AML Risk Based Approach

What is a risk-based approach?

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR) require firms and practitioners to implement a risk-based approach (see in particular regulations 18(1) and 19(1)).

All firms need to take an approach that is proportionate to the risks faced by their business. Tailoring your approach is key: the risks and controls for a small sole practitioner will not be the same as those for a medium-sized tax business or for a large tax and accountancy firm.

How can firms adopt a risk-based approach?

The Financial Action Task Force (FATF) has provided guidance in its Risk Based Approach Guidance for the Accounting Profession, which summarises the key elements of a risk-based approach as follows:

  • Identify the Money Laundering, Terrorist Financing and Proliferation Financing (MLTPF) risks,
  • Identify and apply measures to mitigate and manage MLTPF risks,
  • Put in place policies, procedures and information systems to monitor changes to MLTPF risks,
  • Document risk assessments, strategies, policies and procedures to monitor, manage and mitigate MLTPF risks.

Identifying MLTPF risks

Firms should review the CIOT supervisory risk assessments, as these identify the key risks and red flag indicators in the accountancy sector, which includes tax advisers.

These supervisory assessments include consideration of the National Risk Assessment (NRA), which views the risk of money laundering through accountancy service providers and tax advisers as high. The NRA refers to a number of areas of concern, including the fact that criminals seek legitimacy through the use of advisers.

Undertake an assessment of the risks

Having identified the risks within the accountancy and tax advice sector, the next step is to consider the nature and size of your business in order to identify all relevant MLTPF risks and to produce a meaningful firm-wide risk assessment.

The MLR categorise the risks as follows:

  • The type of client.
  • The country or geographic areas in which it operates.
  • The product or service being provided.
  • The transactions.
  • The delivery channel being used.

Examples of higher risk circumstances *

Type of client – Politically Exposed Persons, High Net Worth individuals, complex ownership structures, cash-based businesses.

Country or geographic areas – client based in or doing business in High Risk Third Countries, jurisdictions with high levels of corruption or countries linked to terrorism.

Product or service being provided – specialist tax work, one-off work such as company formation.

Transactions – use of client money accounts to transfer funds in and out with no clear business rationale.

Delivery channel being used – client avoids face-to-face meetings and no form of identity verification is carried out; relationship with the client conducted through an intermediary for no clear purpose.

Examples of lower risk scenarios *

Type of client – individual with simple tax arrangements, businesses subject to regulation (AML or otherwise), publicly owned entities.

Country or geographic areas – local business well known to the local adviser; business operating in countries with low levels of corruption and effective AML regulations.

Product or service being provided – straightforward tax compliance, for example a small business’s corporate tax and VAT returns.

Transactions – existing/ongoing clients with tax refunds paid to the firm to cover client’s tax bills.

Delivery channel being used – clients met face-to-face; longstanding clients.

*These are not exhaustive lists and other higher risk and lower risk scenarios may apply to your business.

Where your assessment results in a high-risk rating for a client, this does not necessarily mean you cannot act for them. Recognising the risks enables you to put in place measures to manage and mitigate them. This minimises the chance of unwittingly providing services to clients involved in money laundering, and puts you in a position to recognise where you need to be most vigilant about potential instances where a suspicious activity report may be required.

Further detail on risk categories

Further information on the different types of risk can be found in Section 4.6 of Anti Money Laundering Guidance for the Accountancy Sector (AMLGAS), and detailed lists of high-risk factors to be considered are in Appendix D of AMLGAS. Firms should consider these factors, as well as the NRA and the CIOT Supervisory Risk Assessment, when constructing their practice-wide risk assessment; this in turn will assist in identifying the most appropriate measures to manage and mitigate the risks.

Identify and apply measures to manage and mitigate MLTPF risks

Once you have identified and assessed the relevant risks, you then need to decide on the most appropriate and effective ways to manage and mitigate them. The key controls and measures are listed in the next section.

For example, one area where you need to identify appropriate measures is Client Due Diligence (CDD), as set out in AMLGAS section 5.3. For engagements where the risk is higher you should take enhanced measures to manage and mitigate that risk; in lower risk cases it is proportionate to apply a reduced level of client due diligence.

Other examples of relevant measures a business might consider include:

  • Engagement and client acceptance policies, so that it is clear what level of risk is acceptable in relation to clients taken on and how that risk will be identified at an early stage.
  • Review and senior management approval processes for clients rated as high risk.
  • Internal or external annual AML reviews to check compliance in practice and consistent application of the firm’s AML policies and procedures.
  • Ensuring regular and relevant AML training for staff, including regular reminders on how to make internal reports of knowledge or suspicion of money laundering.

Put in place processes to manage, mitigate and monitor the identified risks

Once you have undertaken your firm-wide risk assessment and identified appropriate risk management measures, you can develop AML policies, procedures and information systems designed to manage and mitigate the risks identified. These should be proportionate and relevant to your business and address the following key areas:

  • Risk management practices
  • Internal controls
  • Customer due diligence (CDD) and reliance
  • Ongoing monitoring
  • Record keeping
  • Suspicious activity reporting
  • Monitoring and management of compliance
  • Communication of policies and procedures

AMLGAS section 3.6 provides more detailed guidance on what policies, procedures and controls are required.

Document risk assessments, strategies, policies and procedures to monitor, manage and mitigate MLTPF risks

Once you have considered the measures you need to put in place to manage and mitigate risk, it is important to document them. The MLR include requirements for formal documentation which you must have in place, such as the written firm-wide risk assessment (including a proliferation financing risk assessment), a written AML policies and procedures document, a documented risk assessment for every client and an AML training log for all staff.

In support of this, CIOT provides guidance and pro forma AML documents, suitable for smaller firms, which require tailoring to your business.

Regular reviews and training to stay up to date on MLTPF risks

Criminals and money launderers seek to circumvent the legislation and controls in place, so it is important to stay up to date on AML risks and changes in legislation, for example emerging risks such as the use of crypto assets, or the significant changes in the sanctions regime over the last 18 months.

AML training is key here, for both staff and the Money Laundering Reporting Officer (MLRO). Senior management must be involved in the risk management of the firm.

Practice-wide risk assessments and policies and procedures should be reviewed regularly. The legislation doesn’t indicate how often a review should occur, but we would recommend that you review them and consider any updates required annually (or sooner, where there are changes in legislation or an emerging risk is identified which impacts the firm).

The CIOT regularly sends out newsletters to our AML-supervised firms with updates on key topics such as emerging risks and important red flag indicators. These are available on the website here.

We have a recorded webinar on the risk-based approach (including some helpful case studies) which members may find useful to watch, particularly if they are new to dealing with MLR requirements or are setting up in business for the first time. See here for all available AML-related webinars.