Four Principles to Guide Sole Practitioners Through the Minefield
The Money laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (“the Regulations”) came into force on 26 June 2017, and impose a number of obligations on solicitors’ firms. The following are four principles, which appear to set out the intentions underpinning many of the Regulations, that sole practitioners may wish to consider when putting in place the various measures required by the Regulations.
1. Get it in writing, and put it somewhere accessible
Regulations 18 and 19 set out the requirements regarding risk assessments and policies that your firm must put in place. Importantly, such risk assessments and policies must be reduced to writing. It will also be necessary to produce the risk assessments, together with the information on which it was based and an up-to-date written record of your risk assessment steps, to the SRA upon request.
Similarly, Regulation 39 makes clear that you must keep records of checks on clients for at least five years after the business relationship has come to an end. Keeping a centralised, electronic record, rather than a paper record, may (in this instance) be preferable, not only as it keeps the office free from clutter, but also because it is easily accessible if you are required to produce such records to the SRA.
2. Don’t rest on your laurels
The risk assessment and policies must be reviewed and updated, and so a date should be diarised for this (potentially) laborious task. Looking ahead, it may become increasingly important to keep on top of your risk assessment and policies as Brexit approaches, and in the aftermath.
The Regulations implement the EU’s Fourth Money Laundering Directive, and it is possible that once the UK has left the EU, they may review these (and other similar) Regulations. Getting into the habit of reviewing risk assessments and policies may, apart from ensuring compliance with the Regulations, also help to avoid being caught out, in what may become a rapidly moving regulatory landscape.
Similarly, in addition to the various factors set out in Regulation 18 that must be taken into account in any risk assessment, it will also be necessary to take into account any “information made available” by the SRA. The SRA has not yet provided guidance on this issue, so watch this space.
3. Tailor the templates to your circumstances
It is very tempting to download one of the many specimen policies and risk assessments, and leave it unchanged. However, this may cause a number of problems for sole practitioners. The Regulations require your policies to be “proportionate with regard to the size and nature of the relevant person’s business”. What is appropriate for a multi-national firm is unlikely to be appropriate for a sole practitioner. Similarly, what is appropriate for a firm that does mainly private client work may not be appropriate for a firm dealing mainly with companies in other jurisdictions.
Specimens are a good springboard to drafting your policies and making your risk assessments. However, where a specimen has not been designed with your particular circumstances in mind, there is a risk of either (1) breaching the Regulations by not doing enough, and so not complying with your obligations, or (2) expending too much time and money in complying with policies and undertaking assessments that far exceed what is necessary for your firm.
4. Keep up-to-date
It is not unusual for people to accuse the legal world of being behind the times, or not up-to-date, with technology. However, if the recent spate of cyber attacks shows anything, it is the importance of ensuring that you, who must be approved by the SRA, and your employees, who you must train, are up to speed with the Regulations. Regulation 24 makes clear that you must take measures to ensure that you and your employees are made aware of the requirements of data protection.
As above, what constitutes “appropriate measures” will depend on the size and nature of your firm. However, there are many conferences and talks that are designed to inform participants of any changes in the law, and on steps that can (and should) be taken to ensure compliance with the law. Law Society guidance should be followed. It may be that further measures need to be taken to comply with the Regulations. Attending such conferences and talks is a useful starting point.
It is very easy to become lost in a regulatory minefield, particularly where the regulations are prescriptive, and yet also ambiguous. It is hoped that the above four principles, broadly speaking, may help to guide sole practitioners through this minefield, and to safer shores.
8th August 2017
This note comprises the view of the author as at 8th August 2017. This note is not a substitute for legal advice. Information may be incorrect or out of date, and may not constitute a definitive or complete statement of the law or the legal market in any area. This note is not intended to constitute advice in any specific situation. You should take legal advice in specific situations. All implied warranties and conditions are excluded, to the maximum extent permitted by law.