Save content
Have you found this content useful? Use the button above to save it to your profile.
An image of David Winch
Sedulo-forensic-accountants

Getting away with the bare minimum AML compliance

by

To save accountants from getting grief from their anti-money laundering regulators, David Winch spells out the fundamentals that firms need to scrape a pass on their AML compliance review.

26th May 2023
Save content
Have you found this content useful? Use the button above to save it to your profile.

David Winch is quick to note that he loves anti-money laundering (AML) compliance. “I would love people to spend lots of time and effort thinking about their anti-money laundering compliance,” he said. 

But he’s aware that not everyone shares his enthusiasm for AML. Indeed, many accountants in practice often say, “I’ve got thousands of things to do and anti-money laundering compliance is just not on the list at all. Except I’ve got to do it because I’m being hit over the head by my supervisory body.” 

So while Winch wouldn’t encourage accountants to settle for the bare minimum, he said it’s important they get a grasp of the fundamentals because if their AML compliance review is bad, they will get 30 days to fix it. 

And if they don’t, their regulator is going to frogmarch them in front of the disciplinary committee. 

So what’s the bare minimum a firm can get away with to get a pass from their supervisor? Below, in conversation with AccountingWEB, Winch shared a handful of key points, so accountants don’t have any more grief.

A photo of David Winch1. Have a money laundering reporting officer

There needs to be an individual identified in the firm as the money laundering reporting officer (MLRO).

The title comes from the fact that they have to do the reports to the National Crime Agency. But the reality of the MLRO in an accountancy firm is they’re responsible for making sure the firm complies with the regulations. 

They’re the person who’s going to be corresponding with the supervisory body, whether that’s the Institute of Chartered Accountants in England and Wales, the Association of Chartered Certified Accountants, the Association of Accounting Technicians or whoever. So you must have a money laundering reporting officer, and they must be somebody who is actually in the firm. 

The intention is, it’s somebody with sufficient seniority and authority to say, “Yes, we have to do X, Y and Z”, and also to be somebody to whom confidential information can be safely reported.”

2. Have a policies and procedures document

All of the accountancy bodies have templates with what you might want to put in your policies and procedures document. But you should use those templates only as a starting point. 

So think about how things actually work in your firm: what is the structure of your firm, what sort of clients do you have, what is your geography and so on. You then amend the template to reflect what you actually do in practice in your firm to comply with the regulations.

I’ve seen firms that haven’t changed the template at all and it still has the words in italic saying, “insert your name here”.

Again, it’s got to be tailored to the firm’s particular circumstances and what the firm actually does.

The supervisory body is then going to look at those policies and procedures and ask you to demonstrate that you’ve put them into effect. So if you’ve got something in there that says, for example, we search HM Treasury’s list of sanctioned individuals whenever we take on a new client, and you actually don’t, and you haven’t a clue what that list even is, then you’re just asking for trouble from the supervisor when they do their review. 

3. Have a firm-wide risk assessment

This is another separate document that looks at the firm as a whole, the services it offers, who it offers them to and where they are geographically. For example, what sort of clients do they have, do the clients deal in cash and so on.

If you’ve got retailers, cash businesses, used-car dealers, or whatever, then they are going to be more high risk. If you’ve got high net worth clients, they are going to be more high risk. It’s a similar story for clients based overseas that you never see in practice.

All these factors have got to be drawn into your firm-wide risk assessment. Don’t just use the templates from the supervisory bodies — alter them to make them fit your firm’s circumstances. 

Every firm is unique. If you have a niche involvement in dentists, taxi drivers or whatever, then that should be in your firm-wide risk assessment. 

4. Know Your Client and client-risk assessments

While the firm-wide risk assessment covers the firm globally, you then need to do your Know Your Client verification and risk assessments on individual clients. This involves checking their ID and understanding their particular business. You then form an assessment of the money-laundering risk attached to that client.

I have seen people get bad marks because they haven’t really appreciated the difference between the firm-wide risk assessment, which is looking at the firm globally, and the individual client-risk assessment, which is looking at a particular client. 

The client-risk assessment document is separate to the Know Your Client or client due diligence document. It should say whether the client is low risk, normal/medium risk or high risk for money laundering. And if you’ve decided the client is high risk, then that documentation should show what you’ve done to try to mitigate that risk.

It should be obvious to the reviewer looking at the client-risk assessment for John Smith, why you have come to the conclusion that he is medium risk or high risk or whatever. That conclusion shouldn’t just appear like a rabbit out of a hat. 

5. Document your staff training

Supervisors want to see a record of training. They want to see some evidence that the MLRO has had training and that the staff members dealing with clients have had training. 

There’s usually a mini test at the end of purchased training. It might only be 10 questions and you have to get eight out of 10.  

They’re usually fairly simple questions. The AML equivalent of “How many legs does an elephant have?” They’re not meant to catch you out. 

And there needs to be a record of that. For example, your employee Mr Z did the test on 7 September 2022 and he passed. If you haven’t got any record of that, then you’re going to get grief from the supervisor. Effectively, if it isn’t written down, it didn’t happen. 

These supervisory reviews are called desktop reviews (in other words, at a distance/online). You’re just sending a sheaf of documents, and the supervisor has got to make some sense of them. 

If it’s not obvious what your documents mean, then really, you should be sending explanations with them. 

But what about reporting suspicions?

You’ll notice I haven’t mentioned reporting of suspicions. That is because your supervisor won’t give you a fail if you’ve not filed any suspicious activity reports. Whereas you really will fail if you have no record of training or no policies and procedures document, or no MLRO.  

I could add a lot more things such as the need to have fit and proper forms from your staff, which demonstrates that you are screening staff to make sure that they are not villains and rogues. I could talk about getting disclosure and barring service reports for the partners and directors in the firm. Your supervisory body might ask for those things.

But if you really don’t want to get too in the weeds with your anti-money laundering compliance, the fundamentals above are the bare minimum. 

If you’re stuck, or worried about facing an AML compliance review, then contact me or one of the other experts in the field and get some help.

Replies (33)

Please login or register to join the discussion.

avatar
By johnthegood
26th May 2023 17:56

At last, a truly excellent article, practical and relevant to practices, more of this please Aweb and less of, well, most of everything else!

I personally have always resented AML compliance, there seems very little point to it all and it takes up a lot of my time for absolutely no reward.

But a very timely reminder that I would get no rewards at all if I didn't comply (which of course I do) and got found out.

Out of interest is there a greater percentage of AML visits from PBs to their members, than from HMRC to those it supervises? It would interesting to find out those stats.

Thanks (13)
the sea otter
By memyself-eye
29th May 2023 11:29

Shows how detested AML regs are when the title includes the phrases (actually, is mostly) 'getting away with' and 'bare minimum'
just an obsevation...

Thanks (7)
avatar
By carnmores
29th May 2023 14:37

the facts remain, its a complete waste of time and money

Thanks (16)
Stepurhan
By stepurhan
30th May 2023 08:22

Always appreciate your specialist knowledge Mr Winch.

Thanks (3)
avatar
By DavidWinter
30th May 2023 09:52

Now THIS is useful, thank you.

Thanks (3)
avatar
By andrew1211
30th May 2023 09:54

Can anyone recommend some staff training for a small firm please? We need to do a refresher. Last one was fine but feel like using them again it will be pretty much the same aside from a couple of minor updates, so want some possible alternatives . Thanks.

Thanks (3)
Replying to andrew1211:
David Winch
By David Winch
30th May 2023 10:03

I have an interest in recommending PTP, you may recognise the chap in the videos ....
https://www.ptpinteractive.com/online-products/mlr-training

Thanks (5)
Replying to davidwinch:
avatar
By andrew1211
30th May 2023 10:17

Thanks, this is the one used last time! Guess is okay to use again as a refresher, but feels like box ticking almost given not masses of changes, but realise needs must.....

Thanks (0)
Replying to davidwinch:
Grace Heathfield
By Grace Mock
30th May 2023 10:17

We've used PTP - it is indeed straightforward and value for money IMHO.

Thanks (1)
Replying to andrew1211:
avatar
By Jimess
30th May 2023 10:24

We used Veriphy training this year. Quite comprehensive, a test at the end and certificate issued if you pass the test. You can go back over the course as often as you like so useful for checking things out.

Thanks (1)
Replying to Jimess:
avatar
By andrew1211
30th May 2023 10:37

I assume it was fairly relevant and focused towards our sector, was it?

Thanks (0)
Replying to andrew1211:
avatar
By Jimess
31st May 2023 09:57

I don't think AML training is particularly sector specific, Veriphy provide AML and other checks across a broad range of sectors, as do other training providers, we have used them for a number of years. They cover the things you need to know without getting bogged down in too much fine detail, but point you to where to find the fine detail should you need it, and the presentation is pretty good. We have only used either Veriphy or Mercia for AML training and this year I watched David Winch's webinar on Accountingweb, which I found really helpful.

Thanks (1)
Replying to Jimess:
avatar
By andrew1211
31st May 2023 10:03

Can you use Mercia training in isolation, or is part of one of their wider packages, do you know? Thanks.

Thanks (0)
By ireallyshouldknowthisbut
30th May 2023 09:56

From a business point of view, why would you want to do anything more than bare minimum?

It's 'busy work' and mere window dressing which we are forced to do.

As Mr Winch notes, it's irrelevant if you are genuinely looking at risk and genuinely looking for instances of money laundering, its 100% about box ticking and paperwork. So logically stick any told tosh on the file, so long as you tick it all.

If everyone ticks the right boxes then the regulators will of course get bored and invent some more to catch you out, and preputate their vile little industry which really just acts a leech to productivity.

Thanks (20)
Replying to ireallyshouldknowthisbut:
avatar
By johnjenkins
31st May 2023 11:59

When the EU first told us that we had to have AML I went into it in fine detail and more than the "bare minimum" is not required legally. I actually have to say that (and I'm a brexit person) the EU ruling was far simpler and made more sense than the UK counterpart.

Thanks (1)
avatar
By Ben Alligin
30th May 2023 10:21

A very good article, but can we please have one for the bare minimum for a single person practice. The MLO is clearly the same person i.e the accountant, presumably we don't have to have a document stating that, but that is only a guess.

Similarly do you have to produce a document for only you to read, to prove that you have the document?! This is where is starts to get into the realms of Alice in Wonderland.

Curiouser and curiouser, back off down my rabbit hole. But any guidance for a single man practice very gratefully received.

Thanks (8)
Replying to Ben Alligin:
David Winch
By David Winch
30th May 2023 10:37

Can I refer you to Reg 21(6) of MLR 2017 which refers to "where the relevant person [i.e. the regulated firm] is an individual who neither employs nor acts in association with any other person".
This basically says that you don't have to appoint an MLRO or screen your employees if you are 'the firm'.
You will still need a firm-wide risk assessment, policies & procedures document, undertake training, carry out customer due diligence and client risk assessments.
David

Thanks (4)
Replying to davidwinch:
avatar
By Ben Alligin
30th May 2023 10:49

Many thanks David.

I will ensure that my policy documents are currently compliant and that I continue sniffing out potentially dodgy transactions/clients and reporting them to the 'Powers That Be' who sadly still do nothing. At least it is not a futile process!!

Thanks (1)
Replying to Ben Alligin:
Donald MacKenzie
By Donald MacKenzie
30th May 2023 10:55

Another sole practitioner here. Just had a review. Fair bit of nonsense of filling in questionairres on staff training, level of understanding of AML amongst staff, process for staff reporting suspicions etc etc

I told the reviewer that I preferred using professional judgement over a box ticking exercise and that most AML stuff is irrelevant. The bad people still do what they want and the rest of us have to spend time to record what we do to prove we are not bad.

Thanks (5)
Replying to Donald MacKenzie:
By ireallyshouldknowthisbut
30th May 2023 12:28

Donald MacKenzie wrote:

Another sole practitioner here. Just had a review. Fair bit of nonsense of filling in questionairres on staff training, level of understanding of AML amongst staff, process for staff reporting suspicions etc etc

I told the reviewer that I preferred using professional judgement over a box ticking exercise and that most AML stuff is irrelevant. The bad people still do what they want and the rest of us have to spend time to record what we do to prove we are not bad.

Braver than me. I always grit my teeth and say how wonderfully important it all is. Another box ticked. Nothing to do with reality.

Thanks (2)
Replying to Donald MacKenzie:
avatar
By Catherine Newman
30th May 2023 22:08

I did likewise. I was threatened with a call in a month's time. That was in February and the date is????

Thanks (1)
Replying to Ben Alligin:
avatar
By Penny Cole
30th May 2023 15:01

Hi Ben, I have the same question, we are a two "man" operation, husband and wife so as the wife with a background in office administration presume I am the appointed MLRO

Thanks (0)
Replying to Penny Cole:
David Winch
By David Winch
30th May 2023 18:55

Just to be clear, there is a difference between (i) a firm which consists of solely one individual and (ii) a sole practitioner firm employing staff. My previous comment referred to a firm which consists of solely one individual (i.e. with no employees).
Where there is a firm of self + spouse then one of them has to be formally recognised as the MLRO (i.e. the supervisory body has to have been informed of the name of the MLRO). It is not simply a matter of "presuming" that to be the case.
Sorry to be pedantic but you really do have to get these fundamentals in order!
David

Thanks (0)
avatar
By AndrewV12
30th May 2023 10:40

David Winch is quick to note that he loves anti-money laundering (AML) compliance. “I would love people to spend lots of time and effort thinking about their anti-money laundering compliance,” he said.

David has possibly found a way of getting an earn out of AML.

Thanks (2)
Replying to AndrewV12:
David Winch
By David Winch
30th May 2023 10:53

Indeed! I take my hat off to general practictioner accountants who manage to keep abreast of sole trader / partnership accounts, company accounts, tax in many varieties, pensions, etc., etc.
I would suggest that it might be sensible sometimes to get (paid) assistance in other areas, including anti-money laundering compliance.

Thanks (2)
avatar
By rbien1
30th May 2023 23:52

just wastage of time , box ticking excercise , more bureaucracy , working like a slave for nothing

Thanks (8)
Replying to rbien1:
avatar
By petestar1969
31st May 2023 10:23

Do something else then.

Thanks (0)
Replying to petestar1969:
avatar
By johnjenkins
31st May 2023 15:40

Yer be a train driver.

Thanks (0)
Replying to petestar1969:
avatar
By rbien1
01st Jun 2023 03:32

I am happy to work for my clients , it makes me happy but ticking boxes for no purpose is kiiling my soul..... if someone ticks 1000 more boxes it will change anything ? it will stop someone from breaking the low if I he / she decides to do it ? No !

Thanks (0)
By cfield
31st May 2023 14:32

Great article and very timely, having just had a desktop review myself, as I suspect have many others as they seem to be having a blitz on AML compliance at the moment.

The only point I would take issue with is the risk grouping for client assessments, as in practice, you don't have much choice. I would have put almost all my clients in the low-risk group, being mainly landlords, contractors and small local firms, but no, that's only for local authorities, government departments, etc.

Likewise, if a client lives in a high-risk jurisdiction (and Dubai has now been added to that list so that goes for quite a few ex-pats) then they are high-risk too no matter how straight they might be, and you have to do enhanced due diligence, which as far as I can see is getting their ID checked by a specialist firm and trying to find out where their wealth came from.

Same goes for clients you haven't met in person, or don't see regularly. You have to do EDD on them too. Yet that is becoming more and more common these days, with most communication being by email or remote access, including their accounting records. If they are local, then you might see them right at the very start, but from then on it's an online relationship. There's just no need to see them even once a year. If they live more than a few miles away, you might not meet them at all. It might start as a one-off task (e.g. a 60 day CGT return, a Let Property Campaign disclosure or a WDF disclosure if say they forgot about their bank interest in India) and then you start doing their tax returns for them, so it develops into an ongoing business relationship. Are these clients really high-risk? Of course not, but according to the regulations they are.

I would like to know more about the ongoing business relationship requirement. Do one-off clients like the ones mentioned above fall into that category? Does that mean they are exempt from the KYC regulations? That sort of work is very common now, but you haven't mentioned anything about that aspect. It would very handy to know where we stand in such cases.

Lastly, I don't think the regulators are out to get us as such. They've obviously been leaned on by the Government to do a lot more supervision, and they probably don't like it any more than we do. It's just that these rules were drafted by politicians and civil servants, who know very little about how professional work is done in practice, just to comply with international treaty obligations that were agreed without any real thought as to how they would affect the ordinary public and the small firms that serve them. They are probably now having to tick their own boxes as part of the fall-out from scandals like the Panama Papers and the river of dirty money running through London, which they were able to turn a blind eye to until 24 February last year.

So in a way, I guess we could blame it all on Putin. It's all his fault. He's the one that stirred up the hornets nest and now we're the ones being stung.

Thanks (0)
Replying to cfield:
David Winch
By David Winch
31st May 2023 14:54

cfield wrote:

Same goes for clients you haven't met in person, or don't see regularly. You have to do EDD on them too. Yet that is becoming more and more common these days, with most communication being by email or remote access, including their accounting records. If they are local, then you might see them right at the very start, but from then on it's an online relationship. There's just no need to see them even once a year. If they live more than a few miles away, you might not meet them at all. It might start as a one-off task (e.g. a 60 day CGT return, a Let Property Campaign disclosure or a WDF disclosure if say they forgot about their bank interest in India) and then you start doing their tax returns for them, so it develops into an ongoing business relationship. Are these clients really high-risk? Of course not, but according to the regulations they are.

I would like to know more about the ongoing business relationship requirement. Do one-off clients like the ones mentioned above fall into that category? Does that mean they are exempt from the KYC regulations? That sort of work is very common now, but you haven't mentioned anything about that aspect. It would very handy to know where we stand in such cases.


Personally I take the view that if I 'meet' the client on zoom (or something similar) then that is as valuable as meeting them in my office.
With regard to 'one-off' task clients, the regs refers to a 'business relationship' which "means a business, professional or commercial relationship between a relevant person and a customer, which

(a) arises out of the business of the relevant person, and

(b) is expected by the relevant person, at the time when contact is established, to have an element of duration".
There are exceptions to that - for example forming a company for someone is deemed to involve a 'business relationship' even if it is a one-off.
So you may, for example, provide tax advice on a one-off basis without forming a 'business relationship' with the client. In those circumstances, and if you have no reason to suspect money laundering etc, then you are not required to conduct CDD.
But in practice I think most firms simply undertake CDD on every client - and there is nothing wrong in doing that.
David

Thanks (0)
Replying to davidwinch:
By cfield
31st May 2023 16:24

davidwinch wrote:

With regard to 'one-off' task clients, the regs refers to a 'business relationship' which "means a business, professional or commercial relationship between a relevant person and a customer, which

(a) arises out of the business of the relevant person, and

(b) is expected by the relevant person, at the time when contact is established, to have an element of duration".
David

Thanks David, but what does an "element of duration" actually mean in practice? Even 1 second is an element of duration, and all one-off tasks take some time to do. Is it any job that lasts longer than a day, or that you have to keep coming back to over a period of time, or where there is more than 1 email, phone call or meeting? Is there any guidance on this?

I take your point about doing CDD anyway though, as it is always possible the client may become a regular, and they expect to show their passports now anyway.

Thanks (0)
Replying to cfield:
David Winch
By David Winch
31st May 2023 18:05

The CCAB Guidance notes
"generic advice, provided with no expectation of any client follow-up or continuing relationship (such as generic reports provided free of charge or available for purchase by anyone), is unlikely to constitute a business relationship".
I don't find that guidance particularly useful.
I think one has to view the phrase "A business, professional or commercial relationship between a relevant (i.e. regulated) person and a customer, which arises out of the business of the relevant person and is expected by the relevant person, at the time when contact is established, to have an element of duration" as a whole.
So, to my mind, one could argue that the provision of, say, tax advice on the sale of a parcel of shares, might not be a 'business relationship' because it does not have an element of duration. But a judge might interpret it differently - and I wouldn't want to be a test case! So I would just do the CDD anyway.
David

Thanks (0)