Maturing international frameworks, coupled with national and regulatory demands, mean a firm’s AML framework has never been higher priority or profile. An AML program is not simply a manual or a piece of paper, but a number of key features that work in conjunction to safeguard a firm from being used to launder the proceeds of crime.
Here are five key strategy elements which should be considered as part of an AML program.
Risk appetite. A firm’s risk appetite sets the foundation of the AML program. Simply, risk appetite is the level of risk that a firm is willing to take in order to meet its strategic and commercial objectives.
Risk appetite will be different for each organisation and will be steered by the board. It will be dependent on the sector in which the firm operates and its expertise. A small domestic bank only serving U.S. customers will not have the same risk appetite as a money service bureau whose main customers are migrant communities sending money to relatives in developing countries.
Money laundering risk cannot be eradicated but, by understanding the level of risk that the firm is comfortable being exposed to, an effective AML program can start to be built on that knowledge.
Risk assessment. The risk assessment is a crucial part of all AML programs. It allows the firm to adopt a risk-based approach: identifying the money laundering risks that the firms is exposed to, assessing the risk, and then taking steps to ensure that it is appropriately mitigated.
The risk assessment is a complex process and will involve looking at the firm’s business model and the vulnerabilities relating to the sector it operates in. What products are being offered? Are they likely to be misused? Who are the customers? In which jurisdictions are you doing business?
The risk assessment is not a one-time exercise but should be seen as an ongoing process, identifying any changes to the risks the firm faces.
Once you have identified risks, they need to be assessed and compared to the risk appetite. Are they activities, products, or customers that fall outside of the risk appetite? What can be done to mitigate the risk?
Internal systems and controls. By carrying out the risk assessment the firm is now in a position to implement controls that are proportionate to the risk that it is exposed to. Controls can take a number of forms and can include policies, procedures, business practices, or tools designed to mitigate money laundering risk.
In line with the risk-based approach, the controls will be consistent with the risk that it is designed to mitigate. An example is carrying out simplified due diligence measures for customers that have been identified as low risk and enhanced due diligence measures for high-risk customers.
A number of key controls, such as know-your-customer requirements and enhanced due diligence on Politically Exposed Persons (PEPs) are required by law and regulations.
Independent review. Having controls in place is not sufficient: You must also ensure that the controls are effective. There are a number of reasons why a control may not be working effectively, such as issues with a system or procedures not being followed by employees. Sample testing provides a firm with comfort that the controls are working, or it highlights at an early stage any problems.
In addition to the type of testing typically carried out by the compliance team, the internal audit function can independently evaluate the AML program to ensure that it is adequate and effective.
Training and culture. Employees are the first line of defence against money laundering. Employees that are equipped with knowledge of money laundering threats and the firm’s controls are better able to recognise suspected money laundering and spot red flags.
A culture which prioritises compliance and ethical behaviour is vital to an effective AML program. Employees who truly understand and value the importance of the controls are more likely to adhere to requirements. Employees need to understand their own individual responsibilities and the responsibilities of the firm.
It is crucial that through the training, employees know when and how to escalate concerns and through the culture, there are no barriers to escalating concerns.
Training can also be risk-based, with frontline staff receiving more tailored, in-depth training that ensures they are competent to carry out their role.
Conclusion. These are certainly not the only considerations for developing a robust AML program, but are intended to give an overview of some of the key elements. Perhaps the main point is that it shouldn’t be something that works in isolation. A well-considered strategy will add value and structure to a firm, building confidence throughout the organisation that risk is appropriately controlled.
Simone Jones is Senior Research & Development Manager for International Compliance Training.
The International Compliance Association (ICA) provides internationally recognised qualifications in AML, GRC and FCP. Take a look at the ICA Diploma in Anti Money Laundering here.
Be sure to attend the ICA Open House event in New York on March 9. Register here