The Association of International Accountants (AIA) has worked with other accountancy professional body supervisors to produce the following advisory notice.
Accountancy practices and practitioners should be aware that criminals will continue to operate throughout, and look to take advantage of, the COVID-19 outbreak. This includes laundering the proceeds of crime and terrorist financing, so it is important that everyone is aware of the changing risks.
Accountancy Sector Anti- Money Laundering (AML)/ Counter-Terrorist Financing (CTF) supervisors understand the particular challenges currently facing accountancy practices and practitioners. This includes the difficulties associated with undertaking customer due diligence (CDD), including appropriate levels of identification and verification (ID&V) – particularly where clients cannot be met face-to-face
Please note accountancy practices and practitioners in scope of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (as amended) (the MLRs) must still comply with their statutory requirements at all times.
However, in line with a risk-based approach, the MLRs provide flexibility in the application of their requirements. There exist options for practices seeking to comply while also observing requirements such as social distancing.
Risks that may arise due to COVID-19
As well as changes to how we live our lives, COVID-19 is also changing the economy. An economic downturn may make accountancy practices more susceptible to financial difficulties or other pressures, which creates risk and potential weaknesses for criminals to exploit. As the UK economy enters a period of uncertainty, practitioners and practices should be particularly alert to the following risks in new or prospective customers:
- Being asked to work with unusual types of client or on unusual types of matter
- Resistance from a client regarding compliance with due diligence checks, for example being pressured to forego necessary due diligence checks or to “speed up” the process.
- Becoming involved in work that is outside of the practice’s or practitioner’s normal area of experience/expertise – without full understanding of the money laundering and counter terrorism risks associated with the new area of work
- Transactions where the business rationale for the transaction is not clear.
Always ensure that you are comfortable as to your understanding of the matter, including its purpose and why it is happening in the particular way it is happening.
Identification and Verification
ID&V, is often undertaken in person, on the premises of the accountancy practice using suitable identification documents. This can provide a strong level of assurance, but this may no longer be possible in the current circumstances and you should consider what risks this may create.
An inability to conduct in person ID&V does not mean you cannot complete CDD, but you may need to consider using other methods that give you the necessary assurance that the person is who they say they are.
Practices and practitioners are reminded to adopt a risk-based approach, taking into account the contents of their practice-wide risk assessment, policies and procedures (and where necessary updating them) and the circumstances of individual clients/matters. As an alternative to face-to-face documentary verification, accountancy practices and practitioners may adopt or further utilise electronic means of ID&V where appropriate to the risks present in the client/transaction.
Such methods may include (but are not limited to) using independently or in combination:
- Digital ID&V services that meet the requirements of the MLRs (R28(19) - “secure from fraud and misuse and capable of providing an appropriate level of assurance that the person claiming a particular identity is in fact the person with that identity.”)
- Gathering and analysing additional data to triangulate the evidence provided by the client, such as geolocation, IP addresses, verifiable phone numbers etc.;
- Verifying phone numbers, e-mails and/or physical addresses by sending codes to the client’s address to validate access to accounts
- Using live and/or recorded digital video (many reliable and free options exist for this) of the customer showing their face and original photo identification documents so that you can compare them to a scanned copy of the same document (e.g. passport or driving license).
No matter what ID&V service or procedure is used, the responsibility to make sure the ID&V is undertaken correctly, is with the relevant practitioner and practice. Make sure that you keep a record and evidence of the process you follow; for example, of any video calls you make.
These methods alone may not be appropriate or sufficient where the money laundering and terrorist financing risks inherent in the particular client or matter are greater. In higher risk situations, further verification (including verification of source of funds/wealth) will likely be required.
Where you need to update ID&V records for existing clients, you should not rely on old ID just because you cannot currently meet them face-to-face.
Further, information and advice is available at https://www.aiaworldwide.com/anti-money-laundering-supervision and through the Secure Documents Library of MyAIA. You are also referred to the HM Treasury approved Anti-Money Laundering Guidance for the Accountancy Sector (March 2018).
Digital Identification and Verification Services
If you are considering whether to use a digital ID&V service, you must carefully consider whether it provides the assurance needed. In order to make this judgement, you may have regard to the Financial Action Task Force (FATF) guidance on Digital Identity, particularly recommendations 22-27 in the Executive Summary as summarised below.
- Understand what the service actually does i.e. what checks is it doing and what databases is it checking, if any.
- Take a risk-based approach to relying on the service including understanding the assurance level provided and that it is appropriate to the risk.
- Understand whether the service provides levels of assurance and how these may be appropriately used in different circumstances.
- Consider whether using the service, negates the idea that all non- face to face transactions are high risk.
- Use anti-fraud and other cyber security processes to support the service.
- Engage with the service provider to ensure the practice has access to the information it may need to prove its compliance to its supervisor or to law enforcement.
Other Issues to Consider
Another important consideration is whether the service has attained any accreditation or certification from any of the bodies listed in Appendix D of the FATF guidance.
Government guidance and requirements will also require practices to reconsider other aspects of their compliance, including training. Training may be deliverable remotely or via digital means (e.g. via webinar) and you should consider what adaptations your practice can make to ensure compliance while staff are working remotely.
You should consider whether your policies, controls and procedures remain appropriate and whether they need adjustment to reflect what you or your practice is doing. If your CDD or EDD processes change then you should consider updating your Practice-Wide Risk Assessment, any matter risk assessment, and relevant policies.
If staff are working away from the office, you should ensure they have access to the necessary CDD documentation to be able to consider the risks of any client or matter.
If you are using digital video or photography to support your CDD, or obtaining other personal information, you should obtain consent from the data subject for the capture and storage of this information and have due regard to data protection requirements.
If you have questions about whether a specific ID&V method is allowable or any other aspect of the above, contact your supervisor. If necessary, obtain independent accountancy advice from an experienced accountancy practitioner.
It is not for your supervisor to provide specific accountancy advice and/or confirmation on the application of the MLRs and that you are required to satisfy yourself on your accountancy/regulatory obligations under the MLRs and that you have complied with them.
While care has been taken to ensure that this Advisory Note is accurate, up to date and useful, members of the AAG will not accept any accountancy liability in relation to this Advisory Note (which has not been HM Treasury approved).
AML Responsibilities During COVID-19
View AIA's free webinar on accountants' AML responsibilities during the COVID-19 outbreak, presented by AIA Director of Operations, David Potts. During the webinar David covers topics including criminal activity and fraud, COVID-19 challenges to operations, guidance on digital identity and more.