CDD and verification
How often should CDD be reviewed?
The frequency should always be risk-based. Firms typically either review CDD annually or whenever they access the client file, or implement a risk-based schedule under which normal-risk clients are reviewed every 2-3 years, high-risk clients more frequently and low-risk clients less frequently. Whichever schedule is used, firms should have systems in place to identify trigger events (such as ownership changes or adverse media) that require an immediate review.
When ID expires, or the client moves, are you required to ask for updated ID/proof of address?
No, there is no automatic requirement to obtain new ID documents simply because they have expired or a client has moved address. You only need to verify their identity once. Additional verification may be needed if risk factors or significant changes emerge that question your understanding of the client.
If you use SmartSearch and have adequate client onboarding information, do you have to have all checklists as well?
The use of checklists is not mandatory. The key is demonstrating a systematic approach, whether through checklists or other documented methods. But the key thing to note here is that you might have good onboarding information (the first stage of CDD) and ID verification through SmartSearch (the third stage of CDD), but how, and where, have you performed your risk assessment of the client (the second stage)?
What constitutes "verification" of CDD documentation? Is a human review sufficient or must it involve electronic technology too?
Electronic technology is not mandatory for verification. Verification can be achieved through various means, including human review of physical documents and online searches. While electronic screening tools can be helpful, particularly for higher-risk clients or those with overseas involvement, they are not a requirement. The key is ensuring your verification process is appropriate for the level of risk identified.
What is the ICAEW's position on video calls to verify client ID, in place of meeting in person?
Post-pandemic, virtual meetings have become increasingly common. An online meeting is now considered as 'meeting the client'.
But you need to recognise that meeting the client is part of a bigger picture. You need to think about what the meeting is achieving – what is its purpose and how is it part of your AML risk mitigation strategy?
You should always bear in mind the risks you are trying to mitigate. So, if you think there is an issue or concern with a client that a traditional, in-person meeting might help to deal with, then you might want to move to that.
If you don't use checklists, then how do you prove the systematic approach you have followed?
While checklists aren't mandatory, you need to demonstrate a systematic approach to AML compliance that shows you have performed the three stages of customer due diligence: identification, risk assessment and verification. This can be achieved through means other than checklists, for example detailed file notes, electronic system records, standardised procedures, and clearly documented risk assessments that show your decision-making process and the steps taken for each client.
If we are only providing bookkeeping services, what are our responsibilities for reviewing sources of new funds?
Regardless of the services provided, you remain responsible for understanding significant sources of funds where there might be concerns or where the source of funds is considered higher risk. If you identify suspicious transactions or unexplained sources of funds while providing bookkeeping services, you have the same obligation to question and report as you would with any other service.
Risk assessment and high-risk clients
If you have a director or ultimate beneficial owner (UBO) who is based overseas, can we rely on local lawyers to provide a reference for AML?
While you can take into account information from overseas professionals, you remain responsible for ensuring adequate CDD. The reliance provisions in the Money Laundering Regulations have specific requirements about which third parties you can rely on and the conditions that must be met. If you are simply using local lawyers to certify that documents are a true likeness, be sure to perform some verification work to confirm that the individual purporting to be a local lawyer actually is one.
How do you verify a charitable donation from an overseas individual to a UK charity?
This requires a risk-based approach focusing on both the source of funds and the legitimacy of the donation. The level of verification needed will depend on factors such as the size of the donation, the jurisdiction involved, and any other red flags identified. Sometimes, simply by asking the right questions of the client, you can gain sufficient information and understanding to ensure that the ‘story’ stacks up. If there are any elements that seem unusual, you may need to gather documentation or evidence to corroborate the information you have been told.
With payroll risks, are you referring to where we do the client's payroll or where the client does payroll themselves?
The National Risk Assessment describes payroll services as higher risk because they can be used to legitimise illicit funds, or transactions that arise from modern slavery, benefit fraud or tax evasion. If you're providing payroll services, you need to be alert to potential money laundering risks in the transactions you process: does the payroll data make sense? If the client handles their own payroll, the payroll risk would be higher where the client operates in a sector more closely linked to modern slavery (such as restaurant businesses or cleaning services).
Would you expect source of funds and source of wealth information to be documented for all clients, or only for politically exposed persons (PEPs) and high net worth individuals?
Enhanced due diligence (including detailed source of funds/wealth checks) is mandatory for PEPs and high-risk clients. For other clients, the level of documentation needed depends on their risk profile and any red flags identified. As part of your client take-on, you will get a sense of source of funds and source of wealth through general discussions (ie, do they have significant investments, and have they funded these through salary/earnings or through other means such as inheritance?). Once you have this high-level information, a build-up of risk factors may suggest that you need to do more work to corroborate or explain information that is unclear or unusual.
When completing our 'know your client checklist' regarding high net worth individuals, what is the threshold?
For ICAEW annual return purposes, the threshold for high net worth individuals is currently £20 million. However, this does change so please refer to our latest annual return guidance to check this figure. Firms can set their own, lower, internal thresholds based on their risk appetite and client base.
When I identify a client as medium risk (eg, a company with a non-UK director) what additional work is expected?
Medium-risk clients require proportionately enhanced measures beyond standard due diligence, but not the full extent of enhanced due diligence required for high-risk clients. This might include additional verification steps, more frequent reviews, and enhanced monitoring of transactions. The specific measures should be determined by the particular risk factors identified. Remember, the extent of the additional information you obtain, or the corroborative enquiry you perform, will depend on, and should address, the risk itself (in this example, the non-UK director).
If we can mitigate a risk deemed high can we conclude the client to be a normal AML risk?
While risk mitigation is important, the original risk factors should still be considered in your overall risk assessment. Effective controls can help manage high risks, but this doesn't automatically reduce the inherent risk level to 'normal'.
Suspicious activity and reporting
If you are asked to set up a complex structure which makes it difficult to find the true owner but refuse to do the work, is that reportable?
Yes, this may warrant making a suspicious activity report (SAR). While the extent of your obligation might depend on how far you got in the take-on process when you identified the risks, on the face of it, this scenario would be expected to be reported. This is supported by both the CCAB guidance and the regulations.
Is an overseas company that is not on the Register of Overseas Entities (ROE) (but should be) a reportable discrepancy?
Yes, if you identify that a company should be registered on the ROE but isn't, this constitutes a discrepancy that should be reported to Companies House as part of your obligations under the money laundering regulations.
If we encounter a situation to report a SAR, could we still take on the client or should we decline the engagement?
The decision to take on a client after filing a SAR depends on various factors, including the nature of the suspicion and whether proceeding might tip off the client or constitute an offence. You should carefully document your decision-making process and consider seeking professional or legal advice for specific situations.
Technology and electronic verification
When the new Companies House ID verification has been completed for Directors & PSCs, will we then be able to rely on that?
While this would be ideal, it is not currently confirmed and would require government legislation. It is important to remember that ID verification is only one part of CDD, and firms should focus on mitigating the other risks rather than fixating solely on ID verification.
A lot of firms now offer digital ID with photo and video verification. Do you see this becoming the norm?
While electronic verification methods are becoming more common, we want firms to focus on ensuring that the verification performed addresses the risk. For many clients, it may be entirely appropriate to view original passports.
ICAEW support
Is there a template for a cold file review to use internally?
Yes, ICAEW provides compliance review templates and guidance on its website, including the AMLBites videos, which explain what should be included in file reviews.