The UK's anti-money laundering regime, as currently constructed, is fundamentally risk-based.  Its roots lie in the Financial Action Task Force's 2012 Recommendations, as interpreted and implemented by a series of EU Money Laundering Directives (up to and including the Fifth Money Laundering Directive, implemented in the UK in late 2019/early 2020).

The key philosophy behind it is that financial services firms are best placed to consider the risks of money laundering and terrorist financing in their own businesses.  They are required by the UK's money laundering regulations to assess those risks, taking into account a series of key risk factors, and then implement appropriate policies, procedures and controls to guard against them.  The regime is not, and does not aim to be, one that will detect and prevent all incidents of money laundering or terrorist financing.

That is not to say there are no prescriptive aspects of the UK's money laundering regime.  There are a considerable number, for example requirements to carry out risk assessments, implement policies, procedures and controls, and to carry out customer due diligence.  However, critical aspects of the regime rely on firms' own judgements.  Firms play a role in establishing the regulatory standard to which they will be held.  

Once a firm has identified the risks it faces, a regulator or prosecutor will expect it to be on the lookout for them.  It is therefore important not just to carry out a risk assessment and file it.  Use it as a guide.  A regulator or prosecutor will expect your staff to know when they are working in an area of higher money laundering risk.

Further, a firm's AML risk assessments need to be dynamic – to be compliant, they need regular review and update.  It is therefore essential to watch out for trigger events that may require a review – for example changes to a particular customer's business, the issue of an updated UK national risk assessment, or world events such as Brexit or the withdrawal of Western troops from Afghanistan.

A sceptic might question whether – when some requirements of the regime are dynamic rather than prescriptive, but still enforceable under the law, it is ever possible to be sure that a firm will be compliant.  Will there not always be a risk of a regulator or criminal prosecutor reaching a different view of the risks to the one that the firm reached?  Or finding the firm breached legal requirements by ignoring or underplaying risks in its risk assessment?  Or saying that an assessment should have been updated more often?  Or saying that the firm should have identified different risks?

In our view, this is potentially a risk, but experience suggests firms, and senior individuals with responsibility for this area, can do much to protect themselves.  We suggest key priorities should include investing time and effort in the risk assessment process, ensuring assessments are regularly reviewed, ensuring that good records are kept of decisions reached, and training those in the front line of the business to understand the risks they are most likely to encounter.

A firm's risk assessments, policies, procedures and controls, represent, in the eyes of a regulator, not just a statement of the present, but a commitment to a standard of behaviour in the future.  The UK regime requires a firm's policies, procedures and controls to reflect the risks in the risk assessment.  It is common in enforcement actions for a regulator to compel production of policies and procedures at an early stage, investigate whether or not a firm complied with the requirements it set itself, and use that as part of its analysis of whether or not there has been a breach of underlying law and regulation.

A key way a firm can mitigate enforcement risk is therefore to ensure that it meets the standards set out in its own policies and procedures.  Proper segregation of duties, regular compliance testing, and internal audit work, are other effective risk mitigants.

A further mitigant is to reform controls which are proving ineffective.  If your experience is that some aspects of your AML controls may not be working properly, for example if it is proving impossible to comply with, or is routinely being overlooked, then revisit it appropriately.  That can sometimes be because the control is wrongly calibrated.  Overly sensitive controls (generating a flood of alerts that are never looked at and resolved) can pose as much of an issue as controls that can't identify relevant risks when they need to.

Regulatory and legal change represents a particular challenge in this area.  In the UK alone, developments over the last 5 years have included:

• a mutual evaluation review by the Financial Action Task Force and a number of governmental measures taken in response;
• a Serious and Organised Crime strategy, an Economic Crime Plan, and two national AML risk assessments (in 2017 and 2020); and
• a series of reforms to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations (particularly in 2017 and late 2019/early 2020);
• an Act of Parliament implementing a new legal basis for the UK's sanctions regime, and changes to the sanctions regime in light of world events; and
• the 'on-shoring' of some Rules as part of the Brexit process.

This is likely to remain an area of change, as criminals develop ever-more sophisticated methods, and law and regulation seek to keep up.  Further reforms were proposed over summer 2021, alongside HM Treasury's call for evidence mentioned above.  A new statutory instrument amending the current money laundering regulations is expected in Spring 2022.

Monitoring and implementing change should be recognised as a challenge requiring appropriate investment of time and resource.  In our experience, problems in this area can be a key factor increasing enforcement risk.  Ensuring that change projects are concluded properly is a key way of mitigating it.

A priority for firms at the current time would be to ensure that any regulatory change projects in this area that might have been delayed or deprioritised during the Covid-19 pandemic are picked up again and brought to term.

Firms can in our experience successfully mitigate the risk of enforcement action by responding appropriately to specific instances of money laundering.  In a risk-based regime, incidents will occur.  If they are handled properly when they happen, that does not necessarily mean a firm is in breach of legal or regulatory controls requirements.  Different types of firms are likely to experience issues to different degrees.  

That said, difficulties in the handling of an incident, and/or a failure to learn from experience, could well be perceived by regulator or prosecutor as a control weakness. 

It goes without saying that firms and individuals obliged to make suspicious activity reports need to make them to avoid committing money laundering offences.  Beyond that, however, reviewing and reconsidering policies, procedures and controls in light of an incident can be a further effective mitigant of enforcement risk.  Don't overlook regulatory reporting requirements beyond the submission of SARs to the National Crime Agency.  If there has been a control breakdown, this may need to be reported proactively to the FCA in its own right.  If an incident reveals a weakness that you need to remediate pro-actively, for example a gap in record keeping, or a problem with due diligence on a particular customer group, it is often the best course to move as quickly as possible to remediate it and keep the regulator up to date.

A firm that can demonstrate to a regulator not only how its controls stopped issues in a number of cases, but also how it learned from incidents and adapted policies, procedures and controls when risks crystallised, can arm itself with powerful arguments about its compliance with the underlying law.

Part of the FCA's messaging in this area during 2021 has been about its focus on outcomes.  The regulator has expressed a concern that where firms operate complex AML systems, sometimes there can be a "loss of a sense of what they exist for", or a risk that the system becomes "an end in itself, rather than […] a radar to identify and manage the actual risks facing [the firm]" (see a speech by Mark Steward, Director of Enforcement and Market Oversight, FCA, 1 April 2021).  

Whilst aspects of this messaging are controversial in a risk-based regime, firms that can demonstrate that their systems have been able to stop criminal activity are likely be able to mitigate enforcement risks better than firms that cannot show this.

Further, it is important that those in an organisation running any AML systems (for example covering customer on-boarding or transaction monitoring) have a good understanding not only of the risks identified in the firm's risk assessments, and associated policies, procedures and controls, but also the capabilities and limitations of the relevant systems.  There should be a clear escalation process in the event they identify a difference between (i) what the policies, procedures and controls say the firm will do; and (ii) what the systems in issue are actually doing.

The UK's AML and counter-terrorist finance regime is complex.  However, obtaining and acting on legal advice (especially in areas of particular technicality) can be an effective mitigant of enforcement risk.