Small firms fall short on AML checks, says ICAS

Smaller accountancy firms are falling short in applying anti-money laundering (AML) checks to higher-risk clients, according to the Institute of Chartered Accountants of Scotland’s (ICAS) latest AML Supervision Report.

Covering the period from 6 April 2024 to 5 April 2025, the report found that smaller practices and sole practitioners were more likely to experience “significant or repeated compliance issues”, often linked to limited resources and time devoted to compliance.

ICAS supervises more than 750 firms for AML and counter-terrorist proliferation financing compliance, most of which are based in Scotland. During the reporting period it carried out 150 full-scope monitoring visits – the highest number since 2019 – alongside 29 thematic reviews, bringing the total number of firms reviewed to 179.

The supervisory body said the main factor associated with non-compliance was firm size, with smaller firms struggling to maintain consistent AML procedures. It noted that some sole practitioners had difficulties when money laundering reporting officers were nearing retirement or facing personal circumstances that disrupted oversight.

Two small firms newly classified as non-compliant were found to have “notable resource limitations”, which ICAS said “significantly contributed to their non-compliance”.

Among higher-risk clients, firms frequently failed to identify or document key risk indicators. These included cash-based businesses, clients with overseas or sanctioned-country links, and those in industries vulnerable to criminal exploitation such as human trafficking.

In one case study, a high-net-worth client previously convicted of fraud was not flagged as high risk, and the expected mitigation measures were not formally considered.

Overall, 34% of firms reviewed had inadequate client risk assessments, 29% lacked sufficient “know your client” documentation, 26% failed to apply enhanced due diligence, and 25% fell short on ongoing monitoring. While the rate of identity verification failings fell to 17% from 27% the previous year, ICAS said the figure remained concerning.

ICAS also noted that many weaknesses in ongoing monitoring were “largely documentary” rather than failures to identify risks, reflecting the impact of a new risk-focused inspection regime introduced in August 2023.

Ten of the 11 firms whose compliance ratings declined were found to be affected by resource constraints, gaps in understanding client-specific risks, or both. ICAS described the pattern as a “recurring issue”, particularly among smaller firms.

The regulator urged firms to ensure that AML systems – including client risk assessment, due diligence and ongoing monitoring – are sufficiently robust to handle complex or high-risk engagements, regardless of firm size.