Risk & Compliance

Wwft audit function at accounting firms: four areas for improvement 

Date:March 29, 2023

The Wwft requires financial institutions and trust offices to have a Wwft audit function, to the extent appropriate to the nature and size of the institution (The Bft indicates that this is appropriate for organisations with more than 50 employees). This audit function monitors the organisation’s compliance with the Wwft, including the exercise of the compliance function in this context. 

The audit function should be set up as independently as possible. Accounting firms know better than anyone else what this means in practice. However, the size of the organisation often does not make setting it up independently easy. Also because the compliance function is often already in-house. It is therefore understandable that (besides smaller financial institutions|) more and more accounting firms, notaries and lawyers are choosing to outsource the audit function. Charco & Dique performs this function for several accounting, law and notary firms. Based on our experiences, we often see the following areas for improvement, which incidentally apply more broadly than just to these firms. 

The Wwft policy should be a logical consequence of a risk analysis. This is something most parties know. Yet the risk analysis is often limited and lacks a clear link to the policy. 

But where should you start? Our advice is to start by defining the ‘typical’ customer for your firm. Where do your clients come from (which countries/regions), what type of services do they purchase and what sectors do they operate in? Based on this analysis, you can then determine what Wwft risks are associated with this typical client and how they are/can be  mitigated.  

The analysis then focuses on the characteristics of the ‘non-typical’ clients. This is because it can be used to determine whether these characteristics have a risk-increasing effect and what measures the firm has in place to bring these risks to an acceptable level. 

Risk appetite is described too briefly and is defined primarily qualitatively 

A good analysis of the client portfolio is the starting point for defining the risk appetite. This involves specifying the client portfolio according to the various risk categories/indicators. By discussing what the qualitatively formulated risk appetite means in relation to the risk profile of the client portfolio, this discussion becomes more concrete. It can then be determined, for example, that no more than x per cent of the portfolio should consist of customers from a particular sector. 

Peculiarities in customer underwriting are not sufficiently explicitly documented 

The next area for improvement that we regularly encounter at audit firms concerns the process around client acceptance. Specificities noted during client acceptance are often implicitly recognised but insufficiently explicitly documented. The client acceptance form is often mechanically set up with ‘tick boxes’ and opportunities to include brief explanations. The questions included do not invite to explain the risk and, in particular, consider what measures can be taken to mitigate it. 

An example: when accepting a particular customer, an increased risk of money laundering is recognised because the industry handles a lot of cash (generic risk indicator). What is then often missing is an explanation of the specific customer situation. What measures has the customer taken to mitigate this risk? For example, by implementing a PIN-only policy. Or, on the contrary, does the customer deliberately not have a PIN machine? How the customer deals with these risks is important for the risk assessment and classification. 

The policy framework does not include all legally required aspects 

It is obviously important that compliance with legal requirements is demonstrably detailed in the policy framework. For instance, it is often not clear what should be done in case of heightened scrutiny and how the risk assessment should be kept up to date. Comparing your own policy with NBA or SRA guidelines is a simple solution for this. 

Want to know more? 

Our specialists not only have broad experience at financial institutions, but also detailed knowledge of the Wwft at other types of institutions. We will be happy to help you perform the Wwft audit function in an independent manner, naturally in a manner appropriate to the nature and size of your organisation. Would you like to know more about the possibilities? Then contact us without any obligation.