Accounting firms have an important role to play in preventing financial crime or raising red flags on suspicions. But how can small and medium-sized practices, many under pressure with the changes in the market and their service provision, keep on top of all that they are supposed to be doing to prevent bribery, to flag potential money laundering and to make sure they are not dealing with sanctioned clients?
Policies, procedures and training sit at the heart of firms’ systems for picking up or preventing possible economic crime. However, it’s easy for firms to concentrate on policies and training at the expense of establishing where the risks really are, carrying out a proper risk assessment, and thinking about where exposures might be lurking.
Just as important as a risk assessment is properly documenting it: recording the thought processes around the assessment, what evidence there was for them and the conclusions that the firm reached.
A firm will be in trouble if regulators or law enforcement agents challenge it and cannot produce evidence.
“If you conclude that your thought processes and procedures are completely adequate for your level of risk, then as long as this is properly documented you’ve got a good defence should anything go wrong,” says Jonathan Middup, head of bribery and corruption at EY.
After the risk assessment come the policies and procedures. The advice here from Rob Cutler, forensic services partner at KPMG, is to keep things simple. “Think about the size of your firm and what your needs are,” he says. “A lot of fintech firms offer amazing solutions to different problems such as client onboarding or checking sanctions lists. Often you just need to put in some brainpower to work out what is relevant to the size of your business and operations. Keep at the forefront what your organisation is trying to achieve, what risks you are exposed to and what risks you are trying to mitigate.”
A common pitfall when writing policies and procedures is to be aspirational rather than practical – to set down procedures that the firm thinks regulators would like to see in place as opposed to ones that work in practice.
One of the worst things a firm can do is not to follow its written policies, says Cutler. “Make sure you review your policies regularly and make sure they are in line with what you do as a firm. Another point to be aware of is that procedures evolve over time: the procedures manual needs to as well. Reality doesn’t always reflect what the firms say they are going to do.”
This is about taking a step back and looking at the practice as a whole and its exposure to risks based on its client list (David Stevens, ICAEW integrity and law manager)
Do the practical implications of the policies match the situation on the ground? For instance, a firm’s policies may include reviewing all clients at different intervals, with the time between reviews depending on how risky the client is deemed to be. But firms often don’t factor in the manpower needed to operate, execute and respond to the review, says Cutler. “It comes back to matching reality with aspirations, considering the resource and operational impact of your policy decisions.”
The emphasis of anti-money laundering and anti-bribery regulations is shifting from individual client assignments to include firm-wide risk assessments, policies and procedures. A number of firms already carry out practice-wide risk assessments, but everyone should now be doing this, says David Stevens, ICAEW integrity and law manager. “This is about taking a step back and looking at the practice as a whole and its exposure to risks based on its client list. If you are providing intermittent services remotely to a large client list that you’ve never met face-to-face, your risk will probably be higher than that of a practice in which the partners meet clients on a reasonably regular basis due to their locality.”
Management information can identify changes in the risk profile of customer types or the type of business the firm is doing. If a firm is moving from general auditing and accounting to more private client advice, which is higher risk, or if it is attracting higher risk clients, then its management information system should pick that up, says Cutler.
“In these cases, the firm needs to reassess the risk that is posed by the business and, if necessary, change its policies and procedures to reflect what they need to do to mitigate it.”
This needs to be an ongoing exercise. All too often firms carry out a sound initial risk assessment only for the results to gather dust on a shelf. “Firms need to review this at least once a year and ask, does this reflect the type of business that we are and are we managing our risk appropriately?” says Cutler.
Ongoing analysis is important in other areas, a prime example of which is due diligence. Firms that are on the ball when it comes to performing initial due diligence on new clients often neglect to keep an eye on what’s happening with clients once they are on the books.
An increase in risk factors can creep up on people unawares, says Stevens. “Say you take on a client who is a trader operating out of a high street shop. Your initial due diligence tells you everything is fine. Then, over the years, as trading conditions deteriorate, they start to export, to import from new locations, to take on different lines of business. Several years down the line, you realise that their business is dramatically different from when you took it on. But, in the meantime, you hadn’t carried out any ongoing due diligence that would have alerted you to changing risks.”
Ongoing due diligence is not a new idea but is, like firm-wide assessments, the subject of increased emphasis. The same goes for the idea of “failure to prevent”
a crime itself being an offence. The failure to prevent concept was introduced in the Bribery Act and its perceived success has led to failure to prevent the facilitation of tax evasion being included in the Criminal Finance Bill, which is due to become law this September. Meanwhile, the Serious Fraud Office is pushing for a more general failure to prevent economic criminal offence to be enacted.
The emphasis on the failure to prevent offence should concern all small and medium-sized practitioners, says Middup.
“First you need to get the bricks and mortar in order around your own practice, looking at your own risks. Then you need to consider whether your practice could be used in structures that are involved in bribery or sanctions busting or to help with tax evasion. What controls do you have and what policies do you have around what you will do on a client’s behalf?”
His advice for helping keep focused in this potential minefield is to concentrate on the power of the question “why?”.
“With anti-money laundering and anti-bribery measures, many people get hung up on policies and procedures. Simply asking questions such as ‘why do you want to make this payment?’, or ‘why do you want to attend this conference?’, or ‘why are we paying more than the market rate for this service?’ can unearth what is really happening.
“Keeping that fluidity, that element of an inquiring mind and scepticism to the fore can get you to the heart of the risk much better than by using complex structures,” says Middup.
Information and help centres
The first place to turn to for guidance on anti-money laundering is the CCAB guidance, available on the ICAEW website as Technical Release 04/08. CCAB also publishes a shorter booklet of case studies. “These offer really useful, practical guidance on how to identify when there might be a problem,” says KPMG’s Rob Cutler.
ICAEW, working with SWAT, provides an anti-money laundering package of online compliance systems and training, which is scalable and tailored to the requirements of an individual practice.
Sanctions lists are published online by organisations including the Office of Foreign Assets Control and the UK government. Because of the sheer number of lists and sources, many firms use a compiler database, such as World-Check, to do a single check of names of those suspected of being involved in terrorism, organised crime and money laundering. Other commercial products used by accounting firms include amiqusID for due diligence and compliance checks.
ICAEW’s landing page for bribery and corruption gives a summary of the Bribery Act and its implications for practices before linking through to the latest cases and webinars on the topic. Meanwhile the UK government and Transparency International have extensive guidance for businesses on their websites.