Don’t let the title fool you. Establishing a comprehensive AML Program may involve “Five Steps” – but the steps are giant. We’ll break them down, but each area is time-consuming and takes a focused mindset.
We don’t suggest holding someone new to the AML profession solely responsible for implementing an AML Programme. Senior Management needs to understand that there are significant financial and reputational risk exposures if you have an underdeveloped AML Programme. Seek the input of an experienced advisor rather than trying to build a programme alone if you don’t have the experience.
Because money laundering and terrorist financing are global problems that require global cooperation to combat, an international agency called the Financial Action Task Force (FATF) has provided recommendations that countries must apply in their legislative framework. These recommendations are known as the FATF 40+ Recommendations.
Allowing each country to draft its laws to meet the FATF 40+ Recommendations enables local governments to consider their specific regional economic risks, resources, and objectives.
You’ll often read about using a “risk-based approach” to implementing these recommendations. The risk-based approach takes away the need for everyone to follow the same prescriptive rules, and instead allows for the effective use of resources by those impacted by the regulations.
Typically, these local laws and regulations are called Anti-Money Laundering (AML) laws. However, ancillary legislation and guidance publications work together to guide a good AML programme in many countries.
The first step in establishing a good AML Programme is knowing the FATF 40+ Recommendations and ensuring that you understand the AML laws, along with any industry-specific regulations or guidance that apply to your business. Your local industry associations may also issue best practices.
Review Corporate Governance roles and responsibilities. Determine who is accountable for the AML compliance programme. Furthermore, choose the individuals that will be the Compliance Officer, the Money Laundering Reporting Officer, and which Board Members will oversee AML compliance from a high level.
Detail the frequency of reports to the Board, along with the information contained in those reports. Detail the number of meetings held, any review or escalation committees, and the coverage of duties, such as who will review potential sanctions hits or reviews.
Also, keep in mind – only employ and appoint persons who are fit and proper for these roles. Your regulator may even require their approval or, at the very least, notification of appointments to these specific functions.
Conduct a Business Risk Assessment. Perform this assessment on your entire organisation and local operations. Review every product/service you provide in all regions to all types of customers/clients.
Larger organisations need to ensure the person(s) performing the Business Risk Assessment has access to all divisions and departments. This way, they can obtain information on the products/services offered – like how they are used, who uses them, and why. Accounting teams will need to provide information on the client/customer portfolio, including where they reside and how they pay (wire transfers, cash, checks, bitcoin). The assessor may also require extra support, depending on your organisation.
Your AML Manual will have the following sections:
- Client Due Diligence (CDD) – what you require as standard due diligence measures.
- Risk Assessment Procedures – what factors you consider when performing the risk assessment, and how you can tell if a client/customer is at higher risk for money laundering or terrorist financing.
- Enhanced Due Diligence (EDD) Requirements – the additional steps you take when identifying higher risk clients/customers.
- Sanction Screening and Politically Exposed Persons Review procedures – which sanctions lists you check, how you check, how often (if not automated), and how you identify potential PEPs.
- Escalation Procedures for Higher-Risk clients/customers – who in Senior Management will review higher risk clients/customers and approve acceptance.
- Ongoing Monitoring – how frequently you review all clients/customers, and procedures taken during the review.
- Suspicious Transaction/Activity Reporting – how to report, to whom you report, how to avoid tipping-off, what to expect when you report.
- Record Retention – how long you retain all related compliance documentation and the procedures for destroying any documentation.
- AML Awareness Training of Staff – how frequently, who provides, what constitutes AML training.
- Any other internal controls that apply to your industry or business.
Keep in mind, larger organisations may need separate manuals across different regions or departments.
Sequentially organize the manual sections for the audience’s benefit, including Board members, non-compliance staff, and regulators. Include clear term definitions, and require non-compliance staff to read the manual. You should also log the times of initial drafting and review, along with who did them. Make sure to keep version variations as well.
Consider whether your firm requires supporting policies and procedures. The main difference between policies and procedures is that a policy defines the rules, and the procedures provide a step-by-step guide on the execution of that policy. For example, you may need a procedure manual on the different data information systems (e.g., compliance and accounting systems).
There is a time and a place for each. But first, draft the policies. They provide expectations and directions for staff. The procedures are essential for unique applications, and they also highlight places where there could be exceptions to the policy.
Review your AML programme – from your business risk assessment to any procedures – at minimum once a year. Bring forward the review during certain trigger events such as implementing new systems, staff changes, role and responsibility changes (e.g., annual promotions), when new products/services are rolled out or no longer offered, or if there are regulatory changes.
Never assume that nothing has changed. You should review the entire programme and its supporting documents.
Depending on the size of your organisation, a policy writer could be a full-time job. If you rely on staff with additional responsibilities, allow them to block out a week (or more) each year to focus entirely on the review of the AML programme. The business risk assessment alone could take several days of reviewing your client/customer data and getting an understanding of all products/services you provide to ensure a thorough understanding of money laundering and terrorist financing risk.
Smaller firms often make the mistake of assuming that a fully documented AML Programme is unnecessary. This thinking could put you at risk of inconsistent application of an AML programme, duplication of efforts, possibly missed steps, and a fine or penalty for non-compliance.
The Five Steps for a comprehensive AML programme are not small. In fact, you could consider each step described above a journey. But if you invest the time and focus, you can establish a solid and efficient AML programme and be confident of AML compliance when it comes to an audit.
About the Authors:
Shelly Forde holds a dual bachelor’s degree in Business Administration and Finance, a master’s degree in Finance with a certificate in Risk Management, a graduate diploma in Law and a certification as an advanced certified AML Specialist in Risk Management. Based in Turks and Caicos, Shelly has over 15 years of professional experience in the banking, insurance, shipping, law and trust industries. Shelly focuses on conducting risk assessments, staff AML training, and creating a strong AML program for her clients. You can reach Shelly at email@example.com.
Kimberly Smith is co-founder of SILO Compliance System, a client due diligence and anti-money laundering compliance technology used by dozens of small and mid-sized businesses globally. She has her Graduate Diploma in Anti-Money Laundering from the International Compliance Association and a Bachelor’s degree in Finance. Kimberly hosts the webinar series AML Compliance Grey Matters, discussing areas of AML with little guidance or unclear best practices. You can reach Kimberly at firstname.lastname@example.org.