Framework for complying with anti-money-laundering laws

A single framework for complying with anti-money-laundering (AML) laws across jurisdictions

Cindy Mundow

Practice Group Leader, Risk & Compliance

Yelena Chervinsky

Director of Risk Consulting

How international law firms can simplify AML and know-your-client (KYC) compliance with a single framework

Do any of these situations apply to your law firm?

Your firm is subject to varying AML and KYC laws across multiple jurisdictions.
Your firm practices across some jurisdictions that are subject to AML and KYC laws, and others that are not.
Your firm is not yet subject to any AML or KYC laws.

If you fall into the first or second category, your firm should apply a common framework for complying with AML and KYC laws — then add specific steps as needed to address specific regional requirements. Even if your firm is in the third category, it should still consider voluntarily implementing a framework for several reasons.

Below we look at the core elements of an effective AML and KYC compliance framework as well as additional considerations for specific jurisdictions.

1. Dedicated workflows that enable efficient collection and review of required information

Carrying out AML and KYC checks requires a carefully designed process that enables your firm to gather, review, and store the information necessary to undertake checks before deciding whether to accept a new client or matter.

Your AML/KYC workflow is just one part of a broader client onboarding process and workflow that also involves a data quality review, risk assessment, and conflict review.

It can be challenging to manage client onboarding and AML/KYC compliance without a well-designed process and software solution to automate, manage, and support that process from end to end. Intapp Intake was built to help your firm create workflows for intake and risk assessment.

With the addition of Intapp’s external forms feature to Intapp Intake, your firm can now also separately and securely collect sensitive information in an external environment. Clients can simply log in to the environment to upload any requested documents — without the risk of sharing their private personal details over email. That data is then pulled into the firm’s internal environment for review and workflow processing.

Your firm can also set up notifications to remind users of required actions, while data integrations between Intapp Intake and other software support a more streamlined and effective user experience.

When you combine external forms, Intapp Intake, and Intapp Conflicts, your firm can manage conflicts-of-interest reviews, client matter engagement, and AML/KYC reviews all within an integrated, intuitive platform.

2. Reliable data, including third-party data

An effective AML and KYC risk framework validates information submitted by clients against reliable data. In particular, third-party data from trusted sources helps your firm verify the legitimacy of a prospective new client.

This data also supports a more comprehensive understanding of the potential client and a more accurate client record created in your system. Examples of third-party data that your firm needs for AML and KYC checks are financial data, registered addresses, global ultimate parent company name and structure, and sanctions data.

When integrated with data sources such as S&P Global, Dun & Bradstreet, and Moody’s, Intapp Intake pulls firmographic information from these sources, including details like a client’s registered address, legal structure, and global parent company. Your professionals can view relevant third-party information directly in the Intapp Intake solution — saving time that would otherwise be spent switching between applications and browsers.

With this data, Intapp Intake also serves as a single source of auditability of the full client and matter lifecycle. In addition, integrated data informs the business logic for the intake form and workflow, enhancing efficiency and reducing the need for external research and data re-entry.

3. Risk-based approach to client due diligence

With a risk-based approach to client due diligence, your firm should adjust the stringency of its AML and KYC reviews based on the level of risk that a client and matter presents. That is, your firm gathers baseline information on each client and assigns a risk score.

The risk score and risk categorization determine the extent to which your firm will gather more information, conduct additional research, or — in some cases — escalate to your compliance team or Office of General Counsel for further review and discussion.

It is important to develop a sound approach and methodology to risk scoring within your firm because the risk scores guide your firm in dividing its time among review tasks. Risk scores enable you to devote the highest levels of review and priority to high-risk or higher-risk rated clients or matters and less time to low-risk matters.

With Intapp Intake, your firm can implement a risk-based approach to client due diligence. For example, with the software, you can set up dynamic, risk-based questionnaires that adjust the questions based on initial responses. The software also enables your firm to define risk-scoring rules and adjust them over time, evolving with the ever-changing risk landscape and regulations.

4. Ongoing monitoring to uncover changes that create new risks

Firms tend to dedicate high levels of review to new business — yet often overlook the risks that can emerge with their existing clients. This can be a critical mistake. Ongoing monitoring of existing clients to identify new risks or suspicious activity is both highly advisable and often a requirement of AML and KYC legislation.

It’s important to update your existing client and matter information on a regular basis based on their risk rating. This process should include ensuring up-to-date versions of any documentation that can expire, such as passport copies, utility bills, and corporate documentation.

Intapp Intake enables firms to continuously monitor active clients and engagements for evolving risk factors, including the client’s inclusion on any sanctions lists. If Intapp Intake’s automatic monitoring uncovers an issue, the software automatically alerts designated users or departments.

Firms can then use the Intapp external forms feature to securely request new files or have the client validate and update information. For example, if a client’s organizational structure changes, Intapp Intake will trigger a new AML/KYC workflow, sending requests for information to external users.

AML and KYC requirements across the globe

AML/KYC requirements across the globe vary and continue to evolve. Once your firm establishes a core framework for handling AML and KYC review, what additional elements might be necessary for offices in particular regions?

Below, we take a brief look at select regional requirements, recent developments, and potential changes.

EMEA

The EMEA region has been subject to AML/KYC regulations for many years. These regulations have continued to develop in scope and complexity, requiring compliance departments to ensure they are sufficiently invested in operational and technology changes to fulfill AML/KYC obligations.

In recent years, there has been increased focus on collaboration and transparency across the region. The E.U.’s fifth anti-money-laundering directive aims to mitigate the risks inherent in cross-border financial transactions by introducing an enhanced level of due diligence for high-risk countries and increased transparency in beneficial ownership.

In addition, the E.U.’s sixth anti-money-laundering directive requires member states to keep beneficial ownership information in a central register, ensuring it is accessible and accurate, and regularly check this information against sanctions lists to identify any risks. This requirement is something law firms can meet with Intapp solutions.

U.S.

For years, experts warned professional service firms in the U.S. that they needed to start preparing for money laundering regulations. During 2022, those warnings became impossible to ignore, when the U.S. House of Representatives proposed the Establishing New Authorities for Businesses Laundering and Enabling Risks to Security (ENABLERS) Act. This bipartisan legislation was aimed at so-called gatekeepers and would have expanded anti-money-laundering (AML) surveillance — which is required of financial institutions — to professional services firms, requiring accounting and law firms to collect, monitor, and report specific types of client information.

Scandals like the Pandora Papers and money-laundering activities of Russian oligarchs had convinced lawmakers that AML obligations shouldn’t stop with banks. Under the Act, lawyers, accountants, and advisors would have been required to have heightened reporting, increased client screening, enhanced anti-money-laundering programs, and other KYC provisions typically applying to financial intermediaries.

The U.S. Senate, though, blocked the bill. Despite this, many U.S. law firms have introduced proactive AML/KYC checks and operational measures to review their client and matter engagements.  

APAC

In September 2024, the Australian Commonwealth Attorney-General introduced a bill in Parliament that would amend Australia’s 2006 AML law. If enacted, the law would go into effect in 2026 and would extend AML compliance requirements to Australian law firms and other professional service providers.

These proposed updates to the AML/CTF (anti-money-laundering/counterterrorism financing) regulatory framework are just one example of a growing number of compliance obligations facing Australian law firms.

Key requirements of the proposed legislation include enrollment with the Australian Transaction Reports and Analysis Centre (AUSTRAC), appointing a dedicated AML/CTF compliance officer, and adopting an AML/CTF program. Such a program must involve conducting comprehensive client risk assessments, screening potential clients, keeping records, and reporting any suspicious matters.

Under the proposed law, governing bodies would have enforcement powers and would be responsible for overseeing compliance efforts, with independent reviews expected in the future.   

Effective change management, adequate resourcing, and leveraging advanced technological solutions are essential to navigating these evolving obligations. Integrating these systems, including conflict and onboarding modules, early on can enhance monitoring and compliance while safeguarding data security.

Gain more than just software with Intapp

When you choose to implement Intapp Compliance solutions — whether external forms, Intapp Intake, or Intapp Conflicts — our experienced solution consultants will also advise you on how to most effectively design your processes and risk assessment system. We have helped many firms around the world — including international law firms whose offices are subject to different AML laws.

If you would like to learn more about how Intapp can support your firm in implementing AML and KYC processes, please contact us.

Schedule a demo

Cookie	Duration	Description
__cf_bm	1 hour	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__hssc	1 hour	HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.
__hssrc	session	This cookie is set by Hubspot whenever it changes the session cookie. The __hssrc cookie set to 1 indicates that the user has restarted the browser, and if the cookie does not exist, it is assumed to be a new session.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
drift_aid	1 year 1 month 4 days	Drift sets this cookie as a session identifier token. It is used to tie the visitor on your website to a current website session within the Drift system. This enables session-specific features, such as popping up a message only once during a 30 minute session to prevent a disruptive experience.
drift_campaign_refresh	1 hour	Drift sets this cookie as a unique ID for the specific user. This allows the website to target the user with relevant offers through its chat functionality.
driftt_aid	1 year 1 month 4 days	Drift sets this cookie as an anonymous identifier token. As people come onto the site, they will get this cookie.
li_gc	6 months	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.
visitorId	1 year	ZoomInfo sets this cookie to identify a user.

Cookie	Duration	Description
__hstc	6 months	Hubspot set this main cookie for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_fs_uid	never	Google Analytics sets this cookie to store an ID string on the current session.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gcl_au	3 months	Google Tag Manager sets the cookie to experiment advertisement efficiency of websites using their services.
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
DRIFT_visitCounts	never	Drift sets this cookie to determine the number of visits of the specific visitor.
fs_lua	1 hour	Captures the timestamp of the last user action. It is used to assist with the FullStory session lifecycle, ensuring user activity extends the session. See “What defines a session in FullStory?” for more info on the session lifecycle.
fs_uid	1 year	This cookie is set by the provider Fullstory. This cookie is used for session tracking.
hubspotutk	6 months	HubSpot sets this cookie to keep track of the visitors to the website. This cookie is passed to HubSpot on form submission and used when deduplicating contacts.
prevBuyingStage	6 months	6sense intent data
sessionUUID	4 hr	A unique identifier for the visitor’s session on the website. Used to correlate page views andactivities to a single browsing session on the website. It will remain unique for the duration of the cookie.
sixSenseUUID	2yr 12hr	A third-party unique identifier for the visitor that is managed by 6sense.
svisitorUUID	2yr 12hr	A long lived unique identifier of this visitor on the website. It is either correlated to the 6suuid or a unique value, and can be changed during the lifetime of this cookie.
visitorUUID	2yr 12hr	A unique identifier for the visitor that is specific to the website, and will remain unique for theduration of the cookie.
vuid	1 year 1 month 4 days	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos on the website.

Cookie	Duration	Description
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
IDE	1 year 24 days	Google DoubleClick IDE cookies store information about how the user uses the website to present them with relevant ads according to the user profile.
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
retargetingUID	1 wk	A unique identifier for the purposes of running 6sense Creative Ads
test_cookie	15 minutes	doubleclick.net sets this cookie to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
_cfuvid	session	Description is currently not available.
int_s	1 hour	Description is currently not available.
int_vc	1 year	Description is currently not available.
loglevel	never	No description available.