Getting on top of AML compliance requires getting to grips with various rules, processes, and challenges. It can be tough with evolving legislation and new Anti-Money Laundering (AML) technology. This article is your all-in-one guide to the key elements you need to know to make AML compliance work for your accounting or bookkeeping practice.
We’ll cover the fundamentals of how to overcome common challenges and share resources to help you and your team stay on top of things. Whether you're just starting your practice and are new to AML or looking to enhance your existing knowledge, we've created this piece to help you master AML compliance.
Introduction to AML compliance
AML compliance is an essential pillar of running your practice, and more recently its popularity from the supervisory bodies has raised the awareness of what needs doing, and what firms aren't doing.
As one of the key financial partners for businesses, accountants have intimate insight into their day-to-day financial activities, sources of income and business activities. A key component of fighting financial crime is the task of monitoring all of these elements to make sure that any revenue generated is legitimate, and where it's not, it's reported to the relevant authorities.
What is AML and why is it important?
When we talk about AML in the realm of accountants and bookkeepers it refers to two components.
- There is what we've mentioned above about monitoring for any suspicious activity or things that look out of place.
- The other side to that coin is that firms themselves have to do certain things to reduce those risks and demonstrate they are doing them to be AML compliant in line with the money laundering regulations.
The acronym, AML, typically evokes emotions like fear, pain, or apathy (from our experience), and that's because there is a lot of guidance and legalese. And so actually knowing what to do from your firm's perspective can be daunting. There are however simple practical steps that you can take to stay on the right side of the law (which we share in the remainder of this article ⬇️), build a streamlined process for being AML compliant, and just get it done.
Whilst it can feel like a drag, remember the reason behind AML compliance, is actually to make sure criminals can’t disguise illegally obtained funds as legitimate income, funding and financing terrorism doesn't happen, and that money isn't being used for the proliferation of weapons of mass destruction, which is good for the whole world, not necessarily just countries amid conflict.
Why does AML compliance matter?
AML compliance is somewhat perceived as a box-ticking exercise. And for small practices working with SMEs this is particularly heightened as we hear quite often, "I know all my clients and their businesses personally, they're not criminals". Whilst this is most likely the case, there are real benefits to giving AML compliance the importance it deserves, and it can have real benefits for your firm when you get it right:
- Protecting your firm’s reputation: Accounting is a trust-based industry. Reliability and honesty play a key role in helping firms maintain their reputation and grow their business. Engaging in or inadvertently facilitating money laundering due to a lack of controls wouldn't help enhance your firm's reputation. Having strong AML processes not only protects your firm from money laundering risks, it demonstrates to your clients that you have consistent standards across all aspects of your work, be that client-facing or maintaining the integrity of your firm's operations.
- Avoiding penalties: Regulators are cracking down on AML violations – and these fines can be extremely steep. A lot of firms we talk to are challenged by the cost of managing AML compliance, but when you compare the cost of staying compliant with the potential financial and reputational risk, it's obvious placing some emphasis on your AML compliance is worthwhile.
- Risk management: A core part of the work you do surrounding AML compliance is about knowing who your clients are and how their businesses operate. Ensuring you're doing everything you can from a compliance perspective can be additive to your client relationship, and maybe even open up opportunities for new services as you review and update client risk profiles periodically. It can be positive all around, you can drive existing value from your clients and you can ensure you're staying on top of managing AML risk in the process.
AML regulations you need to know
While you don’t need to get in the weeds of reading every piece of legislation (we've done that for you), it does help to understand a snapshot of the rules that form the foundation of the UK's AML regime.
The key laws and regulations you need to be aware of are:
- The Money Laundering Regulations 2017 (MLR 2017): This is the primary legislation governing AML practices in the UK, outlining the requirements for customer due diligence, record-keeping, and reporting suspicious activity.
- Money Laundering Regulations 2019: While more recent, this is mainly an addendum to the above, but makes important changes to the latter – namely extending the scope of the regulated sector, updating customer due diligence and enhanced due diligence and requiring firms to report any data discrepancies (such as any PSC discrepancies with Companies House).
- The Proceeds of Crime Act 2002 (POCA): POCA provides the legal framework for confiscating the proceeds of crime and outlines the offences related to money laundering. For accountants, the relevant details are the need to report suspicious activities to the National Crime Agency (NCA) and define the penalties for non-compliance.
There is a plethora of complex, and specific guidance out there for the accountancy sector, a good place to start though if you want to dive deeper into the regulations is with the CCAB Anti-Money Laundering and Counter-Terrorist Financing Guide.
Alternatively, we've put together some AML training specifically for accountants, and in our 'Introduction to AML' course, we cover the above in a bitesize, interactive way so you can learn about the foundations, and how they are applied in practice.
Understanding the fundamentals of AML
AML compliance comes down to policies, and processes, of which a big part is taking a risk-based approach. If you can get the right foundations in place, then you can keep your firm compliant, and ensure you're on top of any money laundering risks.
Practical steps for getting started with AML compliance
So if you’re just getting started, here’s what you need to do:
- Document your AML policies, controls and procedures: given that AML is a firm-wide responsibility, you need to make sure everyone is following and has an understanding of your firm's process. An AML policies, controls and procedures document details everything your firm is committed to doing to prevent money laundering, terrorist financing, proliferation financing and complying with AML laws, including:
- Who is responsible for key processes, and the role of your Money Laundering Report Officer (MLRO),
- How you assess risk and carry out due diligence,
- What steps to take when you suspect there might be some suspicious activity,
- Your internal process for training, record-keeping and maintaining your controls and procedures.
- Perform thorough client risk assessments: A client risk assessment is a set process for defining the risk each potential client demonstrates concerning money laundering. Every client should be assessed with a risk-based approach, and where necessary any risks identified and documented so you can demonstrate how you mitigate those risks. Alongside client-level risk assessments, you'll need to maintain an overall portfolio view, which is where your firm-wide risk assessment plays a role, documenting your risk, and mitigating factors across your entire client base.
- Implement customer due diligence (CDD) procedures: Firms need to know who they’re doing business with – that’s why CDD is essential. Checks involve identifying and verifying who you're working with, which involves the collection of basic contact details (typically referred to as KYC – Know Your Customer). In some cases you may also choose to run Politically Exposed Persons (PEP) checks, screen against sanctions lists, or run adverse media checks. PEP and sanctions checks aren't essential for CDD, but can provide an additional insight into your client. There might be some cases too where you collect evidence of the source of funds, or wealth – this will be documented in your policies, controls and procedures document which reflects your firm's stance on when this is required.
- Ongoing monitoring and reporting: AML isn’t a one-and-done activity. Firms need to stay on top of their client's activity. Ongoing monitoring implies by its very nature that things need to be 'always-on' and automated. Whilst that can be beneficial for transaction monitoring, ongoing monitoring really refers to the process of updating and assessing client risk as appropriate, and if anything 'odd' crops up whilst you're filing a tax return or combing through financial statements, you take action to follow up on the perceived suspicious activity.
- Keep your training up to date: AML changes fast, so you need to make sure your team has the skills and knowledge to perform their duties. This should be carried out at least annually, and include new rules, changes to your risk model and learnings from any issues that might have been identified during the previous period. There is no hard, and fast rule on how to do AML training, but we believe it's a good idea to do a mix of firm-specific policy training, and attending some external events to gather other perspectives and ideas on AML compliance.
How to carry out an AML risk assessment
Risk assessments are a core part of AML and risk management. By understanding where the risks are, you can be best prepared to mitigate risks and work with your clients in the right way, yet documenting and carrying out risk assessments is still one of the most common gaps in firms’ AML compliance. So here’s a quick take on what they involve:
- Do your research: It all starts with comprehensive data on your clients, including their industry, geographic location, transaction patterns, and business activities. This information is crucial for understanding the potential risks each client may pose and helps you identify areas where you might need to ask more questions or do some more digging.
- Assess the risks: Once you’ve got the data, look at various risk factors such as the client’s background, the complexity of their business structure, the nature of their transactions, and their geographical ties. For example, clients operating in high-risk industries or countries may warrant a few more checks.
- Categorise the client: Based on your analysis, assign clients different risk levels (e.g., low, normal/medium, high) to help you decide what level of scrutiny you need to apply, and how often. You'll find in most cases your clients are normal/medium risk, but no doubt you'll have times when it's not a simple Limited Company with one Director structure.
- Mitigate the risks: Work out and implement controls tailored to the identified risk levels. For high-risk clients, this will probably include enhanced due diligence (EDD), more frequent transaction monitoring, additional verification steps, and requirements to demonstrate their source of funds or wealth depending on what services you're going to be offering the client.
- Document and Report: Keep detailed records of your risk assessment process, including the data collected, the analysis conducted, and any decisions made, even if it’s just a Google doc – documenting your reasoning and decision-making is the most important part when it comes to demonstrating your AML compliance.
How to make AML work for your firm
A sporadic, tick-box, AML process is better than nothing, but unfortunately, the supervisory bodies are looking for what you're not doing, so making sure there is consistency in your process (even if it is the bare minimum) is a good approach. AML compliance is one of those things that isn't worth half-a$$ing, and not having all elements kept on top of. What's the point in doing client risk assessments, if you're not verifying IDs for all your clients, or your staff training records aren't up to date or documented?
Let’s look at the common issues we find firms have with AML compliance management and how to solve them:
- There are too many rules: It’s true, there are a lot of rules to get your head around, but it doesn’t have to be a never-ending struggle. Simply getting on top of the fundamentals, any changes are more of a matter of tweaking your systems, rather than reinventing the wheel. In particular, it pays to understand any nuances for your particular supervisory body, we know that some of them place more emphasis on certain parts of the regulations than others.
- It's hard to get the information from my clients: Given the lack of knowledge around AML, clients may end up being blockers, dragging their feet on providing necessary information for due diligence, and sometimes not being willing to share sensitive information over email. This one comes down to communication – explain why it matters and provide them with secure ways to share information – and maybe invest in technology to make it easier to manage (speaking of which…)
- It takes too long: Manual record keeping of due diligence and risk assessment is tedious and time-consuming – checking lists and cross-referencing details across multiple systems and/or documents also creates more opportunities for human error. Tools like Firmcheck can consolidate your firm's AML compliance management for all clients into one place, including due diligence, risk assessments, ID verification, and address verification (to name a few things) so you can have confidence in how you're staying on top of your AML obligations.
Staying 'in the know' with AML compliance
As we’ve covered (and you know), AML is a dynamic, complex (and let's be honest), uninspiring field. And the more you and your team understand its role and scope, the more you can turn AML from a chore into an opportunity. Alongside the right tools and processes, your people are the core of your service offering here, meaning that proactive education translates into more streamlined AML processes:
- Faster, more effective execution of AML processes,
- Measurable reductions in risk for your firm,
- Increased confidence that you're meeting your AML obligations,
- Wider scope for using AML to add value for clients and your bottom line in the way of new service offerings.
If you want to put the contents of this article to the test we have a range of resources and learning courses available – including our own free, Introduction to AML for Accountants course.
That's enough for now, but if you do want to explore how technology can benefit you, and help consolidate your AML compliance management into one, secure place, the Firmcheck team is standing by to give you a demo of how you can streamline your AML management.
(NB: This article doesn't constitute legal advice and is only intended for general informational purposes. Always consult with a legal expert or compliance consultant for guidance specific to your firm.)