With eye-watering fines being handed out for breaching the money laundering rules, Muhammad Hassaan Bhagat FCCA offers some practical advice on compliance audit.
This article was first published in the April 2020 International edition of Accounting and Business magazine.
As regulation, new technologies and digital transformation combine to create an ever more complex business environment for financial services organisations, the risk of failing to comply with the controls and sanctions on money laundering and terrorism financing grows.
The Association of Certified Anti-Money Laundering Specialists (ACAMS) has reported that between 2009 and 2018 regulators imposed US$17bn in fines on financial services entities for failure to comply with anti-money laundering (AML) and know-your-customer (KYC) regulations. A recent report from Encompass Corporation found that global penalties for AML failures amounted to US$8.14bn in 2019.
Regulators around the world are only too aware of the potential for reputational loss arising from failures within their jurisdiction. This is reflected in the hefty penalties they hand down.
In 2012, HSBC was fined a record US$1.9bn by US regulatory authorities for allowing itself to be used to launder drug money. HSBC acknowledged at the time that it had failed to maintain an effective programme against money laundering and to conduct basic due diligence on some account holders.
Meanwhile in 2019, Swiss bank UBS was fined US$5.1bn by the French criminal court, one of the biggest fines to date for breaching AML rules.
The pressure is on financial institutions to ensure their compliance controls are sufficiently rigorous. They are spending significant sums on programmes to comply with anti-money laundering and combating the financing of terrorism (AML/CFT) regulations, but the number and size of fines and penalties suggest that their efforts are not keeping pace with those of criminals. Given the level of regulation and audits – internal and external – that organisations are subject to, what more can they do to ensure their defences are watertight?
The prevalence of fines suggests that the scope of AML/CFT compliance in these audits and reviews is inadequate or at best ill defined. It may also suggest that the auditors undertaking these reviews lack the technical skills required.
To be effective, an AML/CFT compliance audit should be embedded into the institution’s other audit plans. A specialised team (separate from the financial audit team) is needed to review the AML/CFT compliance framework and provide independent assurance on the adequacy of the control design and its effectiveness in operation.
This approach is not unique. A number of regulators around the world require financial institutions in their jurisdictions to engage an independent third party to review AML/CFT compliance and submit a report to the regulator. The UAE’s Insurance Authority, for example, requires regulated insurance companies to submit such a report alongside their annual filings. And the Central Bank of the UAE recently required currency exchange houses operating in the country to appoint an independent third party to review their AML/CFT compliance framework and submit a report to the bank.
Approach to AML audit
While there are multiple international standards, guidelines and regulations covering AML/CFT, there is no defined mechanism or standard for how a review of an AML/CFT compliance programme should be carried out. However, it makes sense for a compliance audit to mirror the mainstream regulations, which cover the following elements:
- governance framework and management oversight (resourcing)
- money laundering, terrorist financing and sanctions risk assessment framework
- monitoring and surveillance
- assurance and independent verification
- training and awareness
Paying adequate attention to these areas enables the auditor to assess critical areas of compliance and to identify weaknesses and opportunities for improvement.
An AML/CFT compliance audit does not form part of standard external or internal audit activity and requires a specific set of skills and competencies. Above all, the team conducting such an audit should consist of specialists in financial crime or AML/CFT compliance.
It is also important for compliance auditors to consider the nature of the business, its size and the volume of transactions it handles. Other areas of compliance audit focus include how the organisation identifies suspicious individuals and entities at the time of client onboarding and on a continuous basis, how it monitors transactions, its continuous due diligence and its risk-based mechanism for assessing the AML risk presented by clients.
During the interviews with key management personnel, the auditor should critically assess the compliance culture within the organisation, as this plays a significant role in increasing the operating effectiveness of controls.
While the importance of a specialised AML/CFT compliance audit cannot be ignored, it also offers a value proposition and should not be viewed either as another tick for the governance checklist or as a costly corporate exercise. The tangible benefits of an AML/CFT audit include:
- Prevention of reputational damage. If weaknesses in the design and operation of an organisation’s AML/CFT compliance are identified by the regulator, it may lead to a significant reputational loss. If, however, the organisation initiates this kind of audit internally, actioning any audit findings can prevent reputational loss.
- Avoidance of financial losses from penalties/fines. Rectifying weaknesses and improving the control environment on a preventive basis reduces the risk of being penalised by the regulators.
- Provision of assurance to stakeholders and financial institutions. Strong AML/CFT compliance systems demonstrate a commitment to upholding the regulatory requirement and the confidence of stakeholders.
While important, an independent AML/CFT compliance audit will only be effective if properly resourced and carried out by specialist personnel. Such programmes should form part of an organisation’s overall audit plan.
Muhammad Hassaan Bhagat FCCA is assistant manager in the advisory service of Grant Thornton UAE.