Between 2010 and 2013, there were over twenty‐five AML‐related consent orders, written agreements and cease and desist orders, and more than $900 million in fines. According to a report issued by the U.S. Senate, recent prosecutions and legal actions relating to OFAC violations between 2010 and 2012 amounted to over $1.4 billion and involved well‐known financial institutions. Based on metrics from the U.S. Department of the Treasury, OFAC‐related penalties and settlements between January 2, 2013 and October 25, 2013 totaled $12,875,278. (Source: http://www.bankersonline.com/security/bsapenaltylist.html)
Based on a review of regulatory orders in 2012 and 2013, frequently cited AML program weaknesses included:
· Inadequate customer due diligence and enhanced due diligence practices.
· Incomplete identification of high‐risk customers.
· Insufficient policies, procedures and training.
· Failures in monitoring and identifying suspicious activity.
· Poor reporting and filing practices relating to suspicious activity.
· Ineffective independent testing and audit functions.
Many regulators expect organizations to be proactive rather than reactive by improving their risk management practices and auditing their AML compliance program to ensure that it is effective.
The main objective of this article is to make organizations aware that they need to perform AML/CFT audits just as they perform other audits, such as financial audits and external audits. This article will also guide candidates who are pursuing AML/CFT audit. That is the reason why many jurisdictions have mandated independent audits in institutions like banks, non-banks, insurance companies and other corporations.
The last line of defense is the audit department. While preserving independence from compliance and business responsibilities, audit is responsible for providing an objective evaluation of the AML compliance program for soundness, adequacy, and sustainability.
Advantages of AML/CFT Audit are:
- An independent audit helps the organization to identify urgent matters, such as non-compliance with laws, and to raise its standards to best practice for the prevention of money laundering, the financing of terrorism, and fraud and financial crime.
- An AML audit helps to identify mistakes and oversights. Although this type of mistake does not in itself constitute criminal behavior, it does give regulators an opportunity to consider fining the institution for a breach of the law.
- It supports corporate governance by strengthening the organization’s system of control. It assures the different layers of management that key controls are designed properly and operate effectively and efficiently.
An AML audit should be risk-based, focusing on high-risk clients, products, services and geographies. It should be able to identify deviations from policy, laws, rules and regulations in a timely manner and test the adequacy of internal controls to ensure compliance with AML requirements.
The main objectives of AML/CFT audit are:
- Check to see if the entire AML/BSA compliance program is properly developed and operating.
- Identify any significant AML program flaws, internal control weaknesses, and opportunities for program, process, and control improvements, and report them to senior management and the board of directors (typically the audit committee).
- Assist management in spotting potential money laundering, terrorism financing, and other financial crime risks.
- Perform and document procedures and outcomes that regulators may find valuable in conducting supervisory examinations.
- Assess and identify potential gaps and opportunities for management to improve its suspicious activity detection, investigation, analysis, escalation, documentation, and reporting processes.
- Examine the AML strategic planning method used by management.
- Identify possibilities and techniques to assist management in making continuous program improvements.
- Examine how well AML compliance is integrated into the business.
Some of the key areas covered by AML/CFT Audit are:
1. AML/CFT Risk Assessment:
The AML/CFT risk assessment should be the basis for the AML/CFT program. The risk assessment should clearly identify all areas within the organization and specifically identify those Business Units (BUs) within the organization with direct BSA/AML responsibilities. The risk assessment should also clearly identify each BSA/AML responsibility specific to each Business Unit. The risk assessment should include a detailed, in-depth evaluation of the inherent risk of every risk factor, such as customers, geographies, products, services and systems used or offered by each BU within the organization, including an evaluation of the effectiveness of systems and internal controls utilized by each BU and the determination of the resulting AML/CFT residual risk of each risk factor. Any major events or changes that have taken place within the organization should be reflected in the risk assessment, e.g., mergers, acquisitions, expansions, changes in the organization’s footprint/expansion into new markets, new or changed products or services.
2. Auditing Policies and Procedures
This area deals with evaluating whether the policies and procedures are comprehensive, customized, up-to-date, understood and used. The audit should also test that the AML compliance program has been reviewed and approved by senior management and the board of directors. The policies and procedures must meet the provisions set out in laws and regulations.
3. Customer Identification Program (CIP)
The Customer Identification Program rules of the reporting entity should be in line with its internal policies and procedures for know your customer (KYC), due diligence and enhanced due diligence (EDD), as per the regulatory requirements. CIP is intended to enable the organization to form a reasonable belief that it knows the true identity of each customer. KYC or CIP is required because a lack of it leads to a failure to adequately represent the customer and may result in inaccurate risk ratings. Frequent or repetitive occurrences of customer accounts with incomplete or deficient information may indicate systematic weaknesses in the KYC process.
4. Renewals, Updates and Periodic Reviews
Performing periodic risk‐based renewals and maintaining up‐to‐date customer information are critical components of understanding the customer base. This involves looking for changes in KYC information (e.g., expected account activity, employment or business details, business ownership, etc.). Customer profiles with outdated information may indicate additional risk exposure as there may be instances where a customer’s risk rating should be elevated and/or additional information collected. Best practices include updating customer information and reassessing customer risk ratings in accordance with established policies and procedures.
Customer Name Screening (see the “OFAC and Sanctions” control section for details on OFAC screening)
An essential aspect of “knowing your customer” lies in performing customer name screening and list comparison searches. This function usually occurs at the account opening and renewal stages and includes the identification of PEPs, sanctioned persons or entities, and customers appearing in adverse media.
5. Suspicious Transaction Reporting
Policies, procedures and processes should be in place for referring suspicious activities from all areas of the Business Unit to the personnel or department. This includes establishing and documenting a clear and defined escalation process from the point of initial detection to the completion of the investigation. Whistleblower channels for employees to refer suspicious activity privately should be available and communicated in policies and procedures. Information provided by financial institutions (FIs) is used by law enforcement to execute investigations, gather intelligence about emerging money laundering tactics, identify illegal activities and prosecute criminals. Where a decision is made to file a SAR, the quality of the SAR content is critical to the effectiveness of the suspicious activity reporting system. A well‐written and detailed SAR will allow the FI to more effectively manage large volumes of filings and conduct more fruitful examinations of suspect customers or activity. Policies, procedures and processes should reflect standards and guidelines for ensuring that SARs are timely, complete and accurate.
6. Sanctions Screening
The organization should implement an automated sanctions screening system to prevent bad actors from entering or conducting transactions. This can be used at the time of on-boarding, when passing international transactions and so on. Even with assistance from sophisticated automated solutions and advanced technology, there is often a need to implement manual processes, such as individualized reviews for double checking alerts, confirming false positives, managing data or adjusting and testing screening mechanisms.
7. Training and Awareness
Staff should receive AML training in current rules and regulations and Business Unit‐specific information (e.g., products/services, customers, risk profiles, policies and procedures, etc.), as well as targeted and more advanced training that is relevant to their roles and responsibilities. Money launderers are constantly evolving and refining their strategies. As such, training should explore recent trends through case studies. The intensity, scope and frequency of training should be commensurate with each employee’s job level and respective duties.
8. BSA/AML Department
A centralized AML/CFT Department should be established, responsible for overseeing and implementing the Bank’s BSA/AML Program and for monitoring, investigating and reporting suspicious activity. Management should ensure that adequate and competent staff are allocated.
The above is not an exhaustive list; other areas will depend on the organization's situation, considering its internal and external environment. If you are interested in how to perform an AML/CFT audit in these areas, you can go through the following course. The course will take you through the AML/CFT audit process, from the initiation, planning and implementation phases to completion, in a fictional company. We have used animation and other creative ways to make your learning journey fun and understandable. This course will help any external or internal auditor who wants to do an AML/CFT audit, as well as compliance department staff who perform AML/CFT monitoring in their organization. It will also be useful for candidates who are pursuing CAMS-Audit.
Risk of AML/CFT audit
To complete an AML/CFT audit successfully, auditors need to be aware of the current hot topics that are causes of concern for regulators and reporting entities. Lapses in AML/CFT audit have been due to inexperienced or inadequately trained testers; audit coverage that was inadequate or not appropriately risk based; insufficient transaction testing; limited understanding and inadequate testing of automated account monitoring systems; and deficient follow-up on previously identified issues.
Therefore, if you want a proper AML/CFT audit in your organization, hire real experts. Or you can select us, Siorik Consultancy; we have a dedicated team of CAMS certified and CAMS-Audit certified professionals who can help you in this endeavor.
Thank you for reading.