Risk Update

Law Firm AML Compliance — Artificial Intelligence & PII Information Governance / Security

We noted new AML guidance last week. But this detail caught my eye in particular: “AI can form part of anti-money laundering armoury, law firms told” —

  • “New technologies such as biometrics, machine learning and artificial intelligence can now form part of the anti-money laundering (AML) armoury, law firms have been told.”
  • “The Legal Sector Affinity Group, made up of all the UK’s legal regulatory and representative bodies, has published a 212-page draft of its updated AML guidance, which is subject to approval by HM Treasury.”
  • “The guidance also considers new technology. ‘The use of biometric indicators such as facial recognition software as part of an overall identity verification process is now widely used across various industries, and may be considered proven technology, helpful in meeting a practice’s AML obligations, especially in non-face to face situations, remote client take-on situations,’ it said.”
  • “‘Where used, consideration must always be given to the use and storage of such data, where collected, stored and retained.'”

For those curious, my eye was caught due to that last bit — questions about information governance and security relating to personal biometric data. You see, just the other week an expert in the matter was sharing some shocking stories of law firms haphazardly storing passport and other PII data generally open in the DMS and sent around via email (where it can live forever).

The thing about biometric data is that it can be great for security, but carries its own risks. Hard enough to change your social security number if there’s a hack and leak — impossible to change your irises.

And there are plenty looking for this kind of data — though arguable not within the email systems of law firms, just yet. (For more general risk reading, see: “Intel agency warns of threats from China collecting sensitive US health data“.

And for more law firm AML perspective, see: “AML Risks – why did I agree to be the MLRO?!

  • “This is a question I ask myself many times each day since being appointed the MLRO for Weightmans in May 2020! As a compliance specialist advising law firms on all aspects of legal sector regulation, including AML, I was familiar with the obligations and responsibilities which come with being the MLRO so it made sense that I applied that knowledge internally at Weightmans when it became apparent that the role had become too onerous and time consuming for one person to be both MLRO and MLCO.”
  • “Thankfully I inherited effective (touching wood as I speak!) and compliant policies and procedures but of course I am not resting on my laurels and there is always more work to be done to remain one step ahead of the crooks who seek to launder their ill-gotten gains through a law firm’s client account. My priorities currently are the updating of the firmwide risk assessment and PCPs to reflect the latest LSAG guidance and the SRA’s latest sectoral risk assessment dated 28 January 2021.”
  • “One of the key areas of non-compliance with the ML Regs identified by the SRA is the requirement to independently audit the firm’s PCPs. The need for independence in auditing is an area that many firms seem to have neglected or misunderstood. Only the very smallest practices will not have to establish an independent audit function and yet, according to the SRA’s November 2020 report referred to above, more than 50% of the firms visited required follow up action on this issue.”
  • “While ‘independent’ does not necessarily mean the audit has to be carried out by someone external to the firm, there needs to be someone suitable to carry out the audit within the firm who:
    • Is independent of the work areas being audited (so not the MLRO/MLCO/compliance team or the team who did the original work)
    • has the requisite skills and knowledge of audit and the requirements of the anti-money laundering regulations;
    • is a senior member of the firm with authority to access all relevant material and to make recommendations/report findings to senior management; and
    • has the necessary time and capacity to carry out the audit.”
  • “Such a person is not always easy to find! Thankfully, Weightmans has an established internal, independent audit team, the head of which is responsible for auditing the AML PCPs, but many firms will not have this resource and, unless you can justify not having an independent audit (which will need to be carefully documented), this is where external expert support should be considered.”