
New firms – common pitfalls

Author: ICAEW

Published: 30 Aug 2024

There is a lot to consider when you set up a new firm. From our discussions with new firms during Practice Assurance reviews, we’ve identified and collated the common areas that practitioners often ask for clarification and guidance on. We hope you find this guide to be a useful resource in these early stages.

As well as this guide, there is also the Practice Assurance webinar that we ask all new firms to watch after you register with us. This is available at icaew.com/practiceassurance where you can also find a wide range of resources. We will follow this up with a pre-arranged phone call to discuss any questions or issues you may have. We regularly update the webinar so you should watch it before our call even if you have already looked at it.

If you have questions on any of the issues, please call Advisory Services on +44 (0)1908 248 250.

Anti-money laundering

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (amended) (MLR17) impose certain obligations on firms that provide accountancy services. Some new firms don’t have sufficient knowledge of what they’re required to do and, as a consequence, don’t have adequate procedures in place to comply with these regulations. Here are some common areas that new firms have difficulties with.

Firm-wide risk assessment

The risk-based approach underpins the MLR17. You should focus your resource on the services and clients that have the highest risk of money laundering. To determine how and where you should focus your resource you must perform a risk assessment at the firm level to understand the risk that your firm may be used to conceal or launder the proceeds of a crime.

A firm is required to perform, and document, an assessment of the money laundering risks faced by the firm as a whole, and not just of its clients. This should take into account factors such as its customer base, the countries and geographies in which the firm operates, and its products and services. Please note that this is a mandatory requirement for all firms and is a separate document to a client risk assessment. We provide guidance on how to conduct a firm-wide risk assessment.

AML risk assessment and customer due diligence

Under MLR17 you have to have a policy in place to assess the money laundering risk of your clients. You need to use this policy to decide the extent of customer due diligence (CDD) required when you take on a new client. You’ll find more guidance in Anti-money laundering guidance from the CCAB.

Some firms obtain evidence of client identity but don’t link this to a proper assessment of the risk of money laundering. This may mean they carry out the wrong client verification checks. You should use your anti-money laundering (AML) risk assessment to decide what CDD you need to do when you take on a new client and to ensure you have carried out appropriate CDD on all your existing clients. The risk assessment is important because it will identify when you should perform enhanced due diligence on high risk clients, or where you can perform simplified due diligence on low risk clients.

CDD includes steps to identify your clients, check they are who they say they are and the source of their funds. The information you need to obtain to confirm identity will depend on the nature of the client and your initial risk assessment. When you take on a limited company or LLP you must check that details of the Persons with Significant Control (PSC) have been filed with the registrar (ie, Companies House) and report any discrepancies you identify.

MLR17 introduced some prescriptive CDD requirements so you should make sure you are familiar with these.

You also need to demonstrate to ICAEW, as your supervisor, what CDD you’ve carried out. You must keep your due diligence up to date and think about the risk to continuing clients on a regular basis. You need to document your review to be able to demonstrate to us that what you’ve done is appropriate, even when there have been no changes since your last review. Examples of triggers for when you should review the risk of a client are changes in:

  • ownership;
  • trade;
  • related parties; and
  • location.

For simplicity, some firms review a client’s risk each year as they work on the client’s affairs. You can use ICAEW’s Anti-Money Laundering (AML) Service to improve compliance in this area.

Training

MLR17 (amended) places an obligation on you to ensure that your money laundering nominated officer (MLNO) is adequately trained and that you provide your staff with sufficient training to keep them up to date with AML requirements. We find that a number of firms misunderstand the regulations. You need to keep a log of staff training. Getting staff to sign and date the log can help emphasise the importance of following their training at all times.

Written AML procedures

Each firm must have documented policies, controls and procedures to mitigate and effectively manage the risk of money laundering and terrorist financing you have identified in the firm’s risk assessment.

These policies, controls and procedures should include:

  • how you comply with the MLR17 (amended), including explaining the role of the MLNO and your staff’s duty to report suspicions to that person;
  • how and when you will conduct your firm-wide risk assessment;
  • your procedures for identifying and verifying clients and your CDD measures and monitoring checks;
  • your procedures for checking the PSC information and reporting discrepancies where appropriate;
  • your training plan for staff so they’re aware of their responsibilities;
  • the requirement for staff and principals to record their MLR17 (amended) training; and
  • a summary of the monitoring controls that are in place to make sure your policies and procedures are being carried out.

Regular review of AML compliance

You should ensure that you carry out (and document) periodic reviews of the adequacy and effectiveness of your firm’s AML policies, controls and procedures. Your firm’s money laundering compliance officer (MLCO) will be responsible for this. The MLNO and MLCO can be the same person. You should include file review checks to make sure your staff have followed your procedures for new clients and continuing clients. Where you identify any gaps or weaknesses, you should document how you intend to address them.

AML suspicious activity reports

When you make reports to the National Crime Agency you should include the glossary codes in the ‘Reason for suspicion/knowledge’ text box whenever relevant. Using the codes will help you to explain the general nature of your report and will help law enforcement agencies to use it. You can find further guidance about the codes at the National Crime Agency website.

You should retain copies of all internal SARs that your staff and principals make to the MLRO, including those that result in external reports to NCA. The records kept should record the MLRO’s assessment of the information and his/her conclusion on the need to make an external report.

Money laundering supervision

Firms that provide accountancy services, trust and company services, or related services such as tax advice, probate, audit or insolvency, are required by the MLR17 to be supervised for compliance by HMRC or by one of the specified professional bodies (also known as AML supervisory authorities). ICAEW is a recognised AML supervisory body and can supervise member firms. Some firms and/or their connected entities structure themselves so that they do not qualify as a member firm under the Practice Assurance scheme. As a result of this, the firm is not covered by us for money laundering supervision.

If this is the case, you need to apply for a Practice Assurance contract which will include money laundering supervision or register with another supervisor. Until you have signed a contract you are not covered for AML supervision.

Clients’ Money Regulations

ICAEW’s Clients’ Money Regulations are prescriptive and detailed, with the obvious objective of protecting clients’ money. Nevertheless, we find that a significant proportion of firms that hold clients’ money do not comply with one or more of the regulations. Consequently (and because of the increased risk to your firm), you should consider carefully whether you want to accept and hold clients’ money. Tax refunds received on behalf of clients are clients’ money and need to be banked in a clients’ money account. If you do decide to hold clients’ money, here are the areas that new firms often have problems with.

Clients’ money bank account

If you decide to hold clients’ money, this must be paid into, and held in, a specially set up client bank account. You can find guidance on opening a client bank account in regulation 9 of the Clients’ Money Regulations.

Bank letter acknowledging trust status

When you set up a client bank account, you need to ask the bank to confirm some things in writing, including that it has no right of combination or set-off. You’ll find suitable wording for the letter in regulation 9(b) of the Clients’ Money Regulations.

Five-weekly reconciliations

If you hold clients’ money, you need to reconcile the client bank account at least every five weeks and ensure the reconciled balance agrees with the total balances on each client’s ledger.

Interest

If a client bank account earns interest, you must pass this on to the client. The Clients’ Money Regulations do not include a de minimis limit, but a client bank account need only be interest bearing if ‘material’ interest is likely to accrue (see Regulation 14 and explanatory note 5 of the Clients’ Money Regulations for guidance on ‘material’). The regulations do allow a client to agree in writing to an alternative treatment, for example, accounting for interest only over a certain amount. You could get their agreement to this in your engagement letter.

Alternate (sole practitioner/sole director of corporate practice)

Sole practitioners/sole directors need to arrange with someone to manage their clients’ money account in the event of their death or incapacity. This person does not have to be a chartered accountant. You need to tell us about this arrangement in writing. You can do this by using the standard form.

Annual compliance review

You need to carry out and document an annual compliance review. The Clients’ Money Regulations compliance review helpsheet contains a checklist you could use.

Regulation 8A

Clients’ Money Regulation 8A aims to ensure that firms only use client bank accounts for lawful and legitimate purposes, and for bona fide transactions. Payments into and out of the firm’s client bank account must relate to an accountancy service that is being (or has been or will be) provided by the firm.

Code of Ethics; referral fees and commissions

Consent for firm to retain referral fees or commissions

You need to obtain written informed consent from clients before you can retain any referral fees or commissions. These can come from many sources including referral fees from independent financial advisors, commission for providing clients with software and fees from tax specialists.

For unregulated activities, you could obtain advanced informed consent by having an appropriate paragraph in your engagement letter that includes examples of likely commissions and amounts. See sections 330.12 A1 to 330.14 A1 of the ICAEW Code of Ethics for more information on commissions and Practice Helpsheets for sample engagement letter wording.

Professional indemnity insurance (PII)

Levels of cover

You need to make sure your firm’s PII meets ICAEW’s requirements. The PII Regulations set out the minimum requirements for insurance cover, including a minimum limit of indemnity and maximum excess.

In your first year, you’ll need to judge the level of cover you require based on your expected turnover and the risk profile of your work/clients. The cover should be at least two-and-a-half times your gross fee income for the accounting year preceding the start of the policy.

This is subject to a minimum requirement of £250,000 (even if your estimated turnover is less than £100k) and up to the regulatory minimum requirement of £2m. You should keep this estimate under review and increase your cover if required.

Note these minimum limits have recently changed. If your policy was taken out before 1 September 2024, then this is subject to a minimum requirement of at least £100,000 and a maximum of £1.5 million. The increased limits will apply at the next policy renewal and they will apply to all firms by 1 September 2025.

If your policy covers more than one firm, you need to make sure there is adequate cover for each entity and that they comply with the requirements set out in PII regulation 3.9 to permit the use of a policy with multiple insured firms.

The insurance needs to be held with a participating insurer who has agreed to meet the requirements of ICAEW’s minimum policy wording. You can view a current list of approved insurers at icaew.com/pii

The policy can include an aggregate excess which must not exceed the higher of £3,000 or 3% of the firm’s gross fee income (across the policy year). You can have a lower “per claim” excess, but this will be capped at the maximum amount. For policies taken out before 1 September 2024 (and up to 31 August 2025), the maximum aggregate excess is up to £30k per principal.

Terms of engagement

Notifying clients in writing of the basis of fees and complaints procedure

Although you don’t have to issue engagement letters to clients, we strongly advise that you do. Agreeing an engagement letter with a client helps to avoid misunderstandings over the scope of the work required. It can also provide you with protection if there’s a dispute. There are two matters that you must tell all clients about in writing:

  • the basis for calculating your fees; and
  • your complaints procedure, including their right to complain to ICAEW.

You should provide details of your complaints procedure to new clients before you start working for them and retrospectively to existing clients as soon as possible. You can find more information about this and a sample ‘Confirmation of principal terms of business’ template in the What if you have not issued an engagement letter helpsheet.

If you don’t want to issue an engagement letter, you could communicate details of the basis for calculating fees and your complaints procedure in any of the following ways:

  • a standard terms of business letter;
  • a brochure given to the client; or
  • a paragraph in the body of initial correspondence.

Suggested wording for the complaints procedure is included in the Duty on firms to investigate complaints and in the engagement letter template.

Provision of services

The Provision of Services Regulations 2009 require you to make certain information available to clients and potential clients. This information allows them to consider whether to contract with you either for the first time or on a continuing basis. You’ll find that you provide most of this information as part of other requirements. The main information firms miss is giving details of their PII insurer. Under the Provision of Services Regulations 2009, you must provide clients with the:

  • contact details of your insurer; and
  • territorial coverage of your insurance.

You can disclose this in a number of ways (such as on your website, office wall or in an engagement letter). Sample wording can be found in the helpsheet, Services Directive PAS1/HS22. If you change insurer, you must update the information and make it available to all clients.

Client acceptance

Professional enquiry

When approached by a new client you should issue a professional enquiry letter to the existing accountant after seeking the client’s permission. See the Change of appointment helpsheet for the latest guidance.

Letterhead, public documents and use of ICAEW logo

There are a number of things you need to consider when designing your letterhead, website and other documents that will be in the public domain.

Disclosures if you are a company or LLP

You need to include the registration number, place of registration (England & Wales or Scotland) and registered office address on your letterhead, emails and website. If your firm is an LLP, you also need to state this fact.

Practice names

You cannot use the words ‘chartered accountants’ in your practice name. You can, however, describe your practice as ‘chartered accountants’ if eligible to do so. In order to use the description, any non-ICAEW member principals need to apply for and obtain affiliate status. Please refer to the Use of description ‘chartered accountants’ helpsheet for further information.

ICAEW logo

ICAEW member firms can use the member firm logo. If you need to check your entitlement to use the logo, please contact the Advisory Service on +44 (0)1908 248 250 or check our website.

Practice Assurance legend

Member firms may also use the legend ‘A member of the ICAEW Practice Assurance Scheme’. Other firms with a Practice Assurance contract with ICAEW may use the legend after their first full review is concluded.

For further guidance on acceptable practice names and letterheads (including details of our letterhead checking service), see the Practice names and letterheads helpsheet.

Eligibility

Use of the term ‘chartered accountants’

Due to the way some firms structure themselves, they are not automatically eligible to use the term ‘chartered accountants’. If this is the case with your firm, you can find a form to apply for a dispensation to use the term chartered accountants by clicking on the ‘Use this form’ link at the foot of the Use of description ‘chartered accountants’ helpsheet.

Until ICAEW has granted a dispensation, the description ‘chartered accountants’ cannot be used.

Data protection

Every organisation that processes personal information must notify the Information Commissioner’s Office (ICO), unless they’re exempt. Failure to notify is a criminal offence. The Information Commissioner’s view, which we share, is that most firms of accountants need to be registered. You can find guidance on the Information Commissioner’s website ico.org.uk. You could also contact the Information Commissioner’s helpline on +44 (0)303 123 1113.

General data protection regulation (GDPR)

Firms that process personal data will need to comply with GDPR. You should consider the procedures you have in place to keep data secure and prevent breaches. The ICO website contains regular updates about GDPR. ICAEW also updates its own GDPR webpage on a regular basis. You may find clients ask you to include additional clauses in your terms of business that could increase your liability should any breach occur. If a client does request this, you should seek legal advice and check with your PII provider about the implications of such terms.

Cyber essentials

Cyber Essentials is a Government-backed and industry-supported scheme to guide businesses in protecting themselves against cyber threats. If you are interested in applying for accreditation you can find out more here.

Storing data outside the EEA

If you store data on servers that are located outside of the EEA you need to comply with the data protection regulations that cover the specific requirements for data security and standard contractual clauses. Further information is available on the Information Commissioner’s website to enable you to confirm that your agreements meet these requirements.

Investment business – DPB boundary issues

Unlicensed firm referring clients to IFAs

You need to be careful when referring clients to IFAs if your firm doesn’t have a DPB (Investment Business) licence. This is because there are specific requirements in respect of referrals for certain insurance products. As an unlicensed firm, you can only make introductions for general financial advice without referring to a specific type of investment.

If you want to avoid this problem altogether, you should provide your clients with the IFA’s details and let them approach the IFA directly. After they have established a relationship with the IFA, you can provide information to the IFA and/or attend meetings, but you should not agree or disagree with the specific recommendations given by the IFA.

Annual return and changes to your practice

We ask all firms registered with us to complete an annual return. We use the information from these returns to monitor firms between reviews and to highlight any risks which may accelerate a Practice Assurance visit or review. It is therefore important that, when your return is available for completion, you complete it accurately and submit it on time.

Changing the structure of the firm

Some new firms change their structure by converting to a limited company, a limited liability partnership or by setting up new connected entities. The regulations require you to tell us about any changes to your firm as they happen. Please don’t rely on reporting them through your annual return. Regulated firms should complete the Standing data change form. Firms that do not have an audit, DPB (Investment Business) or probate licence should email members.records@icaew.com. Please also review the Changes in the composition of a firm helpsheet for details of issues to consider, as well as specific ICAEW requirements.

Best practice

During our phone call with you, we’ll go through things that you have to have in place to comply with laws and regulations and we will also advise you on areas of best practice. Here are some of the most common areas.

Alternate

If you’re a sole practitioner or a sole director, you should consider formally appointing an alternate to cover your clients’ requirements in case you’re indisposed. See Arrangements of alternates for sole practitioners in the UK helpsheet for the latest guidance.

Client acceptance

As you’ve set up a new firm, you’ll hopefully be taking on new clients. It will be important to take on the right clients for the right type of work. We have some helpsheets to assist you with this.

Client screening service

In addition to your verification of identity as part of your client due diligence process, you may occasionally want to use the Library and Information Service’s client screening service to check clients against sanction lists, PEP lists and regulatory watch lists.

Though it is a free service, there is a limit on the number of searches per member per week and it is not a replacement for checking client identity. Further details can be accessed via the library client screening service.

Compliance review

After you’ve been trading for a year or so, it is beneficial to carry out a Practice Assurance compliance review from time to time. The Practice Assurance compliance review PAS4/HS01 helpsheet includes a suitable checklist. You should download a new copy of this checklist each time you carry out a review to ensure you’re working with the most up-to-date version.

Disclaimers in emails

You’re likely to use emails to communicate with clients. You should include a confidentiality clause and other disclaimers on outgoing emails. An example is:

This communication and the information contained in it are confidential and may be legally privileged. The content is intended solely for the use of the individual or entity to which it is addressed and others authorised to receive it. If you are not the intended recipient, it is hereby brought to your notice that any disclosure, copying, distribution, or dissemination, or alternatively the taking of any action in reliance on it, is strictly prohibited and may constitute grounds for action, either civil or criminal.

Control over email use

To avoid the risk of staff issuing an opinion in your firm’s name without proper review or approval, you should have a policy explaining to staff what they are allowed to communicate to clients by email.

Back-up procedures

To avoid losing critical data, you should take regular back-ups of all data files and other files required for the recovery of the system if it fails. You should store the back-ups off site and test them to make sure you can restore the system properly.

Data security

You should consider password protection and encryption of your clients’ personal data stored on your computers, back-ups (including USB sticks) and any other device used to access information (such as smart phones). This will both protect the information and minimise the risk of regulatory action by the Information Commissioner.

You should also consider putting policies in place to ensure that clients’ personal information is not lost or hacked. This should include having adequate security over any wireless (Wi-Fi) network which may put clients’ personal information at risk.

For transferring sensitive personal information, such as tax returns and payroll, to clients via email, you should secure the transfer of such data, eg:

  • encrypt emails;
  • password protect emails; or
  • use a client portal to transfer and exchange information.

CPD records

We recommend you keep a record of your CPD in the Reflect, Act, Impact style. Visit Our guide to CPD. Click on the link ‘Keep an online record’ for advice on how to record your CPD in this format. Please remember that we can ask for your records at any time.

CPD declaration

You must declare to us each year that you’ve done sufficient CPD. You do this by completing your declaration online at Our guide to CPD. We will send a reminder about this with your annual subscription reminder. If you don’t complete the annual CPD declaration, you could face disciplinary action.

Help from CABA

CABA offers support of up to £2,000 to unemployed chartered accountants who want to set themselves up in business. The funds can be used to cover a range of start-up costs and are aimed at helping members of the profession to make a move that would not otherwise be possible. To qualify, chartered accountants need to meet a range of criteria and also be assessed by CABA on their likelihood of success. For more details contact CABA on +44 (0)1788 556366.
