Ensuring your employees are adequately trained in anti-money laundering (AML) is a crucial component of managing financial crime risk. Not only is it vital to protect your firm, but it’s often required by regulations.

ICA

The International Compliance Association (ICA) is a professional membership and awarding body. ICA is the leading global provider of professional, certificated qualifications in anti-money laundering; governance, risk, and compliance; and financial crime prevention. ICA members are recognized globally for their commitment to best compliance practice and an enhanced professional reputation.

In the United Kingdom, for instance, the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR2017) have clear requirements on training, and the Financial Conduct Authority (FCA) sees it as a key system and control. While the obligation to train employees is clear, there are many ways training can be delivered.

With that in mind, we take a closer look at four key questions to consider when developing your AML training and strategy—examining FCA guidance and seeing what lessons we can learn from historic enforcement actions.

The essentials

First and foremost, in whatever jurisdiction you operate, your regulations should be the first port of call when determining AML training obligations.

In the United Kingdom, the MLR2017 outlines two key requirements for employee training. First, it requires employees to be “made aware of the laws relating to money laundering and terrorist financing.”

This awareness-level training can be carried out by any number of means. A popular choice is mandatory online learning, which can be an effective way to deliver knowledge to a large or disparate group of employees.

Second, the regulation requires that employees and agents are “regularly given training in how to recognize and deal with transactions and other activities which may be related to money laundering or terrorist financing.” This second part is where it gets interesting, and there is a broad range of training solutions that can be acquired or designed to meet those needs.

Below are some important questions to consider for your own AML training program.

1. What are your training needs?

When determining your own training needs, consider the following:

  • What are the risks facing your business?
  • What do employees need to know?
  • What do employees need to do differently?
  • Are there any high-risk roles that have additional training requirements?

Typically, high-risk roles are categorized as such due to the activity undertaken in those roles. Relationship managers or employees in a payment processing team, for instance, are at the forefront of identifying potentially suspicious activity.

When determining the activities and roles that are high risk, consider what impact the roles have on the AML framework. Not all the roles will be customer facing, and therefore the risks they deal with will be different. Employees who need to assess risks when designing products, for example, should have training that enables them to appreciate AML risks and the control framework. This may lead to role-based training being the most appropriate solution, allowing it to be tailored to the specific activities unique to that role and the risks faced. This acknowledges the training needs of the AML teams will be very different to those in the first line of defense as well as those of your senior managers.

2. Is training the right solution?

It’s important to note training isn’t the one-stop solution for all of life’s problems—there can be other, systemic issues that training struggles to cover. If a team is under-resourced or there are technology issues, training alone won’t solve the problems. No matter how well employees are trained, if they have insufficient resources, they will not be able to carry out their functions appropriately.

Training is still, of course, a key component of the risk management framework. Procedures and job aids can often struggle to account for every instance; training that gives employees an understanding of the risks lets them apply those principles to different issues.

Once training has been determined as the right solution, the fun can begin with the design process, establishing the method for the training, the learning outcomes, and how they will be achieved through the content and activities. Establish the risks and subjects that need to be covered (remember, don’t overlook terrorist financing) and keep in mind how the effectiveness of the training will be measured.

3. Is the training provided on a regular basis?

The frequency of training must take into consideration the risks faced by the business while also being aware of practical considerations. Typically, a firm may choose to provide all learners with annual refresher training and then implement a cycle for more targeted training for high-risk roles led by a risk-based assessment. The FCA’s enforcement action against Canara Bank noted the absence of training between 2012 and its visit in 2015 as a key issue.

Part of this means thinking about the time needed by employees to complete the training. The FCA said in a decision notice on Deutsche Bank that insufficient headcount led to AML personnel having less time to devote to oversight, supervision, training, and professional development.

There must be a culture and environment to support training, which will provide learners with the appropriate time to complete the training, whether it be time away from the office to attend training courses/conferences or uninterrupted time at the employee’s desk to study or complete training.

A record of the training employees have completed should be kept, and regular analysis should be carried out to ensure training is kept up to date.

4. Are there business issues that need remediating?

Despite best efforts, there can be times when shortcomings are addressed after the fact. This is linked to the first question: determining training needs. Training can often form part of a remediation plan, ensuring employees have the appropriate skills and expertise to carry out their role to the required standard.

It may be that you have identified an issue with the fail rate of account openings during the customer due diligence process, despite having procedures in place. While there can be wider, underlying issues—such as technology and culture—it could suggest staff carrying out the role do not understand what is required of them, i.e. the practical application of the procedures. The FCA identified “shortcomings in the application of … due diligence policies and procedures” in its final notice to Standard Chartered Bank in 2019. The FCA noted it appeared Standard Chartered Bank hadn’t ensured employees involved in the process received adequate training. Inadequate training for employees to effectively carry out their role was also identified in the enforcement actions against Canara Bank and Deutsche Bank.

Investing in training can demonstrate AML is high on the agenda and the appropriate steps are being taken to prevent a recurrence.

In its notice for Canara Bank, the FCA noted improvements to AML systems and controls, which included “increasing the training for new senior managers.” Standard Chartered Bank’s remedial steps were also noted by the FCA, specifically the bank’s launch of a “Financial Crime Compliance Correspondent Banking Academy” offering AML and sanctions training to its respondent bank customers.

Training should be directed not only at employees but at anyone who has an impact on the risk framework, including third parties. This is echoed by the FCA in its enforcement action against Canara Bank, where it noted Canara placed reliance on third-party firms for its third line of defense but the internal auditor received only standard AML training in their own firm—and no specific training on Canara’s business.

There is a multitude of factors that need to be established when determining training requirements. What is clear is that a one-size-fits-all approach doesn’t work. Employees should be given the skills and expertise to understand money laundering risks and the control framework, but also opportunities to enhance their ability to practically apply their knowledge. Depending on the risk profile of your firm, tailored training might be required to help your learners better understand how it works in practice and to give them an environment in which to safely practice their skills.

The International Compliance Association is a sister company to Compliance Week. Both organizations are under the umbrella of Wilmington plc.