Financial regulators in the European Union recognise that auditors, accountants and tax advisors have unique access to clients’ financial history. This does not just apply to spotting money laundering, but to suspected fraudulent activity more generally.
As we’ve discussed before, auditors, for example, have robust processes and audit methodologies that are designed to identify risks and more! So when a Partner of a major accountancy firm says ‘we are not set up to look for fraud’, either they are confused or something else might be going on!
It is true that auditors have knowledge of and access to their clients’ processes and it is also true that, at least in principle, they are in a perfect position to
(A) identify Anti Money Laundering (AML) controls,
(B) test the effectiveness of these controls and
(C) offer guidance to their clients on how to improve these controls and ensure the company, its employees and the community at large are protected from the crimes of Money Laundering.
Welcome to the Risk-Based Approach!
For firms based in Europe, the Fifth EU AML Directive means potentially new rules as of the beginning of 2020. Where the Fourth EU AML Directive was vague on who is covered by AML regulations, the Fifth specifies that the legislation extends to any external auditors, accountants, tax advisors and ‘any other person that provides material aid, assistance or advice on tax matters as principal business or professional activity’ (as well as extending it to other entities, like real estate agents under certain conditions and virtual currency providers, among others).
What are the key points that auditors have to keep in mind, then?
Where the Fourth AML EU Directive (4AMLD) requires corporate entities and trusts to hold information on who their beneficial owner is, 5AMLD strengthens the rules on the recording and disclosure of the beneficial ownership of corporate entities, trusts and other such legal arrangements. Importantly, Member States can now impose fines on companies/entities that do not hold accurate information on their beneficial ownership (Source: Linklaters).
This does make it easier for obliged entities like accountancy firms to do their customer due diligence (CDD). beneficial owners to provide corporate entities/trusts with this information, which is then meant to be passed on to the accountants.
Strengthening FIUs and International Cooperation
Responding to the sudden collapse of the Latvian Bank ABLV, 5AMLD strengthens Financial Intelligence Units (FIU) and enables them to collaborate across borders a bit more easily.
Have a look at some of the recent scandals that are shaping AML legislation:
High Risk Countries
Obliged entities have to apply enhanced due diligence (EDD) for business relationships/transactions that involve high-risk countries. How do we define a high-risk country? This is to be set at national level by each Member State.
The Directive goes a bit further and specifies that reviewing long-standing relationships with counterparties/correspondent banks in high-risk jurisdictions might involve even terminating correspondent banking relationships.
It is important to remember that the 5AMLD is written in the spirit of the Risk Based Approach codified in 4AMLD, and championed by the FATF, and does not see simply shutting off relationships with correspondent banks and similar entities as the solution.
So what actually is the impact on your audit firm and your client relationships?
Generally speaking in most jurisdictions external auditors are not expected to design their procedures with the objective to detect money laundering. As the effect of ML on financial statements is indirect, i.e. an increase in contingent liabilities that may be probably due to prospective court judgements, the auditor would be required to review the amounts of these liabilities as they depend on management’s judgement.
Some auditors are rightly unsure as to what exactly it is that they can be expected to do. For example, no one has defined the term ”suspicious behavior” and for sure the term ”reasonable grounds for suspicion.” Have a look at this quote from a report by the UK’s five biggest membership organisations, the ICAEW, ACCA, CIPFA, ICAS and Chartered Accountants Ireland, on suspicion:
“There is very little guidance on what constitutes ‘suspicion’ so the concept remains subjective. Some pointers can be found in case law, where the following observations have been made. Suspicion is:
- a state of mind more definite than speculation but falling short of evidence-based knowledge;
- a positive feeling of actual apprehension or mistrust;
- a slight opinion, without sufficient evidence.
Suspicion is not:
- a mere idle wondering;
- a vague feeling of unease.”
Reporting such suspicions can be no small cost if the line is drawn too low, in which case the auditors will spend resources in drafting reports with descriptions of activities while at the other end, readers of the reports will be spending resources reading, understanding and cross-referencing these reports if they are to be of any value to them.
Auditors do not normally “catch” a single occurrence as it happens but rather they review the history of past transactions. At the same time, they are reasonably armed with risk-based best practice that helps them eliminate risk at the outset.
Of course, the basic requirements to establish processes to combat ML like all covered entities are obliged to do, apply to auditors, e.g.,
- To ensure that they apply customer due diligence measures to confirm their clients' identities and company ownership, on a risk-based approach (Know Your Clients or KYC);
- To retain identification records for a minimum obligatory period of time depending on jurisdiction;
- To train all staff in identifying suspicious behavior and knowing how and to whom to report it;
- Report transactions connected with sanctioned states and territorial units as announced by the regulators.
Even at this level of obligation, how do auditors determine the level of risk? A risk-based approach requires one to judge a perceived risk of having a client (or continuing having that client - remember the Client Due Diligence is an ongoing process and does not simply freeze for years, only to then be re-started). It is based on this calculation that one decides whether to accept an engagement or not.
However, beyond this level of responsibility, an auditor will start having some problems, the most important being their role towards the clients.
So far auditors were never meant to be investigators. By definition, “Audit” derives from the Latin “Audire” which means “to hear”. Indeed, the auditors who usually were the representatives of the landlords who wanted an account of the estate’s status, would sit amongst the managers and accountants of the estate and “hear” all the explanations about the financial status and results of the estate. The profession evolved but the non-investigative nature of audit has remained until today.
Some of you might remember the case of the Bank of Credit and Commerce International (BCCI) and its auditor, Price Waterhouse. BCCI was shut down in 1991 after being charged with fraud on a multibillion dollar scale, including laundering the illicit funds of drugs.
The role of the bank’s auditor came under scrutiny:
In a confidential report to the directors of the troubled bank on April 18, 1990, Price Waterhouse expressed its mounting concern about several matters of the “utmost urgency.” They included a pile of troubled loans to customers, suspect lending to shareholders and transactions that Price Waterhouse said were “either false or deceitful.”
Price Waterhouse told the directors that it had tried to identify all the fraudulent transactions. But, the auditor added, “It is impossible, without an exhaustive inquiry, to know whether this has been achieved.”
Yet less than two weeks later, on April 30, 1990, Price Waterhouse signed BCCI’s annual report for 1989, attesting that the accounts gave a “fair and true view of the financial position of the group.” The annual report made no mention of false or deceitful transactions or the auditor’s other worries.
Source: The New York Times
Stories such as the above case study keep surfacing – with somewhat worrying regularity – to this day. Just take a look at our own article questioning auditors’ role in spotting financial irregularities.
However, it seems that the rules, and roles, are changing. The Panama Papers leak changed the financial regulatory landscape in the EU, with implications no doubt for the rest of the world.
What are your experiences of the Anti-Money Laundering regime? Is it affecting your audit business in the jurisdiction you are in?