Client risk assessment

A firm’s AML compliance must be seen to be responsive to the risk of money laundering and terrorist financing faced by the business. The same is true of AML supervision by HMRC or one of the professional body supervisors. So it is worth reminding ourselves what we mean by risk in this context, before we turn our focus to client risk assessments.

What do we mean by AML risk?

The UK’s 2020 National Risk Assessment of money laundering and terrorist financing (NRA) states:

“Overall, the risk of money laundering through [accountancy firms] remains high. The risk is highest when [firms] do not fully understand the money laundering risks and do not implement appropriate risk-based controls …”

The Financial Action Task Force (FATF) noted, in 2018, that smaller firms are generally of higher risk, due largely to a lack of resources. That lack of resources includes inadequate training and, to some extent, a lack of understanding.

A risk-based approach requires us to understand money laundering risks, terrorist financing risks and proliferation financing risks. A risk that is easy to understand is the risk that an individual or a firm may, unwittingly, play a part in a transaction that moves the proceeds of crime. In an accountancy practice, this is unlikely unless the firm operates a client bank account, in which case you must be able to understand the legitimate reason for a client wanting or needing to use that account.

But there is also a risk that a firm may unwittingly breach POCA section 327 (concealing or disguising criminal property) or section 328 (arrangements that facilitate money laundering). So a firm must be alert to the risks of being exploited in these ways.

We are expected to know our clients well – so that we can serve them well. We are therefore also expected to notice things that are unusual and that might even arouse our suspicion. So, in addition to the risk that a firm may be exploited in facilitating or concealing money laundering, there is also a risk that it may fail to identify possible money laundering, which would include failure to identify the proceeds of crime.

To look at AML risk a slightly different way, there are risks that the proceeds of crime may go unnoticed – a risk to the public – and there are risks to the firm. The latter come in the form of reputational risk in respect of the firm’s noncompliance, and the risk that action by the firm’s supervisory authority will lead to robust sanctions against the firm and significant costs of remediation. If the firm manages the risk to the public appropriately, it will also be managing the risks to the firm itself.

What does the legislation say about risk assessments?

Chapter 2 of Part 2 of MLR 2017 sets out that the government, the supervisory authorities and supervised firms all have a part to play in assessing risk, and none of them acts in isolation. Your firm’s assessment of risk must take into account relevant information made available by its supervisory authority, including the risks of money laundering and terrorist financing faced by its supervised population. The supervisory authority’s risk assessment must, in turn, take into account the NRA published by the government. We say more about risk in the section of this guidance on firmwide risk assessments (FWRAs).

A firm’s risk assessment must take into account the size of the firm and the nature of its business. MLR 2017 specifies that it must consider any risk factors relating to:

  • the firm’s clients,
  • the countries in which the firm operates,
  • the services it is willing to provide,
  • the transactions it is likely to undertake, and
  • the ways in which the firm delivers its services (its ‘delivery channels’).

So, here we are focusing on the first of those factors. The firm’s clients are considered not only collectively, in the FWRA – impacting its firmwide policies, controls and procedures – but also individually, as part of its CDD. (A separate section of this guidance considers the points at which CDD is particularly relevant.) Regulation 28 states that the way in which a firm complies with its CDD obligations may differ in each case. It must reflect its FWRA, but also “its assessment of the level of risk arising in any particular case”. It goes on to state that, in each case, the firm must take account of factors that include:

  • the purpose of the business relationship (or transaction),
  • the size of any relevant transactions, and
  • the regularity and duration of the business relationship.

Some more detail is provided in regulation 33, which addresses the need for enhanced CDD, which is necessary to manage and mitigate a client risk that is assessed as high. The regulation goes on to state that, when assessing risk in respect of a particular client, the firm must consider risk factors that include:

  • client risk factors,
  • risks relating to any transaction (or anticipated transactions),
  • risks relating to the services to be provided and how they will be delivered, and
  • geographical risk factors.

We say more about each of these risk factors below, but bear in mind that the determination of risk level is not an exact science. Regulation 33 itself states that “the presence of one or more risk factors may not always indicate that there is a high risk of money laundering or terrorist financing in a particular situation”.

Risk factors

Although the above list of risk factors is not considered to be exhaustive, we shall consider each in turn and explore what they each mean.

1. Client risk factors

According to MLR 2017, a firm is required to assess client risk with regard to whether:

  • the business relationship is to be conducted in unusual circumstances;
  • the client is resident in a geographical area of high risk (see the geographical risk factors below);
  • the client is an entity or arrangement existing primarily to hold personal assets;
  • the client is a company with nominee shareholders or bearer shares;
  • the client’s business is cash intensive;
  • the client’s corporate structure is unusual or excessively complex; or
  • the client is applying for residence rights or citizenship in exchange for the purchase of property, government bonds or an investment.

Most of these questions would be included in a checklist provided by a professional body supervisor to its members or by a commercial organisation. But, in any event, if any of these circumstances existed, a diligent accountant getting to know their client would soon identify them and recognise them as unusual.

2. Transactions

According to MLR 2017, a firm must assess transaction risk by considering whether:

  • the client’s transactions, or a proposed transaction, might favour anonymity;
  • the relationship with the client will involve non-face-to-face transactions;
  • payments are to be received from third parties, rather than the client; or
  • there may be transactions relating to oil, arms, precious metals, tobacco products, cultural artefacts, ivory or other items related to protected species, or other items of archaeological, historical, cultural or religious significance or of rare scientific value.

3. Services and delivery channels

The risk relating to the services to be provided to a particular client should be assessed with reference to whether:

  • the services might favour anonymity;
  • the relationship with the client is unlikely to include much face-to-face interaction;
  • new or unusual services are to be provided, or there are likely to be new or unusual means of service delivery; or
  • services will include the provision of nominee directors, nominee shareholders or shadow directors, or the formation of companies or other entities.

4. Geographical risk factors

When taking account of geographical risk factors, such as whether the client is resident in a geographical area of high risk, regulation 33 reminds us that a firm must consider:

  • countries identified as not having effective systems to counter money laundering and terrorist financing;
  • countries identified as having significant levels of corruption or other criminal activity, such as terrorism, money laundering and the production and supply of illicit drugs;
  • countries providing funding or support for terrorism;
  • countries subject to sanctions, embargos or similar measures;
  • countries that have organisations operating within their territory that are designated as terrorist organisations, including those listed in Schedule 2 to the Terrorism Act; and
  • countries identified as not implementing requirements to counter money laundering and terrorist financing consistent with the recommendations published by the FATF.

Further guidance on risk factors

On a practical level, we should explore some of the components of the risk factors touched on above.

Lack of ownership transparency

According to a firm’s CDD obligations, beneficial owners must be identified and verified by independent and reliable means. This might entail the corporate structure being mapped out to be able to see more clearly the relationships between the various entities within the structure. Apart from the ID verification of the beneficial owners (once identified), the difficulty identifying them, in itself, may heighten the client risk assessment.

Business complexity

Complex ownership structures not only obscure the beneficial ownership of entities within that structure, but they can also make it difficult to follow the flow of funds. There may be a good reason for structuring a group of companies, for example, in a particular way. However, if you and your firm are unclear about the rationale, then the complex structure would be a risk indicator, and may even give rise to suspicion regarding the client’s motives.

International group structures and cross-border operations demand special attention. Your client risk assessment may be impacted by the client’s supply chain, especially your firm’s understanding of the ultimate destination of the goods it supplies. The risk of breaching sanctions should be considered, and even the possibility of dual-use goods being used for manufacturing weapons, rather than their more common, innocuous use.

Lack of cooperation

A client's reluctance to provide your firm with information requested – especially in respect of AML compliance – might be driven by a wish for obscurity. The firm should also consider the impact on client risk of long delays in responding to information requested. This is particularly true where the firm has taken care to explain to the client the obligations placed upon it by MLR 2017 and its supervisory authority.

Transactions

There are two aspects of client transactions a firm should consider. First, there are transactions between the client and the firm. If the client expects to be able to use the firm’s client account (if it has one), it must be for legitimate reasons. Use of the firm’s client account must always be for reasons associated with the services being provided to the client. If those services are expected to include regular client account transactions (eg to enable the firm to pay the client’s suppliers or employees), there may be a heightened risk of criminal funds being handled by the firm.

The other aspect of client transactions concerns the transactions the client would be expected to undertake with its suppliers, customers, etc. An understanding of these transactions will equip the firm to be alert to unusual and, potentially, suspicious activity. If an understanding of the client reveals that the client uses unusual payment methods (and/or destinations), that would be likely to have an impact on the client risk assessment.

Higher risk services

You and your firm should ensure you are aware of the accountancy services that are deemed to present the highest money laundering and terrorist financing risk. Your supervisory authority will provide information and guidance concerning high-risk services, and you should ensure you are kept up to date with emerging risks by registering to receive relevant AML notifications from HMRC and your professional body.

The information and guidance issued by your supervisory authority will have regard to the government’s NRA. The NRA, published in December 2020, asserted that “Professional services remain attractive to criminals as a means to create and operate corporate structures, invest and transfer funds to disguise their origin, and lend layers of legitimacy to their operations”.

Chapter 9 of the NRA focuses on accountancy services, and much of Chapter 11 considers trust or company service providers (TCSPs). According to Chapter 9, the accountancy services considered most at risk of exploitation continue to be company formation and termination, followed by mainstream accounting services (eg providing credibility to a set of accounts) and payroll. You should also be alert to the fact that the use of a professional accountant (eg your firm’s association with a reporting entity) suggests legitimacy, and this makes the professional accountant a target for criminals who would wish to ‘legitimise’ the proceeds of their crimes.

Bookkeeping services: Bookkeeping services, in particular, can enable money laundering, because the accountant performing the bookkeeping function may unwittingly create documents and records that have the effect of legitimising the flow of funds. For example, invoices may be created in the absence of evidence of a sale. Conversely, a bookkeeper with insufficient understanding of the business might not realise that they are creating records that hide taxable income, and so facilitating tax evasion and concealing the proceeds of crime.

Trust or company service providers: If your firm is a TCSP (as most accountancy practices are), there is a risk that it will be exploited by criminals wishing to disguise the proceeds of crime. For example, your firm may be used to create complex structures that serve to obscure the beneficial ownership of an entity. Your firm may also offer services such as providing individuals to act as directors or nominee shareholders, or a registered address for a business. These all serve to provide anonymity. The NRA is quite clear in assessing the money laundering risk from TCSPs as high – not because TCSPs will be handling the proceeds of crime (except through the fees they charge), but because they will be helping to conceal those proceeds.

Service delivery and client interactions

In recent years, there have been significant changes to the way we work. Developments in technology and the global environment have made flexible and remote working much more common. We can have productive conversations with clients, and others, without anyone leaving their desk, let alone their office, and we can access records and information remotely too.

But this raises the question of how well we really know our clients. If a new business relationship is not expected to be face-to-face, original documents cannot be inspected meticulously, business premises will be less easy to visit, and your depth of knowledge of the client and their activities may be impeded. You should ask yourself whether it is reasonable to have a remote relationship with a client, or whether it may be an indicator of heightened risk.

Regulatory environment

An important area of knowledge about your client is the regulatory environment in which it operates. An auditor is required to understand the laws and regulations with which an audit client must comply. But any client’s regulatory environment is important if you are to have a close relationship with the client, and a reasonable area to explore when assessing a client for AML risk.

A strict regulatory framework is double-edged. On the one hand, a regulatory breach could result in a financial penalty, which is avoided if the breach remains hidden. The breach itself may also give rise to undeserved cost savings. The financial benefits from undisclosed breaches of laws or regulations could result in a reporting obligation, which suggests an AML risk. On the other hand, a strict regulatory environment may be one in which checks and controls are common. For example, audit work is not considered high risk in respect of money laundering and terrorist financing, because the auditor is required to comply with a comprehensive set of auditing standards.

To summarise, the firm’s client risk assessment must be based on a clear understanding of applicable law and regulations, but you must also understand (and record) the relevant mechanisms that exist for regulatory enforcement.

Financial Action Task Force (FATF) Jurisdictions

As stated earlier, when considering geographical factors and high-risk areas, a firm must consider any countries identified as not having effective systems to counter money laundering and terrorist financing and those countries not implementing the FATF requirements. Clients in jurisdictions identified by the FATF as “high-risk third countries” will be assessed as higher risk and require enhanced scrutiny (i.e. enhanced due diligence).

A “high-risk third country” is named on one of the lists published by the FATF, namely the list of high-risk jurisdictions subject to a call for action, or the list of jurisdictions under increased monitoring. A firm with clients overseas must regularly check the FATF lists for any changes.

Ongoing monitoring

CDD, including client risk assessments, is required at various times – not only when a new client relationship is being contemplated. During the course of any client relationship, it will be necessary to review the client risk assessment, and perhaps obtain further information from the client and perform further verification work. We say more about ongoing monitoring of client relationships and CDD in another section of this guidance.

Regulatory Guidance and Resources

Supervisory authorities (including HMRC and many of the professional accountancy bodies) provide resources in the form of standard templates and checklists and guidance on CDD requirements, including client risk assessments. Some commercial organisations also provide effective solutions. Resources such as this Firmcheck guidance can provide (as part of your firm’s AML training) the understanding required to help relevant employees use standard documentation effectively.
