100% failed.
That’s how many firms with overseas client connections failed to identify this risk factor in their AML declarations. Every single firm with international clients, whether through overseas beneficial owners, emigrated tax clients, or foreign business operations, missed it completely.
This finding comes from the Institute of Chartered Accountants of Scotland’s 2025 thematic review of firm-wide money laundering risk assessments. ICAS examined 29 practices from their lowest and low-risk categories and found systematic failures in understanding what constitutes AML risk.
The overseas connections example wasn’t an anomaly. Across client risks, service risks, and procedural compliance, firms demonstrated fundamental gaps in their AML knowledge. 55% were operating at materially higher risk levels than their declarations suggested.
The implications go beyond regulatory penalties. These firms were exposed to money laundering risks they didn’t know existed and couldn’t possibly mitigate what they couldn’t see.
All compliance statistics and regulatory findings discussed in this article come directly from the ICAS Firm-wide Money Laundering Risk Assessment Thematic Review, October 2025.
Executive Summary: What the ICAS Review Actually Found
- 55% of reviewed firms had higher actual risk categories than they declared to ICAS
- 88% of firms with cash-based business clients failed to identify this risk factor
- 100% of firms with overseas client connections missed this critical risk
- 100% of firms with high-risk or sanctioned country connections omitted these from assessments
- 46% of firms providing Trust and Company Service Provision (TCSP) services failed to declare them
- 21% of firms were conducting insufficient customer due diligence procedures
- 7% of firms had unapproved Beneficial Owners, Officers, or Managers (BOOMs) operating illegally
- 11 firms increased from lowest/low risk to medium risk, fundamentally changing their monitoring obligations
- Zero firms had their risk ratings decrease after proper assessment
Why Accountancy Firms Are Actually Failing AML Compliance
The root cause isn’t negligence or corner-cutting. It’s fundamental misunderstanding. ICAS identified clear patterns in why firms consistently get their risk assessments wrong, and none of them involve deliberate attempts to mislead regulators.
- Off-the-Shelf Templates That Miss Critical Questions – Many firms rely on generic risk assessment templates that don’t ask about specific high-risk areas. These documents often omit questions about human trafficking vulnerabilities, dual-use goods, or proper definitions of cash-based businesses. Firms complete every question on the template and believe they’re fully compliant, unaware of the gaps the template itself contains.
- Confusing Risk Mitigation with Risk Elimination – Firms wrongly believe that having good controls means they don’t need to declare certain risks. The Money Laundering Regulations require you to identify risks first, then document your mitigations. You cannot skip the identification step just because you think your procedures are robust. If the risk exists in your client base, it must be declared, regardless of how well you manage it.
- Timing Gaps Between Declarations & Reality – Firms complete their AML declaration in May each year, but client bases evolve constantly. New clients arrive; existing ones expand into new territories or change their business models. By the next declaration cycle, the firm’s risk profile has shifted materially, but nobody updates the assessment until the annual deadline forces it.
- Fundamental Knowledge Gaps About What Constitutes Risk – This represents the most serious issue. Firms don’t understand what constitutes an AML risk in an accounting context. They know the theory and complete the training, but when identifying risks in their actual client base, they miss obvious indicators. The National Risk Assessment explicitly identifies certain services and client types as high risk, yet firms routinely fail to recognise them in their own practices.
- Definitional Disconnect Between Regulators & Firms – Firms and regulators are reading different meanings into the same terminology. When ICAS says “cash-based business,” firms hear “cash-intensive business.” When the regulations reference “overseas connections,” firms think “overseas companies only.” This isn’t wilful misinterpretation. It’s a genuine gap between regulatory intent and practical understanding.
This disconnect creates a dangerous compliance gap where firms believe they’re declaring everything accurately while regulators see systematic under-reporting. The real problem isn’t intent. It’s clarity.
The Five Most Dangerous Gaps in Firm Risk Assessments
The ICAS review revealed five critical areas where firms consistently fail to identify money laundering risks. These aren’t minor oversights. They represent fundamental misunderstandings that leave practices exposed to regulatory penalties and reputational damage.
The Cash-Based Business Misconception (88% Failure Rate)
14 out of 16 firms with cash-based business clients failed to identify this risk. The confusion stems from a simple misinterpretation: firms think “cash-based” means “cash-intensive.”
A cash-based business is any business that CAN accept cash for goods and services, regardless of volume. A coffee shop taking 90% card payments is still cash-based. A tradesperson who occasionally accepts cash is cash-based. What matters is the capability to transact in cash, not the amount.
This creates money laundering risk because cash transactions are difficult to trace. Even small cash flows create opportunities to integrate illegally obtained funds. If you prepare accounts for cafes, salons, taxi firms, builders, or corner shops, you have cash-based business clients. Declare them.
The Overseas Connections Blind Spot (100% Failure Rate)
Every single firm with overseas client connections missed this risk. Ten firms had such clients. Ten firms failed to declare them.
Firms interpreted “overseas connections” narrowly to mean overseas companies or international traders. ICAS defines it broadly to include any international element: beneficial owners living abroad, clients born overseas, business branches in other countries, foreign suppliers or customers, parent companies abroad, directors based internationally.
Overseas connections complicate customer due diligence. Verifying foreign individuals requires additional steps. Different countries have different regulatory standards and corruption risks. Money laundering often involves moving funds across borders to obscure their origin.
Missing High-Risk Client Indicators
Firms consistently missed three client risk factors requiring enhanced scrutiny.
Five out of six firms failed to identify high-net-worth clients (assets over £2 million or income over £200,000 annually). Some firms acted for companies owned by wealthy individuals and concluded they didn’t have HNW clients. Wrong. If you know the beneficial owner is wealthy, factor it into your risk assessment.
Half of all firms with non-face-to-face clients missed this risk. Obtaining photocopied ID isn’t sufficient. A photocopy proves someone has access to that document, not that the person you’re dealing with is the passport holder. You need face-to-face verification, certified copies, or electronic verification with biometric checks.
One firm missed that they had a UK Politically Exposed Person in their client base. The client was a politician’s spouse. PEP status extends to family members and close associates. These clients require senior management approval and enhanced due diligence.
The TCSP Registration Trap (46% Miss Rate)
Six out of thirteen firms offering Trust and Company Service Provision didn’t declare it. Some didn’t realise they were providing TCSP services. Others thought declaring “company secretarial services” covered it.
TCSP work includes forming companies or trusts, providing registered office addresses, acting as director or company secretary, and completing Confirmation Statements on behalf of clients. That last one catches many firms. If you complete and submit the form for your client, you’re providing TCSP services.
Providing TCSP services without proper ICAS registration is a criminal offence. You need specific authorisation. Several firms had “stopped” providing TCSP but still maintained registered office addresses for legacy clients. These arrangements still count. You still need registration.
Human Trafficking Vulnerabilities Firms Never Consider
Four firms had clients in industries vulnerable to human trafficking. All four initially missed this risk.
The review identified employment agencies and haulage companies. Employment agencies can facilitate illegal labour arrangements or traffic individuals under the guise of legitimate placements. Haulage companies have been implicated in moving people illegally across borders.
Other vulnerable industries include construction, agriculture, beauty services, catering, garment manufacturing, and car washes. Be particularly alert when multiple risks combine: an employment agency that also operates rental properties for workers, or a client running both adult entertainment and beauty businesses.
Your responsibility is to identify the risk, assess it properly, and document your findings. You cannot fulfil that responsibility by pretending the risk doesn’t exist.
The CDD Crisis: 21% of Firms Are Failing Basic Compliance
Six firms were found to be failing basic customer due diligence procedures. This goes far beyond missing risk factors in declarations. These firms were not meeting fundamental legal requirements.
| CDD Failure | Description | Implication |
|---|---|---|
| Identity verification | Clients never met face-to-face, only photocopied ID obtained | Cannot confirm client is who they claim to be |
| Beneficial owner verification | No verification of ultimate beneficial owners conducted | Unknown who really controls the client entity |
| KYC information gaps | Insufficient information recorded about client's business, transactions, funding | Cannot properly assess money laundering risk |
| Missing risk assessments | No documented risk assessment for individual clients | Non-compliance with Regulation 18 MLR |
| Ongoing monitoring | CDD records never updated or reviewed after onboarding | Cannot detect changes in client risk profile |
The review showed that firms were struggling in several ways:
- Three firms had clients they had never met in person or via video call, relying only on photocopies of identity documents. A photocopy proves access to a document, not that the client is who they claim to be
- Three other firms were not collecting enough information about the client’s business, transactions, funding sources, or geographic connections. They also lacked documented risk assessments for each client
- None of the firms conducted ongoing monitoring after onboarding. CDD is not a one-time task. Client circumstances change, new risks emerge, and CDD information must be updated regularly
These failures are not minor oversights. They represent breaches of core regulatory requirements and would trigger immediate action if found during a regulatory inspection.
The BOOM Problem: When Your Company Secretary Isn't Approved
Two firms had individuals acting as Beneficial Owners, Officers, or Managers without proper ICAS approval. In both cases, the person was listed on Companies House as Company Secretary.
This is a criminal offence.
Every person who is a beneficial owner (generally 25% or more shareholding), officer (director, company secretary), or manager of an ICAS-supervised firm must be approved as a BOOM by ICAS before acting in that capacity. There are no exceptions.
The firms involved hadn’t deliberately flouted this requirement. They didn’t realise their Company Secretary needed BOOM approval. Perhaps the role seemed administrative rather than managerial. Perhaps the individual wasn’t involved in day-to-day operations. Neither factor matters. The Companies House record says they’re an officer. They need approval.
Other common BOOM mistakes include:
- Failing to register spouses or partners who are beneficial owners but not actively involved in the business
- Failing to register AML personnel such as AML managers, Money Laundering Compliance Principals, or Money Laundering Reporting Officers
Firms must review their BOOM register annually when completing their AML declaration. Check your Companies House record, share ownership, and AML compliance personnel. Cross-reference against your approved BOOM list. If there’s a mismatch, you need immediate resolution.
Operating with unapproved BOOMs will likely result in Committee reporting and regulatory penalties when discovered. It also calls into question your overall compliance culture.
The Real Cost of Getting Your Risk Assessment Wrong
The consequences of inaccurate risk declarations extend far beyond paperwork corrections.
| Cost Category | Impact | Example |
|---|---|---|
| Monitoring frequency | Increased regulatory scrutiny | Moving from 4–10-year review cycle to 4-year cycle |
| Monitoring intensity | More extensive reviews requiring more resources | Desktop review becomes onsite visit requiring full file access |
| Regulatory penalties | Financial sanctions for non-compliance | Penalties for delayed or inaccurate information provision |
| Criminal prosecution | For specific offences like unregistered TCSP work | Prosecution for operating without required authorisation |
| Reputational damage | Market perception of compliance failures | Clients questioning whether to remain with the firm |
| Resource inefficiency | Time wasted on inadequate procedures | MLRO time dealing with regulatory follow-up |
| Unmitigated exposure | Actual money laundering risk the firm hasn't addressed | Potential involvement in criminal activity without knowing |
The review highlighted several immediate impacts and risks for firms:
- Eleven firms moved from lowest or low risk to medium risk, meaning they now face reviews every four years and potential onsite inspections, requiring more preparation and resources
- Regulatory guidance makes clear that serious delays or omissions can trigger formal action and financial penalties
- Certain offences carry criminal risk, including operating as a TCSP without registration or having unapproved BOOMs. These are criminal matters, not minor administrative breaches
- Unrecognised money laundering risks are particularly serious. Failing to spot cash-based clients, overseas connections, or human trafficking vulnerabilities means firms may inadvertently facilitate financial crime
How FigsFlow Prevents These Severe Mistakes
The ICAS review revealed that firms fail AML compliance primarily because of definitional confusion, inadequate templates, and inability to maintain current information. FigsFlow addresses these systemic problems through automated workflows and built-in compliance guidance.
Automated Client Verification & Screening
FigsFlow completes comprehensive AML verification in under 5 minutes. Clients receive a branded secure portal to upload documents via mobile. The system verifies authenticity against government databases and completes identity verification in 30 seconds. This eliminates the photocopy passport problem that caught out multiple firms in the review.
The platform screens clients, beneficial owners, and directors against major national and international sanctions lists and PEP databases. The lists update daily, and it re-screens your entire client base whenever they do, catching changes that manual processes would miss.
Organised Client Information & Risk Profiling
FigsFlow ensures every piece of client information is well-organised in one place. Client profiles are automatically labelled as low risk, medium risk, or high risk based on your risk assessment and timestamped AML check results. This makes it immediately clear which clients require enhanced monitoring and removes the guesswork that led to 55% of firms misjudging their risk categories.
Companies House Integration for Beneficial Ownership
Enter a company number and FigsFlow automatically pulls company details, identifies all Persons with Significant Control, maps ownership structure, and alerts you when records update. This ensures you properly verify beneficial owners and catch unapproved BOOMs before they become criminal offences.
Guided Risk Assessment with Pre-Built Templates
Pre-built templates guide you through evaluating business factors and automatically score risk with written rationale. The system flags relevant risk factors based on client data, catching cash-based businesses, overseas connections, and industry vulnerabilities that firms consistently miss.
Risk assessments are tailored to each client type, allowing junior staff to gather information while senior staff assign the final rating. Based on this rating, the system applies the appropriate level of due diligence, whether simplified, standard, or enhanced.
Ongoing Monitoring & Audit Trails
The system schedules periodic reviews, re-screens automatically, and sends document expiry alerts. Every action generates timestamped records. You can export compliance reports with one click, providing the complete audit trail that 21% of firms in the review were missing.
Integrated Practice Management
Beyond AML compliance, FigsFlow handles proposal management, engagement letters, and pricing solutions in a single integrated platform. You can manage your entire client onboarding and compliance workflow from first contact through ongoing relationship management.
All of this comes at a price you won’t believe
- £8/month for proposals and engagement letters
- £10/month for AML module + £2.10 per check
Compare that to standalone AML tools charging £60 to £80 per check or £200+ monthly subscriptions.
Try FigsFlow free for 30 days and see how it completes AML checks in minutes with automatic documentation that proves compliance.
Conclusion
55% of firms reviewed by ICAS had misjudged their money laundering risk. These weren’t rogue practices. They were established firms with policies, procedures, and regular compliance reviews. They simply didn’t understand what ICAS required.
The failures were systematic.
- 88% missed cash-based business risks
- 100% missed overseas connections
- 46% failed to properly declare TCSP services
- 21% weren’t conducting adequate customer due diligence
These problems are fixable. ICAS has clarified definitions. The guidance exists. The question is whether you’ll act before a monitoring visit exposes your gaps.
FigsFlow prevents the definitional confusion, missed risks, and inadequate procedures that affected most firms in the review. By automating risk identification and enforcing proper workflows, it turns compliance from an annual guessing game into a systematic process.
Fix your AML compliance before ICAS finds the gaps
See how FigsFlow automates risk identification, enforces proper workflows, and creates complete audit trails. Book a free demo and ensure your firm isn’t next in the compliance failure statistics.
Frequently Asked Questions
ICAS reviews your firm’s compliance with Money Laundering Regulations based on your risk level. Low-risk firms are reviewed every 4–10 years, medium-risk every 4 years, and high-risk every 2 years. The review looks at your risk assessment, client due diligence, and annual AML Declaration.
Reasonable grounds exist when client circumstances don’t make commercial sense, such as transactions inconsistent with their business activities, reluctance to provide information, or unusual payment structures. Red flags include cash transactions that don’t fit the business model, rapid fund movements without reason, overly complex corporate structures, or sources of wealth that don’t align with the client’s background and income.
If you provide services covered under the Money Laundering Regulations, AML checks are mandatory. These services include tax advice, accountancy services, audit work, insolvency services, and trust and company service provision. If you provide one of these services, you are required to conduct customer due diligence on all clients, assess money laundering risks at firm and client level, and maintain ongoing monitoring.
Most AML providers charge £60 to £80 per check, with monthly subscriptions reaching up to £200 or more. The worst part is they only fulfil part of the requirement, focusing solely on identity verification and screening without handling risk assessments, ongoing monitoring, or compliance documentation. However, you can use software like FigsFlow that charges £2.10 per AML check and comes with integrated risk assessment tools, ongoing monitoring workflows, complete audit trails, and practice management features all in one platform for £10/month plus the per-check fee.
AML checks verify current identity and screen against current sanctions lists, but you must retain CDD records for five years after the business relationship ends. ICAS monitoring reviews will examine your historical compliance practices and client files going back several years. The key is maintaining up-to-date client information through ongoing monitoring rather than relying on outdated checks.