Skip to content

Can you show me your AML records?

Question no. 2 from the supervisor

When the regulator pays a visit, the first question is usually “How do you determine whether a matter falls under the AML legislation?” We discussed that in a previous article. This time, we focus on the next likely question during an inspection: “Can you show me your AML records?” Below you will find what you should be prepared to show in order to be inspection-ready.

The three main parts of an AML audit

During an inspection, the regulator assesses your AML administration based on three main components:

  1. Review of selected client files

  2. Client due diligence and reporting obligations

  3. Engagement confirmations

Each of these is explained in more detail below.

 

1. Review of selected client files

During the inspection, you are expected to provide at least two client files. In the past, firms could prepare these files in advance, which often resulted in a last-minute scramble to bring them up to date. Increasingly, regulators are now selecting random matters on site. This means all client files must be in order at all times.

The regulator will look at how you maintain your AML files. Is this done using paper files or supporting software such as RegLab? Recent inspections highlight the importance of maintaining a uniform and consistent AML administration across the entire firm. Every lawyer or staff member, in every department, must follow the same procedures. If, for example, Department A records AML checks differently than Department B, the regulator may decide to carry out a more detailed review.


2. Client Due Diligence and reporting obligations

At the heart of every AML inspection is your client documentation. This includes making sure all underlying documentation is up to date. To demonstrate continuous monitoring, outdated ID documents or company extracts are not acceptable in active matters. You must include a clear risk profile and specify the type of due diligence performed. Descriptions of these profiles should be clearly outlined in your office policy.

The starting point for client due diligence and reporting is your AML policy. This document sets out how your firm handles AML obligations. It should include:

  • The types of clients your firm typically works with

  • Your firm's risk appetite

  • How the AML process works in practice

  • What client information is collected and how frequently

  • When to apply simplified or enhanced due diligence

  • Definitions of client risk profiles

Although many firms have an AML policy in place, when asked to demonstrate how it is applied in daily practice, many fall short. The regulator will want to see how your policy is implemented, especially in relation to reporting obligations and practical client due diligence.

Firms inevitably deal with potentially unusual transactions. If you suspect such a transaction, you are required to report it to the FIU. Your AML records must clearly show that a proper assessment was made. This is often straightforward in routine cases, but what if the client is a Politically Exposed Person (PEP)? In such cases, you must document in detail why you have decided to continue or terminate the engagement. That decision must be recorded in your AML file.

3. Engagement letter

Many lawyers send engagement confirmations by email. The signed confirmations and replies often remain in personal inboxes. In most cases, there is no central location where these are stored. It is often unclear whether the confirmation was ever returned signed. Our recommendation is to ensure all engagement confirmations are stored in a centralised location. Assign someone the responsibility for managing and verifying this. You can do this manually or automate the process using AML tools such as RegLab, which also manages follow-ups.

 

Practical Tip from Hans Urlus (Shareholder and Attorney, Greenberg Traurig LLP)

“Don't be mistaken about the importance of human awareness. Having a policy and the tools is key, but it is the lawyer himself who needs to conduct the assessment based on the possible risks of a transaction or matter. That is why education and awareness are a priority. With internal training sessions, at least every six months, we give concrete substance to the open standard: the AML. The software helps create this awareness. It makes people aware of the AML process and the AML audit. But the most important thing is still our motto: “The AML process... it’s all about the lawyer”.

 

Conclusion

The strongest advice is to monitor and update AML documentation consistently, not reactively. If you only bring your files up to date the week before an inspection, the regulator will notice. It also puts a strain on internal resources.

Whether or not you choose to automate your AML process, it must be integrated into your everyday workflow. Do not wait for an inspection letter. Start now. Even taking a small step, such as sitting down with an AML specialist to map out your approach, can set your firm on the right path.

⭠ Question no. 1 from the supervisor

Question no. 3 from the supervisor ⭢

Themed file: fully prepared for the supervisor’s audit

This article is part of a number of articles and downloads that will help you prepare yourself for the supervisor’s visit. This content is based on a supervisor's FAQs during an audit. Do you want to be 100% AML-proof and ready for the supervisor’s visit? Find all FAQs in our Knowledge Centre.

Knowledge centre

Download the ‘100% AML-proof’ checklist

Download