Firm policies, controls, and procedures

In the UK, by law, accounting firms are required to establish and maintain robust AML policies, controls and procedures. The legislative framework mandating these requirements includes the Money Laundering Regulations 2017 (MLR 2017). Section 19 of MLR 2017 requires firms to have appropriate and risk-sensitive policies, controls and procedures in place, covering aspects such as customer due diligence, record-keeping, internal controls, risk assessment and management, and the monitoring of compliance.

AML Firm Policies 

Firm policies are generally essential in governing a firm's operations, ethics, and procedures. They ensure that all employees know their responsibilities, help maintain consistency in decision-making, and help to mitigate a range of risks, including risks to the firm’s compliance, its commercial success and its reputation. Firm policies can cover a wide range of areas within the firm beyond AML, including human resources, IT security, workplace safety, and other areas of compliance.

But, given the detailed legislative requirements for AML compliance and the mandatory measures firms must adopt, the components of AML compliance policies should be fairly consistent across firms. However, it is crucial to tailor these policies to align with your firm's specific needs and circumstances, ensuring they adequately address your client profile and risk exposure.

For example, a firm working in a local area that only serves small businesses and sole traders is going to have a very different working style and risk profile to that of a sizeable multi-office firm dealing with several international clients. This is why you can’t simply copy and paste a policy template; it has to be tailored to your firm's situation.

While MLR 2017 prescribes certain policies, controls and procedures to include, a firm would be wise to document other policies too - in areas such as reporting suspicious activity and its willingness to provide certain trust and company services. In any event, areas to be addressed within a firm’s AML policies can include:

Purpose and scope: The firm's AML policy documents should clearly state the objectives of its AML policies, emphasising the firm’s commitment to compliance with all relevant regulations and playing its part in combatting money laundering, terrorist financing and proliferation financing. Being transparent and precise ensures that staff members understand the importance of each policy and how and where it applies. Being clear reinforces the firm’s dedication to maintaining high compliance standards. 

Legislative and regulatory framework: Within the AML policy documents, it is helpful to include details of the relevant AML legislation and regulations the firm must adhere to. This includes the Proceeds of Crime Act 2002 (POCA), the Terrorism Act 2000, MLR 2017, and the guidance required to be issued by the government and the firm’s AML supervisor. It might also be useful to note the requirements and guidance of the Financial Action Task Force (FATF) and the AML Guidance for the Accountancy Sector produced by the Consultative Committee of Accountancy Bodies (CCAB). This helps to provide context and convey to staff the importance of AML compliance.

Roles and responsibilities: The policy documents should clearly define all employees' specific roles and responsibilities in relation to AML compliance, especially those defined by MLR 2017 as ‘relevant employees’. This includes detailed descriptions of the duties of the firm’s compliance officer, its nominated officer (for the purpose of handling suspicious activity), other senior management, and other staff members. By specifying these responsibilities, you are helping to ensure that everyone within the firm knows their role in preventing and detecting money laundering, promoting accountability and making clear whom to contact when there is any uncertainty. In many firms, one person fulfils the combined role of compliance officer and nominated officer, and such a person is usually referred to as the Money Laundering Reporting Officer (MLRO). This is the term used throughout this guidance from Firmcheck, although the role of the MLRO is not defined in legislation.

Risk management: A firm’s policies should explain how the firm assesses and categorises money laundering risks. This includes evaluating factors such as the types of clients it has, the nature of the services provided, and geographic risk factors. This document ensures that the firm's AML controls are tailored to the level and nature of risk, enabling a more effective and tailored approach to combatting money laundering.

Monitoring and reporting: The AML policies must include procedures for monitoring clients’ activities on an ongoing basis to detect suspicious behaviour. Policies and procedures for reporting suspicious activities internally and externally must be documented, emphasising the importance of filing Suspicious Activity Reports (SARs) with the National Crime Agency (NCA) and the safeguards in place to avoid ‘tipping off’. Any relevant employee who has reasonable grounds for suspecting money laundering or terrorist financing is required to comply with Part 3 of the Terrorism Act 2000 or Part 7 of the POCA.

Record keeping: An essential AML policy concerns the records to be maintained in respect of AML compliance, such as client identification documents, transaction records, and internal and external reports of suspicious activity. It should also detail the duration for which these records must be kept to comply with MLR 2017. This ensures that the firm maintains a thorough audit trail, which is critical for AML compliance and supervision.

Internal controls and training: The AML policies must set out the internal controls to ensure compliance with AML policies and procedures. This includes the monitoring of compliance by the MLRO, the screening of relevant employees, and regular training for relevant employees on how to recognise and respond to potential money laundering activities. Clear policies in these areas can help the firm to foster a culture of vigilance and compliance.

Section 19 of MLR 2017 requires that a firm’s AML policies, controls and procedures must be documented, along with the steps taken to communicate them (and any changes to them) within the firm. The AML policy documents must be accompanied by a system for regularly reviewing and updating the policies to ensure they remain effective and compliant with current laws, guidance and best practices. This includes responding to changes in legislation, emerging risks, and feedback from supervisory reviews. Regular policy reviews and updates must be communicated effectively to all relevant employees.

The firm's AML policies ensure alignment with legislation and provide clear guidelines for staff on managing compliance.

Firm Controls

Firm controls are essential components to be built into policies, procedures, and regulations within an organisation. These controls help to ensure that all activities within the firm adhere to requirements and mitigate risks. In practice, AML controls will be either preventative controls or detective controls. 

Preventative controls are designed to prevent errors and irregularities before they happen. The documentation defines what is done to avoid the negative outcome. An example of this could be ensuring that sole responsibility doesn’t sit with one individual in the firm where possible. This provides oversight of people's work and prevents the risk of undetected errors or opportunities for misconduct. During new client onboarding, this could involve one person obtaining and verifying the client information, making the risk determination, and then another person reviewing and making a decision based on the information gathered. Relevant staff training is a crucial preventative measure. Training staff adequately on the firm's policy and procedures allows them to be better informed on how the firm conducts its AML compliance and encourages better judgment when determining risk.

Detective controls are designed to identify and detect errors that have already occurred. This ensures issues are discovered quickly, promptly addressed and remedied before they become a risk to the firm and disrupt its operational integrity. With an AML compliance lens, this could look like implementing transaction monitoring within the firm's procedures. Transaction monitoring is where the clients' transactions are monitored regularly to identify when there is a change in behaviour or an increase in suspicious activity. Reporting to the National Crime Agency is also a detective control when suspicious activity is identified. The process of doing so sits within your firm's procedures. Where a suspicious activity report (SAR) must be submitted, suspicion and risk have already occurred, and the submission of the SAR demonstrates that the firm has identified and reported the risk. The same is true with PEP and sanction checking, where you run the checks somewhat regularly to prevent individuals who are put on PEP or sanctions lists from going unnoticed for long periods. If your client were to appear on a PEP or sanction list, this would require you to conduct another risk assessment on them to reflect the change of risk they pose to the firm. Regular mock internal audits will also help identify areas that require strengthening. Where documentation is found to be lacking or proper compliance measures aren’t applied, an internal audit will identify this and allow it to be remedied before the problem persists.

The firm’s controls ensure alignment with legislation and provide precise mechanisms for managing compliance. This approach promotes consistency in addressing compliance issues and simplifies the process of maintaining adherence to legal requirements. By detailing these controls, the firm can effectively mitigate the risk of money laundering, protect its reputation, and ensure the integrity of its operations.

AML Procedures 

An accounting firm's procedures notes serve as a practical guide for implementing its policies and controls, providing step-by-step instructions on how to carry out specific tasks related to AML compliance. Unlike policies, which outline the firm’s overarching principles and objectives, procedures focus on the actions required to achieve these goals. With the firm policies including defined roles and responsibilities, the procedures set out how individuals in those roles meet their responsibilities. Documented procedures help maintain consistency, efficiency, and compliance throughout the firm’s operations.

Key areas relating to AML compliance procedures include:

Client onboarding and due diligence: With regard to AML compliance, the process for onboarding new clients includes the client due diligence procedures, the procedure for risk assessing the client, and determining which documents will be required from the client to achieve the necessary verification. Client documentation that could be required, such as a driver's licence, together with additional information gathered to understand the client’s business activities, will be used to identify the client and form a picture of the client as part of KYC. The same documentation and information will be used to conduct the risk assessment, which establishes the client's risk profile and then further informs the amount of due diligence needed, either simplified, standard, or enhanced.

Record keeping: Proper documentation and record-keeping are essential for demonstrating compliance with MLR 2017. Procedures notes must set out the types of records that must be maintained, such as client identification documents, transaction records, and records relating to suspicious activity. They should state the location and format of records (whether digital or physical) and the procedure for destroying records after the appropriate retention period. The procedures should also include instructions on how to store records to protect sensitive information. Effective record-keeping ensures that the firm can provide evidence of compliance to an AML supervisor; it can review decisions taken and the reasons behind them; and it can perform effective compliance reviews.

Reporting suspicious activities: The procedure for identifying and reporting suspicious activities must be made clear to all relevant employees. There will be guidance on what constitutes suspicious behaviour, and detailed instructions on reporting suspicious activity and consulting the appropriate people. In all but the smallest firms, there must be a process for internally reporting suspicious behaviour to the MLRO, including the information that must be collected and documented. The procedures notes must also cover the steps the MLRO will take to decide whether to file a SAR with the NCA. This includes a checklist of required information for the SAR, such as the nature of the suspicion, the parties involved, and supporting evidence. Clear reporting procedures should ensure that all suspicious activities are promptly and accurately reported, maintaining compliance with MLR 2017 and protecting the firm and its employees from alleged breaches of POCA or the Terrorism Act.

Employee training: Ensuring that all relevant employees are adequately trained on AML risks and compliance procedures is a key component of compliance with MLR 2017. Procedures notes should set out how the training needs of relevant employees are to be identified and delivered. It might usefully state that the firm’s AML training will cover the identification of red flags, emerging risks, the firm's AML policies and procedures, and the legal obligations of staff members. The procedures notes should specify how training records should be kept, including the documentation of staff attendance and the materials covered. Regular training ensures that employees are well-informed and capable of fulfilling their AML responsibilities effectively.

Other areas in which procedures notes may be relevant include:

  • AML compliance reviews,
  • employee screening,
  • obtaining consent to enter a transaction or arrangement, and
  • reliance on the due diligence performed by others.

Procedures notes often include template documents and checklists. By meticulously detailing these procedures, an accounting firm seeks to ensure that all relevant employees are equipped to comply with the firm’s AML policies. Effective procedures notes not only aid regulatory compliance but also help to foster a culture of vigilance and responsibility within the firm. The firm can systematically address the risks associated with money laundering and terrorist financing through well-defined procedures and protect itself from potential legal and operational repercussions.

Conclusion

The way that your firm seeks to ensure AML compliance is evidenced within its Policies, Controls, and Procedures documents. These documents are also fundamental in ensuring that you have a robust way to manage AML compliance. 

Firm policies define the objectives, scope, and regulatory framework, and ensure relevant employees and others understand their roles and responsibilities in AML compliance. These policies establish the firm’s commitment to preventing money laundering and consistently provide clear guidelines on handling compliance issues.

Controls are embedded within the AML policies to address the risks that the firm will, unwittingly, participate in, or help to facilitate, money laundering, or that money laundering by others will go unnoticed. Relevant controls include ongoing monitoring of client transactions, regular reviews of risk assessments, and suitable AML compliance reviews. Controls also encompass the screening of staff and the training programs that keep staff informed about their AML obligations and the latest regulatory developments. By regularly reviewing and updating these controls, firms can adapt to new risks and maintain a high standard of compliance.

Procedures notes support the implementation of the policies, including controls, by providing step-by-step instructions on implementing the firm’s AML measures. They cover critical areas such as client onboarding, reporting suspicious activities, record-keeping, and the identification of employees’ training needs. Procedures notes help to ensure that all staff can perform their duties effectively and in line with the firm’s documented AML policies.

An appropriate framework of policies, controls and procedures helps to ensure AML compliance. It also demonstrates (to an AML supervisor, for example) an authentic approach to compliance, and supports a culture of compliance within the firm, where clear expectations are set and understood.
