Regulation of AML compliance continues to growby
As regulators ramp up anti-money laundering supervision, what does this mean for accountancy firms, and how severe are the consequences for non-compliance? Ian Ko and Julie Matheson from Kingsley Napley and David Winch explore the current issues.
Consistent with the government’s Second Economic Crime Plan, regulators have identified anti-money laundering and the countering of terrorist and proliferation financing (AML/CTF) as key priorities.
It is therefore perhaps unsurprising that many firms in the accountancy and professional services sector have also noticed a recent uptick in regulatory scrutiny of their AML/CTF processes.
So what are the regulators’ current AML priorities, and what should accountancy firms bear in mind when designing processes that comply with the relevant regulations?
Amplification of regulatory priorities
Published on 30 March 2023, the plan describes the AML supervisory regime as being a “critical component” of the fight against economic crime. Supervisory bodies have been asked to set clear expectations, including taking “appropriate, proportionate and dissuasive” enforcement action for AML/CTF breaches.
The message from the top has clearly filtered down to regulatory priorities. This mandate is perhaps one of the key factors contributing to the increase in AML/CTF supervisory activity by accountancy regulators, not least the Institute of Chartered Accountants in England and Wales (ICAEW) and the Association of Chartered Certified Accountants (ACCA).
Focus on AML compliance
ICAEW has unsurprisingly announced that its area of focus for practice assurance reviews in 2023 is AML compliance.
In its recently published 2023 Practice Assurance Monitoring Report, breaches of the money laundering regulations 2017 (MLRs) were by far the greatest source of non-compliance. The report noted that 545 of the firms reviewed had at least one finding of non-compliance with the MLRs. The second-greatest source of non-compliance, breaches of the clients’ money regulations, involved some 197 firms by contrast.
Such a trend is also reflected in referrals made to the ICAEW Practice Assurance Committee. In 2022, the committee considered a total of 45 reports. Of those, almost 40% related to “significant weaknesses” in compliance with the MLRs.
Comparatively, the second and third issues most commonly considered were the use of the title “chartered accountant” when ineligible to do so (approximately 11% of reports), and “significant breaches” of clients’ money regulations (approximately 8% of reports).
ICAEW noted that, “in addition to our routine AML monitoring procedures”, its on-site reviews would also include consideration of the following:
- the role of the money laundering reporting officer (MLRO)
- firm-wide risk assessments
- sanctions compliance
- prohibitions on provision of accountancy services to Russia
- suspicious activity reports (SARs)
- client due diligence (CDD) processes.
ACCA has taken a similar approach. Its report on regulation 2023 stated that it undertook 395 AML compliance reviews in the UK and Ireland in 2022. This represented an approximately 25% increase in the number of AML reviews undertaken in 2021.
The report also noted that in January 2023, ACCA had been inspected by the Office for Professional Body Anti-Money Laundering Supervision (OPBAS).
While the OPBAS assessment findings indicated that ACCA had increased its effectiveness in several areas, it also identified further areas for improvement. ACCA has accordingly prepared a proposed action plan in response to the OPBAS findings.
What does this mean for firms?
It is clear that regulators, driven by the government’s mandate and ongoing OPBAS scrutiny, are prioritising AML/CTF compliance. But what does it mean for those downstream, namely firms themselves and members of professional bodies?
We are already seeing increased monitoring activity by way of on-site and desktop reviews. It is likely that such regulatory scrutiny will only continue to increase, and lead to larger numbers of disciplinary referrals where breaches appear to have occurred.
Enforcement action, as well as penalties for proven breaches, are also likely to be shaped by the government’s directive for “appropriate, proportionate and dissuasive” action to be taken.
Many firms may already have AML/CTF arrangements in place which they have been using historically, but which are not fully systemised, documented and/or rigorously implemented.
It is essential, however, that such historical arrangements remain up-to-date and compliant with the latest regulations. In most cases, these arrangements, while a useful starting point, are unlikely to be deemed fully compliant.
Some firms may consider it unfair that the MLRs apply uniformly, with little regard to the firm’s size and resources. Nonetheless, regulators have consistently noted that the size of a firm does not absolve the need for compliance. Adopting such a stance may even be deemed to demonstrate a lack of understanding regarding the importance of AML compliance, as well as the absence of a desire to abide by the relevant regulations.
We routinely observe that firms appear to be caught out in one or more of the following areas:
- conducting and documenting an AML firm-wide risk assessment (FWRA)
- undertaking regular reviews of the adequacy and effectiveness of the firm’s AML policies, controls and procedures
- undertaking and recording appropriate AML training for staff
- conducting and documenting customer due diligence (CDD) for new clients and/or ensuring that CDD documentation is regularly reviewed and updated.
- incomplete criminal record checks for beneficial owners, officers and managers.
Consequences for non-compliance
Where an on-site review has been conducted, regulators attempt to engage in constructive dialogue with their supervised populations prior to taking enforcement action. This is often not the case where there has been a desktop review.
Following an AML compliance review by ACCA for instance, a firm is usually issued with a report. The review may be completed and the report issued (and in some cases, a referral made to the professional conduct department) without any substantive dialogue between the firm and the reviewer to clarify the firm’s procedures and the circumstances surrounding any alleged breaches.
Such referrals may then result in disciplinary action. Lower-level breaches of AML regulations might not attract the most serious sanctions. However, where there is some other form of alleged misconduct, firms can be sure that regulators will take matters very seriously.
For example, where there are allegations of potential dishonesty or lack of integrity arising from the creation of documents retrospectively, or a failure to cooperate with the investigation process more widely, then sanctions are likely to be at the upper end of the spectrum.
Although the approach to AML compliance breaches varies between supervisory bodies, the following summaries of recent disciplinary findings illustrate regulators’ current positions.
- On 6 December 2022, an ACCA member was found guilty of misconduct for (a) failing to comply with the MLRs by not conducting a FWRA, not having an AML policies and procedures document, not completing and recording AML training, not implementing appropriate CDD measures, and (b) failing to cooperate with the ACCA’s investigation. He was excluded from membership and ordered to pay costs of £8,400.
- On 14 February 2023, an ACCA member was found guilty of misconduct for (a) failing to comply with the MLRs by not conducting a FWRA and not undertaking AML training; (b) making false representations regarding the creation date of his firm’s policies and procedures document; (c) failing to cooperate with the ACCA’s monitoring processes, and (d) failing to cooperate with the ACCA’s investigation. He was excluded from membership and ordered to pay costs of £6,000.
- On 12 April 2023, an ICAEW member was found guilty of misconduct for (a) failing to fulfil assurances provided to the ICAEW regarding CDD procedures; (b) breaches of the MLR 2007; (c) failing to conduct a FWRA, not having an AML policies and procedures document in place, and not implementing appropriate CDD arrangements; and (d) failing to cooperate with the practice assurance committee process. He was severely reprimanded, fined £8,000, and ordered to pay costs of £10,825.
Firms would therefore be well advised to re-evaluate their current AML processes, bearing in mind the following key matters.
- The FWRA should reflect the unique nature of the firm, the services it provides, the ways in which it communicates with clients, the transactions in which the firm is involved, the activities of its clients, and its clients’ locations. The FWRA must demonstrate the firm’s awareness of the relevant money laundering risks, as well as the measures taken to mitigate those risks.
- The firm’s AML policies and procedures document must record the policies and procedures actually operated by the firm. They must satisfy the requirements of the MLRs (including recent updates dealing with proliferation financing, for example), and take into account the relevant recommendations and guidance published by the firm’s supervisory body.
- Training records should demonstrate and document that all relevant staff have received and understood the AML training undertaken. For instance, this might include keeping records of test results obtained by staff following AML training.
- Internal SARs should be made to the firm’s money laundering reporting officer in writing. It is preferable that this is recorded in a form that prompts the author to provide all appropriate details of the suspected person, the suspicion, as well as the reasons for making the report.
Where a regulator has arranged for a desktop review, firms may find it helpful to have a second pair of eyes reviewing the document package before it is submitted. This will ensure that any documentation provided gives a clear picture of the firm and its approach to AML compliance.
Ultimately, firms in the accountancy and professional services sector would be prudent to set aside some time in the near future to carefully consider whether their current AML/CTF processes are fully compliant. The alternative might be to risk an adverse report being issued, potentially leading to more significant disciplinary consequences down the line.