The Accountant's AML Dilemma

 

Jurisdictions: United Kingdom, Singapore, Hong Kong, Global/FATF

Sectors: Accountancy firms, statutory auditors, tax advisers, bookkeepers, forensic accountants, insolvency practitioners

Introduction

Ask an accountant whether their firm is subject to AML obligations, and the answer will depend almost entirely on which accountant you ask. The senior partner at a large audit firm will say yes confidently and point to the firm's AML policy, its MLRO, and its annual compliance training programme. The sole practitioner running a small tax advisory practice will say she is not sure. The head of a mid-sized firm offering a mix of audit, tax, and corporate advisory work will give you a careful non-answer that reflects the genuine ambiguity she encounters every time she looks at the relevant guidance.

All three answers are, in their own way, correct, and that is precisely the problem. The accountancy sector is not a monolith. It spans statutory audit, management accounts, tax advisory, bookkeeping, payroll, forensic accounting, insolvency work, corporate finance, and company secretarial services. FATF Recommendation 22 designates accountants as DNFBPs but only when they carry out specific activities. The problem is that the line between designated and non-designated activities has never been drawn with the precision that practitioners need. And in the absence of that precision, the sector defaults either to sweeping overcompliance that treats every engagement as AML-obligated, or to quiet under-compliance that treats AML as somebody else's problem.

Neither position serves anyone well. Overcompliance imposes cost and friction on client relationships without commensurate risk reduction. Under-compliance creates legal exposure that most firms have not properly assessed. And in between, there are specific, well-documented problems client monies held without a payments licence, the collision between materiality in audit and the suspicion-based standard in AML disclosure, and the UBO gap in group audits, which many firms have not yet addressed through a formal AML protocol.

This article is written for the accountants, auditors, and compliance officers who manage these questions in real firms. It covers what the law actually says, where the genuine grey zones are, what firms should do about them in practice, and what supervisory bodies across the UK, Singapore, and Hong Kong must publish if they are serious about making compliance workable for this sector.

This article does not suggest that regulators or professional bodies have ignored the accountancy sector. The concern is narrower and practical: firms often need more consolidated, service-line-specific direction on how AML obligations apply differently to statutory audit, tax compliance, bookkeeping, advisory work, client money handling, and group audit arrangements. The purpose is to encourage clearer interpretation, better documentation, and more proportionate controls.

This article is intended as a professional discussion of AML/CFT grey zones in the accountancy sector. It does not constitute legal advice. Domestic law, supervisor guidance, professional rules, and the specific facts of each engagement should always be considered before a firm reaches a final compliance position.

Part One: The Problems

1. Does Statutory Audit Actually Trigger AML Obligations?

This is the question that sits at the heart of accountancy sector compliance, and it is the one that most guidance documents either avoid or answer too vaguely to be useful.

FATF Recommendation 22 designates accountants as obliged entities when they "prepare for or carry out transactions" for a client concerning the buying and selling of business entities, managing client money, organising contributions to companies, creating or managing legal persons or arrangements, and buying and selling real property. The common thread across these activities is that the accountant is acting transactionally, doing something on behalf of the client that directly affects the client's legal or financial position. FATF standards set the international baseline, but the binding legal position for any firm depends on how that baseline has been implemented in domestic legislation.

Statutory audit is different. An auditor's role is to form an independent opinion on whether a set of financial statements presents a true and fair view. The auditor does not create transactions. The auditor does not manage money. The auditor does not arrange corporate structures. The auditor reviews, assesses, and opines. A standalone statutory audit does not sit comfortably within the transaction-based wording of FATF Recommendation 22. However, FATF Recommendation 23 recognises that countries may extend reporting requirements more broadly to accountants' professional activities, including auditing. The domestic position, therefore, depends on how each jurisdiction has implemented the FATF framework.

In the UK, the position is materially different from a strict FATF-only reading. The Money Laundering Regulations 2017 expressly include auditors, insolvency practitioners, external accountants and tax advisers within the regulated sector. The practical issue is therefore less about whether auditors are named in the regime, and more about how audit-specific AML controls should be applied proportionately in practice. The Institute of Chartered Accountants in England and Wales and the Financial Reporting Council have, at various points, issued guidance that applies broadly to "accountancy services" without clearly distinguishing between the CDD and risk-assessment obligations that apply to audit engagements specifically.

In Singapore, the Accountancy sector is supervised for AML purposes by the Accounting and Corporate Regulatory Authority. ACRA's guidance applies to public accountants and accounting entities and references specific designated activities, but the treatment of audit as a standalone service rather than as part of a broader engagement has not been explicitly resolved.

In Hong Kong, the AML/CFT framework for professional accountants is structured around specified services under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance, including activities such as managing client money, creating or managing legal persons or arrangements, and buying or selling business entities. Audit-only engagements, therefore, require a more nuanced analysis: while full CDD and record-keeping duties apply principally to specified services, suspicious transaction reporting and sanctions-related obligations remain relevant more broadly, regardless of whether a particular engagement involves a specified service.

The practical consequences of this ambiguity are significant. Firms that conclude that an audit is a designated activity conduct CDD at the engagement acceptance stage. They maintain AML files for audit clients. They train their audit teams on red flag recognition. Firms that conclude an audit is not designated do none of this. In jurisdictions where audit firms or auditors are expressly brought within the regulated sector, as in the UK under the Money Laundering Regulations 2017, the question of whether audit is covered is settled by the legislation itself. The remaining grey zone concerns how audit-specific controls should be designed and applied in practice. In jurisdictions where the domestic implementation is less explicit, firms may still reach different conclusions depending on their reading of FATF standards and local guidance. That is precisely why jurisdiction-specific analysis is essential.

2. Client Account Money: The Overlooked AML Risk

Accountancy firms routinely hold client money. A client's advance fee deposit sits in the firm's client account while the engagement proceeds. A disputed refund waits for resolution. A company's VAT liability is collected and held before remittance to the revenue authority. A client's funds are received and held pending disbursement to a third party.

These arrangements are common, commercially unremarkable, and in many jurisdictions, legally complex from an AML perspective.

In many jurisdictions, holding client money on a regular or systemic basis may, depending on the purpose of the holding, its duration, and the degree of control exercised over the funds, raise questions about whether a payment service, safeguarding activity, or financial intermediation licence is required. Payment service providers, e-money institutions, and regulated trust companies operate under dedicated licensing regimes precisely because they hold third-party funds.

Accountancy firms that hold client money do not typically hold a payment services licence. They operate under their professional authorisation. In the UK, the Professional Standards Boards of the major accountancy bodies authorise client account operations under professional indemnity and conduct frameworks, but this authorisation does not translate into a formal AML licence for the holding activity. From an AML perspective, any third-party funds held by a firm may require a risk-based assessment, particularly where the source, purpose, duration, or onward movement of those funds is unclear, and the professional conduct framework under which the account is supervised does not necessarily address that question.

This creates a gap that has not been formally acknowledged or closed. The question of whether a client account holding creates an AML obligation, separate from any designated activity obligation, has not been directly addressed by HMRC or by the professional bodies in their supervisory guidance. In Singapore, the Law Society's rules on client monies apply to law firms; the equivalent rules for accountancy firms under ACRA's framework do not map cleanly onto the AML designated activity structure.

In Hong Kong, accountancy firms that hold client monies may fall within the scope of the Anti-Money Laundering and Counter-Terrorist Financing Ordinance if the holding activity constitutes "dealing in financial assets" or a related concept, but again, this question has not been resolved definitively.

The practical risk is this: where a firm holds client money and later discovers indicators that the funds may be connected to criminal activity, it may need to explain what AML risk assessment, CDD, monitoring, escalation, or reporting process it applied at the time. Professional conduct compliance alone may not be sufficient to answer AML concerns, and the absence of detailed guidance or common market practice should not be treated as a substitute for a documented AML risk assessment.

3. Materiality Has No Place in AML: The Audit-Disclosure Collision

Audit is built on materiality. The auditor's objective is to obtain reasonable assurance that the financial statements are free from material misstatement. Materiality is the threshold below which errors, omissions, and irregularities need not be pursued. It is not a loophole or a shortcut; it is a fundamental concept without which audit would be operationally impossible. An auditor who investigated every transaction regardless of size would never complete an engagement.

AML disclosure has no equivalent concept. The obligation to file a suspicious activity report arises when a person knows or suspects that another person is engaged in money laundering. There is no de minimis threshold. There is no materiality carve-out. Where the legal threshold of knowledge, suspicion, or reasonable grounds to suspect is met, the fact that the matter is immaterial for audit purposes does not, by itself, remove the need for internal escalation or possible reporting.

The collision between these two frameworks is not theoretical. It arises regularly in practice.

An auditor conducting a review of a client's accounts may encounter a transaction that falls below the materiality threshold set for the engagement, perhaps a payment of a few thousand pounds to an obscure counterparty that cannot be readily explained. Under audit standards, the auditor may note the item, assess it as not material, and move on. Under AML law, if that transaction gives rise to suspicion, the internal escalation and potential reporting obligation may be triggered, regardless of size, regardless of materiality, regardless of whether the auditor has concluded the financial statements as a whole present a true and fair view.

The problem is compounded by the practical structure of the audit. An auditor working on a sample basis may never see the suspicious transaction. An auditor who sees it may assess it against audit standards rather than AML standards. A senior partner reviewing working papers may focus on audit quality rather than AML compliance. The organisational structure of most audit practices does not route below-threshold items to the MLRO as a matter of course.

In the UK, the Proceeds of Crime Act 2002 is unambiguous: the obligation to disclose is not limited by reference to any financial threshold. The ICAEW's guidance acknowledges the tension but does not resolve it operationally; it does not tell auditors at what point in the audit process a suspicious transaction below materiality should be escalated, or what the standard of suspicion is in an audit context. Singapore's CDSA framework and Hong Kong's OSCO framework are similarly absolute in their disclosure obligation and similarly silent on how auditors should manage the interface with materiality-based audit work.

4. The Group Audit and the UBO Nobody Owns

Group audits present a structural challenge for AML compliance that the accountancy profession has not yet resolved and that supervisory bodies have not formally addressed.

Under international auditing standards, a group auditor takes responsibility for the group audit opinion. The group auditor may rely on the work of component auditors, other firms, or other offices of the same network in respect of subsidiaries, joint ventures, and other components. The responsibility for the audit opinion is concentrated in the group auditor. The work that underpins it is distributed.

Now consider the AML dimension. The client of the group audit engagement is, typically, the parent entity. The group auditor conducts CDD on that entity, identifies its beneficial owner, and maintains an AML file in respect of the group engagement. The component auditors, in other jurisdictions, each conduct their own audit work on their respective components. They may or may not have an independent client relationship with the subsidiary they are auditing. They may or may not have conducted CDD on the subsidiary as a standalone entity. They will almost certainly not have conducted CDD on the subsidiary's beneficial owner because the beneficial owner of the subsidiary is, almost always, the parent entity's shareholder, and that CDD sits with the group auditor in another jurisdiction.

The result is a structure in which the AML responsibility for the group as a whole sits with the group auditor, but the group auditor may not have direct relationships with every entity in the group, may not have visibility of transactions at the subsidiary level, and may be relying on component auditors whose AML standards and supervisory frameworks differ from their own.

Under FATF's reliance framework, the group auditor could, in theory, rely on the CDD conducted by a component auditor, provided the component auditor is subject to equivalent AML obligations. But in practice, whether a component auditor in a different jurisdiction is subject to equivalent obligations is a question that requires legal analysis of that jurisdiction's AML framework, an analysis that most group auditors do not conduct.

In the UK, the Financial Reporting Council's standards address the audit responsibilities of group and component auditors in detail. They do not address the AML responsibilities of those parties in a group audit context. ICAEW guidance covers CDD for accountancy clients generally, but does not specifically address the group audit structure. The same gap exists in Singapore and Hong Kong.

5. When the Annual Return Arrives: Reporting Without a Baseline

Once a year, or more frequently in some jurisdictions, a regulated accountancy firm faces the most concentrated expression of all these ambiguities: the supervisory annual risk return. The form asks for transaction volumes by regulated product type, client counts by category, STR filing numbers, training records, and policy documentation, all broken down with a precision that assumes the underlying law is clear.

For an accountancy firm with a mixed service portfolio, the return is a series of impossible questions dressed as simple ones. How many of your clients received services that fall within the scope of AML regulation? If the firm is not certain which of its services are designated, this question cannot be answered accurately. It can only be answered cautiously, either overcounting, which inflates the apparent risk profile and triggers supervisory scrutiny, or undercounting, which creates a gap that may be viewed as non-disclosure.

The client categorisation problem is acute. Return frameworks ask firms to segment clients across dozens of categories, legal persons, legal arrangements, PEPs, HNWIs, complex ownership structures, nominee arrangements, DNFBPs, VASPs, and more. An accountancy client who is a private company, whose beneficial owner is a PEP, with a complex holding structure and nominee directors, appears in multiple categories simultaneously. The return does not explain whether such a client should be counted in each applicable category, only in the most specific one, or only in the highest-risk one. Different firms make different choices. The resulting supervisory data is not comparable across the sector.

Then there is the materiality problem, compressed into a single line item. The return asks for the total number of STRs filed. It does not ask how many suspicious transactions were identified during audit engagements and assessed against the materiality-disclosure interface. It does not ask how many potential disclosures were investigated, escalated to the MLRO, and ultimately not filed because the suspicion could not be sustained. It does not ask whether the firm has a formal decision framework for these situations. It asks only for the number filed, a metric that tells a supervisor almost nothing about the quality of the firm's suspicion detection process.

The group audit of the UBO problem also surfaces in the return. Firms are asked for the number of beneficial owners, broken down by nationality. For a group audit engagement where the group auditor has CDD on the parent entity but not on the individual subsidiaries, and where the beneficial owner is a natural person whose nationality has not been independently verified at the subsidiary level, firms may be asked to provide data at a level of granularity that is difficult to generate where service-line scope, group structures, or client categorisation have not been standardised across the engagement. Firms may be forced to make judgment-based classifications without a fully harmonised methodology. Or they complete the field for the entities they know and leave others blank. Neither approach reflects the true state of knowledge, and neither is technically wrong because the return provides no guidance on how group structures should be handled.

Part Two: Practical Solutions for Accountancy Firms and Auditors

Establish a Covered Activity Map for Every Service Line

The starting point for any accountancy firm's AML programme is a clear, documented map of which service lines bring the firm within the scope of FATF Recommendation 22 and the applicable national legislation. This exercise should be conducted for every jurisdiction in which the firm operates.

The map should address each service line separately: statutory audit, review engagements, agreed-upon procedures, bookkeeping, payroll, tax advisory, tax compliance, management accounts, corporate finance advisory, transaction support, valuations, insolvency, forensic accounting, company secretarial, and any others the firm provides. For each service line, the firm should document its conclusion as to whether the activity constitutes a designated activity, the legal basis for that conclusion, and the AML obligations that follow from it.

This document should be reviewed annually, updated whenever a new service line is launched, and approved by the MLRO and senior management. In the event of a regulatory inquiry, it provides the foundation for a good-faith defence. In the event of a supervisory consultation, it structures the conversation. Most importantly, it forces the firm to confront the question it has been avoiding.

For Audit Practices Specifically

Where domestic law expressly includes auditors within the regulated sector, as in the UK, audit engagements should be treated in line with that legal position. In jurisdictions where the treatment of standalone audit is less explicit, a prudent and defensible approach is to apply proportionate client acceptance CDD and document the firm's rationale. In either case, this does not mean treating audit clients as high-risk by default. It means having a documented basis for accepting the engagement that includes a basic assessment of the client's identity, ownership structure, and the nature of the audit instruction.

Build a Client Monies AML Protocol

Every firm that operates a client account should have a documented protocol addressing the AML implications of client money holdings. That protocol should address three questions.

First: what categories of client money does the firm hold, and for how long? Advance fees held for a few days present a different risk from funds held for months pending resolution of a dispute. The protocol should categorise holdings by type, duration, and value band, and assign a risk rating to each category.

Second: what CDD does the firm have in place for the clients whose money it holds? If a client whose funds are held in a client account is not otherwise subject to the firm's CDD process because they are, for example, a counterparty rather than a direct client, there should be a process for capturing basic identity information before funds are received.

Third: What is the escalation path if funds held in the client account give rise to suspicion? The MLRO should be the designated escalation point. The protocol should confirm that AML obligations in respect of client account holdings are not considered discharged by compliance with the professional body's client money rules alone.

Bridge the Materiality and AML Disclosure Gap

The single most important structural change an audit practice can make is to build an explicit AML checkpoint into the audit process that operates independently of materiality. That checkpoint should require audit staff to ask, at each stage of fieldwork, whether any transaction or pattern of transactions, regardless of size, has given rise to suspicion.

The question should be asked by the engagement manager at the planning stage, by senior team members during fieldwork, and by the engagement partner at the completion stage. Negative answers should be documented. Positive answers should trigger immediate MLRO consultation.

The documentation of this process is as important as the process itself. A firm that can demonstrate it asked the right questions, in the right sequence, and escalated appropriately is in a fundamentally different regulatory position from one that cannot show any AML review occurred during the audit.

Training is equally important. Audit teams are trained in audit standards. Most are not trained in how to recognise money laundering in the context of an audit engagement. That training gap, the inability to see a suspicious transaction as suspicious rather than merely immaterial, is one of the most significant practical risks in the accountancy sector.

Establish a Group Audit AML Protocol

Group auditors should establish a formal group audit AML protocol that addresses the division of AML responsibility between group and component auditors. The protocol should specify which party maintains the group-level AML file and UBO record, what AML information component auditors are required to share with the group auditor, the threshold at which suspicious transactions identified at the component level must be escalated to the group auditor's MLRO, and what the group auditor's obligations are in respect of jurisdictions where component auditors operate under AML frameworks of uncertain equivalence.

This protocol should be documented in engagement letters with component auditors and reviewed at the engagement planning stage. It does not need to be complex. It does need to exist.

Where component auditors are in jurisdictions with materially lower AML standards, the group auditor should consider whether additional AML procedures are required at the group level to compensate for the gap, and should document the basis for whatever decision is reached.

Part Three: Areas Where Supervisory Clarification Would Help

United Kingdom

The UK accountancy sector is supervised for AML purposes by a collection of designated professional bodies, including ICAEW, ACCA, ICAS, AAT, and others. HMRC acts as the supervisor of last resort for accountants not covered by another body. This fragmentation produces inconsistent guidance and uneven enforcement.

The ICAEW and the other professional bodies could usefully publish binding guidance, rather than advisory notes, that specifically addresses three questions: whether statutory audit is a designated activity for AML purposes; what AML obligations attach to a firm that holds client money but does not perform any other designated activity; and how the materiality-disclosure collision should be managed operationally. These three questions have been unresolved for too long. Available guidance has not always addressed these operational questions in the level of detail that firms need to make defensible compliance decisions.

The Financial Reporting Council should update its ethical and quality management standards to require auditors to document an AML assessment as part of their engagement quality procedures, independent of materiality. This may not require legislative change. It may be capable of being addressed through audit methodology guidance, supervisory expectations, or coordinated guidance between audit and AML supervisors.

Singapore

ACRA could usefully publish a comprehensive guidance note addressed specifically to public accountants and accounting entities that maps the designated activity concept clearly across all common accountancy service lines. The guidance should confirm whether a statutory audit is designated, and if so, what minimum CDD standards apply to audit engagements specifically. It should address client account money holdings directly.

The guidance should be published in a format that allows firms to use it as a self-assessment tool, ideally including a worked example for each service line and a summary table that practitioners can refer to without needing to read the full guidance document every time.

Hong Kong

The HKICPA's AML guidance is among the most developed in the region, but it has not been updated to reflect the growing complexity of the services that accountancy firms provide. A revised guidance document could usefully address the group audit AML protocol question, confirm the treatment of client monies, and provide worked examples of the materiality-disclosure interface in an audit context.

The Hong Kong Institute should also consider establishing a formal mechanism through which members can submit queries about the AML treatment of specific service line configurations and receive a documented response. The absence of any formal query mechanism means that firms are making consequential compliance decisions in silence, with no record that they sought guidance and no assurance that their interpretation is shared by their supervisor.

---