IFA sets out risk-based approach to close AML compliance gaps

Understanding the risks is the first step to strengthening anti-money laundering (AML) compliance, according to two experts at a recent Institute of Financial Accountants’ (IFA) webinar. There is room for improvement in how firms carry out client risk assessments and document their due diligence processes, they cautioned.

5 Jun, 2025

Bill Bewes, IFA’s head of AML and Compliance, encouraged accountants to fully assess risks among their clients to help demystify the customer due diligence (CDD) process.

“If you understand those risks, everything becomes really simple, straightforward,” he said. “If you don’t understand these risks, it can all be impenetrable, and you just don’t know where to start with your CDD.”

The session highlighted gaps in the approach to risk assessment and a tendency for practitioners to dilute the severity of risks and effectively manage them. The risks facing the accountancy sector are set out in two key documents, the National Risk Assessment and the AASG (Accountancy AML Supervisors Group) Risk Outlook, both of which can be found on the IFA website.

Risk assessment 

David Erichsen, an IFA AML reviewer, revealed that firms across the spectrum struggle with proper risk documentation, from those with no client due diligence procedures to those with overly complex systems.

“I get to see all ends of the spectrum, from literally firms having nothing at all to firms having everything in place and literally everything in between,” Erichsen said. “What we’re missing is the fact that you need to write it down.”

Documenting procedures such as client onboarding processes was an important part of compliance during reviews. “If it’s not written down, it didn’t happen,” he said.

The most common failing appears to be treating risk assessment as a simple tick-box exercise. Bewes described seeing assessments where firms ask basic questions like whether a client is a politically exposed person or on sanctions lists, then classify them as low risk without considering other factors.

“Classic risk assessment that you sometimes see is, ‘Oh, is the client a PEP? Is the client on the sanctions list? No, okay, they’re low risk,’” Bewes said. “Those are the only factors they consider.”

High-risk clients 

Cash-intensive businesses such as nail bars and hairdressers, companies with unusually complex corporate structures, high-value businesses like jewellers and car dealerships, and high-net-worth individuals required extra scrutiny.

Bewes advised firms to introduce risk management processes that capture high-risk clients. “Where you have got clients who have traits of high-risk client types, doesn’t mean you can’t take them on as a client. Often, it just means that you need to apply what we call enhanced due diligence,” he said.


While cash-intensive businesses were often legitimate enterprises, Bewes reinforced the need for them to maintain proper records and receipts. Clients with no clear rationale for selecting a firm also required further scrutiny. 

Service risks

Risks in services such as bookkeeping and accounts preparation relate to clients not declaring their true source of income. Payroll services can conceal ghost employees, or people who are on the payroll but not actually working, and carry more serious risks of modern slavery and human trafficking.

Bewes cited cases where trafficked individuals were found working in major retail supply chains, with criminal gangs taking the majority of their wages. Trust and company formation services also require assessment where complex corporate structures could obscure beneficial ownership.

Geographic and delivery risks

Clients in countries with poor anti-money laundering controls or high corruption levels raise geographic risks. The guidance references the Financial Action Task Force’s blacklist and greylist of non-cooperative countries.

However, Erichsen acknowledged overseas clients often have legitimate reasons for using UK accountants. “Nine times out of ten when we do reviews of firms it is simply that it’s a local client who’s moved abroad, but he’s got property within your local area,” he said.

How services are delivered to clients also requires consideration, though this is straightforward if firms meet clients face-to-face or via video calls with proper identity verification.

Effective risk management doesn’t require complex compliance jargon but rather clear documentation of existing practices. “Most likely, it’s all things that you’re doing anyway,” Bewes said. “You just need to describe the steps that you’re probably already doing.”

Erichsen emphasised the importance of holistic client understanding rather than prescriptive checklists. “It’s very much about having that holistic understanding of your client, understanding your level of risk, and what you will take on, and what you simply won’t take on,” he said.

