Money and matters: A lawyer’s guide to navigating Tranche 2. Part 6

Money and matters: An Australian lawyer’s guide to navigating Tranche 2.

In the last article, we took a look at money laundering red flags in the legal sector. Namely, what to watch out for and how to avoid both reputational damage and fines. In this piece, we dive into risk assessments; the foundation of every AML programme.

Part 6. Getting the basics right. Risk assessments in law firms.

As Tranche 2 reforms roll in, you’ll hear a lot more about your law firm taking a ‘risk-based approach’. This was a point of great discussion in a May 2024 ALPMA webinar with Alice Molan, Partner and AML expert from Herbert Smith Freehill, “The risk-based approach is all about designing a compliance framework that's responsive to the risks in your business, having regard to the services that you provide, the customers that you engage with, how you provide your services, and also the jurisdictions that you deal with.”

Risk assessments allow you to develop an AML/CTF programme that’s not over- or under-cooked for your specific firm. 

When asked about the relevance of an umbrella legislation that’s applicable to banks, casinos and soon to be law firms she responded: 

“Yes, banks and lawyers will all need to do customer due diligence, but what it looks like for a bank or casino versus a law practice will be very different. What it means though, is that there needs to be an understanding in your firm of how a client could use your services to launder money or finance terrorism.” 

It’s this understanding that must then be translated into the creation of your AML programme, and the foundation of the entire setup, is the risk assessment. Identifying the specific risks you could be exposed to determines what measures you need to include in your programme. It allows you to develop an AML/CTF programme that’s not over- or under-cooked for your specific firm.  

The assessment.

The first thing to know is that a risk assessment is a regularly updated, written document that helps law firms to:

• develop policies, procedures and controls to reduce the risk of money laundering
• apply a risk-based approach to detecting and preventing money laundering
• understand the level of risk associated with certain business relationships and transactions
• make appropriate risk-based decisions about clients and retainers

For law firms in particular, there are many types of risk to consider. This may look daunting as a list, but it’s a formalisation and extension of what firms often already do. Risk assessments for law firms cascade down from firm-wide risks, all the way to individual transaction / matter risks, these include:

• Firm-wide risk
• Sectoral risk
• Customer / client risk
• Geographical risk
• Product / services risk
• Delivery channel risk
• Transaction / matter risk

We won’t go into all of these risk types here. For a comprehensive review have a look at “A How-To Guide to AML Risk Assessments”. Although not written for Australia specifically, it covers typical risks law firms in regulated countries consider. Instead, let’s take a look at the broadest risk types. 

Firm-wide risk.

This helicopter-view of risk associated with your specific firm helps you set the scene. Risk areas include:

• Your practice areas and services 
• Your client base 
• Geographic factors (where your clients reside and where you do business)
• Transaction sizes and complexity
• Client engagement channels (online, in person etc)

Once you’ve identified them in relation to money laundering or terrorism financing, document them along with potential consequences and your mitigation strategies. This is a regular process that should be updated as things at your firm change such as new services are added or broader client types are onboarded.

Although not specific to Australia, New Zealand’s national risk assessment guidance provides a deeper understanding.

Client risk.

It’s assumed that Tranche 2 legislative amendments will require law firms, who are offering certain designated services (such as acting as the formation agent of a structure, providing a registered office and of course conveyancing), to assess the specific money launder / terrorism funding (ML/TF) risks before onboarding a new client. This will likely mean:

• Identifying the client and beneficial owners
• Checking for politically exposed persons (PEPs)
• Understanding the client's source of funds (where they got their money from for a specific transaction)
• Determining the legitimacy of the client's legal needs
• Screening for adverse information (for example if they have been previously convicted or involved in suspect activities.)

During another recent webinar we spoke about risk assessments with AML global leader, Amy Bell, who is also the founder of AML consulting firm Teal Compliance, Chair of the UK Law Society's Money Laundering Task Force, author of 'Solicitors and Money Laundering' and 'Compliance That Works' and the mind behind the UK Law Society's Anti-Bribery Toolkit and AML Training Courses.

“Really, what you're asking yourself [during the first part of a risk assessment] is, does this seem okay enough that we're going to go on to the next stage. If I think it's too strange, unusual or odd, then I don't do it.”

- Amy Bell, Teal Compliance, author and UK Law Society Money Laundering Task Force Chair

Her advice for assessing a client for the first time is to take a practical approach, “I call it the barge pole or sniff test. If I think it's too strange, unusual or odd, then I don't do it. That's your first look at risk. And you can only do that from the initial information that you've got from a client. You're not going to have anything else at that point. Really, what you're asking yourself is, does this seem okay enough that we're going to go on to the next stage, which is to collect the client due diligence information (identity verification, entity structures, proof of source of funds etc).” 

Transaction / matter risk.

The transaction level is the most exposed part of money laundering risk. It’s at this point that a criminal is trying to place their illicit funds into the legitimate financial system and thereby launder it. Because of this, evaluating the money laundering risk of each client matter or transaction is a must. There are many money laundering red flags to watch out for, but some common ones include:

• Overly complex or urgent instructions
• Unusual funding sources 
• Transactions misaligned with the client's profile
• Frequent structural or party changes
• Opaque beneficial ownership

A key concept to adopt is to revisit your risk assessment for ongoing matters. 

Avoid a check-box mentality.

Globally, some supervisory and industry bodies offer industry-specific templates as a way of providing guidance and ensuring that companies consider all necessary types of risk. However, many regulators and supervisors actively discourage using a generic template. This is because each company is exposed to different ML/TF risks. Often, where templates are used, companies download and shelve them without engaging senior management on how to tailor it to the specific risks for their business.

That said, for smaller regulated companies who do not often deal with complex matters or entities, using a template as a base for discussion and risk analysis may be suitable.

If you do wish to use one of these templates, we recommend that you go through each clause with senior management to determine if the template is suitable for you. You should also keep in mind the questions and types of risk covered in this guide so that you understand and are comfortable putting in place the appropriate processes, controls and procedures.

 Keep it simple, but relevant.

This may all seem daunting, but it really is a practical approach to a global problem. Getting your risk assessments right doesn't have to be overly complicated. Start with the basics - a comprehensive firm-wide assessment, client due diligence, and matter-specific evaluations. Document your findings and decisions. Seek expert guidance if needed to fine-tune your approach.

For Australian law firms, investing the time upfront to get your AML risk assessments right is well worth it. You'll be better equipped to identify and manage risks, fulfill your legal duties, and avoid the financial and reputational damage that comes with AML/CTF violations. Build your assessments on a solid foundation and you'll be positioned for long-term success in mitigating ML/TF risks.