With the rise of remote working in the legal sector, it is important for practitioners to be aware of the risks associated with carrying out remote customer due diligence (CDD) and identification and verification (ID&V). Criminals may seek to exploit the vulnerabilities that remote working can create. However, practices and practitioners should also recognise that innovation and change are fundamental aspects of strong anti-money laundering (AML) control. In this guide, we will discuss how legal practices and practitioners can take a risk-based approach to comply with their statutory requirements when working remotely.
AML rules – Stay Compliant with AML Regulations
The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (as amended) (MLRs) provide flexibility in the application of their requirements, allowing for different ways of undertaking CDD and appropriate levels of ID&V, particularly where clients cannot be met face to face. However, it is important to note that legal practices and practitioners in scope of the MLRs must still comply with their statutory requirements at all times.
When it is not possible or desirable to undertake ID&V in person using suitable identification documents, practitioners should consider what risks this may create. However, an inability to conduct in-person ID&V does not mean that CDD cannot be completed. Practitioners may need to consider using other methods that provide the necessary assurance that the person is who they say they are.
Legal practices and practitioners are reminded to adopt a risk-based approach, taking into account the contents of their practice-wide risk assessment, policies and procedures (and where necessary updating them), and the circumstances of and risks presented by individual clients/matters.
As an alternative to face-to-face documentary verification, legal practices and practitioners may adopt or further use electronic means of ID&V, such as Verify 365, where appropriate to the risks present in the client/transaction.
Some methods of electronic ID&V that may be appropriate include: digital ID&V services that meet the requirements of regulation 28(19); gathering and analysing additional data to triangulate the evidence provided by the client; verifying phone numbers, emails, and/or physical addresses by sending codes to the client’s email or phone to validate access to bank accounts; and using live and/or recorded digital video.
However, it is important to note that no matter what ID&V service or procedure is used, the responsibility to ensure that ID&V is undertaken correctly lies with the relevant practitioner and practice.
Practitioners should ensure they understand how others have adapted their CDD procedures to different circumstances if they are placing reliance on others to conduct CDD under regulation 39. In high-risk situations, further verification, including verification of source of funds/wealth, will likely be required. Where practitioners need to update ID&V records for existing clients, they should not rely on old ID just because they cannot currently meet those clients face to face.
It is important to keep a record and evidence of the processes practitioners follow, for example a set method for how verifications will be undertaken. However, these methods alone may not be sufficient where the money laundering and terrorist financing risks inherent in the particular client or matter are greater.
Further, practitioners should be aware that information and advice on AML compliance in the legal sector is available on the Law Society website. They are also referred to section 7 of the AML guidance for the legal sector.
When considering whether to use a digital ID&V service, practitioners must carefully consider whether it provides the assurance needed. They may have regard to the Financial Action Task Force (FATF) guidance on digital identity when making this judgment. FATF advises practitioners to understand what the service actually does, take a risk-based approach to relying on the service, and understand whether the service provides the required levels of assurance.
Practice-wide risk assessment
It is important for legal practices to conduct a practice-wide risk assessment to identify and assess the money laundering and terrorist financing risks associated with the business.
The MLRs require legal practices to identify, assess and take appropriate measures to mitigate the risks of money laundering and terrorist financing. This includes adopting a risk-based approach to CDD, as well as ensuring that appropriate policies and procedures are in place.
When conducting a practice-wide risk assessment, legal practices should take into account a range of factors, including the nature of the business, the types of clients and transactions undertaken, and the geographical locations of clients and transactions.
The risk assessment should also consider the risks associated with remote working and client interaction. This may include the risks associated with the use of electronic identification and verification methods, as well as the risks associated with conducting business remotely.
It is important to regularly review and update the practice-wide risk assessment to ensure that it remains current and relevant.
Policies and procedures
Legal practices should have appropriate policies and procedures in place to manage the risks of money laundering and terrorist financing.
These policies and procedures should be based on the practice-wide risk assessment and should be regularly reviewed and updated to reflect changes in the risk landscape.
In relation to remote working and client interaction, policies and procedures should address issues such as the use of electronic identification and verification methods, as well as the risks associated with conducting business remotely.
The policies and procedures should also cover issues such as the recording and storage of records relating to CDD and other AML requirements.
Training and awareness
Legal practices should ensure that their staff are trained and aware of the risks associated with money laundering and terrorist financing.
This includes providing training on the use of electronic identification and verification methods, as well as the risks associated with conducting business remotely.
Staff should also be made aware of the policies and procedures in place to manage the risks of money laundering and terrorist financing, and the importance of recording and storing records relating to CDD and other AML requirements.
Regular refresher training should be provided to ensure that staff remain up-to-date with the latest risks and requirements.
Supervision and monitoring
Legal practices should have appropriate supervision and monitoring arrangements in place to ensure that their policies and procedures are being followed. This may include the use of automated monitoring systems to identify unusual or suspicious activity, as well as regular reviews of records relating to CDD and other AML requirements. It is important that any suspicious activity is reported to the relevant authorities in a timely manner.
Why taking a risk-based approach is important
Remote working and client interaction present a number of risks in relation to money laundering and terrorist financing. Legal practices must take a risk-based approach to managing these risks, which includes adopting appropriate identification and verification methods, as well as having appropriate policies and procedures in place.
Staff must be trained and aware of the risks associated with money laundering and terrorist financing, and appropriate supervision and monitoring arrangements must be in place to ensure that policies and procedures are being followed.
By taking a risk-based approach and adopting appropriate measures, legal practices can manage the risks associated with remote working and client interaction, while still delivering high-quality legal services to their clients.
AML Checks technology for law firms
Remote working and client interaction have become increasingly important for law firms in recent years. This trend has only accelerated due to the COVID-19 pandemic, with many law firms shifting to remote work to comply with social distancing guidelines. However, remote work can create new challenges for law firms when it comes to compliance with regulations related to client identity verification.
As outlined above, in England and Wales, law firms must comply with the Money Laundering Regulations 2017 (MLR 2017), which require firms to have appropriate measures in place to prevent money laundering and terrorist financing. These measures include verifying the identity of clients and conducting ongoing monitoring of client relationships. Digital onboarding technology like Verify 365 can help firms meet these requirements by simplifying and automating the process of client identity verification.
Similarly, in Australia, law firms must comply with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act), which requires firms to identify and verify the identity of their clients. The Act also requires ongoing monitoring of client relationships and reporting of suspicious activity. Verify 365 can help law firms meet these requirements by providing a streamlined and efficient way to verify client identities and monitor client relationships.
In Canada, law firms must comply with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), which requires firms to implement a risk-based approach to detecting and preventing money laundering and terrorist financing. This includes verifying the identity of clients and conducting ongoing monitoring of client relationships. Digital onboarding technology like Verify 365 can help firms meet these requirements by providing a reliable and efficient way to verify client identities and monitor client relationships.
Overall, remote working and client interaction have become a critical aspect of the legal profession, and law firms must adapt to meet these new challenges. Compliance with regulations related to client identity verification is a key part of this adaptation, and digital onboarding technology like Verify 365 can be a valuable tool for law firms looking to stay compliant while operating in a remote environment. By simplifying and automating the process of client identity verification, Verify 365 can help law firms reduce the risk of human error, save time and costs, and stay up-to-date with regulatory requirements in England, Australia, Canada and other countries.
Why switch to Verify 365?
Verify 365 helps law firms reduce the risk of human error and improve the accuracy of client identity verification. With its automated process, Verify 365 collects and analyses relevant documents and data to ensure that all necessary information is collected and analysed correctly, minimising the risk of mistakes or oversights. This technology also ensures that law firms are meeting regulatory requirements related to client identity verification, reducing the potential penalties that can come with non-compliance.
Using Verify 365 can also save law firms time and reduce costs. With the process of client identity verification automated, law firms can reduce the time and resources required to perform this task manually. This can free up staff to focus on more high-value tasks and improve the overall efficiency of the firm.
As law firms embrace remote working and look to maintain client interaction, digital onboarding technology like Verify 365 can help them stay compliant with regulations related to client identity verification. By automating the process and improving accuracy, law firms can avoid penalties, reduce costs, and ensure compliance with regulatory requirements.