Fundamentally, an AML/CFT program should be risk-based. Certain aspects of a financial institution's business will pose greater money laundering risks than others and will require additional controls to mitigate those risks, while others will present a minimal risk and will not need the same level of attention.
Depending on the size of the organization, the anti-money laundering function may be managed as a dedicated/stand-alone department, integrated into other corporate departments such as the legal department or may be performed by people who have other compliance duties.
The AML/CFT program should establish minimum standards for the enterprise that are reasonably designed to comply with all applicable laws and regulations. It may be supplemented by the policies and procedures of various lines of business or legal entities that address specific areas, such as private banking, trade finance, cash handling, institutional banking, wealth management or investigations.
Compliance programs should also include corporate governance and overall management of money laundering and terrorist financing risks.
The Financial Action Task Force (FATF) urges risk-based controls. Per FATF, there are circumstances where the risk of money laundering or terrorist financing is higher, and enhanced customer due diligence (CDD) measures have to be taken. A risk-based approach requires financial institutions to have systems and controls that are commensurate with the specific risks of money laundering and terrorist financing facing them.
An AML/CFT program should be:
- flexible because money laundering and terrorist financing risks vary across jurisdictions, customers, products and delivery channels and over time;
- effective as companies are better equipped than legislators to effectively assess and mitigate the particular money laundering and terrorist financing risks they face; and
- proportionate because a risk-based approach promotes a common sense and intelligent approach to fighting money laundering and terrorist financing as opposed to a check-the-box approach. It also allows firms to minimize the adverse impact of anti-money laundering procedures on their low-risk customers.
Commonly referred to as the four pillars, the basic elements that must be addressed in an AML/CFT program are:
- a system of internal policies, procedures and controls (first line of defence);
- a designated compliance function with a compliance officer (second line of defence);
- an ongoing employee training program; and
- an independent audit function to test the overall effectiveness of the AML program (third line of defence).
A System of Internal Policies, Procedures and Controls
The establishment and continual development of a financial institution's policies, procedures and controls are foundational to a successful AML/CFT program. Together, these three parts define and support the entire AML/CFT program, and at the same time, act as a blueprint that outlines how an institution is fulfilling its regulatory requirements. All three parts should be designed to mitigate the identified AML/CFT risks and should take into account the applicable AML/CFT laws and regulations that the financial institution must comply with. They should clearly indicate the risk appetite of the business; in other words, what risks the business is prepared to accept and those it is not.
AML Policies, Procedures and Controls
An AML/CFT compliance program should be in writing and include policies, procedures and controls that are designed to prevent, detect and deter money laundering and terrorist financing, including how the institution will:
- identify high-risk operations (products, services, delivery channels, customers and geographic locations); provide for periodic updates to the institution's risk profile and provide for an AML/CFT compliance program tailored to manage risks;
- inform the board of directors (or a committee of the board) and senior management of compliance initiatives, known compliance deficiencies, suspicious transaction reports filed and corrective action taken;
- develop and maintain a system of metrics reporting that provides accurate and timely information on the status of the AML/CFT program, including statistics on key elements of the program, such as the number of transactions monitored, alerts generated, cases created and suspicious transaction reports (STRs) filed;
- assign clear accountability to people for performance of duties under the AML/CFT program;
- provide for program continuity despite changes in management or employee composition or structure;
- meet all regulatory requirements and recommendations for AML/CFT compliance;
- provide for periodic review as well as timely updates to implement changes in regulations (this should be done at least on an annual basis);
- implement risk-based CDD policies, procedures and processes;
- provide for dual controls and segregation of duties;
- comply with all record-keeping requirements, including retention and retrieval of records;
- provide sufficient controls and monitoring systems for the timely detection and reporting of potentially suspicious activity and large transaction reporting. This should also include a procedure for recording the rationale for not reporting activity as a result of the findings of any investigation.
Most AML/CFT laws and regulations require financial institutions to include training for appropriate or relevant employees in their formalised AML/CFT compliance programs. Training is one of the most important ways to stress the importance of AML/CFT efforts and to educate employees about what to do if they encounter potential money laundering. Training also acts as an important control in the mitigation of money laundering risks to which the financial institution may be exposed.
Putting your AML/CFT compliance program into motion is not enough. The program must be monitored and evaluated. Institutions should assess their AML/CFT programs regularly to ensure their effectiveness and to look for new risk factors.
The audit must be independent (i.e., performed by people not involved with the organisation's AML/CFT compliance staff), and individuals conducting the audit should report directly to the board of directors or to a designated board committee composed primarily or completely of outside directors.
Establishing a Culture of Compliance
Embedding a culture of compliance into the overall structure of a financial institution is critical to the development and ongoing administration of an effective AML/CFT program. Typically, the ultimate responsibility for the AML/CFT compliance program rests with the financial institution's board of directors. The board and senior management must set the tone from the top by openly voicing their commitment to the AML/CFT program, ensuring that their commitment flows through all service areas and lines of business and holding responsible parties accountable for compliance.
Developing an AML/CFT program is the first step toward achieving regulatory compliance, protecting your reputation and having measures in place to combat money laundering and terrorist financing. An in-depth knowledge and understanding of the complexities within the AML/CFT legislation is imperative and requires a competent advisor, even if it means seeking external assistance.
This article was originally published on the Malta Business Weekly on Thursday 21st October 2021.