Firm policies, controls, and procedures

In the UK, by law, accounting firms are required to establish and maintain robust AML policies, controls and procedures. The legislative framework mandating these requirements includes the Money Laundering Regulations 2017 (MLR 2017). Regulation 19 of MLR 2017 requires firms to have appropriate and risk-sensitive policies, controls and procedures in place, covering aspects such as client due diligence (CDD), record-keeping, internal controls, risk assessment and management, and the monitoring of compliance.

AML Firm Policies 

A firm's policies are generally essential in governing its operations, ethics, and procedures. They ensure that all employees know their responsibilities, help maintain consistency in decision-making, and help to mitigate a range of risks, including risks to the firm’s compliance, its commercial success and its reputation. Firm policies can cover a wide range of areas within the firm beyond AML, including human resources, IT security, workplace safety, and other areas of compliance.

But, given the detailed legislative requirements for AML compliance and the mandatory measures firms must adopt, the components of AML compliance policies should be fairly consistent across firms. However, it is crucial to tailor these policies to align with your firm's specific needs and circumstances, ensuring they adequately address your client profile and risk exposure.

For example, a firm working in a local area that only serves small businesses and sole traders is going to have a very different working style and risk profile to that of a sizeable multi-office firm dealing with several international clients. This is why you cannot simply copy and paste a policy template; it has to be tailored to your firm's situation.

While MLR 2017 prescribes certain policies, controls and procedures to include, a firm would be wise to document other policies too - in areas such as reporting suspicious activity and its willingness to provide certain trust and company services. In any event, areas to be addressed within a firm’s AML policies can include:

Purpose and scope: The firm's AML policy documents should clearly state the objectives of its AML policies, emphasising the firm’s commitment to compliance with all relevant regulations and playing its part in combatting money laundering, terrorist financing and proliferation financing. Being transparent and precise ensures that staff members understand the importance of each policy and how and where it applies. Being clear reinforces the firm’s dedication to maintaining high compliance standards. 

Legislative and regulatory framework: Within the AML policy documents, it is helpful to include details of the relevant AML legislation and regulations the firm must adhere to. This includes the Proceeds of Crime Act 2002 (POCA), the Terrorism Act 2000, MLR 2017, and the guidance required to be issued by the government and the firm’s supervisory authority. It might also be useful to note the requirements and guidance of the Financial Action Task Force (FATF) and the AML Guidance for the Accountancy Sector produced by the Consultative Committee of Accountancy Bodies (CCAB). This helps to provide context and convey to staff the importance of AML compliance.

Roles and responsibilities: The policy documents should clearly define all employees' specific roles and responsibilities in relation to AML compliance, especially those defined by MLR 2017 as “relevant employees”. This includes detailed descriptions of the duties of the firm’s Compliance Officer, its Nominated Officer (for the purpose of handling suspicious activity), other senior management, and other staff members. By specifying these responsibilities, you are helping to ensure that everyone within the firm knows their role in preventing and detecting money laundering, promoting accountability and making clear whom to contact when there is any uncertainty. In many firms, one person fulfils the combined role of Compliance Officer and Nominated Officer, and such a person is usually referred to as the Money Laundering Reporting Officer (MLRO). This is the term used throughout this guidance from Firmcheck, although the role of the MLRO is not defined in legislation.

Risk management: A firm’s policies should explain how the firm assesses and categorises money laundering risks. This includes evaluating factors such as the types of clients it has, the nature of the services provided, and geographic risk factors. This document ensures that the firm's AML controls are tailored to the level and nature of risk, enabling a more effective and tailored approach to combatting money laundering.

Monitoring and reporting: The AML policies must include procedures for monitoring clients’ activities on an ongoing basis to detect suspicious behaviour. Policies and procedures for reporting suspicious activities internally and externally must be documented, emphasising the importance of filing Suspicious Activity Reports (SARs) with the National Crime Agency (NCA) and the safeguards in place to avoid “tipping off”. Any relevant employee who has reasonable grounds for suspecting money laundering or terrorist financing is required to comply with Part III of the Terrorism Act 2000 or Part 7 of the POCA.

Record keeping: An essential AML policy concerns the records to be maintained in respect of AML compliance, such as client identification documents, transaction records, and internal and external reports of suspicious activity. It should also detail the duration for which these records must be kept to comply with MLR 2017. This ensures that the firm maintains a thorough audit trail, which is critical for AML compliance and supervision.

Internal controls and training: The AML policies must set out the internal controls to ensure compliance with AML policies and procedures. This includes the monitoring of compliance by the MLRO, the screening of relevant employees, and regular training for relevant employees on how to recognise and respond to potential money laundering activities. Clear policies in these areas can help the firm to foster a culture of vigilance and compliance.

Regulation 19 of MLR 2017 requires that a firm’s AML policies, controls and procedures must be documented, along with the steps taken to communicate them (and any changes to them) within the firm. The AML policy documents must be accompanied by a system for regularly reviewing and updating the policies to ensure they remain effective and compliant with current laws, guidance and best practices. This includes responding to changes in legislation, emerging risks, and feedback from supervisory reviews. Regular policy reviews and updates must be communicated effectively to all relevant employees.

The firm's AML policies ensure alignment with legislation and provide clear guidelines for staff on managing compliance.

AML Risk

Before saying more about the controls and procedures to be implemented by a firm to address the identified risks, we should take time to consider what, in fact, is meant by AML risk. It is important to be clear what we mean, so that we can focus our efforts on achieving the necessary outcomes and so make our procedures more efficient. Anti-Money Laundering, Counter-Terrorist and Counter-Proliferation Financing Guidance for the Accountancy Sector (AMLGAS) uses the term ‘risk-based’ throughout, but it does not say what “risk” means in the context of AML compliance. (Yet supervisory authorities will take into account whether firms have applied AMLGAS.)

The UK’s 2020 National Risk Assessment of money laundering and terrorist financing sets the scene when it states:

“Overall, the risk of money laundering through [accountancy firms] remains high. The risk is highest when [firms] do not fully understand the money laundering risks and do not implement appropriate risk-based controls …”

The Financial Action Task Force (FATF) noted, in 2018, that smaller firms are generally of higher risk, due largely to a lack of resources. That lack of resources includes inadequate training and, to some extent, a lack of understanding.

A risk-based approach requires us to understand money laundering risks, terrorist financing risks and proliferation financing risks. A risk that is, perhaps, easy to understand is the risk that an individual or a firm may, unwittingly, play a part in a transaction that moves the proceeds of crime. But, in practice, this is unlikely unless the firm operates a client bank account, in which case you must be able to understand the legitimate reason for a client wanting or needing to use that account.

But there is also a risk that a firm may unwittingly breach POCA section 327 (concealing or disguising criminal property) or section 328 (arrangements that facilitate money laundering). So a firm must be alert to the risks of being exploited in these ways.

We are expected to know our clients well – so that we can serve them well. So we are also expected to notice things that are unusual and that might even arouse our suspicion. So in addition to the risk that a firm may be exploited in facilitating or concealing money laundering, there is also a risk that it may fail to identify possible money laundering, which would include failure to identify the proceeds of crime.

To look at AML risk a slightly different way, there are risks that the proceeds of crime may go unnoticed – a risk to the public – and there are risks to the firm. The latter come in the form of reputational risk in respect of the firm’s noncompliance, and the risk that action by the firm’s supervisory authority will lead to robust sanctions against the firm and significant costs of remediation. If the firm manages the risk to the public appropriately, it will also be managing the risks to the firm itself.

Firm Controls

Within its procedures, a firm is required to incorporate controls to mitigate the risks of money laundering, terrorist financing and proliferation financing. AML controls may serve either to help prevent money laundering or to detect it, where it is reasonable to expect to do so.

MLR 2017 mentions several controls that must always be present in a firm’s AML procedures. Most of these are set out within regulation 21, which requires that a firm shall (where relevant to its circumstances) appoint a director, or someone with similar management responsibilities, to be responsible for the firm's AML compliance. This role is often referred to as that of Compliance Officer, but they may also be referred to as the MLRO (where the same person also holds the essential role of Nominated Officer).

There must be appropriate controls concerning the firm’s employees, including the need to screen relevant employees - before they are appointed and during the course of their employment. Such screening entails not only an assessment of an employee’s skills, knowledge and expertise, but also their conduct and integrity.

Throughout this guidance, we mention the need to ensure that relevant employees also receive suitable training to understand their role and responsibilities in mitigating the risks of money laundering and terrorist financing. This training requirement is a specific control set out within regulation 24 of MLR 2017.

An important control built into many processes is the control of independent review. Regulation 21 requires a firm to establish an independent audit function (if appropriate according to its size) with responsibility for examining, evaluating and monitoring the adequacy and effectiveness of the firm’s AML policies, controls and procedures. (Clearly, this is not necessary where the firm is a sole practitioner with no employees or subcontractors.)

AML Procedures 

An accounting firm's procedures notes serve as a practical guide for implementing its policies and controls, providing step-by-step instructions on how to carry out specific tasks related to AML compliance. Unlike policies, which outline the firm’s overarching principles and objectives, procedures focus on the actions required to achieve these goals. With the firm policies including defined roles and responsibilities, the procedures set out how individuals in those roles meet their responsibilities. Documented procedures help maintain consistency, efficiency, and compliance throughout the firm’s operations.

Key areas relating to AML compliance procedures include the following, although the documentation of procedures in other areas too will serve as an effective control by providing clarity and consistency:

Client onboarding and due diligence: With regard to AML compliance, the process for onboarding new clients must include CDD procedures, which entail gathering information about the client, assessing the client risk in respect of money laundering and terrorist financing, and determining which documents will be required from the client (or elsewhere) to achieve the necessary verification. But there is no reason why the documented onboarding procedures should be limited to those relating to AML compliance. Employees will find the onboarding process clearer and more efficient if the procedures notes (and related checklists) include ethical and practical steps, such as communicating with a predecessor accountant, agreeing fees, issuing an engagement letter, etc. 

Record keeping: Proper documentation and record-keeping are essential for demonstrating compliance with MLR 2017. Procedure notes must set out the types of records that must be maintained, such as client identification documents, transaction records, and records relating to suspicious activity. They should state the location and format of records (whether digital or physical) and the procedure for destroying records after the appropriate retention period. The procedures should also include instructions on how to store records to protect sensitive information. Effective record-keeping ensures that the firm can provide evidence of compliance to a supervisory authority; it can review decisions taken and the reasons behind them; and it can perform effective compliance reviews.

Reporting suspicious activities: The procedure for identifying and reporting suspicious activities must be made clear to all relevant employees. There will be guidance on what constitutes suspicious behaviour, and detailed instructions on reporting suspicious activity and consulting the appropriate people. In all but the smallest firms, there must be a process for internally reporting suspicious behaviour to the MLRO, including the information that must be collected and documented. The procedures notes must also cover the steps the MLRO will take to decide whether to file a SAR with the NCA. This includes a checklist of required information for the SAR, such as the nature of the suspicion, the parties involved, and supporting evidence. Clear reporting procedures should ensure that all suspicious activities are promptly and accurately reported, maintaining compliance with MLR 2017 and protecting the firm and its employees from alleged breaches of POCA or the Terrorism Act.

Employee training: Ensuring that all relevant employees are adequately trained on AML risks and compliance procedures is a key component of compliance with MLR 2017. Procedures notes should set out how the training needs of relevant employees are to be identified and how the training is to be delivered. They might usefully state that the firm’s AML training will cover the identification of red flags, emerging risks, the firm's AML policies and procedures, and the legal obligations of staff members. The procedures notes should specify how training records should be kept, including the documentation of staff attendance and the materials covered. Regular training ensures that employees are well-informed and capable of fulfilling their AML responsibilities effectively.

Other areas in which procedures notes may be relevant include:

  • AML compliance reviews,
  • employee screening,
  • obtaining consent to enter a transaction or arrangement, and
  • reliance on the CDD performed by others.

Procedures notes often include template documents and checklists. By meticulously detailing these procedures, an accounting firm seeks to ensure that all relevant employees are equipped to comply with the firm’s AML policies. Effective procedures not only aid regulatory compliance but also help to foster a culture of vigilance and responsibility within the firm. The firm can systematically address the risks associated with money laundering and terrorist financing through well-defined procedures and protect itself from potential legal and operational repercussions.

Conclusion

The way that your firm seeks to ensure AML compliance is evidenced within its Policies, Controls, and Procedures documents. These documents are also fundamental in ensuring that you have a robust way to manage AML compliance. 

Firm policies define the objectives, scope, and regulatory framework, and ensure relevant employees and others understand their roles and responsibilities in AML compliance. These policies establish the firm’s commitment to preventing money laundering and consistently provide clear guidelines on handling compliance issues.

Controls are embedded within the AML policies to address the risks that the firm will, unwittingly, participate in, or help to facilitate, money laundering, or that money laundering by others will go unnoticed. Relevant controls include ongoing monitoring of client transactions, regular reviews of risk assessments, and suitable AML compliance reviews. Controls also encompass the screening of staff and the training programs that keep staff informed about their AML obligations and the latest regulatory developments. By regularly reviewing and updating these controls, firms can adapt to new risks and maintain a high standard of compliance.

Procedures notes support the implementation of the policies, including controls, by providing step-by-step instructions on implementing the firm’s AML measures. They cover critical areas such as client onboarding, reporting suspicious activities, record-keeping, and the identification of employees’ training needs. Procedures notes help to ensure that all staff can perform their duties effectively and in line with the firm’s documented AML policies.

An appropriate framework of policies, controls and procedures helps to ensure AML compliance. It also demonstrates (to a supervisory authority, for example) an authentic approach to compliance, and supports a culture of compliance within the firm, where clear expectations are set and understood.
