AML internal audits: A need or a must?

Just over €4,150,000,000. This is the total amount of penalties imposed on financial institutions globally for their lack of compliance with anti-money laundering obligations in 2022. This figure was published in a report issued by Fenergo, which identified a 52% increase in fines imposed for breaches of AML legislation over 2021. If we shift the spotlight to Malta, financial and non-financial institutions were subject to more than €12.3 million in administrative penalties in 2021 alone. While the monetary value of penalties decreased during the course of 2022, the actual number of penalties imposed by local authorities remained largely unchanged.

One may disagree as to whether these penalties are justifiable or otherwise. But without a shadow of doubt the numbers are staggering and any entity subject to AML compliance obligations would do well to ensure that it does not fall foul of its anti-money laundering obligations. Failure to do so would not only create the ideal environment for criminals to reap the benefits of ill-gotten gains but also increase the risk of penalties being imposed on the subject person.

International efforts to fight financial crime keep increasing year on year, as do associated enforcement actions. Not surprisingly, the tangible risks faced by operators which are subject to anti-money laundering obligations (referred to as ‘subject persons’) have led a number of subject persons to consider undertaking a thorough internal health check of their risk assessments, systems, processes, policies and procedures. Subject persons are therefore recognising the need to have robust internal controls, with the aim of ensuring full compliance with their AML/CFT obligations.

The strength of any financial crime framework lies in its weakest link. It is therefore fundamental that subject persons remain vigilant to ensure that internal systems and controls are indeed strong enough to face the evolving challenges faced by subject persons as gatekeepers against financial crime. Ensuring that policies and procedures are workable and effective is imperative; ongoing training is fundamental; ongoing risk assessments remain key; employing a thorough third line of defence, through the appointment of an independent internal auditor capable of identifying potential weaknesses in internal systems, is crucial to strengthen one’s financial crime framework.

The Prevention of Money Laundering and Funding of Terrorism Regulations do not mandate the appointment of an internal auditor for all subject persons. Such an appointment is only required in cases where it is deemed proportionate by the subject person. However, given that subject persons are continuously exposed to money laundering risks, and since they remain responsible for managing and mitigating such risks at all times, the appointment, or otherwise, of an internal auditor is a decision which could make or break a business.

The internal audit function: the Pros

Internal auditors are to be given a brief and it is really up to the board of directors to determine the scope of such brief. Internal audits may be full-scope audits (i.e. assessing all aspects of the financial crime framework) or may focus on areas which the board of directors views as requiring specific scrutiny. In the latter case, the internal auditor would thus focus its review efforts solely on those areas requiring internal health checks.

The ultimate aim of an internal audit is that of identifying potential areas of weaknesses which could make the subject person more vulnerable to financial crime risk. These weaknesses are reported to the subject person at the end of the audit. A thorough and effective internal auditor should make the necessary recommendations to improve internal processes, to update risk assessment methodologies, and to revise policies, procedures and processes of the subject person. Ultimately, the objective of an internal auditor is achieved if the subject person’s anti-money laundering framework is rendered more effective in identifying and dealing with instances of money laundering.

That being said, one should not automatically assume that an internal auditor’s review of internal processes and procedures would invariably lead to greater bureaucracy. Indeed, a truly effective internal auditor should be able to improve the efficiency of the customer on-boarding and ongoing monitoring processes. This may lead to a more practical application of legal and regulatory requirements, by moving away from a tick-the-box approach towards truly implementing a risk-based approach.

The greatest objection typically raised in the context of the appointment of an internal auditor is that the subject person already appoints a compliance officer and an MLRO, which together constitute the subject person’s second line of defence. Admittedly, the compliance function would be undertaking certain checks on the subject person’s financial crime framework as part of the compliance monitoring programme. However, this would only be effective to the extent that the compliance function has the necessary skill, competence and knowledge to be able to undertake the assessment in a proper manner. In cases where the compliance function is not well equipped from a skill, knowledge, competence or seniority perspective, the board of directors might be receiving reports which are not factual, accurate or complete, thus having the opposite effect of increasing regulatory risks. An internal auditor could fill this gap and ensure that the board of directors is receiving meaningful reports on the entity’s AML/CFT framework.

Specifically, with respect to those subject persons who are individuals, such individual operators naturally do not have a second line of defence function. Since the latter’s role is to assess the adequacy and effectiveness of the controls adopted and their implementation in practice, it would be very unlikely for the individual subject person to identify shortcomings in his or her own anti-money laundering framework. In such instances, the appointment of an internal auditor, although not mandatory, becomes key to ensure that the AML framework implemented by the individual subject person is adequate and is being implemented in line with legal and regulatory requirements.

The choice of Internal Auditor

An effective internal audit function requires the appointment of an independent internal auditor who is fit for the job. While it is obvious that the person or entity chosen to undertake the audit should be knowledgeable on applicable legislative requirements, it is imperative that the internal auditor also understands the subject person’s business. Laws and regulations do not exist in a vacuum. They need to be mindfully applied to the type of business being undertaken by the subject person. Anti-money laundering obligations need to be seen and applied in the context of the business being audited. The internal auditor chosen must be skilled, knowledgeable and competent in both pillars; if any one of these two core strengths is found wanting, then, inevitably, the internal audit assessment will be flawed at inception, rendering it invariably ineffective.

The Audit Process

The audit’s scope, objectives, timeline, schedule, and responsibilities need to be established at the outset. It goes without saying that an audit should not cause any disruption to the normal course of business, or create any inefficiencies. Rather, it is key that the internal audit remains a background operation, with minimal interference with the operating units.

On a more practical note, before the audit process is kicked off, the internal auditor should first understand the modus operandi of the subject person within the context of the services which it offers its clients. Indeed, an audit process would only add value to the extent that the internal auditor understands the financial crime risks to which the subject person is exposed. On the other hand, the subject person would need to assess the effectiveness of the control framework adopted by the subject person to mitigate such risks. Failing to do so would result in yet another tick-the-box exercise providing little to no value to the subject person.

The relevant process flowcharts, risk assessments, policies, procedures and other manuals should be reviewed by the internal auditor in order to assess compliance with legal and regulatory requirements. Interviews should also be held with employees of the subject person in order to assess whether they are fully aware of the internal procedures and the manner in which they are to be implemented.

Testing of the systems and screening software is also an integral part of the audit process. Through such processes, the internal auditor would determine whether such systems are fit for purpose or whether there is scope for further improvements.

The internal auditor could also sample customer files in order to assess whether the customer due diligence and the relevant screening undertaken on the customers are adequate and in line with legal and regulatory requirements.

The end of the audit process is marked by the submission of an audit report to senior management for their consideration. The report would contain details of the findings of the audit process, identifying weaknesses and making recommendations to senior management for the strengthening of the subject person’s AML / CFT framework.

Whether the internal auditor remains involved in the remediation process is up to the subject person to determine. Notwithstanding, it is crucial for the subject person to adopt a plan with realistic timeframes within which the recommendations of the internal auditor are implemented. Failure to implement the recommendations made would result in the subject person being exposed to financial crime risks, thereby making the business more vulnerable to money laundering and increasing the risk of regulatory fines.

Peace of Mind

There is no doubt that compliance requirements have increased substantially over the years. Through the appointment of an internal auditor, the board of directors of the subject person would have the peace of mind of knowing that checks are being undertaken on whether the subject person is complying with its anti-money laundering obligations in line with the applicable requirements. That being said, the appointment of an internal auditor does not exonerate board members from receiving reports and questioning the results of the internal audit to ensure that they are aware of, inter alia, the manner in which the obligations are being satisfied.

Looking ahead

No matter how effective AML frameworks are, crime and money laundering will subsist. Notwithstanding, this should not mean that subject persons should let down their guard or turn a blind eye. It is hard to imagine the fight against money laundering succeeding without there being regulation at the level of the gatekeepers. Furthermore, greater international coordination in the fight against financial crime will almost invariably lead to increased regulatory oversight.

While there is no doubt that subject persons must up their game to meet regulatory expectations, there is an ever-increasing sense of awareness amongst customers of the reputation of the service providers they deal with. In the long run, the survivors will be those subject persons who will be able to keep providing a pleasant customer experience, without compromising their regulatory compliance obligations. Finding the right balance between these opposing forces may be the key to success…and an internal audit might just be the archstone required to achieve this.

This article was first published in the Malta Independent on 04/05/2023.