The money laundering regulations require all accounting firms to have an AML supervisor. Who your supervisor is typically boils down to which professional body you are aligned with. In conversations, we most commonly find that the Association of Chartered Certified Accountants (ACCA) and the Institute of Chartered Accountants in England and Wales (ICAEW) are more popular, but there are a plethora of other professional bodies that also act as supervisors for their members.
Regardless of who your supervisor is, their mandate is the same: make sure their members comply with the UK Anti-Money Laundering regulations. Whilst each body might take a slightly different approach to supporting and auditing members, the requirements don’t change, meaning that the issues we see published by each of the bodies are largely consistent across the board.
The ICAEW recently published their 2022/23 AML supervision report, which is full of excellent insights all of us can learn from. We dived deep into the report and wanted to highlight some of the core challenges they continue to find with AML compliance in practices, and what that means for you.
But, before we get into that, just some key stats from the report to provide some context as to the scale of the findings. ICAEW supervises and monitors roughly 11,000 firms for anti-money laundering activity, and since they introduced AML supervision in 2007, they have carried out over 21,000 monitoring reviews looking at AML within firms. In turn, that gives a lot of data points and insights that we can use to improve the AML capability of the accounting industry as a whole, not just for ICAEW members.
The top 3 most common findings
When compared with the previous year's report – the top 3 most common findings didn’t change, they might have changed in ‘order’ but they were still among the 3 most common findings. And, as we’ve said, whilst these may be specifically from the ICAEW report – these insights apply to any firm, no matter who your supervisor is.
1️⃣ Updating customer due diligence (CDD)
The report indicates that many firms are failing to perform or update CDD throughout the client relationship. We’ve also heard this during some of our early conversations with customers and prospective customers – the requirement to manage due diligence on an ongoing basis is often missed, or not known.
Even if you are verbally checking or asking clients about changes on an annual basis (or even better more regularly) this still doesn’t mean anything if these interactions aren’t being adequately documented – because the proof is in the documentation, and the documentation is what demonstrates compliance.
The easiest way to solve this is by building it into your reviews with clients. Building a task item into your practice management system can help remind you, and using an AML system that makes it easy to identify when a review is due, and that documents the evidence for you, can help you sharpen up your process here.
The importance of updating CDD can’t be overstated: it’s how you stay on top of your risk and keep a handle on your client relationships, and ultimately it’s a key obligation of the Money Laundering, Terrorist Financing, and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017).
2️⃣ Risk assessing clients
It was highlighted that the performance of risk assessments is being neglected – often focusing solely on identity verification, and not considering the other potential risks. A more alarming finding is that risk assessments were in some cases only being carried out in an ad hoc fashion, with only select clients being assessed.
We get it – if you’re onboarding ‘Tina’s Tyres Ltd.’, who are a small local business, and Tina is your best friend's wife, you probably feel like “you’ve known Tina for years”, so why bother doing a full risk assessment, or even bother at all?
Unfortunately, when it comes to the regulations, that doesn’t cut it. Even if you know there is no risk whatsoever, documenting those decisions is so important. The biggest challenge we’re seeing in this space to date is that firms have either non-existent or disorganised processes, so a good place to start is by consolidating them into one place.
The key things to evaluate as part of a risk assessment are:
- Client risk – this will include things like the client’s industry, geographic location, ownership structure, and nature of transactions.
- Service risk – this is all about assessing whether the services the business offers are more susceptible to money laundering. For example, we know real estate is a channel commonly used by money launderers to re-introduce illicit funds into the financial system.
- Delivery channel risk – the last is how the services are delivered: face-to-face, remote, or via an intermediary. These factors can impact the level of risk associated with the client.
If you’re unsure about how to assess risk, what to look out for, and some of the nuances of managing risk and what that means for CDD, we recommend jumping into our education course on ‘Risk and Onboarding’.
3️⃣ CDD on new clients
This point is closely connected to number 2! As with our example with ‘Tina’s Tyres Ltd.’, the report highlighted that there have been instances where firms have not performed CDD on all new clients, with some adopting a casual approach based on personal relationships.
As we’ve mentioned, it is easy to feel like it’s unnecessary, but largely that’s because there isn’t an easy process or way to document this onboarding process simply. Regardless of how trustworthy you feel the client is, you must treat the due diligence component objectively, and this comes back to having a good process in place. Whether that’s a task list you follow in your practice management system, or a Word or Google Doc that has a checklist, actually having a process is a good starting point. Then, by making sure you document your decisions regardless of how ‘trustworthy or simple’ a new client is, you can make sure that when your supervisor does ask, you’ve got a clear record of what you’ve done (which is ultimately what your supervisor is looking for from a compliance perspective).
We’ve put together this handy guide if you’re looking for ways to build a more compliant onboarding process.
Other key components of AML compliance to get right ✅
The ICAEW report identified 10 common findings. In addition to the top 3 (which are some of the most important for compliance), there are still many other key components that form a really strong basis for demonstrating a robust AML compliance program.
In order (from the report), they are:
- Incomplete criminal record checks on beneficial owners, officers and managers (BOOMs) in the firm
- Review of policies, controls, and procedures
- Reporting discrepancies in the PSC register
- Firm-wide risk assessments
- Training and education
- No written procedures
Criminal record checks on BOOMs
Conducting comprehensive criminal record checks on beneficial owners, officers, and managers (BOOMs) is crucial to identify any potential risks associated with individuals who have significant control or influence over the firm. Money laundering activity and organised financial crime are complex, and whilst we as accountants take measures to ensure the businesses we work with are legitimate, we must also protect our firms to reduce any potential points of weakness in fighting financial crime. Part of this involves the requirement to run criminal record checks on BOOMs. There is a little bit of nuance to account for between unspent and spent offences. However, under the Money Laundering Regulations (MLR 2017) an individual must not act as a BOOM if they have been convicted of a ‘relevant offence’, so running checks is essential to protect your firm – you can learn more about BOOMs and the nuances of the requirements here.
Reviewing policies, controls and procedures
New types of financial crimes or changes in legislation can render existing controls obsolete, hence periodic reviews are essential to maintain the firm’s compliance posture. For example, when cryptocurrency reared its head, criminals began exploiting it, and legislation, processes, and policies had to change quickly to help stop the use of cryptocurrency for illicit activities. Simply creating policies and controls ‘just so you have them’ is not enough – you need to demonstrate evidence that you’ve reviewed them, and made changes where appropriate as things have changed or risks have been identified.
Reporting discrepancies in the PSC register
A person with significant control (PSC) is someone who owns or controls a company. Accurate PSC information is vital for tracking beneficial ownership, and discrepancies might indicate attempts to obscure ownership, a potential red flag for money laundering.
If you identify a discrepancy between the information you gather while carrying out your regulatory obligations and the information your client has provided on the PSC Register, you must report the discrepancy to HMRC or Companies House.
Making sure you’ve got a policy or process in place, that is documented, is part of meeting this obligation (and of course notifying the relevant bodies when you do find a discrepancy).
Firm-wide risk assessments
Assessing the individual risk of each client is important, but having an overall risk snapshot across your entire firm is equally important. A key component of the MLR 2017 is a risk-based approach. In the past ICAEW found that firm-wide risk assessments hadn’t been carried out, whereas in the latest report, they found that they are now being performed, but not covering all the risks faced by the firm.
Your firm should always have its own risk-based framework that is documented and complies with AML laws, but to give you a helping hand and a starting point, we’ve created a firm-wide risk assessment template that you can copy and make your own.
Training and education
The ICAEW found that some firms had failed to provide sufficient AML training to their staff. An easy place to start is by creating a plan, along with a centralised place to document who completed what training and when.
It is a requirement that your employees complete AML training at least once a year, but we shouldn’t view it as something that we just have to do to be compliant. Regular AML training will equip your team with the necessary skills and knowledge to identify suspicious activities, assess risk more thoroughly and stay up to date with AML legislation.
The lack of consistent and regular training is what motivated us to create our (growing) range of FREE educational courses at Firmcheck. We’ve worked with AML experts to develop the content, and we’ve packaged it in a way that is easy to consume, and dare we say it… “fun”. We’ll also give you a certificate afterwards, and if you need the records for your whole firm, we can easily provide you with a report which will have all the information you need to demonstrate your completed training.
No written procedures
Last but not least there were some instances where firms had no written procedures, so even if they were doing something, it wasn’t clear how they were doing it, or what procedures they were following. As we’ve touched on already, a key obligation of the MLR 2017 is having clearly documented policies and procedures that are unique to your firm – there are several templates out there that you can use for inspiration, so it’s worth checking in with your professional body to see if they have one, but remember it has to be unique to your firm, copy and paste won’t cut it. There’s having written policies, and there’s following written policies – the ‘following’ part is more important.
Consequences for non-compliance
There is a growing focus on AML for the accounting sector, and it’s not going to go away any time soon.
Whilst it seems that the professional bodies generally approach non-compliance in more of a collaborative manner as opposed to taking a hard-line approach – there have been some larger fines creeping into the world of accounting.
If we look at an example from the article above;
On 12 April 2023, an ICAEW member was found guilty of misconduct for (a) failing to fulfil assurances provided to the ICAEW regarding CDD procedures; (b) breaches of the MLR 2007; (c) failing to conduct a FWRA (firm wide risk assessment), not having an AML policies and procedures document in place, and not implementing appropriate CDD arrangements; and (d) failing to cooperate with the practice assurance committee process. He was severely reprimanded, fined £8,000, and ordered to pay costs of £10,825.
Given the number of small practices in the UK, fines like the above could be enough to severely hinder or damage business growth, and let's not mention reputation. Unfortunately, cases like this might become more prominent, and if the banking sector is anything to go by, we could end up hitting million-pound territory when it comes to fines.
It’s a scary prospect, yet the best thing you can do is start putting the basics in place and building those foundations. Software can help, but so can understanding your requirements and obligations, and that all starts with education.
If you’d like to learn more about how Firmcheck might be able to help you level up your AML compliance program, or just get something in place, you can book a quick 20-minute demo with us, and in the meantime get started with your learning with our free education.
(NB: This article doesn't constitute legal advice and is intended for general informational purposes only. Always consult with a legal expert or compliance consultant for guidance specific to your firm.)