Prepare for an AML audit

Audits: how to prepare and what to expect.

Just as MLR 2017 requires firms (as ‘relevant persons’ under the Regulations) to undertake AML compliance measures, so it requires supervisory authorities to supervise firms in accordance with Part 6 of MLR 2017.

Each of the professional accountancy bodies listed in Schedule 1 to MLR 2017 is the supervisory authority for its members and firms. In addition, HMRC is the supervisory authority for (among others) external accountants, tax advisers and trust or company service providers not supervised by the FCA or one of the professional body supervisors (PBSs). Where a firm could be supervised by more than one supervisory authority, the supervisory authorities may agree that only one of them will act as the supervisory authority for that firm. (The PBSs communicate to ensure that a practice that leaves a body’s supervision is then supervised by another PBS or by HMRC.)

The PBSs are answerable to the Office for Professional Body Anti-Money Laundering Supervision (OPBAS). OPBAS exists (within the FCA) to facilitate collaboration and information sharing between the PBSs, but also to oversee the supervisory arrangements of the PBSs. Of course, the remit of OPBAS cannot extend to oversight of the statutory supervisory authorities (such as HMRC), and that may be seen as a weakness, given that so many accountants are supervised by HMRC. However, OPBAS does communicate with HMRC with the objective of achieving consistency.

Duties of supervisory authorities

The responsibilities of the supervisory authorities (including HMRC) are mainly contained within Chapter 1 of Part 6 of MLR 2017. Regulation 46 requires a supervisory authority to monitor its supervised population and take steps to ensure compliance. There must be onsite monitoring, as well as offsite supervision, and regulation 46 specifically requires that the supervisory authority must review:

  • a practice’s firmwide risk assessment (FWRA),
  • the adequacy of the practice’s policies, controls and procedures, and
  • how those policies, controls and procedures have been implemented.

AML supervision must be seen to be robust – to satisfy OPBAS, but also because MLR 2017 specifically requires a breach of a relevant requirement (defined in Schedule 6) to render a practice liable to proportionate and dissuasive disciplinary measures.

Powers of supervisory authorities

To be able to carry out its duties effectively, MLR 2017 affords certain powers to the supervisory authorities, which include the power (in regulation 66) to require information. A supervisory authority may (by notice in writing) require a firm to:

  • provide specified information, or information of a specified description;
  • produce specified documents, or documents of a specified description; or
  • attend before an officer of the supervisory authority at a specified time and place and answer questions.

This includes the power to require the production of copies of any SARs made to the NCA. It is interesting to note that there is no corresponding provision in MLR 2017 to require a firm to retain copies of SARs submitted. Nevertheless, you would be well-advised to retain them – securely and in compliance with the record-keeping requirements of regulation 40.

What a supervisory authority would expect to see

The duties and powers of a supervisory authority set out within MLR 2017 give us a good indication of what a supervisory authority would want to see during an AML compliance visit. We shall use the term ‘compliance visit’, even though some reviews by the AML supervisors are conducted remotely. In that case, the supervisory authority will nevertheless require access to the firm’s AML records and will expect to discuss the firm’s AML policies and procedures with its Compliance Officer (and perhaps other senior members of staff). But bear in mind that the powers of a supervisory authority to require information are wide-ranging.

The supervisory authority has a general duty to ‘effectively monitor’ those within its supervised population. In the case of a PBS, what is ‘effective’ is determined by OPBAS. However, as stated earlier, regulation 46 requires an AML supervisor to:

  • review your firm’s FWRA,
  • review and consider the adequacy of the firm’s policies, controls and procedures, and
  • review the way in which its policies, controls and procedures have been applied in practice.

The third of these bullet points gives a lot of flexibility to the supervisory authority in the way it chooses to review how a firm’s policies, controls and procedures have been implemented. However, it is reasonable to assume that diligent documentation of a firm’s policies and procedures (based on its FWRA) would reduce the need for the supervisory authority to inspect many client files, for example.

Due to the wide-ranging power of a supervisory authority to require information, there is rarely anything to be gained in resisting your AML supervisor’s requests – either during an AML compliance visit or at any other time. For example, some PBSs now ask each firm to submit its FWRA alongside an annual return. This better enables the supervisor to monitor its members and firms, on a risk basis, and should not be resisted. Of course, if you genuinely believe that the supervisory authority is requesting irrelevant information that may be sensitive or confidential, you may engage with the supervisor to challenge their request in a constructive manner.

Possible areas of focus during a compliance visit

Although a supervisory authority may look at anything related to the implementation of a firm’s AML policies and procedures, its checklist of things to review will include some or all of the following. We discuss record-keeping in a separate section of this guidance, but, needless to say, effective record-keeping will make the compliance review process much easier.

1. Policies, procedures and controls

These must be clearly documented and tailored to the circumstances of the firm. They should be evidenced as up-to-date, and easily accessible by all relevant employees. It may be useful to have a record of how and when they were communicated to relevant employees.

2. Firmwide risk assessment

Some professional bodies now collect the firm’s FWRA as part of the annual return process. But it is also important that a firm can produce an up-to-date FWRA during an AML compliance visit. It should also be able to explain how any areas of risk have impacted the firm’s policies, controls and procedures.

3. Evidence of CDD

The firm’s CDD measures must be documented, to show the three components of CDD:

  • sufficient information-gathering about the client,
  • the money laundering, terrorist financing and proliferation financing risk based on that information, and
  • the verification work performed (including ID verification), based on the client risk assessment.

The AML supervisor will also expect to see that excerpts from the relevant registers have been collected and reviewed, and that any discrepancies have been reported (to Companies House or HMRC).

4. Training records

A separate section of this guidance explains the importance of employees’ training records. AML training must be seen to be adequate and relevant. It would be reasonable for a PBS to inspect the CPD records of any of its members and, in a small practice, the AML training of professional staff may be integrated into their own CPD records (provided that AML training is easily identifiable and quantifiable).

5. Approval of BOOMs

Regulation 26 of MLR 2017 states that no person may be the beneficial owner, officer or manager (BOOM) in a firm unless they have been approved as such by the firm’s supervisory authority. It is the firm’s responsibility to ensure that no-one is appointed as an officer or manager unless they have been approved as such.

An application for approval must contain (or be accompanied by) sufficient information to enable a PBS to determine whether the person concerned has been convicted of a ‘relevant offence’. Many PBSs require the results of a criminal record check to be submitted; alternatively, a PBS may require confirmation that the firm has seen a criminal record certificate (eg from the Disclosure and Barring Service), in which case the PBS would inspect all criminal record certificates during a compliance visit.

6. Copies of any SARs made to the NCA

The supervisory authority’s power to require a firm to provide copies of any SARs submitted to the NCA is set out explicitly in regulation 66(1A). Many believe that the accountancy sector does not submit a sufficient number of SARs. Therefore, an AML supervisor may also want to see the rationale for not reporting a particular activity to the NCA. The supervisor is likely to have more confidence in a firm that retains clear evidence of internal SARs considered by the Nominated Officer, and the process of determining whether there was reasonable cause for suspicion.

7. Evidence of compliance reviews by firms

There is some uncertainty – among sole practitioners in particular – about the need for a firm to regularly conduct its own AML compliance reviews. Regulation 19 states that a firm’s documented policies, controls and procedures must include ‘the monitoring and management of compliance with’ the firm’s AML policies, controls and procedures.

According to regulation 21, ‘where appropriate with regard to the size and nature of its business’, a firm must appoint someone as Compliance Officer and ‘establish an independent audit function’ responsible for examining the effectiveness of the firm’s policies, controls and procedures. It goes on to state that, when considering what is ‘appropriate’ with regard to the nature of the business, a firm:

  • must take into account its FWRA; and
  • may take into account any guidance issued by a supervisory authority or appropriate body and approved by the Treasury.

The latter would include AMLGAS, which states that a sole practitioner with no relevant employees would not be expected to establish an independent audit function. Nevertheless, they must have documented AML policies, controls and procedures, and be able to demonstrate that they monitor compliance with them.

What happens after an AML compliance visit?

The purpose of an AML compliance visit is primarily to determine the money laundering and terrorist financing risk presented by the firm. The supervisory authorities tend to use a grading system as part of a visit outcome, which will usually categorise the firm as compliant, generally compliant or non-compliant. It is in the public interest that the supervisory authority supports a non-compliant firm in raising its level of compliance. While this will often involve a plan for remediation, and sometimes enforcement action, the objective is not to punish the firm. Most PBSs would only take enforcement action (such as financial penalties) after a firm has failed to improve following an unsatisfactory visit outcome, or if the firm has shown a disregard for AML compliance.

But the fact that a supervisory authority will rarely take enforcement action after an initial visit is no reason to be complacent. If your firm is ill-equipped in the area of AML compliance, it will be difficult (and resource-intensive) to prepare for an AML compliance visit. After the visit, too, the firm will likely have to create and implement a plan to remedy several shortcomings. Clearly, this absorbs time and other resources that the firm would rather be applying to serving its clients. In short, you and your firm should not leave it too late to engage with the subject of AML compliance.

Addressing the findings of a compliance visit

When deficiencies are identified during an AML compliance visit, the firm should respond promptly (and certainly within the timeframe set out by the supervisory authority). Some AML supervisors will ask the firm to prepare a detailed plan – with appropriate timings – to demonstrate a controlled approach to remedying the shortcomings and mitigating AML risk. If the firm fails to engage with the remediation process at this stage – presenting the supervisory authority with a plan that appears effective and workable – it will attract greater scrutiny from the supervisory authority going forward.

The firm must then ensure that it does what it has said it will do. If the proposed timings start to slip, it will be difficult to make up time. However, if that happens, it is advisable to be proactive and inform the AML supervisor of the issue with a view to agreeing a flexed remediation plan.

Where the findings from the compliance visit have been set out in a detailed report, communicating the contents of that report among the firm’s relevant employees can serve as effective training. It will rarely be appropriate to conceal the findings of an AML compliance review from relevant employees. In fact, staff training will often be a sensible priority for any remediation plan, as the knowledge gained by staff will assist in the implementation of other elements of the plan. At times, engaging a consultant at an early stage will also be helpful – not only in remedying specific areas of non-compliance, but in providing confidence to the supervisory authority.

Conclusion

Each supervisory authority has a duty to monitor its supervised firms and must be seen to do so according to a review cycle (based on assessed risk). Therefore, no firm can escape an AML compliance review. The supervisory authorities have wide-ranging powers, and the PBSs are expected to use those powers to meet the standards demanded by OPBAS.

Supervisory authorities are used to seeing documentation that has been created shortly before a compliance visit. When this happens, it is relatively easy for an inspector to find examples where AML policies, for example, have not been applied. The most positive AML compliance visits require very little preparation, because the firm will have effective systems to ensure policies, procedures and other documentation are always sufficiently up-to-date.

A few points to remember

  • Documented AML policies are fundamental. Together with the FWRA, they drive the other AML compliance procedures.
  • Documentation and record-keeping are obligations set out within MLR 2017. Therefore, if a firm has failed to document a process (such as a risk assessment for example), it is reasonable for an AML supervisor to conclude that it has not taken place.
  • Although it is a requirement of MLR 2017, effective AML training of relevant employees also benefits the firm. Recording AML training (carefully planned and undertaken) demonstrates a diligent approach to AML compliance.
  • Be aware of the sorts of documentation a supervisory authority may expect to be made available during an AML compliance visit. Do not underestimate the importance of documentation evidencing regular compliance reviews (even if you are a sole practitioner).
  • Constructive engagement with your AML supervisor – before, during and after a compliance visit – will demonstrate a positive attitude towards AML compliance, and so build a degree of confidence and trust into the relationship.
