Anti-money laundering compliance is more than just ID verification; it’s a whole world of record-keeping and processes. Learn more about what AML management involves for your firm.
AML compliance is another responsibility faced by accountants. Even doing the bare minimum is still an involved process that most accountants don’t consider valuable. We understand, but it is there to protect your firm, and whilst this article isn’t the place for it, the cost of AML compliance can almost certainly be recouped as part of your onboarding fees or general client fees. The bare minimum approach typically isn’t enough, though. Of the firms we surveyed in our 2024 ‘Landscape of AML Compliance Report’, 30% of firms weren’t conducting risk assessments in a standardised way and, in some cases, weren’t doing them at all. AML software has helped improve how firms manage AML, but we still see a large percentage of accounting firms not doing enough. One of the consistent gaps is the ongoing management (or monitoring) of AML compliance.
The Money Laundering Regulations (MLR 2017) state what ongoing monitoring looks like for firms:
Conduct ongoing monitoring of a business relationship, including—(a)scrutiny of transactions undertaken throughout the course of the relationship (including, where necessary, the source of funds) to ensure that the transactions are consistent with the relevant person’s knowledge of the customer, the customer’s business and risk profile; (b)undertaking reviews of existing records and keeping the documents or information obtained for the purpose of applying customer due diligence measures up-to-date.
Typically, firms grasp the onboarding well, but reviewing and updating risk assessments is almost always highlighted in supervisory body reports and findings. That’s where the term ‘AML management’ comes in. We didn’t want to reinvent the wheel, but we did want to emphasise that AML is not just a one-and-done compliance thing; it’s an ongoing thing that requires some oversight and management. And it’s the management part that we feel is often overlooked. Not being on top of your AML compliance puts your firm in a risky position, and the last thing you need to maintain the integrity of your business is to be caught working with money launderers or getting fined for having poor processes in place: accountancy firms have been fined £98,870 in the second half of 2023 alone for AML violations.
AML management refers to the organising of the operations, activities and processes related to AML compliance and being AML compliant.
When we think about AML management and how it applies to any accounting or bookkeeping firm, we refer back to the foundations of your AML compliance that need to be in place.
They are:
Having a documented AML policy, which includes your processes and controls and sets out how you will comply with your AML requirements.
Ensuring you have due diligence measures in place to identify and verify who you’re working with, and where the risk is higher you have a process for assessing those risks as documented in your policies, controls and procedures document.
Making sure that you’re conducting thorough client risk assessments and keeping a record of them; will help you understand what risk a potential client (or existing client) poses and what additional controls might be required.
Understanding the level of overall risk your firm has amongst your client base by having a well-documented and regularly updated firm-wide risk assessment.
Regularly training all relevant employees, at least once per year, ensures they are up to date with the legislation, know how to spot potential money laundering, and understand how to implement your AML processes internally.
Implementing ongoing monitoring to keep things in check and up to date (including updating and regularly reviewing risk assessments).
Now we’ve got those in our mind, each has a slightly different focus and therefore there are layers of your AML compliance that target various components – ultimately, it is all for the security and protection of your firm, but it’s still important to consider the different layers and how they contribute to your overall AML compliance.
These foundations work across three layers:
Your firm or your business
The clients you work with
And the people associated with the businesses you work with
An example of what AML management involves – it’s the whole entirety of your AML system, not just the client-facing part.
At a firm level, there are three key things you must have in place.
A documented firm-wide risk assessment is critical – this is a benchmark document that demonstrates your overall client risk and what you’re doing to mitigate any highlighted risks. From a Professional Supervision perspective, this is often the document your supervisor will go to first when they carry out an audit.
It is expected you’ll have documented training records for all relevant staff. This must show what training they have undertaken relating to AML and when it was completed.
A clear policies, controls, and procedures document that outlines what your firm does from an AML perspective is the third key pillar. This will involve things such as how you deal with high-risk clients or what the process is for reporting suspicious activity. It’s not enough just to have a documented process, though; you need to show that it’s used, referenced and updated regularly.
When it comes to the client level, you must do the following.
Go through a risk assessment to understand and document any risk factors that might require either additional support evidence or for you to implement stricter controls in your ongoing operations. This is where you’ll dig into things like associations with high-risk countries, or if the business is cash intensive, you’re essentially looking for things that are considered more likely to be exploited by money launderers.
You must regularly review and update your risk assessments. This must be completed at least annually, but there might be triggers like a new director or a change in services provided that would prompt you to re-assess it sooner. Using the example above of a cash-intensive business, you might also consider implementing transaction monitoring tools to help flag any suspicious or odd transaction outside of what you’d expect. If you are filing monthly accounts or doing daily bookkeeping for a firm, monitoring software might be less helpful, and in this case, you’re probably well equipped to spot anything untoward quite easily due to your familiarity with their accounts.
Sometimes, the business and the person might look the same, most likely because they are a sole trader or a one-director limited company. However, when dealing with larger businesses, there might be multiple people or entities involved, so you also need to understand the persons with significant control (PSCs) and beneficial owners. At this level, it’s critical to understand the individuals you are dealing with.
You must identify and verify their identity which you can do in a number of ways. Often, you might be able to meet the person face-to-face and get a copy of their ID and address documents to take copies, but that isn’t always possible, especially in today’s more distributed and remote world. This is where you can leverage software that offers biometric ID verification or electronic checks so these checks can be conducted remotely, yet you’re still able to verify and identify who the person is.
As part of this process, you need to know if they are a politically exposed person (PEP) or on any sanctions lists globally; this is so you can understand if you need to carry out any additional due diligence on the person and resultantly the company.
If you’ve read that and found yourself feeling stressed about your current situation, that’s OK; the first step in making a change is understanding. In our experience, there aren’t actually that many ways to improve how you manage AML compliance; in fact, when you look past all of the scary legislation, it’s actually quite easy to make small tweaks.
A great place to start is with your AML processes. If you don’t have a Policies, Controls, and Procedures (PCP) document, that’s your first port of call. And if you do, ask yourself when it was last updated and if your staff consistently follows it.
If you find yourself questioning any of those statements, we reckon it’s time for a refresh – we’ve got this handy PCP template that you can steal and make your own.
Remember, whilst a template is a great starting point, copying and pasting it word for word isn’t going to cut it, and you should always refer back to your Supervisory Bodies specific guidance. Every firm is unique, and your PCP document has to reflect that.
Once you’ve got your processes nailed down it’s time to make sure you’ve got your documentation in order.
We speak to a lot of accounting and bookkeeping firms at Firmcheck and one of the most common challenges is historic documentation, and sometimes the lack of.
Poor processes, and lack of consistency has led to lots of documents saved in multiple different places, in many different formats. We recommend bringing your documentation and records into either one or two places. This can involve using an AML software, or it might simply be using a Google Drive, and a spreadsheet.
The key here to keep your record keeping and documentation clean is to ensure you’re using the same process for every client, and where you have gaps in your existing records we recommend closing them next time you have a review with that client – it’ll only take you an additional 5 minutes and from an AML compliance point of view you’ll have things in a much better, compliant place.
AML expert David Winch constantly reminds us to “document, document, document”, and that’s absolutely true. When you combine that with consistency in your AML processes and practices then you’re really moving into a world when your AML compliance becomes more efficient and more streamlined.
In practice, this might look like doing the following steps regardless of client size or type:
Always capturing the same personal information
Always using biometric identity verification checks for capturing ID documents, verifying your clients, and running PEPs and Sanctions checks, too.
Following the same risk assessment process for each client (noting that you might have some slightly different questions based on the client type, e.g. a limited company versus a charity)
Ensuring the documents are securely saved, either using the same filing system or in an AML software
The benefits of consistency mainly revolve around how easy it makes your life when it comes to audit time, and not only that, you’ll have a lot more confidence in your AML compliance because, theoretically, there should be fewer gaps due to your consistent approach to AML checks.
We’ve mentioned technology a few times, and it’s true that technology can help with your AML management.
Our latest piece of research found that firms that leverage AML software are twice as likely to have a documented firm-wide risk assessment, and use a systemised way to carry out client risk assessments, which we know are commonly neglected areas of AML compliance in almost every annual supervisory report that has been released in recent year.
The use of technology in managing AML compliance has proven to enhance the frequency and thoroughness of reviews, too, with tech-savvy firms being over three times more likely to conduct regular review and ongoing monitoring – another critical yet commonly overlooked component of your AML compliance obligations.
That being said, though, it’s not just as simple as leveraging AML technology. There are many different types of AML software, and choosing the right one is very dependent on a number of factors, which could include your firm size, the complexity of your firm's teams, and what functionality is required across the organisation. If you need any tips on choosing the right AML management software, we put together some tips to guide you through the selection process.
If you’d like to get some AML compliance tips, and see how Firmcheck can centralise, and streamline your AML management, we run regular Firmcheck Masterclasses, or you can book a one-on-one call to discuss your existing AML challenges and find out how we can help.
(NB: This article doesn't constitute legal advice and is only intended for general informational purposes. Always consult with a legal expert or compliance consultant for guidance specific to your firm.)
Latest news, events, and updates on all things app related, plus useful advice on app advisory - so you know you are ahead of the game.