Risk assessments are a critical part of AML, but when you’re working with a client in two different capacities and offering multiple services, how do you know where to start, and what’s correct in terms of your risk assessment and record-keeping requirements?
Let’s talk about risk assessments. They’re one of the most important parts of AML compliance, yet we know that they’re still one of the most common gaps in a firm’s AML compliance. What has been emerging in our conversations with accountants & bookkeepers is that there is some confusion around the requirements when you have both a business relationship with an organisation and also deal with the personal matters of an individual who is related to an organisation you work with.
Now I know you’re probably thinking, wait? What? Please don’t confuse me any more about my AML compliance requirements – fear not, we’re going to do our best to help you understand exactly what we’re talking about.
But first, what exactly does a compliant AML risk assessment entail? Its purpose is a thorough evaluation of your client's risk profile to identify potential money laundering or terrorist financing activities. The reality is that 99.9% of your clients probably demonstrate a normal level of risk, whereby everything is in order and they are just an “ordinary” client. However, by understanding your client's risk level, and most importantly having it documented, you can implement appropriate measures to mitigate potential risks.
As part of a complete risk assessment, you'll need to consider various factors such as the client's industry, location, customer type, organisational structure and transaction patterns, to name a few examples. Gathering and analysing this information is a crucial step in helping you to identify potential risks and also ensures you’re hitting your compliance requirements.
This isn’t to be confused with your firm-wide risk assessment (also an AML obligation); that’s something for another post – we’re talking here specifically about your client risk assessments.
It’s not uncommon for many accountants and bookkeepers to work with clients who have both organisational and individual needs when it comes to accounting services. For example* ⬇️:
I (Nathan Barker) am the sole Director of my own Limited Company, let’s call it ‘Snow & Bike Limited’, but I also own a rental property so have additional income.
I work with an accounting firm for my business’s (Snow & Bike Limited) matters, but also get tax advice on my personal situation, due to my rental income, and as the only Director of my limited company, I am also taking dividends from my business, which of course has some impact when it comes to my tax situation.
Still follow?
In this example, it’d be easy to assume that I am one client – which in the accounting firm's eyes is kind of true as I am one person, but from an AML perspective, I’m essentially two clients to this accounting firm 😖 – which no doubt sounds a little confusing.
But, hear me out. ‘Snow & Bike Limited’ is a company in its own right, and whilst I might be the only Director, how my organisation, ‘Snow & Bike Limited’, interacts with the accounting firm is different, as are the services it sells and the other factors surrounding it.
Whereas the services provided to me as an individual are less complex, and essentially only involve tax advice, as opposed to the other services my accountant might provide me for my business.
An example of a client with two different engagements with the same accounting firm, resulting in two different AML risk profiles
*This example is for illustrative purposes only to demonstrate how one client can have very different profiles when it comes to AML risk management – it is not necessarily a reflection of the best way to structure accounting services with an individual client in this situation, especially related to tax returns and filing.
If we reflect on some of the key considerations as part of our risk assessments, we can see the reason for evaluating these as two separate clients from an AML perspective:
Transaction risk – I might choose to accept Cryptocurrency as a means of payment for my business, which increases risk when it comes to potential money laundering, whereas my rental income is normal income via a bank transaction.
Geographical risk – Snow & Bike Limited sells globally online, and I have a really strong market in some emerging countries considered higher risk across the Americas and Africa; in addition, a large percentage of my suppliers are in overseas countries.
That’s just two examples, but as an accountant or bookkeeper evaluating this situation, it becomes more obvious why you have to consider these two “clients” separately – at least from a risk perspective. And if you do fail to treat these two clients as separate entities from a risk assessment perspective, AML auditors will most likely fail you for not doing risk assessments for both the business and the individual.
It most certainly might feel like overkill in an already complicated world of AML compliance for the accounting profession, but by conducting risk assessments at both levels, you ultimately strengthen your foundations and protect your firm – as our good friend David Winch, of MLRO Support Limited, likes to say “having something documented is better than not having anything at all – document it, document it, document it!”
One final reason why this is important is that I might not be the only director of Snow & Bike Limited forever – I may choose to sell the company, or I may choose to bring another person into the business to be a 50% owner, and therefore make them a Director. This not only changes the make-up of the business, but for my accountant, it changes a few dynamics that need to be re-assessed from an AML perspective. Notably, one of these is a new person involved in the business, but this also might have implications for me as an individual and as a client in that respect, so that also means reviewing the current risk assessment for me as an individual is needed too.
Now the example we shared above is of a Limited Company and an Individual (and arguably one of the most simple and common examples), but they aren’t the only types of organisations or combinations you might work with, and it’s important to make sure that you understand the different risk factors of the different types of entities, because they all have their unique considerations to think about.
Sole Traders: As an accountant or bookkeeper, you may assist sole traders who operate as individuals. Their risk assessments will focus on their personal financial activities and potential exposure to money laundering or terrorist financing.
Partnerships: Accountants often support partnerships, where multiple individuals or entities pool resources and share profits. Risk assessments for partnerships will involve evaluating the partners' individual risks, as well as assessing the partnership's activities and transactions.
Limited Companies: Many accountants work with limited companies, which have separate legal identities from their owners. Risk assessments for limited companies will involve assessing the company's activities, ownership structure, and potential vulnerabilities.
Trusts and Estates: Bookkeepers often handle finances for trusts and estates, which hold assets on behalf of beneficiaries. Risk assessments for trusts and estates will involve considering the parties involved, the source of funds, and potential risks associated with the beneficiaries or trustees.
Non-Profit Organisations: Accountants may also serve non-profit organisations, such as charities or community groups. Risk assessments for non-profit organisations may focus on identifying potential risks associated with the organisation's funding sources and activities.
Our intention was not to burden you with the hassle of performing more risk assessments; our goal is to help you be fully AML compliant. So here are a few tips to help you succeed in conducting AML risk assessments:
Define Risk Assessment Procedures: Establish clear policies, procedures and guidelines for your risk assessment process to ensure consistency and efficiency – almost all supervisory bodies have templates available to their members, and this is a great place to start. Remember you always need to tailor this to your firm, but these provide a solid starting point. And if you want to dive a bit deeper, AML expert David Winch ran a session at the Firmcheck 2024 AML Summit on how to write a risk assessment – you can catch up on the session on our education platform.
Leverage Technology: Use AML management software (shameless plug) like Firmcheck to document risk assessments and streamline the process – in a recent study we found that using technology is an indicator of better AML compliance, and those using technology are 2x more likely to have a standardised means of managing and staying on top of client due diligence.
Document, Document, Document: Keep detailed records of your risk assessment findings, methodologies, and any actions taken to demonstrate compliance – as we mentioned above technology can help but even just a simple Word Doc or Google Doc can go a long way should your supervisor come knocking – because if there’s a record, there’s a starting place for a conversation – if there's no record, did it even happen?
Carrying out risk assessments is a critical part of your AML compliance, and we’re here to help you understand what you need to do and why.
Having a clear understanding of risk helps protect your firm, and your reputation, and can help highlight things you might have missed otherwise.
If you want a hand improving how you manage AML, or you’d like to leverage technology to help strengthen your risk assessments and risk management – get in touch with us, and we can show you how Firmcheck can help make them more streamlined, but also really help with the record-keeping requirements you have.
👉 Why do I need to conduct AML risk assessments?
Risk assessments are a vital part of your AML compliance obligations. They help you identify potential risks of money laundering and terrorist financing, protecting your business, clients, and reputation. Plus, demonstrating your commitment to due diligence helps build trust with stakeholders.
👉 What factors should I consider when conducting risk assessments?
When performing risk assessments, consider factors like industry, location, customer types, and transaction patterns. These elements help in determining the level of risk your client might present, enabling you to implement appropriate AML measures.
👉 Do I need to assess risks for both organisations and individuals?
Absolutely! If you work with organisations and also file individual tax returns for key personnel, it's essential to assess risks separately for both entities, as they each present different AML risks.
👉 How often should I update risk assessments?
Regular reviews of your risk assessment procedures and staying in the know about current requirements will ensure your risk assessments remain accurate and compliant. It’s good practice to do this at least once per year, or when your relationship changes with the client – this could be introducing new services, for example.
👉 What documentation should I keep for risk assessments?
Keeping detailed records is key! Document your risk assessment findings, methodologies used, and any actions taken based on your assessments. Proper documentation demonstrates your compliance and helps you respond to any regulatory inquiries. Most supervisory bodies have templates you can use, or you can leverage AML software (of which there are many different types) that allows you to document risk assessments digitally.
(NB: This article doesn't constitute legal advice and is only intended for general informational purposes. Always consult with a legal expert or compliance consultant for guidance specific to your firm.)