AML Audit… a visit from the SRA

CASE STUDY - By Kate Burt, HiveRisk

The SRA is coming to visit and as the firm’s MLRO it’s the one thing that you’ve been preparing for your entire career! You’re really looking forward to showcasing the processes and procedures you’ve diligently perfected over the years and how they are working so well. Files are pristine and personnel know your procedures verbatim. All that’s now needed is to decide what biscuits to offer on the day!

This, sadly, is not the typical reaction to the SRA notifying firms of an impending visit. Often there’s the feeling of panic, under-preparedness and a rush to plaster over any perceived compliance ‘cracks’. Anxiety surrounding these visits has heightened significantly since the SRA was granted increased fining powers in June of 2022 (rising from £2,000 to £25,000), and even more so following the SRA’s announcement at their Compliance Conference on 18 October that there are plans for unlimited and automatic fines for AML breaches in the near future.

Despite the real and present danger, with the right support there are ways to ease the pressure of an SRA visit, even at short notice.

First things first, make sure all key officers in the business are aware of the SRA’s invitation. This is not something to tackle in isolation; it should be a team effort. No one should be blindsided on the day of the visit, particularly if they have vital knowledge of challenges the firm may have in this area.

You are likely to be offered a choice of dates for the visit and, as a simple matter of practicality, you may wish to choose one of the later dates offered. This doesn’t suggest you’re buying time to cover up mistakes. The SRA understand that it can take firms time to source all the required information and ensure the availability of key personnel; they generally approach these visits with a collaborative mindset and want the visit to go smoothly too. The SRA will usually aim to be on-site for around five hours, so anything a firm can do to avoid drawing this process out is generally good practice.

In the interim, it’s a good idea to stress test your processes and your firm’s adherence to them by doing your own mini audit. A mock run of how things are likely to proceed on the day gives you a head start in making any obvious improvements ahead of the visit. Some role playing of the interviews can really help with preparations and highlight weak areas in knowledge and understanding. If queries such as: ‘When did you last review your Regulation 18 Risk Assessment?’ have you scratching your head, it might be worth brushing up.

Quite a bit of information is requested in advance by way of a questionnaire and specific requests. The process of compiling the information will give a good starting point for your preparations.

In due course, your firm will be provided with the names of the fee earners the SRA would like to interview, along with requests for dates of completed training sessions and copies of relevant training modules. They may ask you to provide the materials used for training, to review the adequacy of the training.

It was announced by Colette Best, Head of AML at the SRA at its October Compliance Conference, that firms will be asked to produce PCPs as they are at the time of the request, rather than updated versions.  This is a shift from their previous approach.

Notwithstanding this, it is a good time to review and amend your practice-wide risk assessment as well as your policies and procedures and make obvious amendments prior to the visit. This isn’t cheating the system: if you identify errors or weaknesses which are not compliant, you should not delay in making the necessary amends. This is not just to put you in a better position for the SRA visit; it also helps avoid or reduce ongoing breaches of the regulations and the commission of money laundering offences, which is the whole purpose of the SRA’s supervision.

Similarly, if you come to the realisation that staff haven’t been adequately trained, arrange for training as soon as possible and preferably before the visit.

In the most recent round of visits, there has been a focus on the SRA asking to see Practice Wide Risk Assessments predating the declarations firms had to make before 31 January 2020. If your firm completed the declaration confirming the existence of one, but then you are unable to produce it, this may trigger an investigation into whether the declaration was falsely made.

Consider scheduling in one-to-one time with personnel who will be interviewed to reassure them and help them answer questions confidently. Don’t think of this approach as the equivalent of late-night cramming for a test you had forgotten about. Rather, it’s a good chance for personnel to get used to articulating your firm’s AML policies in a less pressured environment, so they’re less prone to freezing up or making a mistake when the SRA is quizzing them. Usually, staff know what to do in a compliant way but may not be used to the vocabulary that will be used in the interview. If you’re not confident with the sorts of questions to ask, consider engaging external specialists to support with a mock audit and coaching session. External agencies will also be able to help you put your best foot forward and make any improvements to your processes that are required.

The MLRO can be interviewed for anything up to 2-3 hours, whereas individual fee-earners will likely be interviewed for approximately 20 minutes.  Depending on the area of law practised, the interview could cover the following topics:

  • CDD processes
  • PEP processes
  • Sanctions checking
  • eIDV
  • SAR reporting processes
  • Source of Funds processes
  • AML sanctions and processes for client accounts

New areas of focus related to financial proliferation, sanctions relating to counterparties, underlying clients and beneficiaries, could also arise. In future visits there will be a much greater focus on client and matter risk assessments, as the SRA’s warning notice on 18 October 2023 outlined. To assist firms, the SRA has now produced a template which firms can utilise. However, as this runs to some seven pages, firms are likely to use the template to improve and supplement their existing templates rather than adopt it entirely.

Realistically, most firms will come out of an SRA audit with some ‘advisories’ with regards to their compliance.  The most recently published report into AML found that only 30% of firms were fully compliant.  Don’t take guidance received from the SRA as a failure. What’s important is that the SRA is satisfied that suggestions have been taken on board and acted upon.

In a minority of cases, the situation is more serious and your firm may be referred for an SRA investigation. In this scenario, you should ensure that you fully cooperate and you may need to consider independent advice.

Overall, when it comes to preparing for an SRA visit (even if your firm hasn’t been selected), it’s best to start with the basics, ensuring the following are compliant and up-to-date:

  • Firm wide risk assessment
  • Policies, controls and procedures
  • Training for staff and key role holders
  • Relevant risk assessments and CDD evidenced on files

If you are still feeling overwhelmed with the task before you, reach out to a specialist to help support you. We’re likely to have seen far worse and we have the tools and expertise to make impactful changes to improve your position.