The County Administrative Boards, tasked with inspecting accounting companies in Sweden to assess their compliance with the Anti-Money Laundering regulations, have had an intensive year supervising accounting firms.
In 2023, the supervisory authorities issued sanctions amounting to between 75.000 and 5.000.000 SEK. The Swedish Inspectorate of Auditors has issued a warning.
For an accounting firm that wants to avoid sanctions, it is highly recommended to follow best practices in the field and avoid common mistakes made by their peers.
How serious is the risk of accountants being used for money laundering?
The National Risk Assessment of Money Laundering and Terrorism Financing in Sweden found that the overall risk of money laundering in the accounting and auditing services sector is significant.
That is because even if auditors and accountants are not directly used to perform illicit transactions, they can still be exploited as part of economic crime schemes, for example by building legitimate-looking facades for companies or otherwise creating the appearance of legality for illicit transactions.
Bookkeeping and accounting consultants have unique insights into clients’ transactions and should be able to detect those that arouse suspicions, both in the customers’ businesses and the activities with their stakeholders (such as their clients and supply chain). And that is especially true when working with companies in industries that are known to be more exposed to financial crime, such as construction and hospitality (where, historically, it has happened that seasonal employees have been paid off-books).
The requirements for accounting firms regarding risk assessments and due diligence procedures are now as far-reaching as for financial companies. However, in many cases, companies still use old templates and outdated working methods.
Which AML violations were the most frequent among Swedish accounting firms?
The County Administrative Boards have found breaches relating both to the internal risk assessment and to the AML policies, procedures, and controls.
According to the Swedish AML Act, obliged entities must periodically assess the risk of their business being used for money laundering or terrorism financing. This internal risk assessment is necessary to identify and implement appropriate measures to reduce the risk.
Such measures must then be translated into policies, procedures, and controls on client risk assessment, risk management, customer awareness, investigations, reporting, and the preservation of documents and information to effectively prevent money laundering and terrorist financing.
Guidelines from the County Administrative Boards to accounting firms to correctly perform their internal risk assessments
To assess their own business risk, AML-obliged companies should conduct an internal risk assessment, which should be documented and made available to the supervisory authority. According to the Swedish AML Act regulations, the following factors should be taken into account by a company performing an internal risk assessment:
- the nature and complexity of the business
- the size of the company
- the sector in which the company operates (services and customer relationships)
- the customer base of the company
- the countries where the company does business
- the distribution channels used
- information from the company’s own reporting of suspicious transactions to the authorities
- general information on trends, risks, etc. provided by, e.g., the authorities
When inspecting accounting firms’ compliance, the County Administrative Boards found that companies were not sufficiently adapting the risk assessment to their own specific operations and distinctive business characteristics.
To perform a more compliant internal risk assessment (and successfully pass an inspection by the County Administrative Boards or the Swedish Inspectorate of Auditors, as applicable), you can follow the guidelines below, which can serve as a checklist for accounting firms:
- The internal risk assessment should include all of the services provided by the accounting firm subject to anti-money laundering regulations.
- It must be clear how the company’s own services can be used for money laundering (“PT”) and terrorist financing (“FT”).
- The industries where the customers of the accounting firm operate must be specified in the internal risk assessment, as well as the risks that exist in each industry.
- The risks attributable to the accounting firm’s customers should relate to the specific firm’s customers, not the general customer types.
- Risk descriptions should include reasons and explanations for the risk levels, justifying when and where a given risk is relevant.
- Risk mitigation factors shall be linked to actual risks.
- Both actual threats and potential vulnerabilities must be addressed.
- If high-risk transactions occur, this should be indicated in the general risk assessment.
- General risk assessments should be updated regularly (at least once a year and more frequently in the event of changes in operations or operating environment). Updates must be documented and made available to the authorities.
- The general risk assessment should be based on the size and nature of the business activity.
- The general risk assessment should provide a picture of the overall level of risk for the entire business, including external factors.
Most common errors made by accounting firms when preparing their routines, guidelines and controls
Deficiencies in the internal risk assessment are a serious issue as the internal risk assessment forms the basis for the policies, procedures, and controls implemented in the firm – including practicalities such as how to classify customers based on their risk level.
The County Administrative Boards and the Swedish Inspectorate of Auditors found that some of the accounting firms inspected failed to properly comply with the requirements set for the policies, procedures, and controls. Below, you can find some examples of the oversights made by the companies audited (i.e., a list of mistakes that you should avoid to ensure full compliance):
- Entering into or maintaining certain business relationships that the firm’s own policies prohibit.
- Relying on customer due diligence measures carried out by third parties not even covered by the Money Laundering Act.
- Failing to describe how to implement enhanced due diligence measures in practice.
- Failing to describe what exact data is to be collected in continuous KYC follow-up and how, or which concrete events can trigger an updated customer identity verification. More generally, some companies failed to document customer due diligence measures altogether.
- The information collected on customers was not sufficiently tied to the risks identified in the internal risk assessment.
- Failing to document the content of training courses, which makes it impossible to assess whether they have been adapted to different categories of staff based on their functions and work duties.
- Failing to specify the procedures (and the measures actually implemented) for the protection of employees, to ensure the safety and anonymity of whoever reports a suspicion of money laundering or terrorist financing.
- Failing to explain how to perform the continuous monitoring of the business relationships – i.e., how customers are to be checked or how the company is to detect activities and transactions that deviate from what the company has reason to expect; which activities and deviations may warrant a closer examination/investigation and how that investigation is to be conducted (e.g., what more stringent measures are to be taken).
- Lack of a system providing rapid and complete information on whether the company has had a business relationship with a particular person during the previous five years and, if so, on the nature of the relationship.
- Failing to clarify how internal controls are carried out in the business – e.g., what sampling is to be carried out, how, and with what frequency.
- Outdated governing documents that still refer to repealed regulations.
- Insufficient regard paid to the customer operating in a high-risk industry when risk-classifying the customer and applying measures to mitigate that risk.
- The information needed to be collected by the auditor in their capacity as an auditor is often not sufficient to also comply with the AML regulations. The auditor must also assess the individual risks associated with the customer in terms of money laundering and terrorism financing.
- Enhanced measures must be adapted to the type of risk indicator triggering the high risk classification.
- All measures under the AML regulations, including assessments, must be documented.
Meeting Swedish AML requirements with Penneo KYC
I collaborated with Penneo to develop the legal framework for their KYC software, adapted to the requirements of the Swedish AML laws.
Penneo KYC is now available in Sweden. Book a personalized session with our KYC experts.
Disclaimer: This article applies to the AML updates in Sweden. Be aware that country-specific differences exist, if you are dealing with AML compliance in a country different from Sweden.