KYC for accountants

Customer due diligence (KYC) means, among other things, identifying the client and the beneficial owner, understanding the client’s business activity and assessing the risk of money laundering or terrorist financing. Measures must be risk-based and documented so the County Administrative Board can see that the firm follows the Anti-Money Laundering Act (2017:630). The need to establish or update KYC applies both to new engagements and when existing relationships change.

To meet the AML requirements, the accountancy firm must collect a number of basic details before an engagement starts. These form the basis for the client’s risk classification and ongoing monitoring, and include, among other things:

• Identity details: Name, company/personal registration number, address and contact details, etc.
• Beneficial owner: Information on who controls the company (including checks against the Swedish Companies Registration Office).
• Purpose of the business relationship: Type of engagement, scope and expected transaction volume.
• Risk factors: Sector, geographical exposure and whether the client or its representatives are PEPs (politically exposed persons).
• Source of funds: Understanding where money or assets come from; depth of evidence depends on risk.

On material changes in ownership, business or risk profile, and on an ongoing basis under the firm’s risk-based monitoring plan (for example every five years for low-risk clients and more frequently where risk is higher). Robust KYC for accountants routines help ensure timely updates.

The firm should combine the general business-wide risk assessment with an individual client assessment (low, some, high or unacceptable risk). The risk level is documented and determines which controls are performed. Morling Consulting’s AML lawyers provide templates and methodological support that meet the County Administrative Board’s expectations and reflect anti money laundering for accountants standards.

If an accountancy firm falls short in its AML work, the consequences can be costly and damage market trust. Common sanctions and adverse effects include:

• Administrative fines from the County Administrative Board, potentially significant depending on firm size and severity.
• Orders to implement corrective measures within short deadlines.
• Reputational damage with banks, partners and clients.
• Criminal liability for management in particularly serious cases.

The County Administrative Board assesses not only whether KYC has been performed, but also how measures have been documented and followed up over time. All information must be traceable, dated and retained for at least five years after the engagement ends.

• Dated risk assessments: Business-wide and client risk assessments with clear dates, responsible persons and approved risk levels.
• Written procedures and policies: Formal documents describing workflows, controls and escalation — including when enhanced due diligence applies.
• Client profiles and records: Consolidated data on each client’s identity, beneficial owner, purpose of the relationship and the reasoning behind the risk classification.
• Identity verification evidence: Copies of ID documents or electronic verification and confirmation of details in external registers (for example the Swedish Companies Registration Office’s beneficial owner register).
• Transaction monitoring: Logs showing how unusual or complex transactions were identified, investigated and handled.
• Training register: A record of staff who have completed AML training, content covered and date of latest update.
• Archiving and retention schedule: How documents are stored securely for at least five years and subsequently deleted appropriately.

Cross-border clients often require deeper checks of identity, beneficial owners and transaction flows. Exposure to the EU list of high-risk countries regularly leads to elevated risk classification and additional verification.

Simplified due diligence may be used where risk is low and involves more limited measures, whilst enhanced due diligence requires verification of source of funds, deeper background checks and more frequent follow-up for higher risk.

At least annually, or when the business or the framework changes materially. New joiners and anyone in roles applying the framework should receive induction training before handling client matters.

Digital solutions streamline the entire KYC process and reduce the risk of manual error. By integrating multiple tools into a cohesive workflow, the firm achieves better traceability, faster processing and consistent risk assessment.

• Electronic ID verification (for example BankID, eIDAS services): Automates client identification and reduces the need for physical ID copies.
• Real-time PEP and sanctions screening: Matches client data against international lists and alerts immediately on hits.
• API-based queries: Retrieves beneficial owner, board and ownership data without manual entry.
• Automated risk classification: Considers sector, geography, transaction patterns and history to propose a risk level.
• Cloud-based KYC/AML platforms: Consolidate documentation, risk assessments and follow-up in a system accessible to authorised users.

The firm must identify the persons who ultimately control the administration or activities, which may require reviewing statutes, board minutes and public registers, together with supplementary written certifications.

It is the continuous check that the client’s transactions align with the firm’s knowledge of the client’s business, risk profile and known sources of income — including review of new owners, unusual transactions and changed business patterns.

Under the Anti-Money Laundering Act, the firm must terminate a business relationship if KYC requirements cannot be met or if the risk of money laundering or terrorist financing cannot be reduced to an acceptable level. In some cases, the firm must also submit a suspicious activity or transaction report to Finanspolisen (Financial Intelligence Unit).

• Insufficient KYC: The client refuses or fails to provide identity details, beneficial owner information or the purpose of the engagement.
• Unacceptable risk level: The assessment results in an indefensible risk, for example exposure to high-risk countries or complex ownership structures.
• Suspicion of money laundering/terrorist financing: Indicators of criminality remain after client dialogue and the client cannot provide a credible explanation.
• Incorrect or false information: Supplied documents or answers prove forged or materially inaccurate.
• Client on a sanctions list: A match in EU or UN sanctions registers that cannot be cleared.

In all of the above situations the firm should immediately end the engagement and, where there is suspicion of money laundering or terrorist financing, file a suspicious activity or transaction report with Finanspolisen (Financial Intelligence Unit).

We perform a pre-review of procedures, support you in dialogue with the County Administrative Board and help remedy any deficiencies so your firm can continue operations with minimal disruption. Contact our AML lawyers for support with anti money laundering for accountants or to handle a request from the County Administrative Board.

We design pragmatic frameworks for KYC for accountants and provide hands-on materials that align with regulatory expectations while remaining workable in day-to-day delivery across Europe.