Skip to content

Can you show me your AML records?

Question no. 2 from the supervisor

The supervisor is about to visit. In a previous blog, we already discussed the first question “How do you decide whether a matter is subject to AML?”. In this article, we address the following question from the supervisor during a law firm audit. The question is this: "Can you show me your AML records?"

Parts of the AML administrative audit

The supervisor audits your AML records based on three parts:

1. Assessment of two files
2. Notification obligation + Customer Due Diligence
3. Engagement letter

These three parts are explained in more detail below.


#1: Assessment of two files

During the supervisor’s visit, you need to submit at least two files. Until now, you had the option to prepare these files in advance, which basically meant spending hours and hours to update them. Unfortunately, today supervisors often focus on two random files. The only way to be prepared is to keep every single file up to date.

During an audit, the supervisor will check whether files meet AML requirements. Does your office use supporting software (e.g. RegLab) instead of physical files? Recent audits show that it is becoming increasingly important for offices, all lawyers, and departments to proceed uniformly and consistently. If team A and B are found to have recorded AML assessments differently, this can lead to more extensive audits.


#2: Notification obligation and Customer Due Diligence

Now you might be wondering: “What is the centre of attention during an audit?" Keeping complete and consistent client records is pivotal. It also means that any underlying documentation must be up to date. To demonstrate that files are continuously monitored, avoid old extracts and IDs in continuous files. A risk profile and recording the type of investigation are necessary and describing those profiles in the policy is indispensable.

The policy is the starting point for Customer Due Diligence and the notification obligation; describing your office in terms of the AML, stating the type of clients your office takes on, the 'risk appetite' and how the AML process works. It also includes details such as: which information is requested per client and how often and which type of investigation is initiated. Also bear in mind the description of the risk profiles and when simplified or more stringent research is required. In the next article, we will discuss the importance of a policy in more detail, based on question no. 3.

In many matters a sound office policy already exists, but should the supervisor require evidence, many offices will default. Especially during an audit, the supervisor wants to see how you put your policy into practice. He/She does this, among other things, by checking how the notification obligation and practical Customer Due Diligence are met. 

Offices simply might have to deal with unusual transactions under the AML. If there is a suspicion of such a transaction, you need to notify the FIU (Financial Intelligence Unit). Your AML records should demonstrate that you have conducted serious assessments. This is not difficult for default matters, but what if you are dealing with a Politically Prominent Person (PEP) for example. Then, you must also explain in detail why it is not a problem (dis)continuing your services.


#3: Engagement letter

Lawyers often send out engagement letters by email. These engagement letters and client’s emailed approvals often get lost in the mailbox. In many matters, there is no central place for storing them, and nobody to keep track of whether these engagement letters have been signed and returned at all. Our suggestion: make sure these engagement letters are stored in a central place and make someone responsible for them. You can set this up manually or use AML software (e.g. RegLab) instead.


Practical tip

Hans Urlus (Shareholder and Attorney at Greenberg Traurig LLP):

“Don't be mistaken about the importance of human awareness. Having a policy and the tools is key, but it is the lawyer himself who needs to conduct the assessment based on the possible risks of a transaction or matter. That is why education and awareness are a priority. With internal training sessions, at least every six months, we give concrete substance to the open standard: the AML. The software helps create this awareness. It makes people aware of the AML process and the AML audit. But the most important thing is still our motto: “The AML process... it’s all about the lawyer”.



Avoid ad hoc and embrace consistent tracking and monitoring to make a virtue of a necessity. You don't make quite a good impression if you have to update your files just before an audit. Not only will the supervisor understand everything has been taken care of just a week earlier; it also means that a lot of resources suddenly need to be released. Whether you automate the AML process or not, make it part of your work process. Do not start until you receive a letter, start today. This can be done very simply by sitting down with a specialist and designing the first steps together.

Themed file: fully prepared for the supervisor’s audit

This article is part of a number of articles and downloads that will help you prepare yourself for the supervisor’s visit. This content is based on a supervisor's FAQs during an audit. Do you want to be 100% AML-proof and ready for the supervisor’s visit? Find all FAQs in our Knowledge Centre.

Knowledge centre

Download the ‘100% AML-proof’ checklist