite investigation	Thematic work	Desk-based review
126	13	25	109

Of the 260 inspections and desk-based reviews we carried out, 35 are ongoing. [The 260 figure does not include 13 reviews undertaken as part of an onsite investigation.]

We have found the following levels of compliance.

Compliant	Partially compliant	Not compliant
49	133	43

We carried out six AML reviews alongside wider onsite inspection by our forensic investigation team. The approach we take in these reviews is the same as in a rolling firm visit. The outcomes of the onsite investigations were:

No further action/no further action but guidance issued	Ongoing investigation
10	3

We have taken the following steps with firms after our inspections or desk-based reviews:

Steps taken	Number of firms
Letter of engagement	101
Guidance issued	49
Referred for investigation	43
Compliance plan	32

Themes identified with non-compliant firms

Many firms failed to assess AML risks, either at firm level or client/matter level. We observed that a number of firms had submitted a false declaration to us when asked if they had a compliant firm wide AML risk assessment in January 2021. We also observed several firms that were not adequately assessing AML risk at client/matter level.
Several firms were referred because of concerns over the client due diligence (CDD) we observed on client files. This included failure to identify beneficial owners and a lack of source of funds/source of wealth information.
A number of firms were referred for not having compliant PCPs. This included a lack of fundamental controls (such as a failure to mention PEPs) or having references to outdated legislation, such as the Money Laundering Regulations 2007.

We also referred a very small number of firms to our AML Investigations Team for failure to notify us of the Trust and Company Service Provider (TCSP) work that they are carrying out.

If firms provide TCSP services they must ensure they have declared this to us so that they can be registered with HMRC. Providing TCSP services without being registered is a criminal offence. Further information can be found here.

Case studies

1. Onsite inspection - partially compliant - resolved with engagement

We visited a firm as part of our rolling program of inspections. The firm provided a copy of its FWRA and AML policy prior to our inspection. We provided feedback on how both of these documents could be improved.

We also reviewed eight files to assess compliance with the regulations. One of these files concerned a trust for a long-standing client of the firm. The firm had acted on this matter on an ongoing basis for around 30 years. When reviewing the file it became apparent that some of the CDD was out of date. The remaining seven files contained relevant CDD and, where necessary, source of funds/source of wealth information.

The firm explained they had also identified keeping CDD up to date for long-standing clients as an issue. As part of our engagement we asked the firm to set out what measures they will put in place to ensure CDD is kept up to date for long-standing clients.

The firm subsequently came back with an updated ongoing monitoring process and confirmed they have updated the CDD for the file we reviewed. Additional training was also provided to fee earners.

The caseworker was satisfied with the action taken by the firm and the matter was closed.

2. Desk based review - referred for lack of client/matter risk assessments

We undertook a desk based review of a large firm. The firm has a dedicated client onboarding team based in the USA. The team were responsible for carrying out client due diligence and conflict checks for the London office.

None of the files we reviewed contained a client/matter risk assessment, as required under regulation 28(12) and 28(13) MLR. The firm explained this did not form part of their existing process.

In addition, several files contained inadequate or missing client due diligence documents. We also identified the firm was not carrying out on-going monitoring on their clients. We identified significant shortcomings in the firm wide risk assessment and policies, controls and procedures.

The firm was referred to our AML investigations team in light of these issues.

While there are many advantages to having a centralised function to carry out your client onboarding checks this does not absolve fee earners of their responsibilities under the regulations. This includes ensuring fee earners continue to monitor clients for any changes in behaviour throughout the course of the relationship.

Enforcement action case studies

1. Inadequate CDD, EDD and ongoing monitoring

A solicitor and partner of a firm carried out work concerning asset planning for an individual and a proposed acquisition of two businesses for another individual.

We became aware of the matter after a previous client of the firm reported it to us.

During our investigation, we found that inadequate CDD had been carried out. The proposed acquisitions presented a 'higher risk of money laundering or terrorist financing' under the relevant money laundering legislation in force at the time. This was because they involved companies in offshore (and therefore potentially high risk) jurisdictions, and EDD and ongoing monitoring should have taken place.

The partner admitted to money laundering breaches and to providing banking facilities through the firm's client account, also in breach of our rules.

We resolved the matter through a regulatory settlement agreement and fined the solicitor £17,500.

2. Failure to gather CDD

We investigated the firm following a separate report from another one of the firms clients

The firm acted in three property-related transactions and secured CDD in relation to the ultimate beneficial owner. But, because it opened each matter file in the name of a different entity in the corporate structure, the firm did not secure full CDD for each special purpose vehicle before each relevant transaction took place.

The firm also did not retain copies of some of the CDD information obtained in relation to the ultimate beneficial owner, and in relation to another individual who instructed the firm on a fourth, related, matter.

In addition, the firm failed to have a firm-wide risk assessment in place until March 2019. The firm admitted breaches of the regulations and our code of conduct. The matter was resolved with a regulatory settlement agreement.

3. Inadequate identity and CDD checks carried out

A firm was acting in the sale of a residential property. The person instructing the firm said they were the genuine owner of the property. The firm never met the client in person and relied on copies of identity documents certified by a third party.

The firm obtained ID documents from the 'client'. The ID documents were certified as being true copies of the original documents, not that there was a likeness to the client. This meant the identity of the client had not been verified. The property was sold and, shortly after, the police contacted the firm to say it was investigating suspicions that the sale was fraudulent.

The firm admitted it had failed to carry out proper CDD We resolved the matter through a regulatory settlement agreement, where firm received a rebuke.

4. Numerous breaches of money laundering regulations

We became aware that a firm and the solicitor had breached a number of the regulations following a report from a third party.

These breaches included failing to:

carry out proper CDD and to scrutinise the source of funds in transactions
carry out EDD or enhanced ongoing monitoring
identify a politically exposed person (PEP), and not having appropriate systems and procedures to determine whether the client was a PEP
have a FWRA in place.

We also identified SRA Accounts Rules 2011 breaches, including incorrectly providing a banking facility through the firm's client account.

The SDT issued a fine to both the solicitor and the firm.

Emerging risks, areas of focus and the year ahead

We assess emerging risks through a range of sources such as:

our investigative work
reports from law enforcement agencies or other authorities
our pro-active inspections of firms

The past 12 months have been marked by significant changes in risks relating to financial crime.

As the uncertainty created by Covid-19 receded to a degree, the economic upheaval it has caused, along with other factors such as the war in Europe, continues to create challenges. This has been compounded by the massive expansion in sanctions and their associated risk.

These, while not specifically a money laundering issue, generally fall on those responsible for money laundering and terrorist financing compliance.

There have also been a significant number of changes to legislation. Some of these have created new and immediate compliance requirements for firms. For example, the need to assess proliferation financing risk. Proliferation financing is providing funds or services to manufacture chemical, biological, radiological or nuclear weapons. This includes services to deliver such weapons.

Legislation continues to evolve, as demonstrated by recent changes that have long-term impacts, like the new requirements of Companies House and the register of overseas owners of UK property.

All of these changes take time for firms to understand and to incorporate within their compliance systems and structures. This can create vulnerability and uncertainty as new requirements bed in.

Sanctions

The pace and complexity of the changes to the sanctions regime over the past year have presented challenges for some firms. This is an important regime and the consequences of non-compliance are high because of the strict liability enforcement by the Office of Financial Sanctions Implementation. Firms must, therefore, make sure they are fully compliant at all times.

For most firms this comes down to:

correctly identifying designated persons
avoiding providing them with prohibited services without proper licensing from the Office of Financial Sanctions Implementation
making sure all reporting obligations are fulfilled

As well as setting out our expectations of firms, the guidance we will publish in the coming year will help firms to comply with these obligations.

This includes pointing out areas of legal services where they are more likely to encounter a designated person and what controls to put in place to identify designated persons to make sure they don’t accidentally offer services to a designated person. It will also cover what to do if they identify a designated person through the course of their work.

Conveyancing and dubious investment schemes

The two areas where we continue to see the most risks relating to money laundering are conveyancing, including vendor fraud (where fraudsters try to sell a property without the consent or knowledge of the owner) and dubious investment schemes.

This has been a consistent pattern over multiple years and one that should cause firms to consider conveyancing as a high risk activity. They should treat is as such when it comes to due diligence and ongoing monitoring.

This is reflected in our sectoral risk assessment that we publish for firms, and we also consider it as part of our own risk assessment of firms.

Evading currency controls

We have, along with other legal sector money laundering supervisors, worked on this over the past year. We have highlighted the need to understand any scenario where an individual has evaded non-UK currency controls via financial institutions in part by misrepresenting the intended purpose of the funds. This can be a sign something is wrong, but it may, in some instances, be a reaction to local humanitarian issues or political persecution.

The example most frequently cited is the ‘Daigou’ system of shadow banking used to offshore wealth from China, often through chains that include cash produced by criminal activity. While China is the most cited example, this is a common method internationally and has similar features with systems seen around the world.

We have spotted a mix of issues within this, including concerns about the source of funds where capital controls present in a given country drive clients to seek workarounds. Some of these can carry a greater money laundering risk.

Separately, we have encountered unwarranted suspicion of whole ethnic groups on the basis of their links with jurisdictions with capital controls in place. This underlines the need for firms to avoid blanket approaches and to consider the risks of each client and matter on their own circumstances.

We will shortly publish guidance on this topic to provide further information and red flags for firms.

Sectoral risk assessment

A broader related risk is the risk of a law firm being compromised by criminals who may use the services of the firm to clean illicit funds.

While not specifically a money laundering issue, we have also found the personal injury market remains a consistent source of fraudulent reports.

We set out the areas where we think there is the greatest risk of money laundering in our sectoral risk assessment.

Areas of focus and the year ahead

In the coming year we will continue to focus on:

Taking a risk-based approach to firms and desk-based reviews, to gain a richer understanding of AML systems, processes and procedures in place.
Helping firms put strong controls in place to prevent money laundering and bringing enforcement action against firms that are not meeting their responsibilities under the regulations.
Providing targeted and timely guidance for firms through a programme of lunchtime webinars focused on discrete AML topics.
Monitoring the areas mentioned above, under emerging risks, and considering what next steps we might need to take.

We will also increase our work on compliance with sanctions. In the last year, we have checked the client lists of some higher-risk firms and completed a thematic review of financial sanctions. This will contribute to guidance due to be published this autumn.

Under the regulations we must risk profile firms and monitor risks as discussed in this report. We look at a range of factors to determine risk, including regulatory history and size. Where appropriate, our risk model also considers mitigation, such as AML controls.

During the next reporting period (2022-23), we will be using our revised risk model. It takes into account additional information provided to us by firms in the past year, among other insights. This will help refine our risk assessment and future approach to supervision.

While we have already improved our methods for risk rating firms we have also identified new opportunities for further developing our approach. We will look to implement these over the coming year.

Further information and useful links

SRA guidance published in the past year

Setting out guidance to MLCOs and MLROs around what we expect in the various roles.

Money Laundering Governance: Three Pillars of Success

Other SRA AML resources

Money laundering regulations and who they apply to

What does my firm need to do?

How we regulate money laundering

Legal Sector Affinity Group

The main AML guidance for the legal sector.

Legal Sector Affinity Group Guidance - Part 1

Legal Sector Affinity Group - Part 2

(barristers, trust or service company providers and notaries)

Barristers - to be read independently of Part 1

TCSPs - to be read in conjunction with Part 1

Notaries - to be read in conjunction with Part 1

A short note setting out issues relevant for firms around the global pandemic including economic pressures and challenges in completing client due diligence:

Covid-19 and Preventing Money Laundering/Terrorist Financing in Legal Practices