Remote working and delivery-channel risk in AML

Accountant using a laptop to review remote client information for AML risk assessment.

Accountancy firms must assess how remote onboarding, digital communication, and third-party delivery affect their ability to understand each client relationship. 

This becomes especially relevant when the firm is not dealing directly with the client or is relying too heavily on information from one channel. By extension, this makes it harder to confirm who is involved and whether the engagement makes commercial sense.

The way firms should handle AML responsibility depends on how the practice operates. 

A small firm with regular partner contact can often manage risk through direct oversight. However, in a more automated or outsourced model, responsibility should be clearly assigned, and the process should still give the firm a complete view of the client.

Key takeaways

  • Remote service delivery is a factor to assess within the overall AML risk picture.
  • The rating should reflect the visibility the practice has over the client and the engagement.
  • A separate source of evidence can strengthen assurance when all information is supplied through one remote route.
  • Intermediaries require closer attention when they limit direct engagement with the client or obscure the purpose of the arrangement.
  • The practice remains accountable for outsourced AML work, as well as its outcome and supporting records.
  • Channel assessments should explain which controls support the rating, where those measures fall short, and what risk remains.

Remote delivery and AML risk ratings

Regulations 18 and 18A of the Money Laundering Regulations require a regulated firm to consider delivery channels when assessing firm-wide exposure to money laundering, terrorist financing, and proliferation financing. 

The firm-wide risk assessment (FWRA) must be proportionate to the business and maintained as a current written record in most cases.

At the client level, Regulation 33 identifies non-face-to-face relationships without suitable safeguards, along with certain technology-enabled delivery models, as factors that may indicate increased risk. 

It also states that one or more factors do not always make a situation high risk. Remote contact, therefore, needs an evidence-based rating, instead of a blanket score for every client served online.

The core judgement is whether the channel materially limits the firm’s ability to understand and verify the client relationship at onboarding or over time, including when an intermediary is involved.

Face-to-face contact can provide useful evidence, although it does not guarantee authenticity or make a relationship low risk. 

Where remote service delivery can increase AML risk

A lack of meaningful direct contact with the people behind the client relationship can raise risk. Concern is greater when all supporting information arrives through the same unverified channel, leaving little independent evidence against which to test it.

Distance can also reduce the firm’s sense of whether the client’s description of its identity and operations is credible. Inconsistent communication or instructions can further weaken that picture.

HMRC’s accountancy sector material states that false documents can be harder to identify when supplied online and that limited ongoing face-to-face contact could reduce visibility of criminal involvement.

Delivery-channel risk from intermediaries, outsourcing, and digital workflows

Intermediary-led, outsourced, or digital delivery can create distance from the end client or divide information between organisations.

That distance becomes more significant when an intermediary obstructs transparent access to the client or the commercial rationale. 

HMRC also describes longer or overseas supply chains as potentially higher risk because they can make the relationship more challenging to understand.

The same concern applies when remote contact is paired with other features that reduce visibility. 

On its own, remote services often present little additional risk when the engagement is straightforward and supported by regular communication. 

In contrast, contact routed through an overseas intermediary points to a different conclusion when ownership, records, or the commercial rationale are unclear. 

The 2025 AASG Risk Outlook reflects this by highlighting the combined effect of remote delivery and complex operating models.

Delivery-channel risk in the firm-wide risk assessment

The firm-wide assessment should include a short inventory of how clients reach the practice and how services are delivered.

For each channel, the FWRA should address the information gaps it creates and the evidence available to close them.

The FWRA also needs to describe the practice’s actual model. For example, a firm that uses video calls occasionally has a different exposure from one built around automated onboarding with little subsequent client interaction.

In terms of the analysis, firms should start with inherent risk and then account for the safeguards in use to establish residual risk. The residual rating should then guide how the firm manages client risk in practice.

Delivery-channel controls for small accountancy firms

Accountancy firms should set approved channels and specify when staff must use direct contact, independent checks, or escalation to address reduced visibility. 

Procedures can state who is authorised to instruct and when unexpected changes in the relationship require escalation.

If the channel gives the firm substantially less visibility, the risk-management response needs measures that strengthen assurance and oversight and, where necessary, approval from the money laundering reporting officer (MLRO). Regulation 33 supports this risk-based response.

Workflow controls are equally relevant, as responsibilities across the delivery chain need to be clear, with timely access to required information. This oversight helps the firm check outsourced work and confirm that all significant information can be reviewed.

The same principle applies before a new channel is introduced. Under Regulation 19, new delivery mechanisms or technologies require proportionate risk assessment before introduction and closer monitoring during early use. 

If part of the process is outsourced, CCAB guidance confirms that using an external provider for due diligence does not remove the regulated firm’s responsibility for UK-standard work and records.

The FWRA also needs to translate into staff action. Employees should refer any gap or behaviour that compromises transparency to the MLRO. 

Our separate guide explains who should be the MLRO or nominated officer in a small accountancy practice.

Practice Takeaway:


For delivery-channel risk, the written FWRA record should document the basis of each channel rating, including the safeguards relied on, their limitations, and the resulting risk-management response.


The delivery-channel part of the FWRA should be revisited whenever the firm significantly changes its client-acquisition or delivery model, or when evidence shows that an AML control is weaker than expected.

In summary

Firms need to ensure they understand where each delivery route reduces visibility and what controls are needed in response. In addition, they should retain enough direct contact, reliable evidence, and internal oversight to form their own view of the relationship.

A defensible firm-wide risk assessment is specific to the practice’s working model and reflected in day-to-day procedures. It must provide staff with clear routes for escalation and leave a written record of why the chosen controls provide appropriate assurance.

Kane Pepi, Founder of Evidentia Compliance
Kane Pepi Founder, Evidentia Compliance

Kane Pepi is the founder of Evidentia Compliance, with a strong academic background in accounting, finance, and financial crime, and peer-reviewed research in money laundering and terrorist financing.

His work focuses on making AML compliance more practical for small regulated firms that face rising supervisory expectations and limited compliance capacity.

AMLWATCH BY EVIDENTIA
AML compliance updates and regulatory guidance for the accountancy sector

Stay informed on AML supervision, FCA developments, enforcement trends, and common compliance weaknesses affecting UK accountancy firms. AMLWATCH by Evidentia is written for small practices that need AML insight without the regulatory jargon.

    FAQs

    How should an accountancy firm assess AML risk when it never meets a client in person?

    The firm should consider whether remote contact gives it enough confidence about the client’s identity, activities, and reasons for seeking the service. Direct conversations and independent supporting information can strengthen the firm’s understanding. Yet, the final risk rating should take account of the whole relationship, including any other factors that make the client easier or more difficult to understand.

    What AML safeguards can support remote client onboarding?

    The response should address the loss of visibility created by the remote channel. For example, a direct video conversation or an appropriate electronic identity check can help confirm key information. If documents and explanations all arrive through one route, the firm might also need corroboration from a separate source before it is comfortable that it understands the client and the proposed engagement.

    When can an intermediary increase delivery-channel risk?

    Risk can increase if an intermediary restricts communication, makes the parties difficult to identify, or obscures the reason for the arrangement. An overseas or extended chain can also warrant closer scrutiny. The firm still needs reliable information to reach an independent judgement about the client relationship.

    Can an accountancy firm use an outsourced provider for AML checks?

    A firm can use another provider for parts of its due diligence, although it remains responsible for the outcome. It should be able to retrieve the relevant information promptly and satisfy itself that the checks and documentation meet the required UK standard. The arrangement should still leave the firm with a clear overall understanding of the client.

    When should remote communication concerns be referred to the MLRO?

    A referral is often appropriate when contact becomes inconsistent, instructions change unexpectedly, or the individuals directing the engagement become unreachable. Staff should also raise concerns if explanations or documents leave significant gaps that cannot be resolved through normal enquiries. The firm’s AML procedures should make clear when MLRO review or approval is expected.

    When should a firm review its delivery-channel risk assessment?

    The firm-wide risk assessment should be reviewed when the practice makes a significant change to how it attracts, onboards, or serves clients. This may include introducing a new remote channel or changing an outsourcing arrangement. A further review is appropriate when an existing control proves less reliable than expected.

    References and Source Material

    Leave a Reply

    Your email address will not be published. Required fields are marked *