FOCUS ON: Trends from AML compliance reviews and inspection visits

IPA Insolvency Practitioner newsletter AML Digest, August 2025

As part of the IPA’s role as an AML Supervisory Authority, the IPA is obliged to undertake activity to check compliance from supervised members with the requirements of the Money Laundering Regulations 2017 (as amended) and associated regulations.

The IPA undertakes:

• Dip samples of BOOMs
• Dip samples of Reg18/18A firm wide risk assessments
• AML Compliance Reviews – desk-based reviews of AML policies and procedures
• AML Inspection Visits – an onsite visit that focuses on AML compliance in the firm. The visits require interviews with members of staff as well as the MLRO and IPs, a review of SAR reporting and a review of a number of cases to check compliance with due diligence requirements
• General Inspection Visits – the IPA will review AML compliance on all general insolvency inspection visits. For all firms this will be a review of due diligence on selected cases. For IPA AML supervised firms this can include a review of policies and procedures as well as a review of SAR reporting
• Volume Provider reviews – the IPA has a dedicated team that monitor the IVA Volume Provider firms where the IPA has licensed IPs. Part of the reviews include checking AML compliance

Dip Sample – BOOMs

A reminder that BOOMs are ‘Beneficial Owners, Officers and Managers’ and under Reg 26 MLR17, no person can act as a BOOM without approval from the firm’s AML Supervisor. Information on how to comply with the provisions on BOOMs was provided in the August 2024 AML Newsletter.

Each year, as part of licence renewals, you will be asked for your firm’s BOOMs details. The dip sample took the information provided as part of the renewals for 2025, reviewed against the 2024 information and – where appropriate – checked the information against Companies House.

Pleasingly, only one review indicated a BOOM that had not been advised where approval was required.

Compliance considerations

1. Please remember that any change or additions to BOOMs must be advised to your AML Supervisor. Your AML Supervisor will advise what information they require to review and approve a BOOM.
2. For the IPA, we need to know why they are a new BOOM (i.e. a new shareholder or MLRO etc.) and a copy of a recent DBS check for the individual. Providing the details are in order it is likely that the BOOM will be approved.

Dip samples – Reg18/18A firm wide risk assessments

We also look at a sample of Firm Risk Assessments that are provided as part of licence renewals to check that the assessments comply with the requirements of Regs 18/18A and also that it is clear where any heightened risks from work that is undertaken by the firm may occur.

Remember that the risk assessment is bespoke to each firm and your staff should be sent any updates and be able to clearly understand where there may be increased risks so they can ensure that proper Enhanced Due Diligence is undertaken and cases flagged appropriately.

Any trends?

1. Proliferation Financing (PF) – we are still seeing too many firm risk assessments that do not take into account, or consider, the risks from PF as required under Reg 18A. 

The IPA has advised that the risk for insolvency work is low and the assessment should highlight potential industry types where PF may exist. This includes industries like:

• Chemical production or sales
• Electronic/computer board manufacture or sales
• Large scale agricultural/fertiliser/chemical manufacturing or sales
• Highlighting higher risks for the firm – the risk assessment provided is a generic risk of types of cases, but does not highlight which (if any) are considered for the firm to hold a potentially higher risk of money laundering

Compliance considerations

1. Ensure that your risk assessment is not generic – remember this is the risks to YOUR firm from YOUR work undertaken
2. Ensure that all the elements in Reg18/18A are covered
3. Consider the higher-risk indicators from the IPA – do any apply to work you undertake?
4. Make sure it is clear to all staff who are required to understand the Reg18/18A risk assessment where the possible higher risks may appear in cases, so they can carry out Enhanced Due Diligence and ensure higher risk cases are effectively managed
5. Please include a PF risk assessment! The IPA is happy for this to be a paragraph or two as part of the overall risk assessment, rather than a full assessment

AML Compliance Reviews

AML Compliance Reviews are desk-based reviews that look at policies and procedures in detail. A small selection of cases (2 or 3) can be requested to view due diligence and a request to review SAR submissions made to check quality and timeliness of SARs reporting.

Any trends?

• Training policy – the requirement for training to be ‘regular’ training frequency should be based on how effective your policies and procedures are shown to be. Ensure that your policy advises how often ‘regular’ is for AML training and how is the frequency assessed. Ensure details on how new joiners are brought up-to-date on AML training and internal policies is set out and consider how training is tested for its effectiveness
• Training log – the log of AML training should capture when training was undertaken, how long the training was for and any test score (if applicable)
• SARs policy – better and clearer details on DAML requests and details

Compliance considerations

1. Ensure policies are kept under regular review and updates circulated to all relevant staff
2. Check Reg19 for required policies and procedures (also remember Reg19A is to consider any issues from PF for policies and procedures)
3. Also remember that SARs policy will be linked to S330 of POCA 2002 (through to S334) and ensure that the policy covers DAML issues. The IPA recommends included examples so staff know when they should be considering if a DAML is required in discussions or communications with the MLRO
4. Training policy – ensure this advises when AML training will be rolled-out to relevant staff and that the policy deals with how training will be provided to new joiners and staff returning to work after a career break, or maternity/paternity leave or long-term sick leave
5. Training log – ensure that this captures the date of any training, training provider, content and any test score

AML Inspection Visits

Visits take place at a firm’s office and not only look at all policies and procedures and a review of SARs lodged, but also a number of cases to test due diligence work.

Visits also involve meetings with the MLRO, IPs and 2-3 members of staff to ascertain their understanding of AML matters, internal AML policies and their responsibilities under the MLR17 and POCA 2002.

Any trends?

The trends marry with the trends seen for AML Compliance Reviews. The pleasing part of the visits undertaken to date are that the SARs reviewed show that the reports made are completed in a timely manner and provide sufficient information to the NCA of the activity being reported.

Any further compliance considerations?

USE FILE NOTES! The most important point to take from the newsletter is the need to ensure that there is proper file notes used as part of the due diligence/case risk assessment form used.

Most findings on due diligence are due to a failure to highlight work done on matters such as:

• Review of Politically Exposed Person (PEP) findings from searches
• Review of possible sanctions issues from searches
• Conclusions as to why the risk assessment is agreed at a level where the checklist indicates a higher risk rating applies

The file note allows you to highlight the work done and conclusions reached on the work done as to the level of case risk.

• MLRO training – your MLRO should undertake training to understand the requirements of their role. The IPA also recommend that the MLRO undertakes regular refresher training on their role. REMEMBER – the MLRO training should also be included on the AML training log for the firm
• Include a review of AML issues and due diligence in file reviews. Remember Reg28(11) MLR17 requires ongoing monitoring of a business relationship. Including a check of due diligence and risk as part of the file reviews ensures that you effectively comply with the requirement

Findings from General Insolvency Visits and Volume Provider reviews

In respect of other insolvency visits undertaken, the following are Advisory Notices (ANs) issued by Inspectors in relation to AML issues.

An AN is not a disciplinary finding. An AN is where an Inspector considers that there needs to be an urgent change to AML policies and procedures to prevent potentially more serious issues from arising if not corrected.

Each AN outlines the issue, advises of what is needed to do to amend and correct the issue and provides a timeline where the remedial action is required to be completed by. ANs are reviewed and checked to ensure that changes are embedded in the practice and are effective.

Reg breach	AN finding	What can be done to avoid the issue?
BOOMs – Reg26	This has been found twice where a director has not been previously advised as a BOOM and requires approval. The remedial action was to confirm the date of appointment as director and provide a DBS check.	Remember that where there is a new BOOM (director, shareholder, MLRO etc.) that you notify your AML Supervisory authority to have the BOOM approved.
CDD – Regs 27/28	This was a finding in 2 visits in 2025 to date and is where there was inadequate or incomplete due diligence work. Remember that due diligence is in 3 stages: Identify, Verify, Assess. Holding a passport and/or an electronic check and not assessing the risks in the case is not completing your due diligence work.	Review your CDD policy. Ensure that it is clear on the stages required for CDD and what you expect to see under CDD checks on an appointment. When you are passed CDD to review, make sure that all the relevant information is provided. Make sure that any ‘red flags’ have been reviewed and closed off. Check that there is a note on file of the reasons for the risk rating and confirm the position.
CDD – Reg 30	This is where due diligence work is undertaken or completed after the establishment of a business relationship. Whilst there are occasions (for example a hostile appointment) where due diligence may be completed post appointment, for ordinary appointments the due diligence work must be completed prior to the establishment of the business relationship. This was an AN in 2 visits in 2025 to date.	Linked to the detail above – just remember to confirm that CDD must be completed prior to the establishment of a business relationship. For hostile/emergency appointments –CCAB Insolvency Appendix Guidance – see paras F.3.5 – F.3.3.7 – remember that the position is that CDD can be completed post appointment – not commenced post-appointment. Ensure that there is some initial due diligence work and notes on file and a file note of remaining work required. Ensure that this is actively followed-up and CDD completed.
S330 POCA 2002	One case in 2025 to date has had an AN issued due to the failure to assess and review the information provided to the MLRO on whether a SAR should be issued.	The IPA recommends the use of a SARs form – this allows the staff member to note the suspicions and provide information to the MLRO. The MLRO can then use the form to note why a SAR is being lodged with the NCA – or, more importantly – why on the information held a SAR is not made.
S333A POCA 2002	One case had an AN issued to date in 2025 as the SAR was held on the case file. This put the IP and firm under risk that if there were any legal actions or requests for information raised, the detail on the SAR could have been provided to a third party and potential issues arisen on tipping-off.	Check your SARs policy. Ensure the detail on tipping-off is clear Ensure the detail on not holding SARs or SAR detail on file is clear. Check staff understand the requirement.