100% failed.
That’s the share of firms with overseas client connections that failed to properly identify this risk factor in their AML declarations. Every single firm with international clients, whether through overseas beneficial owners, emigrated tax clients, or foreign business operations, missed it completely.
This finding comes from the Institute of Chartered Accountants of Scotland’s 2025 thematic review of firm-wide money laundering risk assessments. ICAS examined 29 practices from their lowest and low-risk categories and found systematic failures in understanding what constitutes AML risk.
The overseas connections example wasn’t an anomaly. Across client risks, service risks, and procedural compliance, firms demonstrated fundamental gaps in their AML knowledge. 55% were operating at materially higher risk levels than their declarations suggested.
The implications go beyond regulatory penalties. These firms were exposed to money laundering risks they didn’t know existed, and they couldn’t mitigate what they couldn’t see.
All compliance statistics and regulatory findings discussed in this article come directly from the ICAS Firm-wide Money Laundering Risk Assessment Thematic Review, October 2025.
Executive Summary: What the ICAS Review Actually Found
- 55% of reviewed firms had higher actual risk categories than they declared to ICAS
- 88% of firms with cash-based business clients failed to identify this risk factor
- 100% of firms with overseas client connections missed this critical risk
- 100% of firms with high-risk or sanctioned country connections omitted these from assessments
- 46% of firms providing Trust and Company Service Provision (TCSP) services failed to declare them
- 21% of firms were conducting insufficient customer due diligence procedures
- 7% of firms had unapproved Beneficial Owners, Officers, or Managers (BOOMs) operating illegally
- 11 firms increased from lowest/low risk to medium risk, fundamentally changing their monitoring obligations
- Zero firms had their risk ratings decrease after proper assessment
Why Accountancy Firms Are Actually Failing AML Compliance
The root cause isn’t negligence or corner-cutting. It’s fundamental misunderstanding. ICAS identified clear patterns in why firms consistently get their risk assessments wrong, and none of them involve deliberate attempts to mislead regulators.
- Off-the-Shelf Templates That Miss Critical Questions – Many firms rely on generic risk assessment templates that don’t ask about specific high-risk areas. These documents often omit questions about human trafficking vulnerabilities, dual-use goods, or proper definitions of cash-based businesses. Firms complete every question on the template and believe they’re fully compliant, unaware of the gaps the template itself contains.
- Confusing Risk Mitigation with Risk Elimination – Firms wrongly believe that having good controls means they don’t need to declare certain risks. The Money Laundering Regulations require you to identify risks first, then document your mitigations. You cannot skip the identification step just because you think your procedures are robust. If the risk exists in your client base, it must be declared, regardless of how well you manage it.
- Timing Gaps Between Declarations & Reality – Firms complete their AML declaration in May each year, but client bases evolve constantly. New clients arrive; existing ones expand into new territories or change their business models. By the next declaration cycle, the firm’s risk profile has shifted materially, but nobody updates the assessment until the annual deadline forces it.
- Fundamental Knowledge Gaps About What Constitutes Risk – This represents the most serious issue. Firms don’t understand what constitutes an AML risk in an accounting context. They know the theory and complete the training, but when identifying risks in their actual client base, they miss obvious indicators. The National Risk Assessment explicitly identifies certain services and client types as high risk, yet firms routinely fail to recognise them in their own practices.
- Definitional Disconnect Between Regulators & Firms – Firms and regulators are reading different meanings into the same terminology. When ICAS says “cash-based business,” firms hear “cash-intensive business.” When the regulations reference “overseas connections,” firms think “overseas companies only.” This isn’t wilful misinterpretation. It’s a genuine gap between regulatory intent and practical understanding.
This disconnect creates a dangerous compliance gap where firms believe they’re declaring everything accurately while regulators see systematic under-reporting. The real problem isn’t intent. It’s clarity.
The Five Most Dangerous Gaps in Firm Risk Assessments
The ICAS review revealed five critical areas where firms consistently fail to identify money laundering risks. These aren’t minor oversights. They represent fundamental misunderstandings that leave practices exposed to regulatory penalties and reputational damage.
The Cash-Based Business Misconception (88% Failure Rate)
14 out of 16 firms with cash-based business clients failed to identify this risk. The confusion stems from a simple misinterpretation: firms think “cash-based” means “cash-intensive.”
A cash-based business is any business that CAN accept cash for goods and services, regardless of volume. A coffee shop taking 90% card payments is still cash-based. A tradesperson who occasionally accepts cash is cash-based. What matters is the capability to transact in cash, not the amount.
This creates money laundering risk because cash transactions are difficult to trace. Even small cash flows create opportunities to integrate illegally obtained funds. If you prepare accounts for cafes, salons, taxi firms, builders, or corner shops, you have cash-based business clients. Declare them.
The Overseas Connections Blind Spot (100% Failure Rate)
Every single firm with overseas client connections missed this risk. Ten firms had such clients. Ten firms failed to declare them.
Firms interpreted “overseas connections” narrowly to mean overseas companies or international traders. ICAS defines it broadly to include any international element: beneficial owners living abroad, clients born overseas, business branches in other countries, foreign suppliers or customers, parent companies abroad, directors based internationally.
Overseas connections complicate customer due diligence. Verifying foreign individuals requires additional steps. Different countries have different regulatory standards and corruption risks. Money laundering often involves moving funds across borders to obscure their origin.
Missing High-Risk Client Indicators
Firms consistently missed three client risk factors requiring enhanced scrutiny.
Five out of six firms failed to identify high-net-worth clients (assets over £2 million or income over £200,000 annually). Some firms acted for companies owned by wealthy individuals and concluded they didn’t have HNW clients. Wrong. If you know the beneficial owner is wealthy, factor it into your risk assessment.
Half of all firms with non-face-to-face clients missed this risk. Obtaining photocopied ID isn’t sufficient. A photocopy proves someone has access to that document, not that the person you’re dealing with is the passport holder. You need face-to-face verification, certified copies, or electronic verification with biometric checks.
One firm missed that they had a UK Politically Exposed Person in their client base. The client was a politician’s spouse. PEP status extends to family members and close associates. These clients require senior management approval and enhanced due diligence.
The TCSP Registration Trap (46% Miss Rate)
Six out of thirteen firms offering Trust and Company Service Provision didn’t declare it. Some didn’t realise they were providing TCSP services. Others thought declaring “company secretarial services” covered it.
TCSP work includes forming companies or trusts, providing registered office addresses, acting as director or company secretary, and completing Confirmation Statements on behalf of clients. That last one catches many firms. If you complete and submit the form for your client, you’re providing TCSP services.
Providing TCSP services without proper ICAS registration is a criminal offence. You need specific authorisation. Several firms had “stopped” providing TCSP but still maintained registered office addresses for legacy clients. These arrangements still count. You still need registration.
Human Trafficking Vulnerabilities Firms Never Consider
Four firms had clients in industries vulnerable to human trafficking. All four initially missed this risk.
The review identified employment agencies and haulage companies. Employment agencies can facilitate illegal labour arrangements or traffic individuals under the guise of legitimate placements. Haulage companies have been implicated in moving people illegally across borders.
Other vulnerable industries include construction, agriculture, beauty services, catering, garment manufacturing, and car washes. Be particularly alert when multiple risks combine: an employment agency that also operates rental properties for workers, or a client running both adult entertainment and beauty businesses.
Your responsibility is to identify the risk, assess it properly, and document your findings. You cannot fulfil that responsibility by pretending the risk doesn’t exist.
The CDD Crisis: 21% of Firms Are Failing Basic Compliance
Six firms were found to be failing basic customer due diligence procedures. This goes far beyond missing risk factors in declarations. These firms were not meeting fundamental legal requirements.
| CDD Failure | Description | Implication |
|---|---|---|
| Identity verification | Clients never met face-to-face, only photocopied ID obtained | Cannot confirm client is who they claim to be |
| Beneficial owner verification | No verification of ultimate beneficial owners conducted | Unknown who really controls the client entity |
| KYC information gaps | Insufficient information recorded about client's business, transactions, funding | Cannot properly assess money laundering risk |
| Missing risk assessments | No documented risk assessment for individual clients | Non-compliance with Regulation 18 MLR |
| Ongoing monitoring | CDD records never updated or reviewed after onboarding | Cannot detect changes in client risk profile |