In 2023, 11 banks in the UAE were fined USD 12.5 million for poor money laundering and terrorism funding controls. Deutsche Bank AG was fined $1.9 million for poor AML internal controls. Standard Chartered Trust received penalties of USD 194 thousand related to onboarding, client due diligence, risk evaluation practices, and systems. Bank of China UK was fined 2.3 million for facilitating terrorist financing. Payoneer was fined $1.4 million for sanctions violations.

What was one thing that you found common in all these cases?

Right, all of the institutions were fined because either they did not have a proper AML/CFT program or, even if they had one, it was not effectively implemented.

The Financial Action Task Force’s (FATF) AML/CTF methodology recommendations state that “Financial institutions should be required to maintain an adequately resourced and independent audit function to test compliance (including sample testing) with procedures.”

In general, AML/CFT Audit is a dynamic, risk-based, independent oversight process that allows institutions to understand the effectiveness of AML/CFT controls. This includes determining whether the organization is compliant with applicable financial crime laws, regulations, and internal policies and procedures.

In summary, an AML/CFT auditor performs the following activities:

  • Performing testing to assess the design and effectiveness of controls aimed at mitigating AML/CFT risk
  • Identifying and escalating control weaknesses to senior business and compliance management
  • Coordinating with compliance and business groups to develop corrective action plans where control gaps are identified
  • Ensuring that corrective actions have been implemented sustainably

Why is AML/CFT Audit different from other types of audit?

Most audit professionals are historians who provide an opinion on the truth and fairness of a set of financial statements covering a period in the past.

The auditing and independent testing of Money Laundering/Terrorist Financing (ML/TF) are very different. There is a requirement to look at every business process with customer transactions. Whereas the financial statements are required to be materially correct, in the ML/TF world there is almost zero tolerance for error. In AML/CFT audits, the auditor should put greater emphasis on the design of effective controls to prevent and detect potential ML/TF events in the future.

We are not against Certified Public Accountants and Chartered Accountants, but we suggest that the audit team should have the right subject-matter expertise. If an audit is performed by just anybody, it can put the company at risk: when examiners come in to look at the effectiveness of the work and find flaws in the report, they perceive the whole organization to be weak on AML. An organization needs to hire subject-matter experts, not just accountants or career auditors. Make sure the audit team includes people who have “been there and done that” from within business lines and compliance teams.

The auditor is the last line of defense in the context of the three lines of defense in risk management. Ultimately, if internal audit fails as the last line of defense, meaning it is unable to detect loopholes in the AML/CFT program, the financial institution can be exposed to enforcement actions, and its executives might be as well.

Is having an Internal Audit or Compliance Testing Function enough?

Independent review is one of the pillars of having a strong AML/CFT Program.

Principle 7 of the Basel Committee of Banking Supervision also considers monitoring and testing as one of the key compliance function responsibilities. The principle says that the “Compliance function should monitor and test compliance by performing sufficient and representative compliance testing.”

Therefore, Compliance Testing can be defined as a periodic, independent, and objective assessment of AML/CFT-related processes and controls. Compliance testing aims to assess whether the elements, processes, and controls of the AML/CFT program are designed appropriately and are operating as designed.

A few of the key issues to consider to ensure the effectiveness of a compliance-testing program are listed below:

  1. The commitment of Top Management
  2. The corporate culture of integrity
  3. Clearly defined purpose and responsibilities
  4. Technological soundness
  5. Apply a robust and consistent methodology
  6. Ensure buy-in from the business
  7. Work effectively with other control functions
  8. Maintain flexibility in the monitoring plan

Sadly, this is not always the case.

A few problems with the Internal Audit and Compliance Testing Function

Despite the entire regulatory framework, compliance monitoring and testing adopted in many banks is still a “tick-box” or checklist approach. It is performed periodically without consideration of the overall risks. This myopic approach by many banks fails to adequately assess the control framework and hence runs the big risk of regulatory censure or hefty fines. 

In several instances, compliance monitoring and testing are embedded in business as usual with no or very limited powers to influence the business actions. This ultimately leads to a situation where compliance testing reports are not taken very seriously.

Often the senior management behaves in an intimidating way toward the compliance testing staff. There are also cases of compliance officers in some of the biggest banks experiencing intimidation by business management to suppress the results of their compliance testing or other compliance-identified issues. 

What should you expect from AML/CFT Audit?

In the sections to follow, we will discuss what a good AML Audit looks like. This will also help you in drafting a Request for Proposal (RFP) for an AML/CFT Audit.

1. Understanding Business Needs

Good AML Auditors will understand the specific features of the institution's situation. For example, does the institution have a very high cash-intensive customer base? Does it send and receive large volumes of international funds transfers? Are there any imminent changes impacting AML risks, such as branching into a new market, new products, or service lines? What types of AML problem areas have been identified in previous examinations?

2. Considering the Needs of Stakeholders

Good AML auditors have very good communication skills, and they know that clients and other stakeholders need their help. They try to understand their needs and devise the audit scope and objectives accordingly. They don’t have a police attitude, and they try to add value to the organization by identifying AML weaknesses.

3. Reviewing AML/CFT Governance

Good AML Auditors look at AML Governance. It is not surprising that without a strong culture of compliance coming from the board and senior management, there is a likelihood of failure of internal controls no matter how the Second line of defense tries to mitigate risk. Throwing all the money in the world into control without culture is a waste.

4. Verifying AML/CFT Risk Assessment

Good AML Auditors will review the Risk Assessment of your organization; if not, they will perform a risk assessment themselves and identify risky areas such as organization risk assessment and management strategies, alignment of policies and procedures with the applicable regulatory framework, customer onboarding and due diligence procedures, and transaction monitoring systems and procedures. Hence, a risk-based approach should be adopted to determine the areas that should be incorporated into the scope and design of these independent AML audits.

5. Clarity in Scope and Methodologies

Good AML Auditors will have clarity about the audit scope and the methodologies to be applied during the audit, such as assessing the policies and procedures to confirm that the design of controls is appropriate and aligned with regulatory requirements as well as industry best practices, the bank’s pre-existing compliance risk assessment, and other self-assessments, and testing the effectiveness of controls through a sampling approach, for example by reviewing your opening and closing procedures, the process of filing Suspicious Activity Reports, and the AML Training Program. The resulting risk profile for each of these areas/units will drive the extent of testing coverage and determine the Audit plan.

6. Good AML/CFT Audit Plan

Good AML Auditors will have an Audit plan as a road map of potential testing areas or units that are each assessed and risk-rated via a combination of quantitative and qualitative inputs. The universe should cover all relevant financial crime risks (e.g., customers, products/services, transactions, markets/geographies) and other areas (e.g., mitigating controls, business functions, organizational entities) that may warrant potential testing coverage. A proper audit plan will include:

  1. The review topic/area: business area, relevant risk/control categories
  2. The timing of the review: when to start the audit, the relevant quarter/year
  3. The type of review: limited scope or full scope
  4. The objective of the review: what the results of the testing are intended to show

Factors that AML auditors will consider while developing an audit plan include:

  1. Existing or prior testing coverage, including internal and external examinations
  2. Areas where there is a regulatory expectation or mandate to review the area
  3. Changes/additions since the last testing review (e.g., in regulations, business practices, products/services, risk, controls)
  4. Relevant issues or risks that are trending in the industry
  5. Information collected and/or learned through ongoing compliance monitoring

7. Subject Matter Experts

Good AML Auditors will provide resumes, bios, or credentials of the individual(s) who will be on-site performing the work. It is recommended that they possess a certification like CAMS-AUDIT or some other certification related to Anti-Money Laundering. Auditors need to be proficient with the respective legal and regulatory framework; however, a successful auditor will also possess industry-specific experience and a high level of commitment to the process.

They will be knowledgeable and remain updated about new topics, trends, and requirements of Anti-Money Laundering.

The auditor will understand what types of technologies you are using to achieve AML/CFT objectives. After a brief introduction, they will be able to measure their effectiveness. Since they are familiar with similar kinds of technologies, having audited them in other organizations, they can suggest features that you are missing.

Auditors will have embraced new technology like data analytics, machine learning, and other tools so that they can more quickly identify the root cause of compliance shortfalls and promptly deploy resources to correct issues that present the greatest risk. Automating testing processes can help financial institutions enhance their overall risk assessment and testing processes, while also freeing up skilled personnel to focus on areas of higher complexity or risk.


8. Reasonable Time and Cost

Good AML Auditors will provide a reasonable time frame to complete the audit, depending upon its scope. They will provide a reasonable cost of audit based on the scope of the assignment, explaining the logistical elements as well as the manpower requirement; these should be clear from the outset of each audit.

9. AML Auditors are your Friends 

The auditor will not only raise issues but provide a practicable and effective solution. They will recommend what course of action should be taken to protect the organization from any kind of AML/CFT risk. During the review, the auditor must critically challenge the entire AML program and the related products and services covered by AML requirements. 

One of the more critical components of the independent review process is reporting all observations to the compliance officer so the officer can develop a remediation plan. The compliance officer should communicate the noted observations to senior management and track the remediation progress. Regular, independent reviews are essential for identifying deficiencies and continually strengthening an AML program.

The auditor may provide you with a sample report so that you can know the level of detail of findings and recommendations these reports include.

If you consider all the points discussed above, you will be able to select the best AML/CFT auditor for your organization. A good audit not only helps to improve your AML/CFT program but also prevents your organization from suffering regulatory fines and penalties, which in turn reduces the chances of reputation risk, operation risk, and financial risk.



We are risk simplifiers. Our expertise includes AML/CFT risk assessment, AML/CFT audit, and any other matters related to AML/CFT, to help you manage AML/CFT risk in your organization easily.

We will help you in performing AML/CFT audits and improving existing internal audits or existing compliance testing.