Compliance with the regulations and preventing money laundering Q&A

This section provides answers to a number of common questions we are asked about preventing money laundering and compliance with The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 ('the regulations'). If you cannot find an answer to your specific question, you could call our Professional Ethics team, or consider seeking independent legal advice.

Scope of the regulations

No. Whether or not you fall within scope of the regulations is not dependent on holding client’s money. There are many ways to meet the definitions of an independent legal professional, trust or company service provider (regulation 12 paragraphs (1) and (2) respectively) or tax adviser (regulation 11(d) as amended) without holding client money.

The regulations do not differentiate between solicitors practising on their own (eg as freelancers) or in firms. So if a solicitor practising on their own works in scope of the regulations, then they need to do so in full compliance with the regulations and follow our guidance. This is true regardless of whether the work is reserved under the Legal Services Act (2007) or not. Freelancers need to tell us the work they do via the freelancer form in MySRA, and we can then supervise them for the purposes of the money laundering regulations.

Assuming that the entity providing the in-scope services is totally separate to you, and that this entity has its own contractual relationship with the client independent of your firm, then you are likely not in scope.

The definition in the regulations is extremely broad, and includes 'tax advice, material aid and assistance.' This effectively means that you do not need to be providing tax advice to be a tax adviser – it is enough to provide help, whether that be advice or some other service. This definition has not been tested in court, but we interpret the level at which something qualifies for inclusion to be relatively low.

We consider however that in and of itself providing someone with a calculation of stamp duty and land tax liability from a single residential transaction, or paying it on a client’s behalf is not likely to be in scope. If a solicitor is dealing with anything other than a simple calculation based on price, they need to give thought as to whether in so doing they fall within the definition of a tax adviser.

We cannot provide a case-by-case guide to what is and is not in scope, but firms may refer to our guidance for more information. Firms may wish to seek independent legal advice if they want further assurance.

It depends on the nature of the relationship between your client and the tax adviser. If you have made a referral, and the tax adviser and client now have a contractual relationship between them, it is likely you are not in scope, assuming you are not providing any other help (ie advice, assistance or material aid) with their tax affairs. If the client only has a contractual relationship with you, and you are passing tax advice to them (but not necessarily creating the advice), then both you and the tax adviser are likely to be

We can only supervise firms for AML purposes that are eligible for authorisation under the SRA Authorisation of Firms Rules.

Solicitors can work in unregulated entities using their title of 'solicitor'. As the entity is not an SRA-regulated firm, we will not be the money laundering supervisor for the purposes of the money laundering regulations, and it will be necessary for them to approach one of the other supervisors set out in Schedule 1 of the regulations.

Interacting with your supervisor

The best way of making sure your AML details are up to date is by submitting an updated FA10b form in MySRA with all your current details. Firms can check their existing details by contacting our Authorisation team.

Not always. It is worth noting that roles set out in our glossary (eg 'manager') differ from the roles as defined in the regulations. Our glossary definition of 'manager' is only relevant for requirements under our Standards and Regulations and not the AML regime. The AML requirements are a separate regime based on separate legislation and need to be considered and satisfied in their own right.

Yes. It is possible to be drawn into scope via multiple routes (eg as a tax adviser and an independent legal professional). You need to tell us about all the ways that you are in scope of the regulations and ensure your FA10b form (found in MySRA) is updated accordingly.

Beneficial owners are those that might benefit from their ownership of an entity or asset (eg a company).

For firms we authorise in scope of the regulations, beneficial owners must be approved by us.

You will need to identify and undertake reasonable measures to verify the identity of your customers. For a company or partnership, you only need to identify a beneficial owner where they own more than 25 per cent of the entity (as per regulation 5). For trusts, the requirements are detailed in regulation 6. See 6.15 of LSAG for more information.

During our visits we speak to the firm's money laundering compliance officer (MLCO) and money laundering reporting officer (MLRO). We also need to speak to two fee earners who undertake work in scope of the regulations and conduct reviews of some of their client files. We will also review the following:

  • your firm-wide risk assessment
  • your firm’s AML policies, controls and procedures
  • your firm’s template client AML risk assessment
  • copies of any audits on your firm’s policies and procedures
  • AML related training records

During the course of our interviews, we also gather data on the number of suspicious activity reports (SARs) submitted by the firm and you should have the information relating to this to hand ahead of our review. Please do not send copies of suspicious activity reports, whether internal (made by staff to the MLRO) or external (made by the MLRO to the National Crime Agency).

If we identify serious failures to comply with the regulations, we may consider a referral to our investigation team to look into this further.

This would be a breach of the regulations. You should report this to the SRA in line with 3.1 and 3.9 of our Code of Conduct for Firms. We will investigate further to assess the severity of the issue in line with our enforcement strategy and our AML topic guide. Whether we will take regulatory action will depend on several factors including the actual risk the firm could have been used for money laundering (including the nature of the services provided) and what action the firm took when they realised there was a breach.

If there is an ongoing chance you may provide services in scope of the regulations, you will need to become approved to do so and make sure you are compliant with the regulations.

We take a risk-based approach to AML supervision.

While we are more likely to visit a firm we have rated as higher risk, we will also from time to time visit lower-risk firms. Just because we are visiting you does not automatically mean we consider your firm to be higher risk.

In determining which firms we do consider as higher risk, we have regard to the relevant sections of the Office of Professional Body Anti-Money Laundering Supervision (OPBAS) source book.

We may also have regard to information we hold on firms (including past interactions) when determining whether we consider them to be higher risk. However, there is no one single factor which automatically dictates that we will regard a given firm as being higher risk.

Level of risk

Yes, although it is a little more complicated than that.

To explain why this is, we need to consider inherent risk and mitigated risk. Inherent risk is the risk posed by the matter, due to its features eg it involves a high-risk service like conveyancing. Inherent risk will be the same from firm to firm.

You can address inherent risks by using controls (eg regular file reviews, ensuring those acting on a file have relevant experience), and these controls can mitigate the effect of these inherent risks, albeit likely not eliminate the risk altogether. Once you have mitigated a risk with the controls you apply, you are left with the residual risk. Depending on the different controls applied by two different firms, the residual risk could be different across them for the same matter.  

For example Firm A and Firm B might both be approached by the same client for the same matter – let's say high-value conveyancing. Firm A mainly deals with other services and does not have a good understanding of conveyancing work. Firm B mainly undertakes high-value conveyancing matters and has developed a suite of controls they can apply to address the risk. 

The inherent risk won't change and will be the same for Firm A and B.

The residual risk might be lower for Firm B depending on the mitigations applied. See 5.7 of the LSAG guidance for more information.

These two tools help firms to fulfil their duty under regulation 28(12)(a)(ii) to tailor due diligence to the specific risks identified in each particular case. Client risk assessments record risks relating to the client like their location, their main business activities, how they are beneficially owned and controlled, and adverse media screening checks. Matter risk assessments account for risks specific to the matter, such as cash transactions, the nature of the service (eg conveyancing) and the rationale for it happening, including who is benefitting from the transaction. For more information on these and how to use them see 5.9 to 5.12 in the LSAG guidance.

In order to understand how to consider the risk present, you will need to understand why your client is involved in the matter and whether it is consistent with their business and what you know of them.

If a low-risk client engages you on a high-risk matter, it could be a sign the client is no longer low-risk. You should revisit your client risk assessment that concluded they were low risk in this case. It might be that with the new information and the new service they have asked of you, you need to re-evaluate and update the client risk assessment.

This is also the case where you encounter something that does not align with your firm-wide risk assessment. These risk assessments should be living documents, and if the risks change, so should the risk assessments.

Customer Due Diligence (CDD)

You might need to undertake due diligence on the other party in a transaction. This could be because this is required by the regulations due to either the client or counter-party to the transaction being established in a high-risk third country (regulation 33(1)(b)) or as a part of developing your understanding of a matter or transaction.

If so, you will need to decide what level of checks are appropriate based on the risks identified in the matter risk assessment.

A useful starting point might be the counter-party’s representative who should be able to provide more details on their client - and you may be able to rely on their due diligence under regulation 39 depending on their jurisdiction and what regulation they are subject to.

Open-source web searches are a cheap, easy and non-invasive way to help you gain a better understanding of the counter-party but might not give you all the information you need on their own.

Yes. While passports are very useful as they have key identifying information, they are not the only document you might use for this. The LSAG guidance provides a list of documents you might find helpful when verifying the identity of a client (6.14.5) eg a passport or residence permit. While documentation that provides greater assurance should be preferred, it is important to ensure that fulfilling this requirement should not create a barrier to access legal services where documents are unavailable for legitimate reasons. Section 6.14.7 of the LSAG addresses where a client cannot provide standard identification documents for legitimate reasons such as being a refugee or asylum seeker.

No, but you might decide that there are some advantages in doing so. If you do full AML checks on all clients, you can easily transition to providing them with services that are in scope without doing further checks. It also has the advantage that you gain a better understanding of new clients, and the wider risks they may pose to you eg reputational risk via media checks. Transitioning clients from non-AML services to AML services is known as passporting and can create significant risk where this does not trigger all relevant AML checks.

Whether work is in scope of the regulations or not, you will always need to satisfy the requirement in our Standards and Regulations to identify your client as per 8.1 of the SRA Code of Conduct for Solicitors, RELs and RFLs.

The costs of customer due diligence (eg identification and verification or source of funds checks) can vary depending on the type of client and level of money-laundering risk they pose. You can pass the costs of customer due diligence on to your clients, however the cost will need to be clearly stated in the firm’s terms and conditions.

It is important that clients are informed of and understand the cost in advance as this will enable them to instruct an alternative firm if they are not agreeable to the cost.

Source of Funds and Wealth

Source of funds refers to the funds that will be used in a specific transaction while source of wealth concerns a client’s overall body of wealth.

It is your responsibility to be satisfied that funds are from a legitimate source, and you should keep written evidence on the file as to why.

You must conduct a source of funds check if:

  • the client is a politically exposed person under regulation 35 MLR 2017 and/or
  • your client is established in a high-risk third country (HRTC) or in relation to any relevant transaction where either of the parties to the transaction is established in a HRTC under regulation 33 MLR 2017.

You must also scrutinise transactions (where necessary) to ensure the source of funds remains consistent with your knowledge of the client and the transaction (regulation 28 (11)(a) MLR 2017). Though the term 'where necessary' is not defined in the regulations, we interpret this as taking a risk-based approach. This means that our sectoral risk assessment, your firm-wide risk assessments, client and matter risk assessments, and the client and their circumstances, need to be considered when deciding if it is necessary to conduct source of funds checks and the extent of such checks. Where you decide that, based on the risk, source of funds checks are not necessary, there should be a clearly documented rationale outlining your approach.

Source of funds checks are crucial for preventing financial crimes like money laundering and terrorist financing. Source of funds checks help to ensure that transaction funds and/or assets are not derived from criminal activity.

Understanding the source of funds is a key protection for your firm, and it should be approached as an opportunity to protect your firm from being used for money laundering.

The requirement to do source of funds checks might apply even if no money is coming through your client account. For example, where a transaction involves the movement of assets from one party to another for nil consideration.

This can pose a high risk of money laundering because it can be used by criminals to move their assets to other parties to obscure the link between the assets and themselves. Ultimately, this may prevent the transferred asset from being confiscated by the authorities under the Proceeds of Crime Act (POCA) 2002.

While no funds will pass through the firm’s client account, the obligation to not handle or transfer criminal property under POCA remains.

You should get source of funds information from a client as early as possible. The appropriate time will depend on the circumstances of the client and or matter. Obtaining information without sufficient time to scrutinise the funding can leave your firm vulnerable to being exploited by criminals.

As far back as is necessary for you to build a clear picture of how the client accumulated their money for the transaction.

Generally, the less obvious it is how a party came by their funds, the more information you will need.

This is a case-by-case assessment and should reflect the level of risk you have identified in your client and/or matter risk assessment.

In accordance with regulation 28(16) MLR 2017, you must be able to demonstrate to your supervisory authority that the extent of the customer due diligence or enhanced due diligence measures you applied was appropriate to the level of risk.

Some countries such as China have strict currency controls in place which prevent their citizens from removing large sums of money from the country.

There may be situations where your firm is asked to undertake a transaction where the funds have come from such countries. Ultimately the key issue is the need to establish that the funds have come from a legitimate source.

You must take a risk-based approach to the checks required. This means gathering as much evidence as possible in order for you to feel comfortable about the funds in question.

Enhanced due diligence (regulation 33 MLR) is necessary where you have assessed the situation as presenting a higher risk of money laundering or terrorist financing.

The client’s reason for doing this may appear to you to be legitimate and explainable, such as fear of political persecution, but it should still be considered an indicator of higher risk. This means in all such scenarios your starting point should be enhanced due diligence.

You should also establish whether the person funding the transaction has misrepresented the reason for the transfer, and if so, why they did this and what the real purpose of the transaction is.

You should also consider the following.

  • Misleading the authorities about the reasons for a currency transfer in another country is not a crime in the UK. However, the fact that a person/entity may be knowingly misrepresenting the reasons for the transfer may be something to consider carefully.
  • While breach of currency controls has no equivalent offence in UK law, you should consider whether illegal methods may have been used to evade them. Clients receiving money from individuals or businesses that you cannot verify can be a red flag of money laundering.

The need to obtain documentary evidence will depend on the circumstances and risk assessment for each client and or matter.

For most firms, bank statements may be the first resort here, and in many cases may be all that you need to verify the source of funds if you have sufficient information. However:

  • It is not enough to simply gather bank statements and place them on file. They must be scrutinised and checked to make sure they accord with what the client is telling you.
  • You cannot assume that funds are legitimate just because they come from a UK bank account.
  • Source of funds is not proof of funds – you are not just checking that the client has the money, but whether the money is from a legitimate source.

There are instances where documents other than bank statements may be required to evidence the source of funds in a transaction. For example, in transactions funded through company group loans, investments or sales of assets.

The type of document you use for verification of source of funds will vary depending on the circumstances and the information that the customer provides to you.

The table below sets out examples of the types of information to obtain to evidence the source of funds. This is not intended to be an exhaustive list and each matter should be considered on its own facts.

Source of funds Documentary evidence
Savings from employment/ regular income
  • Payslips or equivalent evidence of employment income (for example, bank statement, P60, proof of reoccurring payments such as rent).
  • Bank statements showing regular deductions into savings accounts and accumulation of funds.
  • If they have saved for several years, you may consider asking for a statement for each year for a few years to evidence the accumulation of funds.
  • You should consider whether the amount saved is reasonable in relation to what you know. For example, the person’s age, occupation, income and length of time they have been saving for.
Loan
  • Copies of the loan documents to ensure the lending is genuine and is on commercial terms (for example, there is an interest rate attached, reasonable repayment schedule etc) and

If the lender is not a regulated financial institution/entity:

  • does it make sense for the lender to be loaning the borrower the funds in question?
  • How do you know the lender has sufficient funds?
  • consider what you know about the origin of their funds. What evidence can they provide to support what they tell you?
Inheritance
  • Documents confirming the beneficiary/beneficiaries to an inheritance (for example, a copy of a will with a grant of probate and or a letter from a law firm/solicitor confirming the inheritance). You should confirm that the law firm/individual is regulated.
  • A bank statement/statements showing the amount above was received in the beneficiary’s account.
Court settlements /awards eg divorce settlements, compensation awards
  • Documents confirming a court ordered award, for example, a copy of the court order or letter from law firm/solicitors. You should confirm that the law firm/individual is regulated.
  • A bank statement/statements showing the amounts received in the person in question’s account from the court, solicitor or relevant third party.
Lottery/ gambling winnings
  • Documents confirming winnings.
  • A bank statement showing winnings received in bank account.
Proceeds from the sale of an asset
  • Documents to confirm proof of assets sold, proceeds from sale and or transfer of ownership. For example, bank statements showing proceeds received in account, a completion statement, letter from regulated individual or company that can confirm sale and amount received etc. You should confirm that the individual or company is regulated.
Funds from third party (gift/ loan)
  • Obtain evidence of gift such as gift deed or signed letters from donors confirming the gift
  • Or evidence of loan, such as loan agreement
  • Seek to understand and obtain evidence relating to the third party’s underlying source of funds, in the same way you would on the client themselves. The extent of the measures taken should increase with the risk level.
  • Enhanced due diligence must be applied where payments will be received from unknown or unassociated third parties.
Company
  • Seek to understand what the company does, who is in control, how do they typically make their money?
  • For UK-registered companies, access filings at Companies House. 
  • Request audited accounts, financial statements or dividend vouchers (where possible) to ensure there is an understanding of the overall nature of the business, its revenue flows, and profit position.
  • Do the accounts contain any useful information on any facilities available to the company?
  • Seek to understand and obtain evidence relating to where company funds are coming from. Is it from working capital, operating profit, sale of an asset or intragroup loan etc? Does the source of funds make sense in relation to the company’s business and risk profile?
  • Does the transaction make sense against the nature of the business?

Funds from parent company

  • Confirm legal structure of companies from client and or reliable independent sources where possible.
  • Documents to evidence parent company authorising payment to subsidiary. For example, share certificates and or a board resolution.
  • Documents to confirm origin of funds from parent company account (see section on company funds above).
  • Evidence of parent company depositing funds into client’s account.
Funds from a trust
  • Obtain the trust deed or letter from trustees (dependent on risk level) to understand the nature of the trust. Who is the settlor? Who are the beneficiaries? What are the assets in the trust? What is the source of funds (and potentially source of wealth) of the settlor?

    Does it all make sense in the context of the transaction in hand?

    Are there any high-risk factors or red flags?

  • If acting for a beneficiary, evidence of distribution from the trust to the beneficiary. For example, copy of a bank transfer.
Funds from abroad
  • Documents evidencing origin of funds. If documents are in a foreign language, they may need to be translated and certified by a notary public. 
  • Enhanced due diligence must be applied if either of the parties to the transaction is established in a high risk third country.
  • Where is the money coming from? Does it make sense for the individual to have these assets, how were they acquired?

Source of funds is part of customer due diligence. If you are unable to apply customer due diligence measures, regulation 31 states that you must:

  • not carry out any transaction through a bank account with the customer or on behalf of the customer
  • not establish a business relationship or carry out a transaction with the customer otherwise than through a bank account
  • terminate any existing business relationship with the customer
  • make a disclosure to the National Crime Agency, either yourself or through the firm’s MLRO if you know or suspect or have reasonable grounds for knowing or suspecting that your client is engaged in money laundering.

Source of wealth is a test to understand how the client or person funding the transaction has generally accumulated their wealth. In certain cases, this may be available in the public domain. You should not, however, make assumptions about how your client or the funder acquired their funds.

A source of wealth check must be undertaken when funds are coming from a politically exposed person (PEP) or the close relative or associate of a PEP, or where the client is based in a high-risk third country.

It may also be a useful exercise to undertake source of wealth checks in a high-risk matter, or if the source of funds causes you concern or raises further questions.

Technology for due diligence

There is an ever-growing list of technology providers and services you can use to help protect your firm – though there is no requirement for you to use any of them. Some things to consider when deciding whether or not to use a service are:

  • Do you understand what it does?
  • Do you understand all the options and how these may be used across the different levels of client/matter risk your firm encounters?
  • Does it have any certifications or accreditations with regard to how it holds data?
  • Does it meet any standards (eg the Land Registry Safe Harbour Standard)?

It is important to remember what information your staff will need access to across the course of their work, particularly the undertaking of ongoing monitoring of clients and matters as per regulation 28(11). You should consider whether the technology you use is inappropriately restricting access to this information.

For more information on how to evaluate and use AML technology in your firm, see Section 7 of the LSAG guidance.

It is important to understand that this kind of technology is a tool like any other. To decide on whether to use it or not is ultimately your decision and one you should take seriously.

There is a test in the regulations (see 6.14.3 of the LSAG guidance) for whether you can consider technology as a 'reliable source' of information. A key part of the test is whether it provides an appropriate level of assurance – something you will need to determine yourself.

Your decision about whether to use a given technology or service should be based on a comprehensive understanding of what the system does and how it will help you to address the AML risks presented by the client. If you do decide to use a service you will need to ensure relevant staff are adequately trained to use it, including how to enter information correctly, and how to correctly interpret the results of checks.

It is worth noting that the responsibility for the decisions made by your firm regarding client matters remains with the firm, and as a result you should not seek to outsource decision-making itself; rather, consider the results the technology returns in order to make a decision.

It’s also important to note that whilst you can use digital verifiers as a source when making your own checks, you cannot rely on digital client due diligence providers in the meaning of reliance as defined in regulation 39 as they are not relevant persons for the purposes of the regulations. If you are relying on checks that have been done by another relevant person, you will need to have a fully compliant reliance agreement in place as per regulation 39.

Other requirements under the regulations

No. Just because money has come through a client account or UK bank account does not mean you can assume it is not the proceeds of crime. A firm will always be responsible for its own AML checks and you cannot assume the work of others outside your firm addresses this risk.

Even where you have a regulation 39 compliant reliance agreement in place with another firm, the requirement to report suspicions to the NCA will still apply.

You must submit a SAR when you know, suspect or have reasonable grounds to suspect that you may have encountered the proceeds of crime or that someone is engaged in money laundering or dealing in criminal property. You do not have to be handling the proceeds of crime yourself or seeking a defence against an offence in order to be required to submit a SAR.

You will not be able to tell the subject of the SAR anything that might prejudice an investigation – there is a 'tipping off' offence in the Proceeds of Crime Act 2002 (s333A) that sets this out.

See Section 11, and 16.5 to 16.10 of the LSAG guidance for more information on SARs. 

Regulation 21 sets out the key features of an independent audit function including that it must:

  • Review your policies, controls and procedures (ie under regulation 19)
  • Make recommendations about how these can be improved and
  • Monitor compliance with the recommendations of the audit

'Independent' does not necessarily mean that this has to be carried out by an external party. A compliant independent audit may be carried out by an employee of your firm who is not involved in the creation or application of the policies, controls and procedures (PCPs).

The regulations state an independent audit is necessary where appropriate to the size and nature of the firm but do not define this.

LSAG 9.1 gives more detail as to what you should consider when deciding whether this applies to your firm.

We also believe the 'nature' of a firm needs to be judged against the risk they pose via:

  • the type of work the firm does
  • how much of their work (both as a percentage of the firm’s total turnover and in absolute volume) is in scope of the regulations and
  • the results of their regulation 18 firm wide risk assessment.

Even where an independent audit might not be 'necessary,' gaining feedback via an independent audit may still help your firm to review and improve your AML compliance.

If a firm wishes to make the case that this requirement does not apply to them, they should record their reasoning. Firms will have to continue to review their PCPs, record any changes made to them and record all steps taken to communicate changes to the PCPs to staff across the firm.

Firms might consider entering into reciprocal arrangements with other firms in order to undertake independent audits on each other, subject to suitable controls to protect client confidentiality being in place.

Firms should take a risk-based view on how often they undertake an independent audit, but it might be appropriate to do one annually depending on:

  • the results of the previous audit
  • changes to legislation, internal processes, services provided and firm risk
  • whether the firm has recently merged with other firms.

LSAG 9.3 addresses this in more detail.

'Screening' is one of the three controls listed in regulation 21 and requires you to check:

  • the skills, knowledge and expertise of the individual to carry out their functions effectively
  • the conduct and integrity of the individual.

For details of what might be appropriate in terms of procedures for screening, please see the table in section 9.4 of the LSAG guidance.

When considering who to screen, consider who in your firm can contribute to protecting your firm from money laundering. This will include any fee earners working on matters in scope, but might also extend to others, eg finance staff. You should assume you need to screen staff and only exclude staff where there is no clear way that they could contribute to protecting your firm (eg cleaning staff or catering) as per regulation 21(2)(b). The level and frequency of screening should be based on the risk posed by the role and the individual and the ability of the role to contribute to the prevention of money laundering.

There is nothing in either the money laundering regulations or our Standards and Regulations to stop you from accepting cryptoassets as payment for services. However, this situation does raise some questions you need to answer, and you need to be mindful of the risks.

For the purposes of our Accounts Rules, we do not consider cryptoassets, including cryptocurrency, to be money. In any event, a payment of cryptoassets on client account would not be possible: the Accounts Rules require client money to be held in a bank or building society account, and no such accounts for cryptoassets currently exist.

Therefore, any payment directly in cryptoassets would not have the same protection as fees paid into and held on client account, and this should be made clear to the client.

Do note that, although they are not client money, cryptoassets are still subject to the protections of rules 5.2 of the Code of Conduct for Firms and 4.2 of the Code of Conduct for Solicitors ('You safeguard money and assets entrusted to you by clients and others') if you are holding them on a client’s behalf for any reason. An example of this could be as part of administration of a deceased estate, or under a lasting power of attorney.

Subject to the above, the main question you should seek to answer before deciding to accept crypto assets as payment is 'Does the accepting of crypto assets as payment create risks?'. What to consider when answering that question:

  • How sure am I that I can consistently check and understand that the crypto assets are not the proceeds of crime or subject to sanctions? Where it is difficult to determine the origin of crypto assets, it increases the risk they may be an attempt to hide the proceeds of crime or circumvent the sanctions regime (even when the transfer is payment for fees). Some assets might have features that facilitate anonymisation which will increase the risk of handling them.
  • How clear is your pricing in relation to crypto assets and are you meeting your price transparency requirements when dealing with your clients? Please note these requirements apply whether payment is made in fiat currency or crypto assets. Your pricing will also need to be considered against fluctuations in crypto asset values which are more common than when dealing with fiat currencies.
  • Are there some crypto assets I am willing to accept and others I am not, and how will I decide which are outside my risk tolerance? Things to consider when answering this should include price instability of specific crypto assets and whether the asset has any features which may facilitate anonymisation or opacity that might make it more difficult to ensure compliance with the money laundering and sanctions regimes. It is also very important that this information about what you will and will not accept be clearly communicated to clients as well as any requirements you may have around methods of transfer, use of particular platforms etc.

The involvement of crypto assets generally will raise the money laundering, terrorist/proliferation financing and sanctions risk in a matter.

Crypto assets create money laundering risks because:

  • Historically they have lacked some of the controls of fiat currency (by which we mean traditional national currencies eg UK sterling, US dollars) and broadly they and the firms who primarily work with them have lacked regulation.
  • Crypto assets are a relatively new development and keeping up with the pace of change is challenging, particularly for those not engaged on the topic. It can also be hard to understand the varying reputations of certain crypto assets or related service providers as things change so quickly.
  • There have been criminals who have used them to launder and/or attempt to launder money and there are tools which help to make crypto ownership/transfers even more opaque (eg crypto 'tumblers' which make it more difficult to trace the history of ownership of the asset). There have been multiple scams that have involved crypto assets, or that have purported to involve crypto assets (such as with OneCoin where the crypto asset itself was fraudulent).

Despite the risks associated with them, due to increased prevalence and awareness of crypto assets in the public, it is now much more common to encounter clients that have gained money from investment in crypto. Crypto investments can be a valid source of legitimate funds but you should check:

  • The source of funds for their original crypto investment, particularly where it was a substantial amount in relation to their income/salary.
  • Claimed profits, given what you know about their initial investment and the changes in price over time.
  • Transactions using publicly available records. Bitcoin and many other crypto assets can allow you to simply use Google to track down transactions involving specific assets or between specific wallets. You will need details of the client’s wallet or the assets held in order to be able to check them against publicly available transaction databases, eg blockchain.com.

Following amendments to the Money Laundering, Terrorist Financing, and Transfer of Funds (Information on the Payer) Regulations 2017 (the regulations), all firms need to carry out a proliferation financing risk assessment. This means that you will need to assess the risk of your firm being used to facilitate the proliferation of nuclear, chemical, biological and radiological weapons.

Rogue states and terrorists use methods similar to money laundering to disguise their purchase of materials to create weapons. This can include 'dual-use' goods which have both a civilian and military purpose, for example fertiliser that could be used in farming or in bombs.

We consider that the overall risk to the profession is low, and most firms will be able to briefly assess their exposure to this risk within their existing firm-wide risk assessment, after taking into account the National Proliferation Risk Assessment and our own Sectoral Risk Assessment. You can find more information about how to conduct a proliferation financing risk assessment in the Legal Sector Affinity Group guidance.

Some services are at higher risk of exposure to proliferation financing. We expect to see a more detailed proliferation financing risk assessment from firms working in the following areas:

  • trade finance
  • commercial contracts
  • manufacturing, particularly in relation to dual-use goods
  • commodities – particularly mined metals and chemicals
  • shipping/maritime
  • military/defence
  • aviation

I work for a global firm. Sometimes matters are initiated in one of our overseas offices without equivalent AML controls to the UK, and it is only after some time that it is discovered that the overall matter will have a UK element which falls within scope. This will sometimes be of a very minor nature, involving a UK fee earner spending just a few units of time on it. As this is only a minor part of a much larger matter, do we have to do full due diligence on the client? Can we put a de minimis provision in place?

There is no de minimis provision in the regulations. Depending on the nature of the matter and client, simplified due diligence under Regulation 37 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) may be available to you. If a matter falls within scope under Regulation 12, no matter how short in duration or scope, the appropriate level of client due diligence and a risk assessment must be carried out. It will be for you to determine the appropriate level of due diligence to be carried out based on the level of risk identified.

Sanctions

We have been asked by firms if they can receive payment for any legal work for designated persons without applying for a specific licence. The answer is no. The Legal Fees General Licence is purely in relation to the payment of legal fees and expenses, as defined in the licence itself. Any legal work on behalf of the client must be a permitted activity – in any other case, you must not receive payment for work unless covered by a specific licence.

The sanctions regime is strict liability, and the Office for Financial Sanctions Implementation (OFSI) does not prescribe the level of checks needed in any particular case. Relying on the other side or third parties to have effective systems in place to screen for designated persons is, again, unlikely to provide you with a complete defence if you breach the sanctions regime.

Transferring the following to a designated person, for example, could be a breach of the sanctions regime if no licence is in place:

  • an award of damages
  • completion funds in conveyancing
  • shares
  • real property.

While the regime itself is strict liability, OFSI has produced guidance which sets out its attitude to enforcement. This includes measures which will mitigate the position of firms who find themselves in breach.

OFSI will consider it good mitigation where a decision was made in good faith and, on the basis of proper due diligence, was a reasonable conclusion to draw. OFSI will take into account the measures and checks undertaken, including due diligence and ongoing monitoring, taking into account:

  • the facts of the case
  • the degree of sanctions risk of the relevant entities involved.

The level of due diligence you apply should be appropriate to the nature of a person's contractual or commercial relationship with a designated person. OFSI expects these decisions to be evidenced and, ideally, made within an internal sanctions policy or framework. As ownership and control can change over time, OFSI has indicated that it expects that due diligence and risk assessments are reviewed at appropriate points in the case. To evidence this, we recommend that your checks and decision-making are thoroughly documented.

The information obtained as part of any ownership and control assessment should be scrutinised carefully, particularly where efforts appear to have been made by designated persons to avoid relevant thresholds.

The degree of scrutiny of the counterparty, therefore, should be proportionate to the risks identified. As a basic measure, at the outset of the matter we advise you to check counterparties against the OFSI consolidated list, perhaps as part of your conflict checking procedure. Riskier counterparties and transactions should be subject to more in-depth due diligence and more regular ongoing monitoring.

My firm has received a payment from a designated person who is subject to an asset freeze, to satisfy an obligation to one of our clients. It is currently sitting in our client account. Accounts Rule 2.5 states that 'You ensure that client money is returned promptly to the client, or the third party for whom the money is held, as soon as there is no longer any proper reason to hold those funds'. Does this mean I can transfer the sum to our client, as we have no reason to hold onto it in our client account?

No. You must not transfer monies which are subject to the sanctions regime without a licence being in place. This is for two reasons:

  1. Retaining funds which are frozen under the sanctions regime is a proper reason to hold them under Rule 2.5 and therefore would not breach your obligations under the Accounts Rules.
  2. In addition, the requirements of the sanctions regime take precedence over the Accounts Rules. The SRA Principles state that: 'Should the Principles come into conflict, those which safeguard the wider public interest (such as the rule of law, and public confidence in a trustworthy solicitors' profession and a safe and effective market for regulated legal services) take precedence over an individual client's interests.'

In these circumstances you will need to apply for a specific licence from OFSI in order to transfer the funds. You should note that this applies to all funds, no matter how small. OFSI recently published a decision against a company that made a payment of £250.

I submitted a report to OFSI some weeks ago after discovering that the firm is holding money on behalf of a designated person. I have not heard back from them since. Can I assume that OFSI does not object to my transferring the money onwards to meet a prior obligation?

No. Sanctions reporting is a separate and distinct regime to suspicious activity reporting under the Proceeds of Crime Act 2002 (PoCA), and there are several differences. One particular difference is that there is no system of ‘deemed consent’ as there is under s.335 PoCA. You cannot assume that OFSI does not object to the transfer taking place if they have not yet responded to your report. Unless a general licence applies, you will need to apply for a specific licence for the transfer to go ahead.

You can find guidance about when to make a report to OFSI here, and guidance on how to report here.  

It sounds like you have carried out a risk assessment and determined that your firm are at very low risk of encountering a designated person. This might be because you only deal with clients that are local and have no international exposure.

It is good practice to document these considerations in a written risk assessment explaining why the type of clients your firm deals with and the work you carry out mean your exposure to encountering a designated person and committing a sanctions breach is minimal. If you haven't already, it is also good practice to set out your firm's approach to screening for designated persons and why it might not be necessary to carry out this check every time.

Paragraph 8.1 of the SRA Code of Conduct for individuals sets out 'You identify who you are acting for in relation to any matter.' It might be helpful as part of the risk assessment to set out that the identity checks you carry out help you determine that your clients are local with no international reach.

We recommend that you keep this risk assessment under regular review. Adding version controls to a risk assessment is a useful way of showing that your firm regularly assesses its exposure to sanctions risk.