An inspector calls

Why do visits take place?

The CIOT and ATT are the Anti-Money Laundering (AML) supervisors of: CIOT and ATT members who are sole practitioner tax advisers; and other tax adviser firms where at least one of the principals in the firm is a member.

AML visits are part of a number of supervisory tools the CIOT and ATT use to:

• check compliance with the regulations; 
• identify areas where firms need more guidance on how to meet the requirements of the regulations; and
• identify and leverage examples of good practice

What actually happens during a meeting?

Visits are headed up by the Professional Standards team who will talk through the AML risk profile of the firm and what AML policies, procedures and controls are in place with the MLRO and appropriate senior staff. 

The firm being visited will also be asked to produce various documents including the written practice risk assessment and practice policies and procedures. In addition copies of criminality checks are required where these have not already been provided as part of the registration or renewal procedures (further details in relation to the criminality check requirements can be found (CIOT website and ATT website).

The meeting is relatively informal and there is always the opportunity for supervised firms to ask questions and receive guidance on particular areas of concern to them. 

What have we found through our visits?

MLR 2017 brought in a number of new requirements for firms to add to those which have been around for some time. AML Newsletter 19 gives a summary of changes.

Over the last year we have observed that firms in general have good policies and procedures operating ‘on the ground’ and deal with risk at the outset through the careful screening of clients. Firms must, however, remember that compliance with key requirements set out in the regulations must be evidenced in writing. A mental checklist is no longer sufficient.

Where issues have been identified, such as the absence of written policies and procedures or no formal client due diligence (CDD) because the client has been known to the member since birth, these are followed up by CIOT/ATT through to compliance.

Some of the key requirements are discussed below and include examples of good practice.

Written practice risk assessment

Firms have been required to take a risk based approach for a number of years but they now have to set out their practice risk assessment in writing. The requirement applies to both large firms and sole practitioners.

Firms need to ensure they are alert to particular AML risks which are likely to arise and where different risks apply in different parts of the practice. For example, the types of clients taken on, the sectors in which they operate, the geographical links they have and the type of service they provide will all feed in to the risk assessment. The UK government’s National Risk Assessment and information provided by supervisory bodies (CIOT website and ATT website) can be useful sources when drawing up a risk assessment.

It has been helpful to see that many of the firms visited have added a risk assessment section at the start of their policies and procedures document. This provides their summary of the nature of their business, the type of work they provide, and their assessment of whether they consider there is an overall money laundering risk rating of low, medium or high. Backing information used to reach the assessment of risk should be retained. 

Some larger firms have reported that they now use their strategic management meetings to consider not only pure commercial risks but any developments in the AML risk profile of their business. 

Written policies and procedures

Another new requirement is for the firm’s AML policies and procedures to be in writing. Again, this applies to all firms including sole practitioners.

The regulations set out what must be included in the policies and procedures and AML Guidance for the Accountancy Sector (AMLGAS) provides helpful guidance indicating that the following need to be considered and covered:

• risk based approach, risk assessment and management; 
• client due diligence (CDD); 
• record keeping; 
• internal control; 
• ongoing monitoring; 
• reporting procedures; 
• compliance management; and
• communication

Policies and procedures should be proportionate to the size and nature of the business and seek to mitigate and manage the risks set out in the practice risk assessment. This means that it is perfectly acceptable for smaller firms or lower risk firms to write a brief document succinctly setting out what the sole practitioner or small staff team do in relation to all aspects of the MLR 2017. 

The policies and procedures should be subject to regular review and update. The introduction of MLR 2017 has been a useful prompt for firms to look again at their documents. Many firms diarise when they will undertake a review – generally during their quieter period of the year.

Areas of good practice seen include:

• Tailored new client take on forms to make sure all important questions have been covered with the client, a record of Identity documents and other CDD has been retained and risk is considered and noted up front.  These forms often provide a useful prompt to individuals to check on issues such as beneficial ownership and whether their client is a politically exposed person (and in the latter case to get senior staff sign off). They also act as a reminder to check the financial sanctions and proscribed terrorist lists (Who is subject to financial sanctions in the UK? and Proscribed terrorist groups or organisations) (these checks are mandatory).
• Often new client forms include an annual risk assessment ‘grid’ prompting sole practitioners or staff to review CDD and risk and sign off when done.
• Spreadsheet control records showing what CDD was received, the initial risk assessment, annual notes of risk issues which have cropped up, the outcome of discussions with the client and an annual update of the risk assessment.
• AML checks being undertaken in conjunction with the annual tax return procedures. For example when dealing with the tax return the staff member also checks CDD records and notes the updated risk assessment.

For those firms not wanting to write their own policies and procedures some training providers include template documents which can be tailored to your practice (see below re providers). 

Training

The regulations require all relevant employees to be made aware of money laundering and terrorist financing (MLTF) law and training must be provided regularly. A written record of training must now be maintained.

Many firms ensure staff training is untaken on an annual basis and the sessions often require some sort of test to be passed at the end.

For some practices it is practical for everyone to watch a webinar together, for others senior staff will undertake more intensive training to ensure they are fully trained for their role as MLRO etc. and then they will be in a position to cascade that information to others. Firms regularly report that AML issues are a standard agenda item for team meetings. Whilst some firms undertake training in a quiet period others undertake training just as the busy season gets going, as that is an effective time of year to remind staff of the requirements.

There can be serious implications for firms where they have not trained their staff and there is a failure to make a suspicious activity report as the staff member may rely on lack of training as a defence which in turn could lead to a charge against the firm for failure to train its employees. Good practice seen includes not only general AML staff training but a clear policy of ensuring staff are given the time and opportunity to read the firm’s policies and procedures. In some cases, staff are asked to sign to confirm that they have read the firm’s policies and procedures when they commence with the firm and sometimes on an annual basis thereafter.

Guidance on training providers is available on the CIOT and ATT websites.

Suspicious Activity Reporting (SAR)

It is good practice to register with the National Crime Agency’s (NCA) online SAR system. Once in place it ensures the MLRO is ready to make a report promptly if needed. It also provides another source of MLTF guidance. For registration details refer to the NCA website.

MLROs take their responsibilities seriously and areas of good practice discussed include having an open approach where members of staff feel comfortable raising issues with the MLRO. This is often encouraged in the small team environment where an MLRO is located close to the team and they are able to easily approach them. MLROs are reminded of the importance of keeping a note of all matters brought to their attention or considered even if they conclude that a SAR is not required.

Conclusions

There is a continued concern about money laundering and terrorist financing in the UK and CIOT and ATT members are required to play their part in defeating it by complying with MLR 2017. This means ensuring your practice meets not only the requirements of MLR 2017 but also those of your AML supervisor including the timely submission of the AML registration/renewal form and DBS check where requested. 

For further guidance you should refer to the CIOT and ATT websites which link to: 

• the legislation MLR 2017 
• the Treasury approved AMLGAS 
• a set of frequently asked questions (CIOT and ATT websites).

See also information on the warning signs of money laundering and much more on the Government AML Flag it Up campaign site.

The Professional Standards Team is here to help. To make contact email standards@ciot.org.uk and standards@att.org.uk.