Responsibility lies strictly with firms, which is why addressing the gaps is important, expert says
In this month’s installment of Dr AML, the specialist breaks down how firms and practitioners can address three gaps in the templates for AML/CFT compliance released by the Law Society.
Q: We are approaching auditors to get our audit completed in good time, and one asked if we had used the Law Society templates to establish our risk assessment and compliance programme. When we replied yes, they said they recommended they carried out a review prior, as they said the Law Society material had many gaps and generally meant firms that had used them were non-compliant. This sounded strange so we checked with peers and found it was true: those who relied on the templates had received very negative audit outcomes. Is this a well-known problem? What should we do to address it?
A: In a word, yes, like many templates the Law Society material (8th Feb 2018) has a number of significant gaps, and we are not surprised that auditors are highlighting non-compliance arising from them. The society highlighted some problems in a “clarification” several months after the regime came into force but it’s entirely possible many firms didn’t notice. And because of the passive language we feel it is quite understandable that many firms wouldn’t have grasped the significance of this update.
Of course responsibility lies strictly with your firm, so it’s important to get on with tackling the issues. We have found that as long as you take genuine and timely measures to recognise and plan to address gaps, the supervisor will generally be supportive. But you need to show that you were proactive. I like to remind my fellow lawyers of Section 4 of the Lawyers and Conveyancers Act 2006 from time to time. I have to say that when it comes to AML I do sometimes wonder if it is still part of the curriculum.
Fundamental obligations of lawyers
Every lawyer who provides regulated services must, in the course of his or her practice, comply with the following fundamental obligations:
- the obligation to uphold the rule of law and to facilitate the administration of justice in New Zealand:
We don’t have room here to address the problems in detail, but we think there are three major areas that should be addressed:
- Despite the later correction, they are referred to as templates, and this is especially a problem with the risk assessment. Reporting entities must show that they have properly assessed risk in the context of their firm, so that means showing analysis of your client base and the nature of transactions you carry out, in order to establish risk specific to you.
The legal profession has very real money-laundering risks: about 30% of all laundering involves a lawyer, so it is important to be realistic, and if you don’t understand what those risks are, you need to learn. Your risk assessment is where you can say “my practice is special, we only manage deceased estates” and explain why in your context you don’t have to be quite as careful.
We think this is an area where collaboration is very useful to get different perspectives. It needs numerical analysis: we would expect to see the proportion of trusts, limited partnerships (as they are high risk) and so on, broken down by the ML risk of jurisdictions you deal with, including reference to reliable independent sources (e.g. the National Risk Assessment that was released a few weeks ago).
- The templates make extensive use of blanket references to external guidance documents. It is important to remember that they should be reasonably self-contained: a new compliance officer should be able to know enough from reading your programme to understand how your firm applies the concepts of the ML regime. External references should be ancillary, not a core part of the flow.
We operate in a risk-based context, which means the application of judgement and discretion, and that means showing how (based on your risk assessment) this will be applied in your firm. Regurgitation of sources doesn’t get the grades at university, and it won’t get points with the supervisor. This is where you need to show the application of some critical thought.
- There are a number of components notable by their absence, such as the requirement for training, vetting and exception registers. It is perhaps the absence of these requirements (that are not hard to derive from s57 of the AML/CFT Act) that is hardest to understand, and puts your firm at real technical compliance risk from a monitoring visit.
It is worth noting that merely recording information in a practice management platform is not a control, especially as the default workflows are flawed. These appear to have been configured prior to a full understanding of requirements: perhaps based on early guidance, or methods appropriate to other jurisdictions.
Overall the suggestion of your auditor sounds very sensible – to carry out an audit against anything based on the NZLS templates is probably a waste of money which might be better spent on helping you make sure your documents are of good quality.
A final point: it is not just law firms who relied on these documents. We have seen them used by accounting firms and even real estate agents, which means the problems with them have moved beyond the legal profession. But perhaps more worrying is that we bump into lawyers giving advice founded on their flaws.
It strikes me that there is a real reputational risk presented here. At some stage non-legal entities will themselves be audited, and discover that the legal profession is relying on flawed internal advice. That could have a detrimental effect on trust in the profession.
NB: There are very real risks with deceased estates, so you would need to highlight how you control this, especially in the context of its exploitation as a vector by organised criminals in Australia recently.