I love an AML Audit. I really enjoy reviewing Firm’s policies and procedures and seeing the different approaches Firm’s take in respect of AML. Best of all is seeing how the culture surrounding Compliance is changing.
So, what is an AML audit and what should an AML audit involve?
The AML audit process is a way to strengthen or improve a firm’s AML programme. It is a way of assessing whether Firm’s AML policies, controls and procedures are up to date, comply with The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR) and are functioning in practice as intended.
The purpose of the Audit is to:
- examine and evaluate the adequacy and effectiveness of the policies, controls and procedures adopted by the Firm to ensure compliance with the requirements of the Money Laundering Regulations;
- make recommendations in relation to those policies, controls and procedures; and
- monitor compliance with those recommendations.
Why Conduct an AML Audit?
Regulation 21 of the MLR requires a relevant person, where appropriate to the size and nature of the business, to establish an independent audit function. This does not necessarily need to be an external audit, however, it will need to be conducted by someone in the firm who is independent of the Risk/Compliance/Anti Money Laundering (AML) function, but equally has enough AML knowledge to be able to conduct the audit. It is important to note that any findings in an Audit Report carried out under regulation 21 are disclosable to the Regulator.
Non-Mandatory Audit (Internal Audit)
A Firm may choose to conduct an internal Money Laundering Audit as routine procedure, being a way of checking whether the Firm’s policies, controls and procedures are up to date and comply with the MLR. The Audit report in these circumstances would remain for internal purposes only and confidential to the firm.
What is the Process for Conducting an AML Audit?
The audit is a four-stage process:
- Policy Review – A Review of the Firm’s policies and procedures against the requirements of the legislation will need to be conducted.
- Test – The Firm should then test the knowledge, understanding and application of those processes.
- Audit Report – This contains the findings of the audit, as well as recommendations for changes.
- Review – Following the Audit, there should be a review following an implementation period to establish compliance with the recommendations. Any recommendations must be implemented.
Review of Policies and Procedures
A review of all the Firm’s AML policies and procedures, Firm Risk Assessment and the Firm’s matter-based Risk Assessment is conducted by the Auditor.
When carrying out the review the Auditor will assess whether the Firm’s AML policies and procedures meet the requirements of the MLR.
The Auditor will use a list/table of each specific regulation and check this against the Firm’s AML policies and procedures to confirm whether or not the Firm has met that requirement.
As part of the Audit the Auditor should test the knowledge, understanding and application of the Firm’s processes. This is normally tested through staff interviews and matter file reviews.
Interviewing staff will help the Auditor assess the staff’s knowledge and understanding of money laundering, money laundering red flags and the firm’s processes.
The Auditor will carry out a review of files and assess whether the matters comply with the Firm’s AML policies and procedures.
The Auditor may also request to review some closed files. Reviewing a closed matter will assist the Auditor in assessing whether there was on-going monitoring of risk and whether the completion instructions to accounts included information as to risk.
The Audit Report
The Audit will result in a written report on whether:
- The Firm’s risk assessment and AML policies, controls and procedures comply with the minimum requirements of the MLR.
- Changes which are required as a result of deficiencies identified (if any)
The Audit report should:
- Set out the law (what specific regulations of the MLR were checked against)
- Explain what was examined for that specific regulation.
- Document findings of areas of compliance and non-compliance as well as identifying areas for recommended improvement in behaviour and practice. It should be made clear which areas the Firm is compliant, non-compliant or partially compliant.
- Include an indication of where there are potential failings and a recommended course of action
The Firm should conduct a review following an implementation period to establish compliance with the recommendations. As part of the review the Auditor will be assessing whether the recommendations have been carried out and whether there is any evidence to show whether they are effective.
If you would like to discuss this further or feel your Firm requires an AML Audit, please get in touch and we would be happy to help. Drop us an email at email@example.com.