CCAB sets out elevated AML standards for the accountancy sector

Background and context

On 17 May 2022, the Consultative Committee of Accountancy Bodies (“CCAB”) - comprised of five UK professional services supervisory bodies[1] – published updated Anti-Money Laundering (“AML”) guidance for the accountancy sector to align with AML standards set out in the EU’s 5^th AML Directive.

The key amendments made to the guidance are:

1. Reducing the timeframe considered to be “as soon as reasonably practicable” in the context of reporting discrepancies in the Persons of Significant Control (“PSC”) register to Companies House from 30 calendar days to 15 working days;
2. Changing statements from “should” to “must” in various instances, including within guidance for controls such as business wide risk assessment (“BWRA”), customer due diligence (“CDD”) and treatment of politically exposed persons (“PEPs”); and
3. Including clarifications with respect to the application of enhanced due diligence (“EDD”) measures and reference to the UK’s high-risk third country lists.
    

What does this mean for firms regulated/supervised by the ICAEW, ACCA, CIPFA, ICAS and Chartered Accountants Ireland?

In BDO’s view, the shift in terminology from “should” to “must” within nine discrete guidance elements is a stepwise change and places obligation, rather than merely expectation, onto supervised firms. The repercussions associated with a breach of requirements (compared to formerly a breach of best practice) are expected to be more severe. In H1 2022 we have seen financial and professional services regulators/supervisors alike levy sizeable fines for non-compliance with requirements, and thus we expect that CCAB-supervised firms will likely want to pay close attention to these new obligations.  

The impact of these wording changes have the potential to be widespread across firms’ economic crime framework, ranging from policy/procedure enhancements to deployment of additional training to introducing new controls. Some prospective downstream impacts of these changes for consideration by firms are as follows:

Control area	CCAB paragraph	New requirement	Potential downstream impacts for consideration by firms
Risk Assessment	3.6.5	Firms must consider information from its AML supervisory authority when conducting the BWRA	Increased need for (dedicated) resource for proactive horizon scanning for guidance/standards published by relevant AML supervisory authorities Documentation/audit trail of how this information has informed the BWRA, and then ultimately the AML framework
	3.6.9	Firms must have procedures that require the BWRA to include an assessment of money laundering and terrorist financing risk upon the introduction of any new service/product	Evolution of the design of the BWRA and product risk assessment methodologies to include new service/product risk assessment
CDD	Appendix B, paragraph 1.2	For verification purposes, the original document (or an acceptably certified copy) must be seen, and a copy retained	Updates to client onboarding and identification and verification (“ID&V”) procedures Updates to staff training
	5.1.9	Where an individual is believed to be acting on behalf of another person, that person must also be identified
	5.5.1	If there are delays in CDD, the firm must still gather enough information to enable them to form a general understanding of the client’s identity to assess the risk of ML/TF
Simplified due diligence (“SDD”)	5.3.6	The firm must set out circumstances under which SDD provisions cannot be applied (e.g. suspicion of ML/TF or where the firm no longer considers there is a low risk of ML/TF)	Updates to client onboarding and ID&V procedures and ongoing monitoring procedures Updates to staff training to support the understanding and impact of the application of a risk-based approach
PEPs	5.3.12	Appropriate risk management systems and procedures must be put in place to determine whether potential clients (or beneficial owners) are PEPs or PEPs by association	Enhancements to name screening solutions to identify PEP exposure Updates to client onboarding and ongoing monitoring procedures, including PEP alert investigation and dispositioning Documentation of escalation and approval channels for PEP clients Enhanced staff training for mitigation and management of PEP risk
People and resourcing	3.6.10	Before introducing any new ways of working (such as a remote/hybrid model),  firms must consider whether new controls, policies or procedures are required to mitigate any additional ML/TF risk which this may bring	Design and implementation of new “ways of working” risk assessments Enhanced training for staff to identify and evaluate the ML/TF risks posed by new ways of working Increased burden on the business and compliance to design and implement controls to mitigate risks identified Inclusion of assessment of such controls within assurance activity (e.g. internal audit or compliance monitoring)
	3.6.22	Firms must consider the skills, knowledge, expertise, conduct and integrity of all relevant employees both before and during their appointment	Hiring framework to be updated to assess required areas Staff performance assessment/ evaluation framework to be updated to assess required areas Enhanced training to be deployed to line/people managers in relation to such performance assessment/ evaluation amendments

 

In addition to changing wording from “should” to “must”, the updated CCAB guidance also:

1. Defines “as soon as reasonably practicable” in the context of reporting discrepancies in the PSC register to Companies House to be 15 working days, rather than 30 days. This timeframe should allow firms sufficient time to internally discuss the identified discrepancy and determine whether it is material and reportable. The UK Government considers that material and reportable discrepancies are factual errors such a missing PSC or an incorrect correspondence address, rather than typos[2]
2. Clarifies that EDD measures must be applied in relation to an occasional transaction or business relationship where either the client or another of the parties to the transaction are established in a high-risk third country and in relation to a business relationship with a client established in a high-risk third country; and
3. Makes explicit reference to UK high risk third country lists (applicable following Brexit).

The shortening of the timeframe for reporting of discrepancies from 30 calendar days to 15 working days may warrant firms to re-visit the efficiency of escalation channels (such as how frequently relevant governance forums convene) to ensure that potentially material discrepancies are promptly identified, discussed internally, recorded and reported.

The clarifications with respect to EDD measures and high risk third country lists are likely to warrant updates to relevant procedures as well as staff training.

Finally, in BDO’s view it is vital for firms’ Senior Management to implement and communicate a strong compliance culture in order to embed the new expectations.
 

How can BDO help?

BDO’s Economic Crime Advisory team work closely with AML-regulated firms across a wide range of sectors, including professional services firms. We have a deep understanding of their businesses and the specific environments in which they operate, enabling us to act as a strategic partner, providing clear advice which is both balanced and constructive.

Our team benefits from individuals who have extensive experience in professional services firms, and recently one of team completed a six-month secondment into the Compliance function of a professional services firms to enhance its anti-financial crime target operating model   . In addition to our dedicated Economic Crime Advisory team, our Head of Economic Crime has acted as the Chair of Accountancy Europe’s AML working party   and is the chair of the CCAB Economic Crime Panel. 

We have experience in reviewing and helping firms across the professional services sector to enhance their economic crime frameworks, including risk assessments; due diligence measures; and governance and training controls. Our services include, but are not limited to:

• Evaluating and/or enhancing the design of the BWRA to meet regulatory requirements and supervisory expectations;
• Reviewing and enhancing relevant policies and procedures, including onboarding, ID&V, ongoing monitoring and alert investigation;
• Designing and/or deploying economic crime technical training for all/any lines of defence, including senior management; and
• Supporting firms on the implementation of an effective and robust three lines of defence model

Please do not hesitate to contact a member of our Economic Crime Advisory team if you have any questions regarding how the updated CCAB guidance may affect your AML framework.