back

The Art of Timing for Client Risk Assessment

Part 1: Identity Risk

Increasingly it is a law firm’s own client that is their biggest risk when it comes to Anti-Money Laundering (AML) threats facing law firms and the stakes are getting higher.

With recent well-publicised SDT decisions including Clyde & Co’s £500,000 fine for AML failings and now unlimited fining potential within the SRA’s armoury, AML strategy is now firmly, and rightly, a boardroom issue. 

There is much to consider when navigating risk in this area, the issues can be complex and fast moving particularly with wider geopolitical factors constantly evolving. Only in the most straight forward instruction is the ‘one and done’ approach to client due diligence appropriate.

One of the critical areas to enable completion of the client risk assessment is obtaining verified Identification (ID&V). Without it any client risk assessment is likely incomplete or deficient. Often practitioners are confident with the timing of when to obtain identification and verification for new clients, but if the client relationship becomes a long-standing one, it’s sometimes difficult to determine how often this should this be refreshed and reviewed? 

Longstanding clients

An area of challenge for many firms is the resistance from their practitioners to ask longstanding clients for ID or renewed ID due to concern that their clients will be offended and that this will damage the relationship. 

To provide some clarity, the revised LSAG guidance, is unequivocal in that there is no provision in the Regulations for waiving CDD requirements on the basis of long-standing or personal relationships.

The guidance confirms at paragraph 6.2 that taking this approach will not satisfy the requirement to undertake independent verification, although these factors may inform your risk-based approach. This paragraph may confirm an inconvenient truth, but can be used to objectively highlight the need to longstanding clients to avoid ruffling their feathers unduly.

A deeper dive

This article assesses the frequency in which practitioners should obtain identification and verification (ID&V) in long-running matters or for longstanding clients. 

It is first acknowledged that the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 as amended (the Regulations) are drafted very broadly, leaving room for those within scope of the Regulations to apply a risk-based approach to CDD and there is no definitive answer which will apply to every scenario. 

The LSAG guidance goes some way to provide a more prescriptive position of what is expected from practitioners, although there is still no ‘silver bullet’ to nail down the frequency in which CDD should be reapplied and this would be specific to the risk features of the firm, the client and the matter involved. While some may welcome this flexibility, others find the lack of clarity challenging.

It’s important to emphasise that the topic of CDD is much broader than simply ID&V, and CDD takes into account the wider circumstances of the client and transaction; indeed, the LSAG guidance on CDD runs to some 50 pages on the topic! The Regulations and the LSAG guidance both refer to CDD generally, rather than specifying when in particular a refresh of ID&V is required, which also adds to the frustration felt by some solicitors and practitioners regarding the lack of clarity in this area.

The issues of CDD are interlinked and cannot be viewed in isolation. A client or matter risk assessment may trigger a decision to make further enquiries and new information may trigger a need for further risk assessment and this interplay continues ad infinitum!

In my experience, the majority of practitioners are fairly confident in their understanding of when to apply ID&V for clients, giftors and beneficial owners. They are often less confident about when ID&V should be reapplied.

What if the Client doesn’t have ID?

The purpose of the Regulations is not to deny people access to legal services, but to reduce the risk of legal services being used for the purposes of money laundering. If there is a plausible explanation then there are other ways to satisfy your obligations. Practical examples of steps you could take are dealt with at Para 6.14.7 of the LSAG Guidance.

Frequency

Some firms include details within their CDD procedures of the frequency in which ID&V should be reapplied for long-standing or repeat clients and other parties mentioned above. This can vary depending upon the particular risk profile of the firm. This can be anywhere from the opening of every new matter, to once a year, or as infrequently as three yearly intervals. What is reasonable for each firm will be determined though its practice-wide risk assessment (PWRA), mandated by Regulation 18 of the Regulations.

Even where a firm is specific about frequency for standard situations, it may still be appropriate to refresh ID&V more frequently depending upon risk assessment on a client and matter level. For this reason, trigger points for review should be incorporated into your firm’s ongoing monitoring procedures. An example of this is where enhanced ongoing monitoring is automatically applied whenever enhanced due diligence (EDD) is applied (such as when the client is identified as a politically exposed person (PEP)). EDD may include, amongst other measures, undertaking more frequent ID&V.

Trigger points

The Regulations provide some clues as to when a firm should look to reapply ID&V when covering CDD requirements. One scenario is where there is doubt as to the veracity or adequacy of documents or information previously obtained for the purposes of identification or verification. This may arise where, in the course of the business relationship, further information comes to light that contradicts something you have already been told or information you already have. You should consider whether you are content with the level of verification you have and make further enquiries where necessary to satisfy yourself.

Regulation 27(9) sets out a list of trigger events to take into account when determining whether CDD should be reapplied in an existing client relationship, and the most relevant trigger relating to the need to refresh ID&V is where there is any indication that the identity of the client, or their beneficial owner, has changed.

The Regulations also provide that CDD should be reapplied when a practice has any legal duty during a calendar year to contact a client under the International Tax Compliance Regulations 2015.

Monitoring

The LSAG guidance covers ongoing monitoring of CDD in some detail at paragraph 6.21 and, in particular, the need to renew and re-evaluate CDD at appropriate intervals. The guidance states that you should operate a system of regular review and renewal of CDD and should consider reviewing (although not necessarily redoing) the CDD upon each new matter. In practice, this could mean making a note on each new matter opened for a long-standing client who instructs you for assistance with their tax returns. In this scenario, following the LSAG guidance, it is advisable to review CDD including ID&V and make a note on the file that all is in order or, in the alternative, take steps to obtain ID&V as required.

One obvious trigger for obtaining further ID&V is where a client’s passport has expired or the client has changed address. Another trigger to obtain and verify further ID documentation is where there is any indication that the identity of the client or their beneficial owner’s details have changed.

Another area to be considered for ongoing monitoring is in relation to PEPs and sanctions. These can be manually checked at the required intervals using publicly available information. Some electronic identity providers offer ongoing monitoring, where you receive alerts should your client be identified as a PEP or being on a sanctions list following your initial CDD measures.

The Law Society’s practice note on CDD suggests that smaller firms, where ongoing monitoring is done by the fee-earner as opposed to a central team, may consider implementing a system of file reviews or using a matter spreadsheet to track high-risk matters and send reminders to fee-earners, so they remember to undertake ongoing monitoring.

Other parties

Whilst it is not prescribed in the LSAG guidance or the Regulations how frequently ID&V should be refreshed for parties other than the client, such as beneficiaries, deputies or executors, it would be prudent to adopt a similar approach – that being at the outset of a matter or the parties’ involvement, where there is any change in the risk profile of the matter, and for long-running matters at predetermined intervals, such as annually, depending upon your firm’s Practice Wide Risk Assessment.

Whilst it can feel like constantly shifting sands, there are practical steps firms can take to take back control and have confidence in their AML compliance framework to fortify their position:

  • Board-Level Oversight: Board members should be actively engaged in monitoring compliance efforts and addressing any deficiencies promptly.
  • Due Diligence: Review and strengthen due diligence processes for client onboarding and transaction monitoring alongside regulatory guidance which is ever evolving. Regularly review and update these policies to reflect changes in regulations, industry best practices, and emerging threats. 
  • Ongoing Training and Awareness: Provide comprehensive training programs to educate staff about AML regulations, risks, and best practices. Foster a culture of compliance where all employees understand their responsibilities and remain vigilant against potential red flags.
  • Continuous Monitoring and Review: Establish mechanisms for ongoing monitoring and review of AML controls and processes. Conduct regular audits and assessments to identify areas for improvement and ensure compliance with regulatory requirements.

By prioritising AML compliance and implementing these proactive measures, firms can mitigate the risk of regulatory breaches, safeguard their reputation, and uphold the highest standards of integrity and professionalism in the provision of legal services.

If you do feel overwhelmed in this area or if your would benefit from an independent review of your processes, then you may want to consider enlisting support from a specialist.



This article was written by Kate Burt, founder and CEO of HiveRisk

The future of
professional firms is now

Looking to improve how you operate as a professional firm? Speak to one of our team members to find out how we can help.