In November last year, Insights covered the key findings of ‘Protecting Against Professional Enabling’, ICAEW’s latest Anti-Money Laundering (AML) Supervision Report. Based on more than 1,000 monitoring reviews at firms in the Institute’s supervisory remit during FY23/24, the report found that cases of non-compliance often stemmed from ineffective customer due diligence (CDD).
The findings emerged against the backdrop of a growing use of technology for a variety of different accountancy tasks. With that in mind, Michelle Giddings, ICAEW Head of AML and Operations, Professional Standards, explains how tech can help accountants address the AML challenges they face in their work.
In the first instance, though, Giddings highlights a major caveat: that firms of different sizes will be dealing with different risk levels, so sophisticated tech will not always be the answer. She points out that, while the most prominent firms within ICAEW’s supervised population are the Big Four, they are still just a small subset. After those market leaders, there are around 50 firms with more than 20 principals and 150 with 10 to 20 principals.
“We then quickly arrive at a long tail of sole practitioners,” she says. “From risk profiling our firms, we know that the vast majority are at the lower end of risk. That’s in terms of the nature of their clients, their likelihood of encountering people who are using legitimate businesses to legitimise criminal proceeds, and the risk that they themselves could be exploited to launder money.”
Indeed, Giddings notes, risk sits in only around 2,000 of ICAEW’s total 10,000 supervised entities. “That’s an important context,” she says. “It’s easy to talk up tech and how we must all use it. But if we look at risk management at the lower end of risk, most firms are doing a great job. Yes, tech could help them speed up certain processes. But it won’t necessarily revolutionise their work. In fact, those firms could be at risk of using a third-party provider for CDD, for example, without properly understanding what that provider is doing.”
Unpacking risk
Those cautions aside, Giddings notes that at the higher end of risk – comprising the Big Four and the remainder of the UK’s Top 20 firms – tech could prove immensely useful for addressing business factors with AML relevance.
“Given the number of offices, staff and clients those firms have, and all the risks that can intermingle with those factors, tech can help larger, supervised entities unpack the component parts of their businesses and deal with the related risks in a more efficient and effective way,” says Giddings.
She explains that simply having automated systems, where all the data is stored in the same format in a central hub, presents a significant advantage. “Working from the middle of the system, the money laundering reporting officer (MLRO) can define the firm’s compliance strategy through policies and procedures and define the risk appetite, ie, ‘These are the client types we’re prepared to take on.’ Plus, tech enables the MLRO to push that messaging through the template forms that staff fill in online, directing them to do the right thing.”
Compliance reviews, Giddings points out, are much easier to action when all the details are saved and stored centrally. The MLRO and their team can then dip into a reserve of, for example, CDD data and take a critical look at whether the relevant procedures are good enough. In a large firm with multiple premises, doing a paper-based CDD check by sampling physical documents from each office would be a much more time-consuming process.
“Tech is also valuable for ongoing monitoring,” Giddings says. “If you have systems that are plugged into, say, sanctions screening, Companies House, beneficial ownership registers or Dun & Bradstreet data, you will be alerted in the event of any potentially adverse changes on a client’s side. That will prompt you to see whether the issue needs investigating.”
Support structure
ICAEW tech and financial crime specialists regularly meet with AML software providers to quiz them and critique their platforms’ capabilities. One functionality gap that often comes up is that a system will take some initial Know Your Customer (KYC) details and jump straight to verification. In other words, it will triangulate a given KYC ID with a passport number, driving licence and/or electoral register details to determine its veracity, yet will skip a whole series of steps in the middle, such as evaluating political exposure or the jurisdiction(s) to which the individual is selling goods.
“AML systems tend to be fixated on verification,” Giddings says. “That can lead them to overlook potential criminality. However, we need to be fair to the tech companies. While they know that they need to step up on this issue, risk assessment is a tough problem for them to crack as it resists standardisation. The tech providers have thousands of client firms in accountancy and other sectors – all of which are allowed, under the Money Laundering Regulations, to have their own risk appetites. And what counts as high or low risk in one particular firm may be treated differently in another.”
As such, Giddings notes, tech companies face a dual challenge. They want to provide firms with as much of a support structure as possible. But they often find that firms want to absolve themselves of the responsibility for fine-tuning systems to fit their requirements. Instead, firms prefer to rely on the software to provide the answers. “It’s a bit of a conflict,” Giddings says. “What the providers are trying to say to firms is: ‘We can give you the essential backbone and structure – but we need you to go in and flex some of the parameters to make it specific to your firm.’”
Referring back to the report, Giddings notes: “When we talk in our study about risk assessment not being done well, we do point out that sometimes it’s because firms have used electronic systems without understanding what they’re doing for them. As such, the assessment either isn’t there, or isn’t quite correct.”