As we enter the Autumn, we’re getting a much better picture of what the new Money Laundering Regulations will really mean for accountancy practices – and, although there are a number of significant changes, much of the previous regime will remain intact.
However, one key feature of the new regime that practices are unlikely to have given thought to before is the need for a firm level risk analysis. This will require senior management approval and will need be regularly updated in response to a firm’s changing risk profile.
Draft guidance issued by the Consultative Committee of Accountancy Bodies (CCAB) in August 2017 has provide some guidance on this – but how should smaller firms really tackle it?
1. Consider and document what your typical client looks like
Thinking about and documenting what your typical client looks like has long been considered best practice. It helps you to understand where your practice is most exposed to money laundering. It also helps you to appreciate which prospective new – or existing – clients present a higher level of risk and therefore require more in depth AML checks.
It can also inform client acceptance decisions. If a prospective client is way outside your comfort zone, it may make more sense to decline the appointment.
“As a practice, Bull & Co provides the following services to clients typically based within 30 miles of the city centre:
– Bookkeeping and preparation of management accounts
– Preparation, audit and submission of accounts – companies, sole traders and partnerships
– Preparation and submission of tax computations – income tax, corporation tax, VAT, PAYE, national insurance, inheritance tax and capital gains tax
– Preparation and payment of payroll
Although our clients engage in a wide range of activities and sell a range of goods and services, all are owner managed businesses”.
2. Consider the need to assess risk at ‘service line level’
The draft CCAB guidance suggests that firms might want to produce a different risk assessment for individual service lines (e.g. accounting, audit, payroll, personal tax) if different service lines present different risks. It remains to be seen how often this will happen. Some smaller, simpler practices may consider the key risks to be common to all their activities.
3. Consider how your practice is exposed to money laundering
This will require careful thought practice by practice. In assessing how they are exposed, firms should remember that ‘money laundering’ is very broadly defined as ‘possessing or in any way dealing with or concealing the proceeds of any crime.
Here is an example – with a suggested strategy to handle the risk:
Criminals might seek to use our client monies account to launder the proceeds of crime
We will regularly monitor use of the client monies account in line with ICAEW/ACCA requirements and, through appropriate training and regular review (including an annual compliance review), ensure that the client monies account is only used in relation to an accountancy service that is being, or will be or has been provided.”
4. Consider your clients’ potential exposure to/involvement in money laundering
Many firms will feel that their clients are more likely to be exposed to or involved in money laundering than they are. This risk must also be addressed because it is an offence for a ‘relevant person’ (i.e. a firm) not to report to the National Crime Agency (NCA) knowledge or suspicion of criminal conduct that it becomes aware of.
Also a client’s involvement in money laundering might cause the firm to suffer legal, regulatory or reputational damage.
The draft CCAB sector guidance suggests that five aspects are assessed:
· Client risks – “Do our clients or those associated with our clients have attributes known to be frequently used by money launderers or terrorist financiers?”
· Service risk – “Do our services have attributes known to be used by money launderers or terrorist financiers?”
· Geographic risk – “Do our clients operate in jurisdictions that are known to be used by money launderers or financiers of terrorism”
· Sector risk – “Do we and our clients operate in a sector in which money laundering or terrorist financing is known to take place?”
· Delivery channel risk – “How close is my relationship with my client?”
Again, each area of risk needs to be thought through and an appropriate strategy devised.
Here is an example relating to sector risk:
“Although we do not feel that there are any particular sector risks relevant to our clients, criminal conduct may come to light as a result of the work undertaken by our different service lines (e.g.):
· Our accounting, audit and tax work might provide evidence of understated income in order to evade tax. Client-facing staff should be vigilant and be willing to make an internal report to the MLRO if they consider it necessary.
· Our accounting, audit and tax work might provide evidence that clients are charging expenses not incurred wholly and exclusively for the purposes of the business in order to evade tax. Client-facing staff should be vigilant for such expenses and be willing to make an internal report to the MLRO if they consider it necessary”.
5. Devise an action plan
There is little purpose in carrying out a risk assessment without putting relevant action plans in place to deal with them. The examples above illustrate what such plans might look like.
Many firms may feel that relevant strategies will already be in place based on procedures under the previous AML regime. This doesn’t mean that the thought process and risk assessment should not be formally documented though.
6. Publish the action plan – and train
Staff training has always been a central feature of a firm’s AML procedures. The draft CCAB guidance makes clear that staff training should cover an explanation of relevant legislation, ‘red flags’ relevant to the firm and how to deal with suspicions of Money Laundering and Terrorist Financing (MLTF).
Once it has been approved by senior management, explaining the risk analysis and related safeguards to staff internally will a crucial element of this training plan.
7. Use the risk assessment to inform individual client risk assessments
When taking on new clients or reassessing risk in respect of existing clients (both longstanding requirements of the previous regime), a firm’s risk assessment will inform whether a client presents a high, medium or low level of risk, how much client due diligence and verification evidence is required – and whether a firm wants to take a new client on.
Linkage between the firm level risk analysis and work done in respect of individual clients will be crucial. Otherwise the firm level risk analysis might be redundant.
8. Revisit the risk assessment plan and update it
The draft CCAB guidance makes clear that a firm’s risk profile changes over time. It will be important for the risk analysis to be reassessed and updated periodically and detailed policies and procedures updated accordingly.
How regularly it needs to be updated will be for an individual firm to decide and justify to its regulatory body.
The new Money Laundering Regulations can be downloaded from
The draft CCAB guidance can be downloaded from:
Peter Herbert, September 2017