The Q&A session in ICAEW’s recent anti-money laundering (AML) webinar on firm-wide risk assessments (FWRAs) highlighted a range of issues. We pick out some common themes, and ICAEW’s AML team provides responses to key questions.

FWRA procedures

Can the FWRA be drafted by a consultant and then reviewed and signed off by a relevant person?

If a firm decides to go down that route, there's nothing in the Money Laundering Regulations to prohibit it.

But as an AML supervisor, we would emphasise that the Money Laundering Reporting Officer (MLRO) is the person who best understands the firm’s services, clients, risks and mitigations.

Although the MLRO could pass that information on to a consultant, it’s likely to be a more robust exercise if the firm takes ownership and carries out the assessment internally.

So, while there's nothing to say you can't outsource the assessment, we wouldn't recommend it.

If you were starting afresh with AML documentation, would you first write the FWRA, or would you do that last after you had done policies and procedures and customer due diligence (CDD) for individual clients?

The FWRA should be first. It is the foundation for everything else, including your policies and procedures and CDD.

How do you know how to mitigate your risks and build those mitigations into your procedures unless you first recognise and understand those risks?

Are there any risk assessment checklists available for specific sectors, such as cryptocurrencies/assets?

ICAEW does not produce sector-specific checklists. We do, however, produce guidance in the form of webinars and factsheets.

ICAEW has also published a factsheet on virtual assets in partnership with the International Federation of Accountants.

Could you provide an update on guidance for completing a proliferation financing risk assessment and whether it should be a separate document?

The requirement for a proliferation financing risk assessment came into effect in September 2022. So firms should be considering that risk. ICAEW’s view is that the risk of proliferation financing in our firms, or of our firms being used to enable proliferation, is predominantly low.

The definition of proliferation financing in the regulations refers to:

“the act of providing funds or financial services for use, in whole or in part, in the manufacture, acquisition, development, export, trans-shipment, brokering, transport, transfer, stockpiling of, or otherwise in connection with the possession or use of, chemical, biological, radiological or nuclear weapons, including the provision of funds or financial services in connection with the means of delivery of such weapons and other CBRN-related goods and technology, in contravention of a relevant financial sanctions obligation”.

Remember that proliferation financing in this context relates only to states sanctioned by the UN. It covers dual-use goods or biological or chemical weapons that might be ending up in, or being used by, Iran, North Korea or Syria.

This is quite a specific set of circumstances. So if you haven’t got clients that go anywhere near those jurisdictions or produce these types of dual-use goods or weapons or chemicals, it should be sufficient simply to write a sentence to that effect at the end of your FWRA.

We are waiting for the Treasury to sign off on the updated AML guidance for the accountancy sector. There will be some short paragraphs in that to explain what you need to do, together with reference to the fact that we generally expect the risk to be quite low.

Are you happy with firms looking at categories/types of clients in the FWRA, and leaving individual clients to be considered as part of the individual client acceptance?

It’s for the firm to decide on its approach. It’s whatever is appropriate, based on your firm, your degree of risk and client base. There is no one-size-fits-all approach.

For example, a firm with only five clients might feasibly include all of them individually in the FWRA. Or if a firm had only one high net worth individual, then in the FWRA it might note that, and then detail the risks and mitigations.

Where can I find ICAEW’s FWRA template?

The template is available on our website: ICAEW firm-wide risk assessment methodology template or via our regular eNewsletter, AML – the essentials.

Risks to consider in the FWRA

Slavery and human trafficking doesn't even feature in my brain. So how am I going to know risks I'm not even seeing?

If you’re the MLRO, you have an obligation to find out about and understand AML risks and red flags.

You can't delegate responsibility and lack of knowledge isn’t an excuse or defence if something goes wrong.

There is a lot of information available to help you, including from ICAEW. You could watch our AMLbites or check out our other webinars, articles and factsheets.

Our AML educational drama All Too Familiar also sets out some key red flags and risk indicators. This should help bring some of the issues to life for you.

In the webinar, you mention that a risk might be whether you meet the client or not. What if they are only met virtually, which is becoming more common? If this is now ‘normal’, would this still be a risk for the purposes of the FWRA?

Yes, we agree this is increasingly ‘normal’ practice, and not meeting a client face-to-face is no longer an automatic risk. But you should still flag not meeting clients as a potential risk in the first stage of the FWRA because this particular risk combined with other red flags, or risks, may mean you consider the AML risk attached to a particular client as being higher.

In your FWRA you might deal with this by highlighting that there are clients you haven’t met and there could be a risk attached to that; they could be hiding who they really are. But your mitigations would then set out that you met them on screen and asked for identification on screen and that you consider whether there are other risks or red flags that heighten your risk assessment, and whether there is the need for additional scrutiny.

Your FWRA is where you document all of these thought processes and actions.

How would we be expected to identify that a client has been secretive?

It’s your obligation to understand the risks and to identify the signs that a client isn’t being completely open. For example, they might not be telling you who the beneficial owners are, or they might be evading other questions, delaying giving you information or evidence, or providing unclear answers. Very simply, you might realise that one set of answers contradicts another set, or contradicts information you’ve gathered from external or independent sources.

What constitutes a ‘high net worth’ individual?

A lot of firms get confused about the definitions and categories for high net worth individuals and other individuals such as politically exposed persons (PEPs). We advise referring to our guidance on the annual return, which gives an up-to-date explanation. Note the high net worth individual definition does change, so we recommend you continue to refer to our annual return guidance each year.

Do you have any insight on the likely date of publication of the next National Risk Assessment (NRA)?

There is no concrete news yet. We’ve heard via our contacts in other supervisory bodies and the government that it could be the end of this year or early 2024. But we have no official update.

FWRA reviews

Outside a normal regular cycle, are there examples of any events that might trigger an urgent review and potential update of the FWRA?

The FWRA is not like your CDD, which is a live, ongoing process shaping your hunt for suspicious activity.

Instead, the FWRA is more of a strategic, overriding document that enables you to design your AML policies and procedures. So the trigger events have to be quite significant to prompt a review outside the normal cycle.

One example might be the publication of an updated NRA. This could be a trigger event, depending on how soon your next regular review is due.

Another example might be if you’re offering a significant new service line and you want to think through the risks associated with that.

If nothing has changed in my firm, is the regular review of the FWRA necessary? 

You must regularly review your FWRA to ensure it remains relevant and fit-for-purpose. For most firms this is likely to be an annual programme of review by senior management.

You still need to review the assessment but, if nothing has changed, you should simply record that and sign off the review.

The point is that you've thought about it, rather than carrying on without stopping to consider whether there have been any relevant changes.

Other questions

Are electronic verifications of ID mandatory?

No, they are not mandatory.

Does ID have to be obtained again for existing clients if the date expires on the ID?

If it's a typical client and there are no specific risks and nothing's changed except the passport date has expired, we wouldn't expect you to ask for new ID.

Other AML supervisors may have a different approach. But at ICAEW, we say if you’ve verified the client once, you don't need to verify them again unless circumstances change.

A change in circumstances would include you suspecting the client might have misled you when they provided the original ID, or where you have other concerns about the client.

You might also want to update your verification records if there’s a change in the client’s name.

If a firm reports an issue relating to a client to the National Crime Agency (NCA), can the firm continue to work for the client?

That’s a matter for you to decide within the firm, and depends on the nature and extent of the issues involved.

Ultimately, if you think a client is involved in money laundering or some other criminality, you need to be thinking very carefully about whether you want to continue to act for that client, and whether you could be facilitating or enabling what’s going on.

If you are disengaging from a client where you are reporting to the NCA, should you consider the possibility of 'tipping off' and seek guidance from the NCA? What is the latest guidance on 'tipping off'?

This is a complex area and difficult to answer in a few lines in a Q&A. We recommend that firms watch our Suspicious Activity Reporting Q&A webinar for a more in-depth discussion on this point.