8 – AML, Data Protection, Risk Register and Business Continuity

Anti money laundering

Law firms are a target for criminals who wish to turn the proceeds of criminal activity into laundered money.

We can help you understand and mitigate the risks posed by the activities you carry out. You will need to produce a firm risk assessment. Read our guidance on anti money laundering which includes a template for your firm’s policy.

Overseeing your compliance with the Money Laundering Regulations is a key role for us as an AML supervisor.

Data protection

Law firms hold large amounts of personal data. You need to make sure that you are doing everything possible to protect it.

Most organisations pay a data protection fee. The fee depends on your firm’s size and turnover.

The Information Commissioner’s Office provides resources to help you create your firm’s data protection policy.

Risk register

You should create and maintain a risk register, including important dates for your firm. Check our risk register template for ideas on your annual responsibilities.

You should then have a risk assessment register. This will help you to log and evidence any risks to the firm, as well as documenting any breaches. It can act as a prompt to review your risk activities.

Business continuity

A business continuity plan can help you continue to operate as normal in the event of serious disruption. This could include:

  • the death or long-term absence of a key member of staff, including the owner
  • loss of business premises due to fire, flood or other reason
  • loss of IT systems through technical failure or cybercrime

It can also play an essential role in defining how more regular occurrences, such as the need for supervisory cover during planned absences, are arranged. This is particularly important in smaller firms which may only have one authorised person, who it is reasonable to assume will need to take holiday at various points during the year. We would expect to see that suitable documented arrangements are in place to cover supervision and the continued operation of the firm during the planned absence of key staff. You may well find that external bodies such as financial institutions will ask for confirmation of such arrangements as a requirement of entry to their lender panel, and having this aspect of the firm’s governance documented in the Business Continuity Plan will help provide the evidence required.