The legal and regulatory landscape of the anti-money laundering/counter-terrorist financing (AML/CTF) sector is in constant flux and necessitates a dedicated function to assess the level of compliance and the effectiveness of obliged entities’ policies, procedures, measures and controls regularly.
External independent AML audits are key to uncovering the major pain points surrounding the obliged entities’ AML/CTF procedures and controls by providing an objective, impartial perspective and unbiased understanding of the obliged entities’ AML/CTF strategy. External independent AML audits can assist obliged entities in ensuring the swift identification and appropriate mitigation of risk, elicit an authentic understanding of the obliged entities’ standing in terms of AML/CTF compliance, assist obliged entities in keeping up with the pace of regulatory and legislative change and devise remedial action-plans to implement and maintain the evolving requirements in practice.
The local regulatory framework emphasises on the need to employ an independent AML audit function to evaluate the effectiveness of the obliged entities’ operations on a regular basis. While no timeframe is specified for independent AML audits to be conducted, a best practice is to conduct independent audits annual or when there are significant regulatory changes. Following substantial revisions to the obliged entities’ policies, procedures, measures and controls, as well as following any other major changes in the obliged entities’ business model or activities is also important. This does not entail that a fully-fledged independent AML audit should be conducted every year unless the size and nature of the business requires such an approach, but obliged entities could choose to focus on thematic or targeted areas yearly, potentially those areas that are identified as posing a higher level of risk through the obliged entities’ business risk assessment. Such areas could include the obliged entities’ risk assessment and management strategies, alignment of the obliged entities policies and procedures with the applicable regulatory framework, customer onboarding and due diligence procedures and transaction monitoring systems and procedures. Hence, a risk-based approach should be adopted to determine the areas that should be incorporated into the scope and design of these independent AML audits.
The benefits of independent AML audits are manifold. To begin, engaging external consultants to assist obliged entities in evaluating, enhancing, and/or aligning their policies, procedures, measures and controls with the respective regulatory framework provides obliged entities with a holistic and unbiased view of their status when it comes to the level of technical compliance and effectiveness of their AML/CTF strategy. The quality of reporting that results from an independent AML audit is objective and systematic and provides recommendations which are informed and practical. Moreover, the practice of having regular independent AML audits will enhance the obliged entities’ image across factions, namely with clients, potential investors and regulators. Particularly in the case of regulators, adopting such a practice indicates that obliged entities are committed to taking the necessary steps to ensure a high level of compliance with the regulatory requirements. The contributions and insights of independent AML auditors can be integrated into the obliged entities’ processes and procedures and shared with staff and significant stakeholders to increase their awareness of the obliged entities’ major pain points, in addition to adopting the practical recommendations to optimize their functions. Moreover, by maintaining ongoing independent AML audits, obliged entities can ensure that any shortcomings or oversights in their AML/CTF strategy are identified and rectified in a timely manner, thereby assuring that obliged entities are always compliant and prepared for potential regulatory examinations and thus avoid incurring unnecessary fines or reputational damage.
An independent AML audit will include a review of the obliged entities’ policies and procedures, interviews with the obliged entities’ money laundering reporting officer and potentially other relevant stakeholders, and a review of a sample of client files to ensure that the procedures, measures and controls that are outlined in the policies and procedures are being implemented in practice, and to ensure overall compliance in the obliged entities’ operations. The observations that emerge from such a review and testing against the applicable regulatory framework will be outlined and recommendations for remedial action will also be provided. Subsequent independent AML audits could then incorporate an assessment of the implementation of the recommended actions and commentary on the obliged entities’ progress in this regard.
One essential component of effective independent AML audits is the quality and quantity of resources. This includes human, technological and logistics. The level of expertise in AML/CTF of the independent AML auditors is an essential factor that contributes to an effective independent AML audit. Proficiency with the respective legal and regulatory framework is necessary; however, a successful auditor will also possess industry-specific experience and a high level of commitment to the process. Technological tools and systems can support the independent AML audit function to categorize, organize, record and access information as well as data and to distribute this data to the relevant stakeholders. Concerning the logistical elements, these should be decided against the scope of the assignment, which should be clear from the outset of each audit. Another critical component for an effective independent AML audit is communication. Obliged entities and auditors should appreciate that the independent AML audit is not a regulatory examination but a methodological and collaborative exercise focused on the obliged entities’ AML/CTF strategy to identify the main areas for improvement and recommend tangible solutions to progress.
The auditors’ aim is to gain the best and most representative understanding possible, and this can only be achieved through keeping an open communication and feedback loops to facilitate the continuous improvement in the obliged entities’ AML/CTF strategy.
Deborah Cassar, CAMS-RM, associate director, AML Risk Consulting Advisory, KPMG Malta
Louise Agius, assistant manager, AML Risk Consulting Advisory, KPMG Malta