The newest Anti-Money Laundering (AML) guideline for the legal industry reinforces regulators' expectations that businesses should evaluate whether to create an independent audit function and, if it is not required by law, evaluate whether it would benefit them in any case. Regulation 21 of the Money Laundering Regulations 2017 requires establishing an independent audit function when appropriate to the size and type of the organization. As a result, a firm's first hurdle is determining whether it is of sufficient size and character to require one.
It's helpful to analyze why the 2017 Regulations included this extra requirement. Despite having large teams of well-trained AML employees, regulated firms, notably banks, were suffering AML errors. One of the issues raised was that even where internal auditing teams were in place, their lack of independence meant they might not notice if something wasn't quite right or have the power to ensure that suggestions were followed.
1. What Does an Independent AML Audit Entail?
An independent AML audit is an examination of the company's anti-money laundering program. It is not a financial audit but rather an analysis to verify whether a company has a proper anti-money laundering program in place and is doing what it says it is doing.
In most cases, an AML audit contains the following:
- A full examination of the company's anti-money laundering compliance program document
- Testing of the organization's AML policies and procedures
- Review of the Customer Identification Procedure (CIP)
- Transactional evaluation and testing
- OFAC investigations
- Review of FinCEN-related filings (CTRs and SARs)
- AML training evaluation
- Evaluation of automated monitoring methods and management information systems
- Examination of previous audit reports to determine the effectiveness of recommendations that have been implemented
2. Who Can Conduct the AML Audit?
An AML audit can be carried out by corporate employees who are not involved in any areas where possible money laundering concerns exist, or by a third party. This means that the independent audit cannot be conducted by the approved AML compliance officer (or anybody on his or her team). Many smaller businesses use competent independent third parties because they lack personnel who are knowledgeable in these areas or find it too expensive to commit the time and resources required to do so internally.
3. How Frequently Must an AML Audit Be Conducted?
The frequency is risk-based for financial organizations that are classified as loan and financing firms by the US Treasury's Financial Crimes Enforcement Network (FinCEN). According to FinCEN, the depth and frequency of testing must be relevant to the risks represented by the company's products and services.
The frequency of AML audits is typically dictated by the Self-Regulatory Organizations' (SROs') compliance standards for other financial companies and those that are members of an SRO. The rule mandates an annual AML audit for broker-dealers who are members of the Financial Industry Regulatory Authority (FINRA). In addition, the AML audit requirements must be met every twelve months for commodity futures brokerage companies that are members of the National Futures Association (NFA).
4. The Difference Between an AML Audit and a Financial Audit
A licensed public accounting company conducts an independent financial statement audit. It entails examining, on a test basis, evidence supporting the amounts and disclosures in the company's financial statements; evaluating the accounting principles used and the significant estimates made by the organization; and assessing the overall financial statement presentation to develop an opinion on whether the financial statements as a whole are free of material misstatement. An AML audit, on the other hand, is a check to determine whether a company has a proper anti-money laundering program in place and is doing what it claims to be doing.
Internal audit weaknesses draw regulatory attention in four key areas
Subject matter expertise: Auditors' qualifications are important to regulators. Organizations want to make sure their auditors have the required subject area expertise and experience.
Planning and scoping: Internal audit plans and scope papers have come under fire from regulators, particularly when companies fail to undertake audits on a regular basis. While the Federal Financial Institutions Examination Council does not require a specific timeline, it recommends 12- to 18-month intervals.
Execution and reporting: Regulators have often questioned execution, claiming that evaluations are not comprehensive. To comply with 2020 OCC advice, firms should establish thorough testing and reassess sample procedures.
Validation: Regulators frequently criticize institutions that lack comprehensive issue validation processes. Enforcement currently focuses on rapid remediation, the establishment of long-term controls, and independent testing.