It’s highly likely that more than £12bn of criminal cash is generated annually in the UK, with the global scale of money laundering hitting hundreds of billions of pounds annually. That’s according to the National Crime Agency’s (NCA) National Strategic Assessment of Serious and Organised Crime 2021. However, many accountancy firms are struggling with AML compliance. Institute of Financial Accountants (IFA) CEO John Edwards sets out some common issues and offers the simple solutions.
As part of its requirements as a supervisory body listed in Schedule 1 to the 2017 and 2019 Money Laundering Regulations (MLR), the IFA’s AML monitoring reviews identify key areas in which firms (including sole practitioners) are non-compliant with the Money Laundering Regulations. In 2021, 38% of firms were deemed as non-compliant, i.e. systems and controls (including training) within the firm were lacking, compared with 28% in 2020.
Some of the most common findings and issues arising from assessments that resulted or could result in a non-compliant outcome are outlined below, along with help for firms, industry-wide to resolve them:
Firm-wide risk assessments (Regulation 18)
Firms are required to have a written risk assessment, to identify money laundering and terrorist financing risks that the firm may face and how they would mitigate against those risks. This must be approved by senior management and reviewed annually.
SOLUTION: The key is to avoid templated risk-assessments, review them regularly, and always update when onboarding a new client. 71% of non-compliant firms failed to have an up-to-date written firm-wide risk assessment, or the existing firm risk assessment failed to meet the required standard. Examples of inadequate firm risk assessments included blank client risk assessments as well as template documents sourced from third parties, often websites, that had been copied and not tailored to the firm.
Adequate written policies, controls and procedures (Regulation 19)
Firms are required to have adequate written policies, controls and procedures in place. 78% of non-compliant firms did not have appropriate policies and procedures in place and/or they were not reviewed on a regular basis. Firms either had no written policies and procedures or had copied documents from other sources which had not been tailored or implemented by the firm. In some circumstances, firms had not reviewed their policies, controls and procedures on a regular basis.
SOLUTION: Firms should make use of AML compliance software which is often provided by their professional accountancy membership body or is readily available to purchase direct. AML compliance software typically includes a firm risk assessment, an annual requirement to review it, as well as policies and procedures, services provided, and client base which are tailored to the firm.
Review of policies, controls and procedures (Regulation 21)
This requires firms to have appropriate internal controls, and is usually the responsibility of the Money Laundering Reporting Officer (MLRO) or Money Laundering Compliance Principal (MLCP) for larger firms. The MLRO/MLCP is required to attend appropriate AML training and to complete an annual AML compliance review of the firms’ policies and procedures to ensure they are appropriate to the firm and its client base, and that the firm has appropriate resources including training requirements. In some instances, the IFA found that non-compliant firms had sometimes not designated an officer or employee in senior management to be responsible for reviewing or ongoing monitoring of compliance with the regulations. 91% of non-compliant firms had not undertaken an annual AML compliance review and/or completed appropriate training (92% in 2020).
SOLUTION: Firms can use the AML compliance checklist and the MLRO training available on their AML compliance software package to make these simple strategic changes.
Training (Regulation 24)
All relevant employees are required to undertake regular AML training to recognise and deal with transactions which may be related to money laundering, as well as to identify and report anything that gives grounds for suspicion. 87% of non-compliant firms – up by 19% from the previous year – could not provide documentation to support that appropriate and regular training had been provided to relevant employees (including sole practitioners).
SOLUTION: Firms must ensure that they are aware of their money laundering obligations, the firm’s policies, procedures and controls and how to apply them, and are required to maintain a training log. AML training can be delivered in several ways: face-to-face, self-study, e-learning, video presentations or a combination of them all. Typically, most supervisors will provide dedicated AML training.
Criminal record checks of BOOMs (Regulation 26)
A firm must register and receive approval of all beneficial owners, officers or managers (BOOMs) with their AML supervisory body. This includes the need to ensure all BOOMs have a recent criminal record check, often referred to as a Disclosure Barring Service (DBS) check.
The IFA found that two-thirds (65%) of non-compliant firms have no current DBS certificate/s. Common errors included naming an employee as the MLRO who was not senior enough to undertake this role and also failed to provide their DBS. Another issue relates to the appointment of a partner as company secretary, which is often not required but still requires approval and a criminal record check.
SOLUTION: Details relating to BOOMs can be found on the IFA website along with instructions on how to obtain a criminal record check.
Client risk assessments and client due diligence (Regulations 27 and 28)
These relate to customer due diligence (CDD) and client risk assessments. Although most firms understood this requirement, almost half 46% of non-compliant firms had issues in this area. The most common failing was a lack of written client risk assessments where firms stated that they did not require them.
Other issues included incomplete or inadequate client risk assessments that did not reflect the services provided or nature of the client.
SOLUTION: Some AML compliance software packages provide free unlimited storage for CDD documents and a risk assessment tool for all clients and their associated beneficial owners.
Other areas
Other areas of non-compliance include data protection issues (Regulation 41) requiring firms to notify clients of documents retained and how they are used. In some cases, firms referred to data protection in its letter of engagement but on inspection, it was found the firm was not registered with the Information Commissioner’s Office. Often firms were not aware of the requirement to notify Companies House of discrepancies on the persons of significant control (PSC) register.
Introducing an AML mindset
While grasping all aspects of compliance isn’t achieved overnight, it is nevertheless critical for every firm to stay on top of it and to develop and embed appropriate AML procedures within the firm. Besides penalties for non-compliance from a firm’s professional body, there are criminal penalties, including jail, for non-compliance with the MLRs. The annual estimated cost of fraud in the UK’s private sector is £140bn, with around 3.4m instances of fraud.
The above is just a snapshot of only part of the regulatory requirement, and so it is vitally important for practitioners to make AML compliance an integral part of their organisation’s ethos. Further information is at ifa.org.uk.
