GRC in Malta: The Pillars of Sound Financial Crime Compliance: A Comprehensive Guide

Author: Jonathan Camilleri
Published on April 23, 2024

As the practices criminals use to disguise the economic benefits of illicit activities continuously evolve, organisations should be well-equipped to manage the risks arising from such trends. Financial crime extends to various criminal practices, including money laundering, tax evasion, bribery and corruption, and financial market abuse. Whilst certain regulated entities have additional regulatory obligations to act as gatekeepers and manage risks, non-regulated entities are also exposed to such risks and should therefore seek to establish processes to ensure that their business operations are not conducive to such offences.

Main pillars of sound financial crime compliance

Instil a culture of compliance

Embedding a compliance culture within an organisation is fundamental to the ongoing development and implementation of an effective financial crime compliance (“FCC”) programme. The tone from the top is key in ensuring that employees adhere to the highest standards of compliance. Having board members and senior management with the right skillset, character and ethical standards helps in instilling a compliance culture. The board of directors should, through its actions, evidence to employees that compliance matters, and should also communicate the expected standards of compliance. Remuneration packages with key performance indicators linked to objective compliance criteria also improve the compliance culture. Ultimately, the management of financial crime risks should not be compromised by profit interests.

Enterprise risk assessments

Each organisation is exposed to different risks based on its business model, the services and products it offers, its interaction with customers or suppliers, and its geographical exposures. Through risk assessments, senior management should identify, measure and monitor the risk exposures of the organisation. Policies and procedures are built on the results of risk assessments, thereby ensuring that the organisation’s management of risks is adequate and proportionate. Organisations which do not complete a holistic FCC risk assessment may be exposed to legal, regulatory and reputational risks, which are problematic to manage; thorough risk assessments therefore also protect the organisation’s value.

Internal policies, procedures, systems and controls

Collectively, internal policies, procedures, systems and controls are the backbone of a complete FCC programme. They act as a blueprint outlining the way an organisation adheres to its regulatory requirements and mitigates its financial crime risks. Policies should establish the parameters within which the organisation manages its financial crime risks. Risks may need to be managed in different ways by different persons; therefore, the responsibilities of stakeholders throughout the organisation should be recognised in such policies. The tone from the top is also key to ensuring that the policies clearly define the key aspects of managing the relevant risks. Procedures should translate the policies adopted into acceptable and workable practices and should be updated on an ongoing basis. The internal systems and controls, including technological systems, should ensure that the organisation’s FCC programme is functioning as intended, also through the checks adopted by the compliance and internal audit functions.

Risk-based due diligence

Customer, counterparty and asset risk assessments have become of great relevance within the context of sanctions (but not only). It is therefore key to establish risk-based procedures to assess one’s customers, counterparties and/or assets relating to investments, and to apply measures to manage the relevant risks. From a sanctions perspective, understanding any connections that could be used to circumvent restrictions is also crucial in managing such risks. Procedures should guide employees in managing risks. Technological tools also facilitate the due diligence process, thereby ensuring that onboarding and assessment are done in an efficient and seamless manner. Organisations should therefore prioritise the design of risk assessments and well-documented procedures to identify any red flags or trigger events which would merit additional scrutiny.

Employee training and awareness programme

Well-trained employees with strong analytical skills are key in ensuring that financial crime risk is managed appropriately. Whilst qualifications provide employees with knowledge of the relevant risks and the ways to manage them, training nowadays should be continuous and address the risks to which the organisation is exposed. Effective training programmes should not only cover legislative and regulatory changes, but extend to the organisation’s policies, procedures, systems and controls, and the applicable emerging trends in financial crime.

Designated compliance function

A compliance function ensures that the organisation is operating in line with the applicable laws and regulations and with its internal policies and procedures. The adoption of a risk-based compliance monitoring plan is the cornerstone of an effective compliance function. Compliance officers are often seen as showstoppers or even as an expense to the organisation. This should not be the case, as compliance officers assist the business to operate in a compliant manner by advising it on how innovative business practices can comply with the applicable legislation. It is therefore vital to have compliance officers who help the organisation grow in a compliant manner, without imposing unnecessary hurdles to such growth.

Independent testing of the financial crime compliance programme

Independent testing of the FCC programme should be carried out by a sufficiently qualified internal auditor (either established internally or an external party) and should include assessments and testing to ensure that the programme is implemented in line with the organisation’s policies and follows the relevant regulatory requirements. Whilst internal audits are not always legally mandatory, their value should not be underestimated. The frequency of internal audits should be determined on a risk-sensitive basis, thereby focusing on those areas which merit the highest attention. Internal audit results should be reported to the board of directors so that it can exercise the necessary oversight over the relevant functions. Any recommendations are to be followed up and closed within the stipulated timeframe.

Moving forward

Financial crime compliance should concern not only regulated entities, but organisations in general. With the ever-evolving technological landscape and the innovative business models being adopted, managing financial crime has become a critical challenge. A dedicated management team; robust internal risk assessments, systems, policies and procedures; and knowledgeable and competent employees are the key components for navigating safely through this ever-changing landscape.

This article forms part of a series of publications focusing on cross-sectoral matters relating to governance, risk and compliance. The series aims to offer legal and practical insights, a valuable resource for understanding and navigating the dynamic landscape of GRC in Malta.

This article was first published in the Times of Malta on 22/04/2024.