Anti-Money Laundering: How to ensure compliance
Learn how to ensure Anti-Money Laundering (AML) compliance in your practice.
Accounting and bookkeeping practices are vital in preventing and protecting against money laundering.
Modern-day practices need a comprehensive plan to fight fraud and maintain compliance, including robust policies, internal controls, and tools that take care of compliance tasks.
In this guide, we share a step-by-step process for meeting AML compliance rules in your practice. Learn about building a strong AML framework and simplifying compliance tasks with software.
Why is AML compliance important?
In the UK, accountants and bookkeepers must follow the Money Laundering, Terrorist Financing, and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017).
The legislation applies to businesses in the financial sector – such as banks, credit companies, independent legal professionals, and auditors. Under MLR 2017 rules, mandated businesses must have policies, processes, and internal controls to prevent, detect, and report suspicious activity. This can include:
- Customer due diligence checks
- Risk management
- Internal controls
- An appointed compliance officer
Money laundering has become one of the most common fraud types in the UK, and failing to put sufficient measures in place to prevent it puts your practice at risk. Your practice could be subject to millions of pounds’ worth of fines for non-compliance with AML rules, so getting it right isn’t just a matter of compliance – it’s about practice survival.
But, when practices are already over-stretched, setting up manual compliance processes for verifying clients, detecting fraudulent activity, and reviewing financial data is a burden. Fortunately, modern accounting software can help you set up and uphold compliance processes that protect your practice.
How to build a strong AML framework
There are various ways fraudsters commit money laundering crimes, so your practice needs to be prepared with lots of different protections.
An AML framework is your system for preventing and managing risk. As with any good plan, you don’t stake everything on a single process or technique to keep your practice safe. You combine different policies, processes, and tools to ensure you’re covered from all angles.
Strong AML frameworks reduce compliance risks, simplify processes, and protect practices from financial and reputational damage. Let’s take a look at four framework components – Customer Due Diligence (CDD), risk-based approach, internal controls, and appointing an MLRO – and how you can integrate them into your practice.
Customer Due Diligence
To be compliant with AML rules, you must verify the identity of every client you work with. You can do this in a few different ways – either by collecting government-issued documentation such as a passport or driving licence, or by using an identity verification service.
While you can gather and store paper copies of evidence, these aren’t always the easiest to locate in the future. Today, modern accounting software can support you with the safe storage of identity documents, and even provide the tools for verifying identity.
Xero’s cloud-based accounting software, for instance, makes it easy to securely store and organise client data so that you have sufficient evidence of compliance that’s easily retrievable.
Risk-based approach
Taking a risk-based approach helps you identify client-specific risks and tailor your AML policies and practices around them.
To do this, you need to conduct a risk assessment first. Under MLR 2017, mandated businesses are required to assess the risk factors of the following:
- Customers
- Geography and countries you operate in
- Your service types and/or products
- Transactions you’re involved with
- Delivery channels
Look at each risk identified and rank it by the likelihood of it occurring, and the severity of the potential impact. This risk assessment should be recorded and repeated regularly to maintain a consistent level of protection.
If you already have measures in place to mitigate the risks identified, question whether these are sufficient. And, if you haven’t set up protocols yet, it’s time to design and implement ones that address the risks. Action should be relative to the size of your practice – a sole trader or two-person business won’t be expected to have the same controls as a global accounting firm.
Keeping up with the changes to your clients and their businesses isn’t easy, but cloud-based software can give you a helping hand. Our practice management product (Xero Practice Manager) integrates with tools like CAS 360. This app connects to Companies House and tracks client data, so you can view company registrations and get notifications when clients change their listings. This gives you complete oversight and makes it easier to track client changes over time.
Internal controls
Internal controls are the measures you take to keep your practice safe. Under MLR 2017, businesses are required to:
- Assign a compliance officer
- Screen employees
- Set up an independent audit function
You can read the full guidance on MLR 2017 controls in the legislation.
Other internal mechanisms, such as maintaining clear, accurate records, providing regular training for your team, and completing thorough ‘know your client’ checks, will keep you on the right side of compliance.
It’s a lot of work for any practice – especially if you’re using different tools for every internal mechanism. You could be storing client records on workplace devices, segregating duties and assigning work with a spreadsheet, or using a separate identity verification service to check your clients are who they say they are.
With cloud-based accounting software, like Xero, you can set up and manage your internal controls in one place, making it easier to track client verification statuses, retrieve records, and follow financial data trails.
Appoint a Money Laundering Reporting Officer
As one of your internal controls, you may need to appoint a Money Laundering Reporting Officer (MLRO).
This person is responsible for ensuring the practice complies with the requirements to screen employees before and throughout their employment, take care of the audit function, and maintain policies, controls, and procedures. Plus, the MLRO is required to report suspicious activities to the National Crime Agency.
Your MLRO needs to be either a member of the board of directors/equivalent management body (if you don’t have a board) or senior management. The officer will engage with the tools you use for compliance: tracking changes to your clients’ details and Companies House registration, ensuring client identity checks are adhered to, and reviewing financial data for unusual activity.
Having software that centralises all of these processes can be a massive help and a time saver. Instead of being spread across multiple platforms and resources, your MLRO can review client data, monitor transactions, and manage verification in cloud-based software like Xero.
How to identify potential risk
With fraud growing increasingly sophisticated, it can be hard to spot suspicious activity. And, what looks like suspicious activity for one business could be considered normal for another – which is why you need to know your clients.
High-risk scenarios could look like any of the following:
- Large, unexpected cash payments (without a clear purpose) into or out of a client account. The transactions may have little or no information attached to them, or be attributed to something outside of the client’s usual scope of business. If this happens, you should review the transaction against your knowledge of the client and their business. You can also request documentation (like a bank statement) for the transaction.
- A high volume of large transactions in a short space of time. These transactions may not follow the usual pattern of income and outgoings for your client. Again, requesting documentation as proof could help you weed out suspicious activity. And, generating financial reports can help you identify if this activity is outside the norm.
- Unexpected or surprising wealth increases, such as third-party funding. What counts as unexpected or surprising comes down to how well you know your client and their business. If you see a large lump sum enter their account, consider whether this could be fraudulent activity and request proof of the transactions if needed.
Monitoring and mitigating risk is much easier when you have financial information stored in a single space, alongside client documentation, reports, and practice tasks.
With Xero’s accounting and practice management software, you can monitor client activity and manage your team in a single space. Xero Practice Manager makes it easy to see team activity and assess whether they're likely to meet compliance deadlines. Plus, with a live feed of client transaction data into Xero, you can spot discrepancies in financial information early, as they flow into the software.
How to use technology and training to remain compliant
AML risks can easily go under the radar if you’re not on top of your compliance tasks.
It’s hard to maintain oversight of policies, procedures, and adherence to them if everyone is using different tools and processes. Standardising how you manage clients and compliance with software helps you maintain a clear view of activity.
Accounting software like Xero gives you the tools to track client activity as it happens, implement identity verification steps, and store documentation – like client contracts, transaction records, and proof of identity – in one secure environment. This creates clear audit trails automatically and helps you mitigate suspicious activity before it poses a threat.
Since criminals apply increasingly sophisticated techniques to get away with fraud, conducting regular AML training is essential for managing the threat.
Disclaimer
Xero does not provide accounting, tax, business or legal advice. This guide has been provided for information purposes only. You should consult your own professional advisors for advice directly relating to your business or before taking action in relation to any of the content provided.