Service-line AML risk: Tax, payroll, bookkeeping, accounts, and TCSP work
Every accountancy practice is responsible for assessing how its services could be used to conceal criminal funds, support misleading financial records, or give credibility to questionable activity.
In practice, the firm-wide risk assessment (FWRA) should begin with the services the practice actually provides. Each service line is important because it affects what the firm is likely to see, influence, or rely on when dealing with clients.
The next step is to decide how much detail the assessment needs.
For example, a small firm offering a narrow service range might only need a short explanation of how those services affect its AML exposure.
In contrast, a multi-service practice will usually require more detail, especially when work is handled at volume or several services are provided to the same client.
Key takeaways
- Each significant service should be considered separately because the route for misuse will differ.
- For bookkeeping and accounts work, risk often depends on the reliability and completeness of the underlying records.
- Tax and payroll services can support false positions or records, so the assessment should reflect that specific exposure.
- Company formation and related TCSP work need separate consideration when ownership, control, or commercial purpose is unclear.
- Linked services for the same client can change the overall risk picture and should be assessed together.
- A concise service-line matrix can record the initial risk, controls applied, and remaining exposure.
Service mix belongs in the firm-wide risk assessment
Service-line risk starts with what the client is using the practice to produce.
The firm-wide risk assessment should therefore consider whether the service could affect the client’s legal or financial position, direct funds, or give authority to information that others may rely on.
For example, regular bookkeeping can give the practice continuing access to source records and transaction patterns, while year-end accounts work might involve formalising summaries supplied after the event.
In each case, the risk depends on how much context the firm has to test whether the client’s information makes commercial sense.
The same analysis should be applied when services overlap. If one client receives several linked services, the assessment should explain whether the combined engagement changes the firm’s visibility, influence, or exposure.
Note that this service-line view is part of the FWRA, rather than a replacement for the client risk assessment carried out on a specific client or engagement.
Bookkeeping and accounts work create different visibility risks
Accounts preparation converts client information into formal accounts or returns that could be relied on by HMRC or other third parties. The main exposure arises when unreliable figures acquire an appearance of professional credibility.
Bookkeeping affects an earlier stage, as it compiles or maintains the primary accounting information from which accounts and statutory submissions might later be prepared.
This can provide better ongoing visibility, although that advantage falls away when the client withholds evidence or pushes the bookkeeper to accept entries without an adequate basis.
For instance, a client might repeatedly provide unexplained totals without the records needed to support them. If the practice accepts those figures, unsupported activity can become embedded in the client’s accounting records.
This is why the supporting evidence needs to be assessed. HMRC’s latest guidance identifies incomplete or unverified source records as an exposure for both accounts preparation and bookkeeping.
Practical takeaway: The inherent risk can differ according to how frequently the work is performed and how reliable the underlying accounting information is.
Tax and payroll risks: Unsupported positions and fabricated employment
Tax work can be misused to disguise criminal income or misstate a client’s liability or repayment position. Risk depends on the nature of the work and the strength of the evidence provided.
If a client dismisses clear advice and demands an aggressive outcome, the exposure differs from that of a return backed by third-party records.
Payroll creates a different route for misuse because it generates a recurring record of employment and payment. The service can make illicit funds appear to be wages or benefits through fabricated employment records or payments that do not fit the client’s operations.
Payroll information can also reveal fraud or worker-exploitation concerns, including signs of modern slavery.
Tax and payroll, therefore, require controls and staff examples tailored to their distinct misuse pathways.
Company formation and TCSP work need separate weighting
Trust or company service provider activity can include forming legal persons and providing related address or representative arrangements. Some administrative company-secretarial work falls outside that scope, so classification must follow the activity provided.
Once the work falls within TCSP activity, the risk analysis needs to consider what the structure enables. This is because these services can create structures that distance a beneficial owner from a business or give an operation a respectable UK presence.
Risk can increase when formation activity lacks a clear commercial rationale or obscures who controls the business and why it exists.
The FWRA should also reflect how formation work is delivered.
HMRC classifies trust or company service provider services as high risk for money laundering at the sector level, but an individual formation’s purpose and wider circumstances still determine its risk.
For example, forming a company for a known client is different from handling higher-volume formation work through indirect channels, where the practice could have less visibility over who is behind the company and why the structure is being used.
The risk position can also change when formation work is combined with later accountancy support. Multiple engagements can add layers of apparent legitimacy when a practice establishes a company before continuing to support it.
HMRC states that adding accountancy services to trust or company services can increase the overall risk.
Recording service-line risk in the firm-wide assessment
A compact service-line matrix will usually be more useful than a lengthy narrative, provided it shows the judgement behind each rating.
For each service, the record should explain the scale of the work and the main route by which it could be misused, including any effect on the client’s legal or financial affairs.
It should also explain what information is normally available to the firm and how much visibility the engagement creates. Any circumstances that materially increase or reduce the exposure should be recorded separately.
The entry can then close with the inherent risk level and a brief rationale that another reviewer could follow.
The matrix only needs to cover services the practice actually performs. HMRC’s sector assessment should inform the firm-wide risk assessment, but the firm’s record needs to be anchored in its own operating model and available evidence.
Service-line risk should lead to controls and review triggers
Each material AML risk needs a corresponding control.
Controls should define evidence standards and require targeted review or escalation if the instructions or justification for the engagement appear unusual.
After applying those controls, the firm should record the residual risk. Crucially, the recorded rating needs to reflect how the controls reduce the exposure and what risk remains in practice. The analysis can then influence how the practice manages client risk.
Because service-line risk depends on the work the practice actually performs, the FWRA also needs to be reviewed after any material change to the practice, such as new services or structure.
In summary
A strong FWRA makes the basis for each service’s risk rating clear to an independent reader. It needs to identify the records normally available, and the AML controls that operate in day-to-day work. It should also explain any gaps that require further scrutiny.
This analysis needs to stay aligned with the way the firm operates, so any material changes in services, delivery method, or connected engagements should prompt a fresh assessment of the AML exposure and the evidence needed to manage it.
FAQs
A small firm should consider how each main service could be misused, since the risks in bookkeeping, tax, payroll, and company formation differ. The assessment can remain proportionate to the firm’s size and service range.
The risk usually depends on how the service is delivered and how reliable the client’s records are. With regular bookkeeping, the firm has a clearer view of transactions as they happen. This visibility is weaker when supporting records are missing. Conversely, year-end accounts work can involve figures supplied long after the transactions took place, leaving fewer opportunities to check their background.
Misuse can arise when a client seeks a position unsupported by reliable evidence, especially after the firm has advised against it. Fictitious jobs and salary payments can appear genuine in payroll records. Warning signs include employees or wage payments inconsistent with the client’s business activities, as well as payroll data suggesting fraudulent activity or worker exploitation.
Company formation warrants focused analysis when the firm is carrying out TCSP activity. The key factor is whether there is a genuine operational reason for using the structure and whether the people who own or control it are properly understood. Risk can be higher if the firm handles formation work indirectly or in large volumes with limited knowledge of each client.
The firm should consider the combined effect of the services. For example, forming a company and then providing bookkeeping, payroll, or accounts work can make the business appear more established than it is. The review should therefore cover the relationship as a whole, including the company’s purpose, client instructions, and how reliable the available information is across the different services.
Revisit the firm-wide risk assessment whenever the firm materially alters its services or operations. A review might also be needed after a significant increase in company formation work or once the practice begins combining multiple services for individual clients. The revised FWRA should reflect how those changes affect the firm’s exposure.
References and Source Material
- HMRC, Risks common to accountancy service providers
- The Money Laundering Regulations 2017, Regulation 18: Risk assessment by relevant persons
- HMRC, Risk assess your business for money laundering supervision
- CCAB, Anti-Money Laundering and Counter-Terrorist Financing Guidance for the Accountancy Sector
- HMRC, Risks common to Trust or Company Service Providers
- HMRC, Check if you need to register for money laundering supervision if you’re a trust or company service provider
- HMRC Economic Crime Supervision Handbook (ECSH52525 – Introduction to accountancy service providers)

