ECSH52800 - Business sectors supervised by HMRC: accountancy service providers: compliance checks at an accountancy service providers visit
You should refer to the general guidance in ECSH33000 Checking customer due diligence which covers Compliance Testing in general when considering how to test compliance with the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) at a compliance visit. The information below is supplementary and focuses on specific circumstances you may come across at an accountancy service provider (ASP).
(This content has been withheld because of exemptions in the Freedom of Information Act 2000)
At a compliance visit, an officer should seek to understand all ASP services (relevant activity) conducted by the ASP, how the ASP has risk assessed each service alone and in combination, and how it manages and mitigates those risks.
Record testing should span all of the ASP services provided. For example, where an ASP provides bookkeeping and payroll services, records should be selected where bookkeeping services have been provided, where payroll services have been provided, and where both services have been provided together.
Where the ASP also carries out relevant activity in another supervised sector, an officer should seek to understand the business’s compliance with the MLR 2017 in respect of additional sectors. Record testing should span all sectors of relevant services provided by the business, including where provided in combination.
General money laundering, terrorist financing and proliferation financing risks for ASPs can be found at ECSH52625. At a compliance visit, ASPs should be expected to provide an explanation for any departure from published guidance.
Guidance for ASPs
The ‘Accountancy sector guidance for money laundering supervision’ for ASPs is produced by the Consultative Committee of Accountancy Bodies (CCAB) and is approved and adopted by HMRC. This comprehensive guidance gives full information to assist ASPs in complying with their obligations under the MLR 2017.
HMRC’s assessment of the money laundering, terrorist and/or proliferation financing risks relevant to the ASP sector (‘Understanding Risk and Taking Action for ASPs’) is published in the Understanding risks and taking action for accountancy service providers guidance. HMRC is required to publish its risk assessment of the sector by Regulation 17(9) of the MLR 2017.
ASPs must take these publications into consideration as part of their compliance obligations under the MLR 2017. A compliance visit to an ASP should therefore include establishing whether, and to what extent, they have considered these publications and followed the guidance. ASPs should be expected to provide a credible explanation for any departure from this guidance.
Generic Risk Assessment (RA) and/or Policy, Controls and Procedures (PCPs) documents
You may find that an ASP has purchased RA and/or PCP documents from one of a number of firms that produce these for the ASP sector. The ASP may give these to you in an attempt to evidence its compliance with the MLR 2017. However, the MLR 2017 require risk assessments to be tailored to the specific business, and some of these generic risk assessments may not be tailored to the individual circumstances of the ASP and may therefore be inappropriate. For more information on checking RAs and PCPs see ECSH33205 and ECSH33210.
Customer Due Diligence (CDD)
Chapter 5 of the CCAB guidance provides detailed guidance on the specific checks that a business should consider implementing to demonstrate that satisfactory CDD and Enhanced Due Diligence (EDD) measures are in place.
In addition to demonstrating it has identified and verified its customers, it is also necessary for an ASP to demonstrate that sufficient information about the trading activities of the customer has been obtained so that a risk assessment of the customer can be carried out in relation to possible involvement in money laundering, terrorist or proliferation financing activity. Once such an assessment has been put in place, ongoing monitoring must be carried out when there is a business relationship to confirm that the risk has not altered or to identify any changes which may warrant additional risk mitigation measures.
Appendix D of the CCAB guidance, and HMRC’s ‘Understanding Risk and Taking Action for ASPs’ include non-exhaustive lists of potential risk factors for ASPs to consider when determining appropriate risk-based CDD measures.
Suspicious Activity Reports (SARs)
ASPs are required under Part 7 of the Proceeds of Crime Act 2002 (POCA) and the Terrorism Act 2000 to submit a SAR in respect of information that comes to them in the course of their business if they know or suspect, or have reasonable grounds for knowing or suspecting, that a person is engaged in, or attempting, money laundering or terrorist financing. The MLR 2017 require an ASP to have appropriate PCPs in place that will enable the submission of SARs to the National Crime Agency (NCA).
Regulation 66 of MLR 2017 gives supervisors, including HMRC, power to require an ASP to provide a copy of any SAR the business has made to the NCA.
See also ECSH34225 for more guidance.
Discrepancy reporting
Regulation 30A of MLR 2017 requires ASPs to report material discrepancies regarding their customers to Companies House. A material discrepancy is when the information an ASP holds on a customer is significantly different to the information recorded by Companies House about people of significant control (PSC) of a company, or a registrable beneficial owner of an overseas entity; for example, a difference in name, date of birth or nationality.
Detailed information can be found in the Report a discrepancy about a PSC or a registrable beneficial owner guidance.
Training
Where the ASP has employees, the ASP should be assessed for compliance with the training obligations under Regulation 24. You may find that an ASP has purchased training material from one of a number of firms that either produce it for the ASP sector or produce generic Anti-Money Laundering (AML) training. In all cases, the training provided to staff of an ASP must be recorded. Training must include how the ASP has made their employees aware of the MLR 2017 and data protection laws, and must be appropriate for employees to be able to recognise and deal with transactions/activities/situations which may be related to money laundering or terrorist/proliferation financing.
Records
Regulation 66 of MLR 2017 gives officers of HMRC the authority to request sight of any documents that they consider necessary for them to assess whether an ASP has complied with its obligations under the MLR, provided that the request is reasonable.
In some circumstances, it may be necessary to ask to see the ASP’s ‘working papers’. Working papers is a general term referring to the documents/records that an ASP uses or creates in the course of their work for a client. The working papers support their professional judgement for the actions they took in providing the ASP services to that client and can include calculations and financial reports.
You should be aware that access to an ASP’s working papers (particularly those of accountants) is a sensitive issue and other parts of HMRC (for example, officers conducting a tax investigation) are instructed to limit requests to see them to only the most serious cases. You should therefore exercise discretion in any request to see an ASP’s working papers and only ask to see what is necessary to check compliance with the MLR 2017.
For example, an ASP might claim to have carried out a financial analysis of a customer’s business records as part of their risk assessment of that particular customer. It would be reasonable for an officer to ask to see that financial analysis and relevant working papers to verify this risk assessment process, as the request is relevant to the officer assessing the ASP’s compliance with the MLR.
It is reasonable in all cases, however, to ask to see evidence that the ASP has taken action to identify and then verify the identity of the customer as part of their CDD measures. Where the ASP has written AML policy documents, risk assessment documents and spreadsheets compiled for ongoing monitoring purposes, these should be inspected.
General Data Protection Regulations (GDPR)
An ASP may have concerns that by keeping records relating to its customers for the periods and purpose as specified in the MLR 2017, or by sharing records during a compliance visit, it may breach its concurrent GDPR obligations. The excuse of ‘breaching GDPR’ can be countered by reference to Regulation 72 of MLR 2017. Regulation 72(2) and (3) provide that a business’s compliance in providing information pursuant to regulations 66, 69, 70, 74A or 74B does not carry with it a civil liability for breaching GDPR obligations, nor does that provision of information automatically breach restrictions on the disclosure of information.