Speed read: Training is a requirement under the UK Money Laundering Regulations but the wording leaves wide scope for interpretation. Jonathan Fisher QC of Bright Line Law runs a close eye over the law before turning to professional body guidance and drawing on his own experience.
The subject of professional training in anti-money laundering is little discussed but has recently commanded regulatory attention. It is important to understand the nature and extent of the regulators’ expectations when it comes to delivery of such training. To do this, it is necessary to consider the relevant legal provisions, the meaning of ‘appropriate measures’ in this context, which are the appropriate benchmarks, and what we might learn from the recent Withers LLP case.
The Regulation
The starting point is Regulation 24 of the Money Laundering Regulations 2017 (MLR), which provides in Regulation 24(1) that a relevant person must take appropriate measures to ensure that its relevant employees are made aware of the law relating to money laundering and terrorist financing. The training must be regular and include how to recognise and deal with transactions and other activities or situations which may be related to money laundering or terrorist financing. The relevant person must also maintain a record in writing of the measures taken, and in particular, of the training given to its relevant employees.
Who is a relevant employee? Essentially, anyone whose work is related to the obliged entity’s compliance with the Regulations. This is a wide definition which includes all fee earners, ancillary support staff and receptionists. The MLR sets out the requirement for training and the fundamental elements it must cover but outside of this the legislation affords the MLRO a wide discretion as to the type of training offered, and how frequently, depending on the resources available. The bigger the firm, and the greater the risk of money laundering, the larger the resource which needs to be devoted to satisfying the Regulation 24 requirement.
Enforcement mechanisms are strong for firms obliged to train employees: to breach Regulation 24 constitutes a criminal offence, as do breaches of any of the customer due diligence (CDD) requirements. In practice, there is a relationship - almost symbiotic - between a breach of CDD requirements and a breach of Regulation 24 because if a fee earner has been properly trained, there will be no CDD breach.
What does appropriate measures mean? Regulation 24(3) provides that in determining what measures are appropriate a relevant person must consider the nature, size and risk exposure of the business. It then says they may consider any Financial Conduct Authority (FCA) or relevant body guidance. It is interesting that the legislation requires the training measures to be appropriate and not adequate. Appropriateness connotes an element of propriety – that these measures are proper, in the sense of being relevant – but measures can be appropriate although not necessarily adequate. This should not be the first argument to reach for when facing regulatory action, but it is a curious drafting decision.
Supervisory guidance
Regulation 24 is vague in its terms, which means sector specific guidance is needed to fill the gap. In theory, therefore, sector guidance completes the picture but in practice, it is not so clear.
Law Society Guidance
The Law Society does give some guidance [1] beyond a repetition of the statutory requirements. Helpfully, it reminds of the AML risk posed by forged documents and of the multiple forms training can take. But it does not illuminate the content beyond the Regulation, which is needed most.
The meaning of ‘regularly’ training staff is also a concept that would benefit from expansion in guidance. The furthest the Law Society goes is to state that ‘some type of training every two years is preferable’. This is helpful, but only up to a point. For example, it omits any mention of the need to keep abreast of statutory and international regulatory developments or of the practical need to decide regularity in conjunction with the risk profile and size of the firm. In terms of frequency, is every two years the best yardstick? It is suggested that the issue of regularity is regarded as a variable, depending on the number of developments taking place and whether the level of risk has changed.
CCAB Guidance
MLROs might wish to look at the supervisor guidance issued by the accountancy profession since it offers a little more guidance on the substance of training and how this might be delivered. It also touches on an important point:
8.2.3 Training programmes should be tailored to each business area and cover the business’ procedures so that relevant employees understand the MLTF risks posed by the specific services they provide and types of client they deal with, and so are able to appreciate, on a case-by-case basis, the approach they should be taking…(emphasis supplied). [2]
As the AML/CTF regime has matured over the years, this message has strong resonance for MLROs and fee earners. For example, the exposure of the commercial conveyancing department and corporate transactions will both be significant; there will be overlaps, but there will also be different vulnerabilities. Bespoke programmes are therefore required.
Enforcement
The most recent case, brought to provide ‘a credible deterrent to other firms’, involved Withers LLP, a highly ranked international law firm with an estimated pre-pandemic turnover of around UK£185 million. The lessons are that however large or small you may be, AML update training must be given in a timely fashion, and changes in the law must be brought to the attention of the firm’s employees.There is little latitude allowed for delay. Withers LLP took 2 years 3 months to complete training for all staff under MLR2017. The burden of the Solicitors Regulation Authority (SRA) complaint was that the delay was not acceptable, especially since the SRA had earlier indicated its concern. The agreed outcome, published on 16 March 2020, was a public rebuke. [3]
It is also important to note that a supervisor may not take a holistic overview of the adequacy of professional training but may dig into the minutiae of what has been provided. In 2014, Santander UK faced an FCA investigation focusing on their provision of investment services to retail customers, and one issue related to the adequacy of the training given to new investment advisers on the Santander systems. The FCA drilled down and identified two deficiencies with the training.
First, the self-assessment pre-course learning for compliance, which was tested on the first day of training, was marked at a 70% pass mark, whereas other courses were marked at an 80% pass mark. It was noted that if the pass rate had been 80%, 41% of advisers who completed the training would have failed the compliance assessment and could not have proceeded on the course. [4]
Second, the FCA determined that the new advisers spent insufficient time using the systems that would become their platforms during the investment sales process. In feedback, 80% of the new advisers said that they felt this lack of training left them unprepared for the real world.[5]
I recollect a professional instruction some years ago, from a building society turned bank, which demonstrates another potential pitfall. The issue was the lack of case studies and hypothetical examples to explain to bank tellers what a money launderer looked like. It was not sufficient to set out the well-trodden signs of suspicion in abstract terms. In the event, to satisfy the regulator’s requirements the bank commissioned a media company to make a film consisting of money laundering scenarios, whereby actors would don the roles of money laundering customer and teller.
We have travelled a long way. From starting this article by noting the flexibility and lack of prescriptiveness in the way in which AML/CTF training is delivered, we can see examples of where the regulators have expressed clear expectations as regards the content and detail of the training, as well as its timing.
Concluding recommendations
1. Develop a rolling training programme
It is rarely sufficient to deliver ad hoc training updates. There needs to be a clear, formally developed programme which covers all employees of the firm. Relevant learning objectives need to be identified, including new legal developments and specific vulnerabilities. It is the responsibility of the MLRO to know their own company, for example ascertaining department records on SAR submissions, as well as to stay abreast of new developments.
There is a constant stream of topics which will need to be covered by updated training. The MLR 2019, for example, requires additional training on new disclosure duties, the expanded regulated sector, remote CDD plus an understanding of the criminal threats posed by COVID-19. These can all be caught by regularly allocated training time.
Where activities relating to UK business operations are undertaken by processing employees outside the UK, these employees must also be made aware of and trained to follow the AML/CTF policies and procedures applicable to the UK.
2. Ensure sufficient time is allocated to AML/CTF training
As part of a rolling training programme, it is vital that sufficient time and resource is allocated to AML/CTF training. This is very firm-specific but, for example, an hour lunch biannually is likely to be too little. The pressures of using what would otherwise be regarded as billable time is noted, but perhaps a higher-level culture shift is needed to ensure compliance.
3. Clarity of content and delivery
There must be a balance between generic and bespoke training. Supervisors often say that examples of good practice are where training has a strong practical dimension (e.g. case studies) and some form of testing. This is not a new idea: Article 46, 4th EC Directive on Money Laundering recommends supplementary ‘special ongoing training programmes’ to meet all training targets.
4. Training records must be retained
It is essential to keep evidence of assessments of training needs and the steps taken to meet those needs. In practice, training records include a copy of the training materials, details of who provided training, staff attendance or electronic training records.
5. Compulsory attendance
There should be no tolerance for dilatory partners or departments not receiving training. Failure to attend AML/CTF training sessions must be pursued at the highest level because the risks to the firm are serious if one of the fee earners tumbles into a money laundering scenario.
[1] LSAG, Anti-money laundering guidance for the legal sector, March 2018, section 3.7
[2] CCAB, Anti-money laundering guidance for the accountancy sector, March 2018
[3] SRA and Withers LLP Regulatory Settlement Agreement, 6 March 2020
[4] FCA Final Notice to Santander Plc, 24 March 2014, [4.63]
[5] Ibid, [4.65]
