The anti-money laundering and know your customer compliance burden has increased significantly in recent years. Manuel Sanchez, information security and compliance specialist at legal technology provider iManage has a range of tips to help firms and individual lawyers manage their obligations.

A slew of Know Your Customer (KYC) and Anti Money Laundering (AML) regulations have come into force in recent years, and they are not empty threats: The Solicitors Regulation Authority (SRA) in particular has shown a willingness to issue weighty penalties for KYC/AML processes it views as insufficiently rigorous.

Meanwhile, constantly evolving global sanctions that forbid doing business with certain individuals, companies, or even entire countries further complicate risk assessment when taking on a new client.

In this new landscape, where one wrong step can land an organisation in hot water, what’s the best way to stay on top of these regulations, ensure compliance, and minimise overall risk and exposure?

Adopt a centralised approach

When firms make a misstep around KYC/AML, it’s hardly ever due to nefarious intent. More often than not, the culprit is simply fragmented processes within the organisation.

Fortunately, firms can combat this problem by creating a more consistent, standardised approach across the different practices and office jurisdictions. This centralised template can be adapted depending on the specific requirements of the practice or jurisdiction, leveraging similar sets of steps and systems, rather than each group employing their own ad-hoc process.

For example, during the intake process, the firm should have a standardised intake form that can be easily adapted to the specific use case to capture only relevant information.

The idea is to make sure that the individual completing the form provides the right pieces of information.

Once the form has been completed, the information collected should be accessible via a single centralised location such as the firm’s document management system, so that there’s a single source of truth for documentation. It goes without saying that the last thing a firm wants to be doing if someone like the SRA comes knocking is to be desperately searching multiple different file shares and drives to try to find a crucial piece of the paper trail.

Get the full picture – but do it efficiently

Intake forms represent one crucial piece of information that firms need to collect, process, and analyse in order to carry out a proper risk assessment, but there are other information sources they need to tap into to guide their decision-making. For instance, KYC/AML regulations and sanctions are published and regularly updated by governmental bodies and agencies. Some AML-related examples include the US Corporate Transparency Act (CTA) and the UK’s Economic Crime Plan (ECP2).

At the same time, firms need access to third-party corporate databases to fully understand the corporate structure of a potential client. For example, is the client a subsidiary of a parent company that is based in a sanctioned country? That presents a complication and requires further investigation.

For firms, getting a true picture of the risk a potential client presents requires bringing all of these different pieces of data together.

Relying on manual efforts to track down this information and populate it in a spreadsheet or database is not ideal, and the information will quickly become out of date, requiring ongoing manual efforts to keep it fresh.

Instead, firms should lean on specialised technology to help streamline and automate this effort, ensuring there is a clear way of connecting to and extracting this information from the various sources and importing it into their risk assessment process. That way, firms can be assured they’re making decisions based on the most accurate and up-to-date information.

Change the culture

Process and technology will go a long way towards helping firms master their KYC/AML obligations but a third, equally important, area is just as critical: creating a culture of compliance within the firm.

This means underscoring the fact that risk assessment is a shared responsibility – the burden does not fall solely on the shoulders of the risk team or the compliance team.

The more you can educate everyone within the firm about the importance of compliance – and the potential consequences of failing to be in compliance with KYC/AML regulations (e.g., fines, reputational damage) – the better.

Additionally, it’s worth reinforcing the fact that simply “going through the motions” and performing a quick, cursory risk assessment is not going to cut it.

Bodies like the SRA take a dim view of sloppy processes where either information wasn’t captured in sufficient detail, or the steps taken weren’t properly documented.

In the same way that educating everyone in the firm about security threats like phishing attacks and other social engineering threats can go a long way towards hardening the overall security of the firm, educating the members of the firm about the threat that failure to comply with financial crime regulations presents can help inoculate the firm against missteps.

When you work in a highly regulated environment, hewing to the letter of the law is non-negotiable – it has to be done, and it has to be done properly. Fortunately, by adopting best practices legal organisations of any size can create a centralised and scalable way to tackle regulatory compliance and manage risk when onboarding new clients and matters.

Visit

iManage

Connect with Manuel Sanchez via LinkedIn