The FCA’s censure of the Institute of Certified Bookkeepers is already being described as a watershed moment for UK AML regulation. But one part of the Final Notice deserves far more attention than it has received so far: the role of AML Software A, the data that fed it and the organisation’s inability to understand or validate how its risk model worked.
For law and accounting firms that will soon fall under direct FCA supervision, this is the real story. Because the ICB’s failings were not only governance failings, staffing failings or inspection failings. They were software failings. And the FCA has made it clear that ignorance, poor data and black box risk scoring will not be tolerated under the new regime.
When your AML framework depends on a system you don’t understand
The ICB relied on its AML software to generate risk profiles for more than 3,000 members. In theory this aligns with the MLRs 2017, which expect supervisors to use structured data to support a risk-based approach. In practice the FCA found that:
- data in the system was incomplete, inaccurate or missing for large portions of the population
- the algorithm had not been reviewed, updated or validated for years
- no one at ICB could access or explain how the algorithm calculated scores
- key risk data (such as TCSP and payroll activity) existed but was not understood or used
- staff lacked the training needed to extract and interpret the data
The outcome was inevitable. With unreliable inputs and an opaque scoring model, ICB could not trust the outputs, could not target inspections and ultimately could not supervise effectively.
Black box AML technology is no longer acceptable
One of the strongest messages in the Final Notice is a warning against outsourcing your risk brain to a system you do not control or understand.
The FCA explicitly criticised:
- the lack of visibility into how the algorithm worked
- the absence of documentation
- the inability to explain weighting, logic or methodology
- the total dependence on members inputting data correctly
- the absence of a plan when the data quality deteriorated
In other words: if you cannot explain how your risk model works, your risk model is not compliant.
This should concern law and accounting firms. Many still use AML software with hard-coded logic, scoring tools that offer no transparency or update path, or even spreadsheets. Under professional body supervision this was often tolerated. Under the FCA it will not be.
The FCA expects real risk-based logic, not superficial scoring
The ICB case highlights a core regulatory expectation: a risk score is not a risk assessment. A risk model is not a compliance framework. An algorithm is not a substitute for documented reasoning.
A firm must be able to:
- explain what drives a client’s risk profile
- justify why certain factors matter more than others
- show how new risks are incorporated
- demonstrate that risk categories are reviewed regularly
- evidence the link between the risk score and the controls applied
ICB could not do any of these things. The algorithm could not be explained. The inputs were inconsistent. The outputs were not reviewed. High-risk sectors were not flagged. And when concerns arose, the tool was not strengthened. Inspections were suspended instead.
Why this matters now for law and accounting firms
As the UK transitions to FCA supervision for AML across the legal and accounting sectors, every firm should treat the ICB’s experience as a preview of what is coming.
1. Opaque or outdated risk scoring will be challenged
If your firm uses:
- an outdated static risk matrix
- a vendor-generated risk score with no logic visibility
- a point solution that calculates risk with no algorithmic transparency
then you are already heading toward non-compliance in an FCA world.
2. Data quality becomes a regulatory issue, not an operational one
ICB identified that 45% of its members had not updated their AML Software A data in 12 months. That alone should have triggered urgent escalation. Instead the software was left to operate on stale inputs.
Law and accounting firms face the same risk with:
- FWRAs and matter risk assessments that are never updated
- longstanding clients with historic KYC
- CDD data spread across emails, forms and shared drives
- beneficial ownership changes missed because there is no ongoing monitoring
Firms will need systems that enforce data completeness and recency, not ones that simply store whatever is entered.
3. Algorithms, workflows and risk models must be explainable
The FCA will not accept “we don’t know how the system calculates that”. If your AML framework depends on:
- automated PEP matching
- beneficial ownership unwrapping
- dynamic risk scoring
- workflow decisioning
then your firm must be able to explain the logic behind each step.
This is where configurable AML platforms will become essential. Static AML tools will not meet the new threshold.
A final warning: technology failure is supervision failure
Under FCA supervision your AML software is not a tool, it is part of your control framework. If the system fails, your controls fail. If the logic is flawed, your risk assessments are flawed. Weak data means a weak defence. The firms that will thrive are those that treat technology as auditable, explainable and continuously improving, not as a tick-box.
About First AML
First AML comes from the perspective of both a technology provider and compliance professionals. Prior to releasing First AML’s all-in-one AML workflow platform, we processed over 2,000,000 AML cases ourselves. Understanding the acute problem that firms face these days as they try to scale their own AML is in our DNA.
That's why First AML now powers thousands of compliance experts around the globe to reduce the time and cost burden of complex and international entity KYC. Source stands out as a leading solution for organisations with complex or international onboarding needs. It provides streamlined collaboration and ensures uniformity in all AML practices.