The state of constant flux of the AML/CFT legal and regulatory landscape necessitates a dedicated function to assess the level of compliance and effectiveness of subject persons’ policies, procedures, measures, and controls from time to time. External independent AML audits are key to uncovering the major pain-points surrounding the subject persons’ AML/CFT procedures and controls, by providing an objective, impartial perspective, and unbiased understanding of the subject persons’ AML/CFT strategy. External independent AML audits can assist subject persons to ensure the swift identification and appropriate mitigation of risk, to elicit an authentic understanding of the subject persons’ standing in terms of AML/CFT compliance, assist subject persons to keep up with the pace of regulatory and legislative change, and devise remedial action-plans to implement and maintain the evolving requirements in practice.
The local regulatory framework itself places an important emphasis on the need to employ such an independent AML audit function with the purpose of evaluating the effectiveness of the subject persons’ operations on a continuous basis. Whilst no timeframe is specified for such independent AML audits to be conducted, a best practice is to conduct such independent audits annually, when there are significant regulatory changes, also following substantial revisions to the subject persons’ policies, procedures, measures, and controls, as well as following any other major changes in the subject persons’ business model or activities. This does not entail that a fully-fledged independent AML audit should be conducted every year, unless the size and nature of the business prerequisites such an approach, but subject persons could choose to focus on thematic or targeted areas from year to year, potentially those areas which are identified as posing a higher level of risk through the subject persons’ business risk assessment. Such areas could include the subject persons’ risk assessment and management strategies, alignment of the subject persons’ policies and procedures with the applicable regulatory framework, customer onboarding and due diligence procedures, and transaction monitoring systems and procedures. Hence, a risk-based approach should be adopted to determine the areas that should be incorporated into the scope and design of these independent AML audits.
The benefits of independent AML audits are manifold. To begin with, engaging external consultants to assist subject persons with evaluating, enhancing, and/or aligning their policies, procedures, measures, and controls with the respective regulatory framework provides subject persons with a holistic and unbiased view of their status when it comes to the level of technical compliance and effectiveness of their AML/CFT strategy. The quality of reporting that results from an independent AML audit is objective and systematic and provides recommendations which are informed and practical. Moreover, the practice of having regular independent AML audits will enhance the subject persons’ image across factions, namely with clients, potential investors, and regulators. Particularly in the case of regulators, adopting such a practice indicates that subject persons are committed to take the necessary steps to ensure a high level of compliance with the regulatory requirements. The contributions and insights of independent AML auditors can be integrated into the subject persons’ processes and procedures and shared with staff and significant stakeholders to increase their awareness around the subject persons’ major pain-points, and to take on board the practical recommendations and in turn optimize their functions. Moreover, by maintaining ongoing independent AML audits, subject persons can ensure that any shortcomings or oversights in their AML/CFT strategy are identified and rectified in a timely manner thereby assuring that subject persons are always compliant and prepared for potential regulatory examinations thus avoid incurring unnecessary fines or reputational damage.
An independent AML audit will include a review of the subject persons’ policies and procedures, interviews with the subject persons’ MLRO and potentially other relevant stakeholders, and a review of a sample of client files to ensure that the procedures, measures, and controls that are outlined in the policies and procedures are being implemented in practice, and to ensure overall compliance in the subject persons’ operations. The observations that emerge from such a review and testing against the applicable regulatory framework will be outlined and recommendations for remedial action will also be provided. Subsequent independent AML audits could then incorporate an assessment of the implementation of the recommended actions and commentary on the subject persons’ progress in this regard.
One essential component of effective independent AML audits is the quality and quantity of resources. This includes human, technological, and logistics. In terms of the human aspect, the level of expertise in AML/CFT of the independent AML auditors is an essential factor which contributes to an effective independent AML audit. Proficiency with the respective legal and regulatory framework is necessary, however a successful auditor will also possess industry-specific experience and a high level of commitment to the process. Technological tools and systems can support the independent AML audit function to categorise, organise, record, and access information and data, and distribute this data to the relevant stakeholders. With respect to the logistical elements, these should be decided against the scope of the assignment, which should be clear from the outset of each audit. Another critical component for an effective independent AML audit is communication. Subject persons and auditors should appreciate that the independent AML audit is not a regulatory examination, but a methodological and collaborative exercise focused on the subject persons’ AML/CFT strategy with the primary scope of identifying the main areas for improvement and recommending tangible solutions to progress. The auditors’ aim is to gain the best and most representative understanding possible, and this can only be achieved through keeping open communication and feedback loops to facilitate continuous improvement in the subject persons’ AML/CFT strategy.
How can we help?
KPMG’s Risk Consulting AML/CFT professionals are fully committed to assist you with the carrying out of these independent AML audits. We have proven expertise to assist you in complying with the different legislations/guidelines and to provide you with valuable recommendations for the improvement of your AML/CFT program.