CEOs and AML officers in financial organizations (and beyond) understand what a massive impact an AML program has on a business. Crafting a program that perfectly suits all angles of your organization, as well as your business model, is a challenge.
At the same time, money launderers study AML laws as diligently as you do, and are equally motivated. The challenge, while coming up with an AML program, is to encompass all the needed parts, while staying creative, cornering all risks, and reinforcing your safeguards.
In the process of creating a program, we need to keep in mind that effective programs are costly, but not having one will eventually cost even more: either in the form of hefty fines and/or reputational damage, both of which might be hard to recover from for a Financial Institution (FI).
Below is a high-level guide for designing and implementing an effective AML program:
1. Risk assessment
To help develop a risk assessment of your business activities and clients, you need to use certain prescribed elements.
FIs need to be able to recognize products and services, or combinations of them, that may pose higher risks of Money Laundering/Terrorist Financing (ML/TF), as well as their delivery channels (non-face-to-face transactions, agent networks, etc.). Here are some examples of high-risk products and services:
Your business faces increased ML/TF risks when funds are received from or destined to high-risk jurisdictions, and when a client has a material connection to a high-risk country. Risks associated with residency, citizenship or transactions should be assessed as part of the inherent risk assessment of your clients.
At the beginning of a relationship with a client, and periodically throughout it (your policies and procedures must reflect this), you should consider the purpose and intended nature of your business relationship. You should understand your clients’ activities and transaction patterns to determine their level of ML/TF risk.
Some characteristics or patterns of activities will have an inherently higher risk of ML/TF, and they must be considered when assessing the overall risk of a client or a business relationship.
Below are three indicators that will automatically place clients in the high-risk category:
2. Risk-Based Approach (RBA)
RBA was first encouraged in the Third EU Money Laundering Directive (2005) and, subsequently, mandated in the 2012 Financial Action Task Force (FATF) Recommendations.
In the context of ML/TF, a risk-based approach is a process that encompasses the following:
It is paramount to remember that assessing and mitigating the risk of ML and TF is not a static exercise. The risks that have been identified may change or evolve over time as new products or new threats enter your business context. Consequently, your risk-based approach should be re-evaluated and updated when the risk factors change.
3. Tolerance level
Risk tolerance is an important component of effective risk management. It is paramount to take your risk tolerance into account before moving on to considering how risks can be addressed. When considering threats, the concept of risk tolerance will allow you to determine the level of exposure (e.g. the number of high-risk clients, inherently high-risk products, etc.) that you consider tolerable. To do so, you may want to consider the following risk categories that could affect your organization:
Some of the questions that you may want to answer are:
4. AML Officer
Leadership needs to appoint and empower a qualified AML Officer to oversee, manage and drive the AML program, with adequate authority to make decisions and to be the point of contact for Law Enforcement agencies and local regulators.
5. Regular review of AML controls
The AML Officer needs to implement a periodic review of the AML program to ensure that internal compliance controls and policies, as well as procedures, are in place and applied correctly.
The process of review needs to be documented in accordance with record-keeping policy, and it has to be able to demonstrate that the FI’s due diligence is in line with the policy.
It is expected that the review happens both periodically and when needed: when launching new products, when expanding business activities into new jurisdictions, when new regulations are introduced, and in the wake of other factors that might contribute to a higher risk of money laundering and terrorist financing.
6. Independent audit of the AML program
It is crucial and mandatory for FIs to test and assess their AML program and controls against local laws, the Bank Secrecy Act (BSA) and Financial Action Task Force (FATF) recommendations.
The assessment and audit can be performed either by an independent and qualified function within the organization or by a third-party audit firm.
Independence is critical for the audit to be objective.
Audit findings need to be reported, documented, and adequately addressed to rectify any lapses and achieve improvement of processes.
7. Effective technology
Consider what millennials expect when opening a bank account, together with the trend of digitizing everything from applying for loans to crowdfunding, shopping, and online banking. Online and digital banks face a growing challenge: keeping up with the competition while managing financial crime risk and evolving regulatory requirements.
Banks can’t manage money laundering risk without technology and machine learning to perform KYC (Know Your Customer) onboarding and monitoring during the client’s life cycle. Therefore, a relationship with innovative RegTech is critical for compliance to achieve its objective.
8. Employee training
Regular, documented and formalized training for staff and the executive board is mandatory and key in demonstrating awareness of ML risk and mitigation tools. This training can be carried out in different ways: in in-person training and awareness sessions or via online tools.
It’s important to differentiate between regular awareness sessions and training of new employees, whether they are client-facing teams or AML specialists.
9. Enhanced Due Diligence (EDD) measures
FIs need to define the different levels of KYC due diligence which differ from customer to customer based on the level of money laundering risk they pose to the FI.
Enhanced due diligence should apply during the onboarding stage and also during the relationship with high-risk clients.
Here are some of the EDD’s purposes:
10. Compliance and control culture
Establishing the right environment and a speaking-up culture is critical to the management of a robust AML program.
The leadership needs to set the right tone for enforcing the required controls and also promote a speaking-up culture that encourages and motivates employees to report any potential misconduct, whether it’s a breach of policy or national law.
This is achieved by establishing a clear whistleblowing and non-retaliation policy that emphasizes the FI’s commitment to addressing any misconduct reports. Such practice establishes a solid ground of trust between leadership and employees, which leads to conditions in which the management is able to hear about severe problems on time, before the regulators do.