This article was originally published in The Journal of the Law Society of Scotland.
In September 2022, new regulations brought in the legal requirement to identify and mitigate your firm’s risk of “proliferation financing” (PF).
PF means the act of providing funds or financial services for use, in whole or part, in the manufacture, acquisition, development, export, trans-shipment, brokering, transport, transfer, stockpiling, or otherwise in connection with the possession or use of, chemical, biological, radiological or nuclear (CBRN) weapons. It covers provision in connection with the means of delivery of such weapons and other CBRN-related goods and technology, in contravention of a relevant financial sanctions obligation.
Law firms will have vastly different levels of exposure here, but it is important to understand the subject to the extent that you can record a reasonable judgment on your own firm’s risk.
Two documents will help steer your course: first, the Financial Action Task Force (“FATF”) guidance, and secondly the UK’s own National Risk Assessment (“NRA”).
FATF guidance
The FATF guidance on PF risk assessment and mitigation (2021) tells us that your assessment may consider the vulnerabilities associated with your products, services, clients and transactions, including whether products or services are complex in nature, or have a cross-border reach. Also, the nature, scale, diversity, and geographical footprint of the firm’s business should be considered.
Of most sectoral interest to law firms will be the risks of trust and company service provision (TCSP), particularly in facilitating company formation and the use of shell or front companies, or perhaps nominee ownership arrangements. The guidance notes that “designated persons and entities, and those persons and entities acting on their behalf have quickly adapted to sanctions and developed complex schemes to make it difficult to detect their illicit activities; both Iran and [North Korea] frequently use front companies, shell companies, joint ventures and complex, opaque ownership structures for the purpose of violating sanctions measures”.
The UK National Risk Assessment
The domicile here of many global financial institutions perhaps represents the most obvious meta risk to the UK. Some niche risks facing the insurance and maritime industry are detailed in the NRA, but it is perhaps the point around use of UK companies which will again be most pertinent to law firms.
The NRA gives a particular case study where an East European business operator used a professional gatekeeper in a Baltic state to set up a Scottish limited partnership (SLP) to conduct defence contract business activity. A representative resident in Scotland was paid per item to sign all SLP filings and returns, but was completely unconnected with the SLP or the business operator; their payment came from the gatekeeper’s business account in the Baltics. At no point was there any link back to the physical person behind the SLP.
Generally, firms involved in transactions and arrangements on behalf of defence or dual-use goods contractors will wish to think seriously about their direct and indirect exposure here, though I suspect such firms might ordinarily be larger firms who are already well aware of the risks and requirements. (Exposure through dual-use goods is an interesting and complex area of its own; to learn more, see UK Government guidance.)
Your practice-wide risk assessment (PWRA)
TCSP work, layering and obfuscation, and geography are clearly key considerations. Fundamentally, these represent general AML risk factors we should all be familiar with by now, but the new requirements demand extra thinking.
As a starting point, you may wish to review the number of customers already identified as high risk, especially those often carrying out cross border transactions involving legal persons and arrangements, or multiple shell or front companies. Information on the type and identity of the customer, as well as the nature, origin and purpose of the customer relationship is also relevant.
Do you act for clients with structures reaching higher risk or so-called “secrecy” jurisdictions? You should be comfortable that you understand the true beneficial ownership, and the rationale for inclusion of such jurisdictions.
Do you provide company formation or other corporate services which might raise exposure to PF arrangements? Be clear about your risk appetite and policy, and ensure you understand the client, their operations, and their ownership on an ongoing basis. Similarly, be vigilant about the use of an intermediary or other contact where the rationale for their use or interest isn’t clear.
Finally, where you decide that you have lower exposure due to, for example, not undertaking TCSP work or clients in international matters and transactions, it is just as important to note this clearly in your PWRA. The absence of inherent risk is a legitimate and required part of your assessment of exposure to risk.
Like other areas of AML, the truth is that people who want to abuse your services are forever adapting and enhancing their methods, and your firm is not a special branch of the National Crime Agency. You are not being tasked with catching bad guys, but with taking reasonable measures commensurate to the size and nature of your business. Considering what we know about some of these sanctioned regimes, I’m sure you’ll agree this assessment is worthwhile.
