Customer due diligence as the accounting firm’s invisible quality mark
If customer due diligence becomes something you “need to have in place” merely to pass supervision, applying the requirements in day-to-day processes can feel like an uphill struggle. The firms that excel use customer due diligence to build quality, trust and scalability into the engagement itself. The question then is: how should you design your customer due diligence procedures for accounting engagements so that they operate as an invisible quality mark?
In this article we take the Anti-Money Laundering Act (Sweden) as our starting point and view customer due diligence as a tool to reduce key-person dependency, strengthen delivery quality and make the firm more resilient to changes in both staff and client base. This is best achieved by applying a risk-based approach to AML and embedding risk-based customer due diligence in everyday work.
From legal duty to operational value – why a risk-based approach to AML matters
The Anti-Money Laundering Act (Sweden) requires accounting firms to identify their clients, understand their business and assess the risks of money laundering and terrorist financing. This involves carrying out customer due diligence at the start of the business relationship and on an ongoing basis. Treated merely as a legal obligation, it risks sitting outside the “real” work, leaving routines exposed to time pressure, staff turnover and unclear responsibilities. Framed as part of a risk-based approach to AML, it becomes a natural strand of quality assurance rather than an add-on.
Legal foundations in brief – the risk-based approach to AML
The framework is built on a risk-based model. For accounting firms this typically means:
- The client and the engagement must be risk-assessed before onboarding.
- Customer due diligence measures must be tailored to risk – more information and controls where risk is higher, reflecting risk-based customer due diligence.
- Information must be kept up to date and revisited when the client’s business or behaviour changes.
Beyond this, written procedures and guidelines, internal training and documentation of the measures taken are required. All of this must be demonstrable in a supervisory review. The same requirements are also an opportunity to build structure and continuity into the accounting engagement.
Customer due diligence as protection against key-person dependency
One of the biggest – and most underrated – risk areas in accounting firms is dependency on individuals. “Karin knows that”, “Amir handles that client” – knowledge of the client’s business, owners, payment patterns and risks sits in people’s heads.
When someone leaves, is ill or changes role, important signals can be lost:
- Why was the client originally classified as normal risk rather than high?
- Does the client have a history of late or unusual transactions that influenced the risk assessment?
- What questions were asked when previous anomalies arose, and how did the client respond?
Well-designed customer due diligence procedures capture this knowledge and make it a shared firm asset. The firm – not a single consultant – “knows” the client, which is also a requirement for compliance with the Anti-Money Laundering Act (Sweden). This strengthens regulatory compliance and the firm’s delivery capability if a client needs to change contact person.
What is often missing: the link to the ongoing engagement
A practical challenge is that many firms conduct thorough customer due diligence at onboarding but maintain a weak link between the initial risk assessment and the ongoing accounting work. Customer due diligence lives in a separate tool, while staff primarily work in accounting and reporting systems.
The consequences may be:
- Anomalies in the client’s transaction patterns are spotted by the bookkeeper – but never feed back into the risk assessment.
- Changes in ownership or the beneficial owner are noted by one person – but do not trigger any formal reassessment of customer due diligence.
- A new type of advisory or service (for example international expansion) begins without anyone asking how it affects money-laundering risk or whether enhanced, risk-based customer due diligence is required.
The key is to build explicit touchpoints between customer due diligence and the ongoing engagement: moments when staff are expected to “pause” and signal that due diligence needs to be reviewed under a risk-based approach to AML.
Typical pitfalls in customer due diligence procedures
When we review accounting firms’ procedures we often see recurring patterns:
- The same checklist for every client: A fixed form is used whether the client is a local salon or an international holding company – neither efficient nor sufficiently risk-based.
- Unclear triggers for reassessment: No concrete list of events that must prompt a new customer due diligence assessment, such as a new owner, expanded business or unusual payment flows.
- Poor audit trail: It is unclear who made the assessment, when and on what basis. In supervision it becomes difficult to evidence that the firm applied its procedures.
- No link to the engagement letter: Customer due diligence says one thing about risk, but the engagement letter is not adjusted accordingly, even though higher risk usually entails more work and greater responsibility.
These weaknesses make customer due diligence fragile: it may look reasonable on paper but does not withstand either supervision or real-world risk events.
Building robust customer due diligence into accounting engagements
When customer due diligence is treated as an integrated part of the accounting engagement, the design of procedures changes accordingly. Practical starting points include:
- Start from the firm’s enterprise-level risk assessment: Use the overarching assessment to guide which client and engagement types typically require enhanced measures under a risk-based approach to AML.
- Tailor information requirements by client category: Define the minimum information required for different client categories (for example local service businesses, cash-intensive operations, international groups) in line with risk-based customer due diligence.
- Embed procedures in day-to-day workflows: Ensure systems, checklists and instructions make it natural for the person doing the client’s bookkeeping or reporting to flag when something falls outside the norm.
- Clarify accountability: Document who is responsible for initial customer due diligence, for ongoing updates and for decisions where there is uncertainty.
- Build in learning: After an internal incident, anomaly or supervisory review – update procedures and use concrete examples in internal training.
In this way, customer due diligence ceases to be a parallel track and becomes a natural part of how the firm takes on, delivers and follows up the accounting engagement.
A business-critical question – not just compliance
Well-functioning customer due diligence procedures protect the firm from sanctions in supervision by the Swedish County Administrative Board (Länsstyrelsen). They also serve other business-critical purposes:
- They reduce the risk of the firm unwittingly taking on work outside its risk appetite.
- They make it easier to resist “gut feel” when an attractive client wants to move quickly, because there is a clear process to rely on.
- They make it easier to document why the firm accepted or declined a particular engagement, which can be important if questions arise later.
For many accounting firms, customer due diligence becomes part of the brand: a way to show both clients and supervisory authorities that the firm takes its mandate seriously and works systematically with risk.
Support to translate regulation into practice
Developing robust, business-relevant procedures often requires more than reading the statute and filling in a template. It is about translating regulatory requirements into processes, accountabilities and documentation that actually work in the firm’s everyday reality – with existing systems, staff and clients.
At Morling Consulting, our AML lawyers help accounting firms analyse their risks, develop practical procedures and guidelines, and train staff so that customer due diligence becomes a natural part of the engagement – supporting both quality and commercial objectives.
10 March 2026