Since the implementation of Part VA of the Legal Profession Act on Prevention of Money Laundering and Financing of Terrorism, and the accompanying Legal Profession (Prevention of Money Laundering and Financing of Terrorism) Rules on 23 May 2015, the Law Society has conducted independent reviews on its members to assist the members in the compliance of the AML/CFT requirements.
So how can legal practitioners prepare themselves for the AML/CFT review?
We summarise the key areas where a busy legal practitioners should focus on to prepare for the AML/CFT review.
AML/CFT Internal Policies, Procedures and Controls (IPPC)
First and foremost, law practices should have adequate AML/CFT risk management Internal Policies, Procedures and Controls (IPPC). Hence, law practices should establish a policy document which we called the AML/CFT Policy.
This policy should contain:
- Customer Due Diligence (CDD) measures and on-going monitoring
- making of suspicious transaction reports
- risk assessment and management
- audit of the internal policies, procedures and controls
- monitoring and management of compliance with, and the internal communication of, the internal policies, procedures and controls
- hiring and training of employees
The Council of the Law Society of Singapore provides some guidance on the implementation through the Practice Direction 2015 (Prevention of Money Laundering and Financing of Terrorism). While the guidance is quite prescriptive, law practices still need to provide the implementation details relevant to their practice in the policy document.
If you are not sure how to develop an IPPC document, you can purchase the template here.
What are the roles and responsibilities of the sole proprietor/partners/board of directors and management in preventing money laundering and terrorism financing?
It is recommended that the practice establish an organisational and reporting structure in relation to AML/CFT. The reporting structure should include a Compliance Officer, preferably also a Money Laundering Reporting Officer (MLRO) and an Internal Auditor. These are key persons who are responsible for AML/CFT and they should be named in the reporting structure as well as mentioned in the AML/CFT policy.
The role of the Compliance Officer is to develop processes for the practice to conduct CDD, handle higher risk clients, and to keep Management informed of the compliance and risk management matters as and when they deal with customers that are seemingly suspicious. Any suspicious transactions should be reported to the MLRO.
The audit function of a practice should be independent and adequately resourced, and be able to assess the effectiveness of its IPPC periodically.
We recommend that law practices perform an overall risk assessment of its customers. For AML/CFT purposes, there are three types of risks that practices can evaluate:
Customer Risks – what is the customer’s main business or occupation? For entities, are the structure overly complex for the type of business they are in? Some businesses, especially those that involves cash transactions, high value assets, cross border movement of funds and virtual currencies generally carry higher AML/CFT risks. Complex structures that do not serve meaningful business needs could be used to hide the true beneficial ownerships.
Country Risks – which country is the customer from? For entities, where are they incorporated, or who do they mainly trade with? Where are the beneficial owners of the entities from? If the countries involved are from higher risks jurisdictions, then the AML/CFT risks would be higher.
Services Risks – what are the services provided to the customer? Some services, especially those that involves transfer of cash, or assets carry higher risks. Practices should also be vigilant against customers who would abuse the good standing and reputation of the legal practitioners to act as the front for them to hide their criminal activities.
For each specific risk category, give a risk rating to it based on your professional judgement and knowledge of the customer. You may want to rate, for each risk category, simply as Low Risk, Medium Risk or High Risk. Firms need to pay particular attention to those risk categories that they rate as Medium or High Risk, because these risk categories will need to be mitigated with Enhanced CDD procedures and these procedures should be documented.
For each risk category, produce a set of risk mitigation procedures.
Customer Due Diligence (CDD)
For each customer, law practices should have in place CDD processes when onboarding a customer, and for ongoing monitoring of the business relationship.
For onboarding, the key requirements involve:
- Identification and verification of the customer (the person whom the practice engages for scope of service, fees etc)
- Identification of the beneficial owners, and take reasonable effort to verify the beneficial owners.
- Screening of the customer and beneficial owners to ensure that they are not sanctioned individuals or entities, or Politically Exposed Persons (PEPs), or relatives/close associates of a PEP. This can be done either by doing Google searches or searching commercial AML/CFT databases like SentroWeb-DJ. All search results must be retained as documentary proof.
- Look out for suspicious behavior or activities.
- Conduct risk assessment on the customer.
- In the event that there are PEPs, or relatives/ close associates of PEP involved, or when dealing with higher AML/CFT risk individuals or entities, conduct enhanced CDD by asking for source of wealth and source of funds.
Once the customer is onboarded, the practice have to monitor the business relationship to ensure that the practice is not involved in any transactions related to criminal activities or terrorism. These ongoing monitoring efforts include ensuring that the customer’s information is kept up-to-date and looking out for suspicious activities. The importance of ongoing monitoring is discussed in this related article here.
Suspicious Transaction Reporting
If a law practice has not reported an Suspicious Transaction Report (STR) before, it should at least know how to report one if such an occasion arise. Practices should have proper escalating procedures being documented in the AML Policy. In addition, the MLRO (if one is appointed) or the Compliance Officer should sign up for an account for STRO Online Notices and Reporting Platform (“SONAR”). You can visit STRO here to register for a SONAR account.
Practices should also subscribed to AML/CFT and Targeted Financial Sanctions section of the Monetary Authority of Singapore (MAS) website, so as to receive alerts and updates on AML/CFT requirements and changes to the relevant lists of UN-designated individuals and entities. By subscribing to the website, the practice will stay abreast of other AML/CFT announcements, such as high risk jurisdictions identified by the Financial Action Task Force (FATF). You can visit MAS website here to subscribe.
It should be noted that the penalties for not reporting suspicious transactions has been increased on 19 Nov 2018 to $250,000 in fine with up to 3 years imprisonment (read Straits Times report here).
Every business dreads the news that the auditors or regulators are coming. Law practices can manage the AML/CFT review process proactively and reduce surprises when they cover the major areas mentioned above. An important thing to do is also to train and brief your staff of all the policies and procedures before the inspectors arrive. The goal of the review is to understand what the inspectors want and to give them the assurance that you have done your best and what is required according to the regulations. The approach to the review is to be truthful. If there is any shortcomings, work out the remedial actions with the inspectors.