We all know having an AML compliance programme in place is in our best interests if we want to comply with regulatory requirements, but it should be more than just an exercise to keep the regulators at bay.
On one hand you can implement a relatively easy programme which means you have followed the rules, but you could go above and beyond with your efforts and really do what’s right to protect against money laundering.
Invest now in really understanding the role of your business and those you’re doing business with, ask the right questions, dig deep, and make your compliance programme a critical tool in detecting and preventing money laundering activities.
Key to a robust AML compliance programme
Keep it unique
Tailor your AML compliance programme to the specific needs of your business, and include detailed policies and procedures. It may seem easier or more efficient to use a pre-made compliance template but don’t be tempted to rely on this alone. Your programme needs to be designed for your specific business risks.
It should also be designed to detect and report suspicious activity, and to protect you from being used as a vehicle for illegal activity.
It shouldn’t be about ticking a box – an effective AML compliance programme should help prevent money laundering and other financial crimes, as well as assist in meeting your AML policy requirements.
Keep in mind policy, procedure and control
Back in October 2021 the Pandora Papers highlighted deficiencies in AML compliance programmes in countries around the world, including New Zealand. It showed that in some cases meeting compliance obligations as laid out by regulators doesn’t necessarily mean you’re taking enough measures to truly prevent money laundering, particularly when dealing with Trusts.
Having robust risk-based policies, which are focused on reducing AML risk and are rigorous in approach will help ensure you are doing more than the minimum.
Your compliance programme will fall into three buckets:
1. Policy – what you’re going to do;
2. Procedure – how you’re going to do it; and
3. Control – making sure the Programme and the obligations are adhered to.
Your policies should typically cover the documentation that must be gathered, the systems that must be used, and the information which needs to be confirmed. While these policies should align with your obligations under the AML/CFT Act, they should also take into account the individual needs of your business.
Detail how you are going to carry out activity and what systems you are going to use to do this, and the people who are going to do it. Consider the skills required and whether some tasks need the support of the compliance manager. For example, in many cases staff vetting may be carried out by HR personnel but you might need support from the compliance team for specific critical roles.
Documentation of procedure needs to be explicit enough for anybody in your team to easily follow the process.
Show in your programme how you ensure policies and procedures are being followed, and how you ensure you are meeting quality standards. For example, detail when senior management or board level approval needs to be applied, and what internal controls you have in place to ensure this.
What to include when completing your AML compliance programme
1. Conduct a risk assessment
Before you get started creating your programme, take the time to carry out a risk assessment to determine how likely your type of business activity could be used for money laundering or the financing of terrorism, and how this could occur.
Consider the type of clients you work with, the services you offer, how services are delivered, if you’re dealing with people outside of your country of business, or if you meet every client in person.
2. Build a team of skilled staff
Ensure you have appointed a Compliance Officer who is well trained, with the expertise to manage and maintain your compliance programme. Provide support and ensure compliance activity is only carried out by trained staff who have been thoroughly vetted. Document how you carry out these processes.
Include details of the staff training provided in your AML compliance programme and document completion of training.
3. Apply know your customer processes
Create a customer due diligence framework which clearly outlines the steps taken to identify and verify customers, beneficial owners and persons acting on behalf of customers.
And commit to doing these checks really, really well. It’s not always easy to obtain accurate information. Trusts in particular can require some hard investigative work to identify the ultimate beneficial owner but it’s worth getting this right to mitigate the risk to your business.
4. Keep detailed records
You need to be able to show how you keep records which enable you to easily access client activity and the processes applied. State how you will keep written findings about your business relationships and transactions, and what additional measures you take when dealing with high-risk countries or clients.
5. Report suspicious activity
Detail how you will report suspicious incidents. Ensure you state who is responsible for submitting the report, how it is determined a report needs to be submitted, and advice for staff on how to complete a report.
6. Conduct regular reviews
Your business and clients can change so you must review your AML programme regularly to ensure that it remains current and to identify any deficiencies. If nothing in your business changes, a good practice is to review your AML/CFT documentation at the time you need to submit your Annual Report.
If you find your programme is no longer meeting requirements you need to make the necessary changes to your programme to resolve any deficiencies.
You can review your programme by running regular quality assurance checks. Take a look at whether your outputs are matching up to AML obligations, review policies, documentation and work out what you need to do to improve them.
7. Get ready for your external audit
Auditors will always review your compliance programme so it pays to have a well written, up-to-date document available for your review which will take place every three years whether you’re ready for it or not.
If you’ve been conducting regular reviews, and carried out quality assurance checks, preparing for your audit will make life a whole lot easier.
There are a number of elements to include in your AML compliance programme to ensure you remain compliant, but the reality is it should involve more than just ticking off requirements, and instead embrace a risk-based approach which is individual to your business activities and clients.
If you need help to get started, or support with quality assurance checks, get in touch to discuss how we can help write a compliance programme, or review your current programme to ensure it’s well designed for your risk profile and AML/CFT requirements.