Sanctions List Checks for Accounting Firms: A Mandatory Part of AML and KYC
Finnish accounting firms are subject to anti-money laundering obligations. Sanctions list checks, customer due diligence and monitoring of suspicious activity belong in the accounting workflow.
Anti-money laundering obligations have become a practical compliance issue for Finnish accounting firms. This is not only a bank problem or a large financial institution problem. Accounting service providers are also reporting entities under Finnish anti-money laundering legislation, and the obligations apply to firms of every size.
Tulos.ai takes a practical view: a sanctions list check should not be a separate spreadsheet reminder or an occasional manual search. It should be part of client onboarding, customer due diligence updates and ongoing client monitoring. That is why Tulos.ai includes sanctions list checks as part of the accounting firm workflow.
This article is not legal advice. It is a practical overview of what an accounting firm should consider when designing its AML, KYC and sanctions screening process in Finland.
Table of Contents
- Why sanctions screening belongs to accounting firms
- What the Finnish AML framework requires in practice
- Why personal familiarity with a client is not enough
- Subcontracting: who is responsible for customer due diligence?
- How Tulos.ai includes sanctions list checks in the workflow
- Practical checklist for accounting firms
- Summary
Why sanctions screening belongs to accounting firms
Rahanpesu.fi lists accounting as a sector where businesses and professionals can identify risks related to money laundering and terrorist financing. A reporting entity’s core obligations include a risk assessment, customer identification and customer due diligence, ongoing monitoring of the client relationship, and reporting suspicious transactions to the Financial Intelligence Unit.
Accounting firms are in a specific position because they see the client’s everyday financial data:
- sales and purchase invoices
- bank transactions
- salaries and personnel expenses
- owner withdrawals and related-party transactions
- unusual payment methods, cash and unusual counterparties
- missing documents, explanations and repeated corrections
In a Tilisanomat interview, the Regional State Administrative Agency noted that accounting firms filed only 84 suspicious transaction reports in 2023, even though more than 2,800 accounting service providers were in the supervisory register. The practical message from the authority was clear: accountants are well placed to detect irregularities, but too few reports are being filed.
Sanctions list checks are one part of this wider control framework. They do not satisfy every AML obligation on their own, but without them an accounting firm’s customer due diligence is incomplete.
What the Finnish AML framework requires in practice
Accounting firms should treat these duties as a process, not as a one-off form.
| Obligation | What it means in an accounting firm |
|---|---|
| Risk assessment | The firm identifies money laundering risks linked to its client base, services and operating model. |
| Customer identification | The customer and the customer’s representative are identified and verified from a reliable source. |
| Beneficial owners | The ownership and control structure of corporate clients is identified and documented. |
| Understanding the client’s business | The firm understands what the client does, where it operates, who it serves and what kind of cash flow is expected. |
| Sanctions and freezing-decision checks | The client, responsible persons and beneficial owners are checked against sanctions and freezing-decision lists in a risk-based and documented way. |
| Ongoing monitoring | The client is not checked only at onboarding. Changes, exceptions and new risks are handled during the relationship. |
| Inquiry and reporting | Unusual transactions are investigated. If suspicion remains, a report is filed with the Financial Intelligence Unit. |
| Internal instructions and training | Staff know what must be checked, when to check it and how findings are documented. |
The current Finnish Anti-Money Laundering Act includes a specific provision on customer due diligence related to sanctions regulation and national freezing decisions. The core point is that a reporting entity must have effective policies, procedures and internal control to ensure compliance with sanctions regulation and freezing decisions.
In practice, an accounting firm should be able to answer at least these questions:
- Who is responsible for sanctions screening?
- When is the check performed?
- Which persons and entities are checked?
- Which sources are used?
- How is a potential match handled?
- How are the time, target, result and follow-up actions documented?
- How does the firm make sure the process is not skipped during busy periods?
Why personal familiarity with a client is not enough
Many small accounting firms work locally and have known their clients for years. That is a commercial strength, but it does not remove the legal duty to know the customer.
In the Tilisanomat interview, the authority reminded accounting firms that Finnish AML legislation does not treat personal familiarity as an exception to customer due diligence. A familiar client must still be identified, verified, risk-assessed and monitored.
This matters for three reasons:
- a familiar entrepreneur may operate in a sector where cash, cross-border trade or complex ownership increases risk
- the client’s owner, representative or beneficial owner may change
- sanctions and freezing lists can change during the client relationship
A good client relationship is not in conflict with sanctions screening. A professionally documented check protects both the accounting firm and the client.
Subcontracting: who is responsible for customer due diligence?
The Finnish Association of Accounting Firms has separately discussed situations where an accounting firm acts as a subcontractor. The distinction matters in practice:
- If the subcontracting firm has no direct engagement agreements with end clients, the principal firm generally carries the main AML responsibility.
- The subcontractor may still be the party with the best visibility into the client’s accounting data and possible suspicious activity.
- The subcontractor and principal must agree on how observations, exceptions and training are handled.
- If the accounting firm also has direct client relationships of its own, it is generally subject to AML obligations such as registration in the supervisory register and preparing its own risk assessment.
This should be documented in contracts and internal instructions. Otherwise the principal may assume the subcontractor is monitoring the client, while the subcontractor assumes the principal has handled everything.
How Tulos.ai includes sanctions list checks in the workflow
A sanctions list check is useful only if it happens at the right point in the process and leaves an audit trail. In Tulos.ai, sanctions list checks are designed to be part of normal client administration for accounting firms, not a separate manual step.
In practice, this means:
- Client onboarding: when a new client is added, the sanctions list check can be performed in the same workflow where client details, responsible persons and due diligence data are collected.
- Beneficial owner and responsible person checks: the check is not limited to the company name. It also covers the people through whom ownership or control is formed.
- Documented audit trail: the accounting firm must be able to show that the check was performed. The checked target, time and result should be retained.
- Exception handling: a potential match is not automatically a final conclusion. It requires review, false-positive handling and, where needed, further inquiries.
- Support for ongoing monitoring: a client relationship is not a one-time check. When client data changes or risk increases, the process should bring the check back into view.
Important limitation: software does not make the accounting firm’s legal assessment and does not decide when a suspicious transaction report must be filed. It helps ensure that sanctions screening is not forgotten and that the firm has a verifiable process trail.
This is where automation is most useful. Humans must assess unclear cases, but the system should make sure mandatory checks appear at the right time.
Practical checklist for accounting firms
If sanctions list checks are not yet a clear part of your firm’s process, start here:
- Update the risk assessment. Describe what kinds of clients the firm serves, where they operate, which payment methods they use and where sanctions risk may appear.
- Define who and what is checked. At minimum, check the client, the client’s representatives and beneficial owners. Where relevant, check other counterparties on a risk-based basis.
- Connect the check to the client process. Make sanctions screening a required step in new client onboarding and client data changes.
- Document the result. An undocumented search is not enough. Record the time, target, result, handler and follow-up actions.
- Create a match process. Define who reviews a match, how false positives are ruled out and when the case is escalated.
- Train the team. Everyone working with client data should know when an exception must be investigated.
- Keep the reporting channel ready. Rahanpesu.fi explains that suspicious transactions are reported to the Financial Intelligence Unit. The firm should prepare the practical process in advance.
- Use the system. When sanctions screening is included in the Tulos.ai workflow, it does not depend on one accountant remembering a separate task.
Summary
Sanctions list checks are not an optional add-on for accounting firms. They are part of customer due diligence, AML risk management and compliance with sanctions regulation.
Accounting firms should think about this on three levels:
- Law: a reporting entity must have a risk assessment, customer due diligence, ongoing monitoring and procedures for complying with sanctions and freezing decisions.
- Process: checks must be performed for the right persons and entities, at the right time and with documentation.
- Tooling: Tulos.ai includes sanctions list checks in the accounting firm workflow so the mandatory compliance step does not become a separate manual task.
The practical conclusion is clear: an accounting firm cannot outsource its responsibility to a checklist. It needs a repeatable operating model. Tulos.ai helps make sanctions screening part of daily operations, just like document processing, reconciliation and reporting.
Do you want sanctions list checks as part of your accounting firm’s client process without a separate manual workflow? Tulos.ai includes sanctions list checks as part of client administration and accounting operations. Explore Tulos.ai
Sources
- Rahanpesu.fi: Reporting entities
- Finlex: Act on Preventing Money Laundering and Terrorist Financing 444/2017
- Tilisanomat: AVI concerned about accounting firms’ suspicious transaction reporting
- Finnish Association of Accounting Firms: Responsibility for customer due diligence in subcontracting arrangements
