2021 has been a busy year for reporting entities, with the repeating audit cycle for phase 1 reporting entities and the first-year audits for a significant number of phase 2 reporting entities. The challenges were clear due to the Covid-19 pandemic which resulted in lockdowns. Entities with hard copy files for compliance records were most affected due to restricted access to information for auditors while entities with cloud-based platforms for information recording found it easier to have auditors access their files and perform procedures remotely.
Audit cycles and reviews
The extension of the audit cycle to three years from 2-years was welcomed by reporting entities. However, from a risk perspective, entities with immature and developing systems, processes and procedures could be negatively impacted. It will now take 3 years for the auditors to perform official audit. Timeous audits assist with follow up review of remediation done on issues raised in audits. The onus is on the reporting entities to be proactive on follow up reviews with the auditors to ensure they have adequately addressed issues, especially the systemic and pervasive AML compliance issues. This can be done through interim reviews within the three year timeline. Another issue which reporting entities are to be aware of is that the extended timeline for audits does not reduce the effective audit scope, but will require reporting entities to have robust record keeping arrangements that ensure easy access to information dating 3-years back for the audits.
What our audits are finding
Our audits are finding significant improvement in the performance of client due diligence procedures by reporting entities, specifically client verification, however several other obligations are often neglected such as staff training, updating of risk assessments and compliance programmes, ongoing client monitoring and having an effective internal assurance programme to check effectiveness of the operation of the procedures and controls. There are several updates made by the regulators in 2021, the impact of these were expected to have been factored in the revisions of the risk assessment documents and compliance programs. In July 2021, the Regulators issued “Explanatory Note: Electronic Identity Verification Guideline” To be read in conjunction with For Part 3 – Amended Identity Verification Code of Practice 2013. This guide was very important as it clarified compliance regulations in the event of non-face to face contact with new customers during the lockdowns.
Who audits the auditor?
The AML audit process is not mandated by the AML regulators, it is interesting to know how reporting entities would be able to demonstrate that their auditor is “suitably qualified”, since there is no criteria set by the regulators. A good audit outcome is one that is characterised by a competent and knowledgeable assurance provider who follows an acceptable methodology and quality control. This is normally characterised by an auditor who has had training in providing assurance services and is also a member or a recognised professional body. It is strongly recommended for reporting entities to review the competence of their auditor to ensure they get the best value for money as they are crucial in providing pragmatic recommendations to enhance and develop the AML compliance process.
Not all is crystal clear
There still exists grey areas, which are currently being debated by reporting entities, these include perceived risk of money laundering relating to certain services such as tax balance transfers between IRD accounts owned by the same entity, a product in the accounting industry. There is a good argument how this could be a significant money laundering risk. As the AML risk awareness matures, a review of the AML risk concentration by the regulators at the product level which culminates in a revision of captured products or services based of factual data, or themes and trends would provide a more focused approach to mitigation of Money Laundering risk at the reporting entity level by focussing on the risky products.
AML risk is real
Financial crime does exist on our shores and there have been several arrests including one case where $10 million worth of assets, three vehicles, four houses and 23 bank accounts, cash, cryptocurrency were seized. This occurred in March 2021. It was alleged that the money was used for importation of illicit drugs into the country. A money transfer business was used in the process. It is therefore encouraged for reporting entities to continue being sceptical when dealing with existing customers relationships or taking on new customers by continuously revisiting their KYC (Know your client) procedures to ensure transactions are not associated with money laundering.
Read more about AML audits from Strategi Compliance who discuss why independent audits are important and what to look for in an auditor.
And see how you can make audit time a whole lot easier with ongoing quality assurance checks.