The ICAEW supervises around 10 thousand UK chartered accountancy firms for anti-money laundering (AML) compliance with the money laundering regulations (MLRs). One of the requirements of those regulations is to identify and assess
the risks of money laundering and terrorist financing to which the business is subject (18(1) regulation), referred to as the firm-wide risk assessment (FWRA).
The FWRA is considered by the ICAEW to be the foundation upon which a firm builds its AML policies and procedures, particularly concerning customer due diligence (CDD).
In their review, the ICAEW sampled 100 accountancy firms, all with a high or high-medium risk profile, assessing the completion, content, and regulatory compliance of their FWRAs.
The money laundering reporting officer (MLRO) for each of these firms was contacted, provided with a list of questions, and asked to submit a copy of their FWRA, both of
which were subsequently reviewed by the ICAEW’s Quality Assurance Department.
During the webinar, the ICAEW noted that “professionals such as lawyers, trust and company formation agents and accountants are among those at greatest risk of becoming involved [in money laundering] either wittingly or unwittingly” and that “[firms need to be] asking the right questions and not taking the answer at face value”.
The webinar shone a light on many of the current issues facing firms today, as well as some tools and methodologies to mitigate them, such as the use of AI to scrape data about customers, a point that drew great interest from participants.
We have compiled the major findings and recommendations here:
Key Findings
- Completion: It was found that 88% of firms had completed an FWRA (18(1) regulation), while 6% confused it with AML compliance reviews.
- Value and use: 91% of MLROs found the FWRA beneficial, as it offers a high-level view of firm risk, helps mitigate threats, reassesses the appropriateness and relevance of the firm’s AML policies and procedures, and facilitates customer due diligence (CDD) adjustments. Smaller firms, however, were less likely to see its value.
- Risk identification: Some of the most common risks identified were client location, high-net-worth clients, and payroll services, with 78% of firms assessing both likelihood and impact of risk.
- Templates and Checklists: Most firms were found to use templates for structure, although simple or “boilerplate” templates risked missing specific threats.
- Controls and procedures: 97% of firms had implemented controls to mitigate risks, such as enhanced due diligence for high-risk clients and staff training on AML, as well as other best practices such as Google searches and the use of AI.
- Size and risk: Out of the total ICAEW-supervised population of firms categorized as high to high/medium risk, 20.9% have a turnover of less than £300,000.
- CDD: 27.4% of firms were non-compliant with the first CDD step (identifying the client); 25.6% of non-compliant firms had ineffective risk assessment documentation, 27.9% of non-compliant firms had no risk assessments on any of their clients, and 34.4% of non-compliant firms performed ineffective verification procedures.
- Non-Compliance: The ICAEW found the major themes behind firms’ non-compliance are lack of knowledge and/or understanding of regulations, lack of understanding of risk, and insufficient resources allocated to AML.
Recommendations
- The ICAEW stresses that all firms must assess money laundering risks (18(1) regulation), as they found that smaller firms often underestimated their client base risk, assuming it to be lower due to their size (18(3) regulation).
- It’s good practice for firms to ensure annual reviews and adjustments to FWRAs in response to changes in their context, such as new services provided or updated regulations.
- The ICAEW encourages firms to address proliferation financing risk, even if minimal, within their assessment.
- It is recommended to ensure that annual returns accurately reflect the money laundering risks within your client base and that these are similarly included in the firm-wide risk assessment.
- Firms should tailor their FWRAs to specific risks, implement efficient controls, utilize relevant guidance (AASG Risk Outlook, ICAEW bulletins), and engage staff in understanding risks. The FWRA should be tailored to each firm’s context, i.e., it should not simply follow a template with minimal changes but rather consider the risks the firm might face and only include these.
- Controls and procedures should be tailored in order to mitigate the risks identified. (21c)
- Relevant staff should be made aware of risks and have access to adequate controls to mitigate them. They should also evaluate whether these are effective and correctly identified, and whether new risks have arisen due to a change in circumstances. (21c)
- Firms should ensure the three phases of CDD are in place (identifying the client, assessing risks, and verifying the information), especially when they use smart searches or other tech solutions, as these frequently lack one of the CDD phases.
Key Takeaways
- The FWRA helps firms remain compliant with regulatory requirements
- Most firms consider that preparing a FWRA adds value
- Smaller firms should not assume their client base is lower risk, but they can adapt the complexity of their FWRA
- Resources can help the implementation of best practices
This report underscores that comprehensive, annually updated risk assessments are crucial for AML compliance and effective risk management.