Tips for testing anti-money laundering programs: independent tests by knowledgeable internal auditors are critical to ensuring the program is robust and fully aligned with regulatory requirements.

MONEY LAUNDERING, including terrorist financing, is a global problem. According to the International Monetary Fund (IMF), money launderers exploit differences among national anti-money laundering systems and move their funds through banks, securities dealers, insurance companies, and money service businesses in jurisdictions with weak or ineffective laws. In countries that fail to address money-laundering issues, the problems become more entrenched and protracted. The serious economic and social consequences of money laundering can include:

* Increased crime and corruption resulting from the use of laundered proceeds (e.g., to purchase weapons to protect illicit assets).
* Undermining of the legitimate private sector due to the launderer's access to substantial illicit funds that can be channelled through front companies at levels below market rates.
* Weakening of financial institutions, as money laundering and terrorist financing can negatively affect the stability of financial institutions.
* Economic distortion and instability. Because money launderers are only interested in hiding the origin of their illicit funds, they "invest" their money in activities that are not necessarily economically beneficial to the country where the funds are located.
* Loss of control of, or mistakes in, decisions regarding economic policy.

Due to government concerns globally, laws have been enacted in countries such as the United States (the Bank Secrecy Act (BSA)), Canada (Proceeds of Crime (Money Laundering) and Terrorist Financing Act), and Australia (Anti-Money Laundering and Counter-Terrorism Financing Act 2006) to combat money laundering and financing of terrorist activities.
Such legislation embodies recommendations from the Financial Action Task Force (FATF), a Paris-based intergovernmental body formed in 1989 by the Group of Seven industrialized nations. As a result, financial institutions in many countries have taken initiatives to implement appropriate policies and infrastructure for ensuring compliance with applicable money laundering requirements and practices. One such step has been to implement anti-money laundering/counter-terrorist financing (AML/CTF) programs based on FATF recommendations.

Independent testing by knowledgeable internal auditors is critical to ensuring AML/CTF programs are robust and fully aligned with regulatory requirements. The testing of these programs should be cohesive and integrated and include a well-defined strategy that takes a risk-based enterprisewide perspective.

START WITH A STRATEGY

To develop a strategy for testing an AML/CTF program, it is necessary that the audit team understand the organization's products and delivery channels as well as its types of clients and their geographic location. It is also necessary to understand the company's organizational structure, infrastructure, policies, procedures, and controls for mitigating money laundering and terrorist financing risks. Also as part of the audit strategy, auditors should list all regulatory requirements in the countries in which the organization does business. Once these components are clearly defined and understood, a risk profile can be developed to ascertain risk levels and enable the creation of appropriate audit programs, staffing, and overall management of the audit assignment. The audit strategy should be approved by the audit executive.

TESTING AND VALIDATION

Separate audit programs should be developed for testing and validating activities associated with mitigating AML/CTF risks. Examples of key activities of AML/CTF programs include processes for:

* Identification of terrorist and drug trafficker activities.
* Transaction monitoring and reporting of suspicious activities to government authorities.
* Staff training programs.

The temptation to use boilerplate or template audit programs should be minimized by disciplined and measured audit programs aligned with the specific nature of the area being audited.

One of the biggest challenges in developing the audit program is determining appropriate sampling methodologies for performing the required testing and validation. Inappropriate sampling will lead to incorrect and unsupportable conclusions. Sampling criteria and attributes must be defined clearly and be consistent with audit objectives. The audit manager should approve the sampling methodology before execution.

The auditor needs to verify compliance with local regulations, which is not an easy task due to the high transaction volumes. However, in most organizations, transaction-based processes are automated and queries can be developed to create exception reports where deviations from expected outcomes exist. Examples of the various types of automated exception reports include:

* Cash deposits of US $10,000 or greater where the required regulatory reporting has not been completed. (This threshold applies to Canada and the United States and may vary in other countries.)
* Transactions with countries where trade sanctions exist.
* Industry codes listing clients in high-risk industries to assess the level of enhanced due diligence performed.
* List of employees who have not completed required AML/CTF training.
* List of clients with Post Office box addresses.
* List of clients with missing Taxpayer Identification Numbers.
* List of wire transfers from accounts owned by governments into accounts of private investment companies and politically exposed persons.

Additional tests may include:

* Referring to the Office of Foreign Assets Control (OFAC) to ascertain whether transactions are processed for clients who reside in sanctioned countries (e.g., Cuba, Iran).
  OFAC falls under the U.S. Department of Treasury and administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals.
* Validating that "know your client" and customer identification requirements are compliant with local regulatory requirements.
* Validating that enhanced due diligence is performed on high-risk businesses.

Because criminals are creative and money laundering methods and techniques change in response to evolving countermeasures, a useful reference for auditors is FATF typologies that provide insights into emerging threats and may suggest new areas for auditors to test. These typologies are available via FATF's Web site at www.fatf-gafi.org.

REPORT FINDINGS AND FOLLOW-UP

The results of the audit review should be documented and rated in a formal report distributed to the business owners, senior management, and, depending on the severity of deficiencies, the board and audit committee. The highest level of severity would represent issues where there are no compensating controls in place for deficiencies that directly contravene local laws. Medium level of severity would encompass those issues that are material; however, some compensating controls are in place. Low-level risks are minor control weaknesses where correction should be considered.

The severity levels would ultimately be useful for assigning an overall rating to an organization's AML/CTF program. Each organization will have its own criteria for determining a good, weak, or unsatisfactory overall rating. Although there is an element of subjectivity involved in this assessment, it is suggested that guidelines be provided for rating the overall quality of controls.

A process should be instituted to ensure action plans are implemented in accordance with committed completion dates. Responsibility for ensuring corrective actions are undertaken timely resides with the business or process owner.
When issues are left unresolved, reporting protocols should be formalized for escalation to senior management. The internal audit department can perform this function.

A GROWING RISK

Business culture has traditionally revolved around management of risks relative to sales, markets, economic trends, and reputation. Only relatively recently has regulatory risk as it relates to AML/CTF requirements received more intense scrutiny. Regulators have adopted a zero tolerance position, as evidenced by penalties against financial institutions for noncompliance with AML/CTF legislation.

The ultimate example of how not to conduct an independent audit of AML/CTF programs was offered by the former Riggs Bank N.A., based in Washington, D.C., where systemic violations of law reportedly occurred within all principal compliance areas. The U.S. Financial Crimes Enforcement Network stated in its report: "Riggs did not implement an adequate system for independent testing of BSA compliance. The independent testing for compliance with the BSA was neither timely nor effective for the level of risk within Riggs. The internal audit could not verify that management's corrective action for identified deficiencies was effective or timely. In addition, the scope of the audit failed to include an evaluation of the areas of money laundering vulnerabilities, BSA compliance, or the suspicious activity reporting process." The organization was fined US $25 million by the U.S. Department of Treasury for AML violations.

Financial institutions are considered an integral defense in the fight against money laundering and terrorist financing. It is imperative that these organizations implement effective independent testing programs to assess the quality of controls relative to their AML/CTF programs. Sound independent testing by auditors who have in-depth knowledge of AML/CTF regulations, risks, controls, and businesses is considered a key control within an organization.
Their audit work provides management with the necessary intelligence for proactively managing deficiencies and ensuring that a well-aligned top-down control environment with appropriate resources and infrastructure is in place for mitigating AML/CTF risks.

To comment on this article, e-mail the author at shoukat.khan@theiia.org.

SHOUKAT M. KHAN
AUDIT MANAGER, INTERNAL AUDIT SERVICES
ROYAL BANK OF CANADA

RELATED ARTICLE: Dirty Money

Money laundering is the process of making dirty money look clean. The Financial Action Task Force defines money laundering as:

* The conversion or transfer of property, knowing it is derived from a criminal offense, for the purpose of concealing or disguising its illicit origin, or assisting any person who is involved in the commission of the crime to evade the legal consequences of his or her actions.
* The concealment or disguising of the true nature, source, location, disposition, movement, rights with respect to, or ownership of property, knowing that it is derived from a criminal offense.
* The acquisition, possession, or use of property, knowing at the time of its receipt that it was derived from a criminal offense or from participation in a crime.

Crimes such as smuggling human beings, embezzlement, insurance fraud, bribery, and drug trafficking can produce large profits and create an incentive to "legitimize" the proceeds through laundering using financial institutions. Criminals use financial institutions as the conduit for disguising the source of their income.

RELATED ARTICLE: Key Elements of an AML/CTF Program

An effective AML/CTF program includes:

* Appointment of a senior officer responsible for ensuring risks are understood, addressed, and mitigated enterprisewide.
* Development of formal policies, procedures, and controls that are aligned with the FATF recommendations, as well as local regulations.
* Implementation of a risk-based approach for identifying risks by client, geography, product, and delivery channels.
* Implementation of dynamic rules-based transaction monitoring for purposes of identifying and reporting suspicious activities.
* Implementation of training programs customized to specific functions and activities.
* Independent testing of the program.