One of the less well known requirements of the Money Laundering Regulations 2017 is the provision in regulation 19(3)(e) concerning the monitoring and management of compliance with the firm’s AML policies, controls and procedures, which is amplified in regulation 21(1)(c). The AML supervisory bodies expect all but the tiniest accountancy firms to arrange for a regular independent review (in practice an annual review) of their compliance with AML requirements, and of course that review needs to be documented.
But is this time down the drain? No, I would argue that a thorough review of the firm’s AML compliance can identify problem areas early – allowing them to be addressed well before that dreaded email arrives from the AML supervisory body saying that an inspection has been scheduled.
What is an independent review?
The CCAB AML guidance at paragraph 3.6.25 explains that the requirement for an independent review does not necessarily mean an external review, but the inference is that the review should not be undertaken by the MLRO. At the same time the reviewer will need to have a detailed knowledge of the requirements of MLR 2017, access to all the relevant information concerning the firm and its clients, and the authority to ensure that action is taken to address any shortcomings which the review identifies.
What do firms do?
In my experience firms address this requirement in one of four ways –
- Paying an external reviewer to undertake the review;
- Having an independent internal reviewer undertake the review;
- Having the firm’s MLRO undertake the review; or
- Not undertaking any review.
Each of these approaches has advantages and disadvantages.
CCAB compliant reviews
Paying an external reviewer to undertake the review has the advantage that the reviewer will have a good knowledge of the requirements of AML compliance and experience of how other accountancy firms address these, and will know what the supervisory bodies look for. Also the reviewer will be genuinely independent. But an external reviewer will not have as much knowledge of the firm and its clients as an employee of the firm, and of course an external reviewer has to be paid. In practice this option is usually only adopted where there are known to be problems with the firm’s AML compliance which need to be addressed, or where an external review has been specifically requested by the supervisory body.
Having an independent internal reviewer undertake the review has the advantage that the reviewer will know the firm and its clients very well. But an internal reviewer will not have experience of how other accountancy firms address AML compliance issues and may have a limited understanding of AML compliance requirements. Added to that, it may create awkwardness if the reviewer concludes that the firm’s compliance in practice is not good. The reviewer should use one of the AML compliance checklists published by the AML supervisory bodies to assist him in his review.
Other reviews
Having the firm’s MLRO undertake the review means that the reviewer knows the firm and its clients well and has a good understanding of AML compliance requirements, but the review is not independent (and so does not meet the requirements of the CCAB AML Guidance). The danger is that if the MLRO has a ‘blind spot’ regarding any of the requirements that will not come to light from his review of his own work. Again the use of one of the AML compliance checklists published by the supervisory bodies will assist in the review. Whilst a review by the MLRO himself does not meet CCAB requirements, a review using a compliance checklist is likely to be time well spent – and much to be preferred to undertaking no review at all.
Not undertaking any review is the easiest approach to implement! The disadvantages of this approach will certainly appear when the firm’s AML supervisory body undertakes an inspection. I have to say that, amongst smaller firms, this is the approach which I find is most often adopted in practice.
Results of independent reviews
In my experience the results of independent reviews are typically that there are areas which need to be addressed. Amongst common failings are that –
- the firm’s Firm-wide AML Risk Assessment and Policies, Controls and Procedures documents are inadequate;
- the firm does not actually operate the procedures set out in its own Policies, Controls and Procedures document (which may indicate that the procedures in the document have not been sufficiently tailored to the firm’s circumstances);
- training records are inadequate;
- client identification and especially client AML risk assessments are not properly completed or are not sufficiently documented; and occasionally
- that a Suspicious Activity Report has not been filed where there are grounds for suspicion.
Identifying these types of issues in an annual review creates an opportunity to correct them well before your AML supervisory body comes knocking at your door – and will demonstrate to your supervisor (when they do arrive) that you have taken appropriate steps to comply with your firm’s AML obligations.
When is the best time for a review?
Actually now may be the best time to undertake the firm’s AML compliance review. The summer is often a relatively quiet season for smaller accountancy practices so it presents an opportunity to deal with those tasks which are important but never urgent.
If you are concerned that your firm’s AML compliance is inadequate, or may be interested in an external review, get in touch now using the link below and we can work together to deal with this. The hardest part is getting started.