Money Laundering Regulations 2017—independent audit function—law firms

The following Practice Compliance guidance note provides comprehensive and up-to-date legal information covering:

  • Money Laundering Regulations 2017—independent audit function—law firms
  • The requirement to establish an independent audit function
  • Responsibilities of the independent audit function
  • Who should carry out the audit?
  • Audit frequency
  • Planning the audit
  • The audit report
  • Monitoring compliance with recommendations
  • The difference between independent audit and risk assessment

Forthcoming changes: The UK has voted to leave the EU and this will take place on exit day as defined in section 20 of the European Union (Withdrawal) Act 2018. This has implications for law firms. This Practice Note is likely to be affected. It will be updated as and when relevant implementing legislation is published. For more on Brexit, see Practice Notes: Brexit—anti-money laundering and counter-terrorist financing—law firms and Preparing for Brexit—key considerations and action planning—law firms.

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), SI 2017/692 introduced a new requirement for certain firms to establish an independent audit function to audit their compliance with the MLR 2017. This Practice Note provides guidance on establishing an independent audit function. It sets out the key responsibilities of and best practices for the independent audit function and the differences between independent audit and your money laundering risk assessment. This Practice Note reflects the requirements of the MLR 2017, which came into force on 26 June 2017.

The requirement to establish an independent audit function

The Financial Action Task Force (FATF) has long recommended that financial institutions' anti-money laundering (AML) and counter-terrorist financing (CTF) programmes include an independent audit function to test their systems. In the UK, for example, the Prudential Regulation Authority (PRA)