Professional accountants play an important role in the development of an economy. The accounting profession’s dedication to high audit quality is underpinned by independent oversight and regulatory mechanisms that include licensing, audit practitioner and firm reviews, among others. All these initiatives create a robust public interest protection framework. High quality audits support a functioning economy and protect the public interest.

During an audit of financial statements, an organisation is supposed to have applied International Standards (International Financial Reporting Standard (IFRSs) or IFRS for Small and medium-sized enties (SMEs) including declining engagements especially where the advice or services being sought, such as regulatory and compliance advice or just a general busines advice are not within an accountant’s competence, risk appetite or somehow compromises the institute’s code of conduct. If for whatever reason, an auditor reveals that a particular entity’s records of its client(s) is or are missing or incomplete, it may be an area of greater risk for Money Laundering/ Terrorism Financing (ML/TF).

Meaning of money laundering / terrorism financing

Money Laundering could be simply defined as the process of transforming the proceeds of crime into legitimate assets, whilst Terrosrim Finanacing relates to the collection or the provision of funds for terrorist purposes. Both ML and TF have direct socio-economic consequences on an economy such as weakening financial institutions, loss of tax revenue, economic instability, undermining of the legitimate private sector, legal risk among others. The main difference between Money Laundering and Terrorism Financing is that funds under ML are always proceeds of a criminal activity while under Terrorism Financing, funds could have come from legitimate sources but their purposes remain illegal.

Vulnerable accounting services

The biggest risk lies in failing to determine who the Ultimate Business Owners (UBOs) - natural persons who ultimately own or control a natural person on whose behalf a transaction is being conducted; of an entity are, while conducting some engagements or functions. The obligation to identify beneficial ownership does not end with identifying the first level of ownership, but requires reasonable steps to be taken to identify the beneficial ownership at each level of the corporate structure until an UBO is identified. According to the Financial Action Task Force (FATF), some of the most vulnerable accounting services when it comes to AML/CFT may include:

Performing financial transactions – where a practitioner may be used by a criminal to perform various financial transactions on their behalf such as retail foreign exchange operations, issuing and cashing cheques, purchase and sale of stock, among others;

Financial and tax advice – where a criminal could pose as someone needing financial or tax advice, yet the objective is to avoid future liabilities by placing assets out of reach;

Company and trust information – where a criminal may attempt to disguise the links between the proceeds of a crime and the perpetrator through the formation of a legal company or other complex legal arrangements (i.e., trusts);

Buying and selling of property – where a criminal may use property transfers to disguise originality of proceeds either at the layering level – moving illegal money from one account to another or at the Integration stage – investing proceeds after the laundering process.

Accountancy services could also be used to facilitate tax evasion and VAT fraud.

Applying a risk-based firm wide risk assessment

Deploying a Risk-based Approach at a firm level would therefore help a practitioner to identify and assess ML/TF risks facing a firm given its clients – i.e, those with complex ownership structures; services - i.e, trust and company services; delivery channels – i.e., non face to face clients; and countries of operation - i.e., those subjected to sanctions. After risk identification, the practitioner would be expected to carry out risk management and mitigation by applying measures that could effectively and efficiently mitigate and manage ML/TF risks. The next step would include ongoing monitoring, where a practitioner puts in place policies, procedures and Information Systems (IS), where possible, to monitor changes in the ML/TF risks before documenting risk assessments, strategies, policies and procedures to monitor, manage and mitigate ML/TF risks.

To discover a suspicious transaction will not only require that a firm conducts a due diligence based on its risk assessment and the nature of the services being provided, but also requires application of their professional scepticism. Conducting a risk-based assessment is a legal requirement and also reccommended by the FATF – the global ML/TF watchdog.

It is therefore important to note that under the AML/CFT Law No. 028/2023 of 19/05/2023 on prevention of money laundering, terrorist financing and the financing of proliferation of weapons of mass destruction, as amended to date, requires all licenced practitioners, to comply with all the requirements of that law including the reporting of suspicious transactions to the Financial Intelligence Centre (FIC) within 24 hours from the time of the engagement, without which, non compliance sanctions shall be applied which are ultimately effective, proportionate and dissuasive.

Practitioners are prohibited from "tipping off” once a Suspicious Transaction Report (STR) such as misappropriation of funds by the client or false invoicing has been filed with FIC. Non compliance with that requirement is equally punishable by the same law.

The rationale for a Risk Based Approach (RBA) is to allow a firm to apply ML/TF mitigation measures that are commensurate with the identified risks, thereby avoiding the use of unnecessary excessive resources. Besides, a RBA requires strong governance and internal control policies and procedures created by the firm management to enhance the culture of compliance and risk control mechanisms.

Approach to Customer Due Diligence (CDD)

In application of CDD, the following measures should be adopted: (a) identification and verification of the client’s identity; (b) identification and taking reasonable measures to verify the identity of the beneficial owner; (c) understanding the purpose and nature of the business relationship; and (d) on-going monitoring of the relationship. Usage of artificial intelligence and analytical tools (where possible) could be applied to facilitate the spotting of unusual transactions.

Consequently, where supervised firms determine that the ML/TF risk via its firm-wide risk assessment to be posing a high risk based on either high risk client base, size and nature of practice; enhanced measures should be adopted, otherwise, standard control measures should be appropriate. Such an assessment that is usually carried out as part of the overall client and engagement acceptance processes, should be kept up to date, documented and availed to the institute, FIC or any other Competent Authority that is allowed by the Law to access it.

In circumstances where a client is a Politically Exposed Person (PEP) – individuals entrusted with prominent public functions, the firm should perform additional procedures which should include: seeking senior management approval prior to engaging in such a business relationship; develop measures to establish source of funds and wealth; carry out an enhanced monitoring of the business relationship.

Even in circumstances where a practitioner is either carrying out an audit or not, applying ISA 240: The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements and ISA 315: Identifying and Assessing the Risks of Material Misstatement should further provide additional red flags of higher risky areas to complement the country/geographic risks; client risks; and transaction/ service and associated delivery channel risks.

Rwanda conducted a National Risk Assessment (NRA) on ML/TF in 2018 and the assessment revealed the accountancy profession's overall risk to be low, whilst the sector risk assessment that was conducted by the institute in the third quarter of 2022, rated the overall ML/TF risk as Medium.

Sunday Kalisa is Director, Professional Development Services – ICPAR