How to Find Your AML Compliance Gaps (before your regulatory inspection finds them for you)
April 24, 2021
As an avid reader, my favorite genre is mystery. A good mystery writer will drop a clue now and then, just enough to keep me guessing and occasionally I may be able to figure out who did the deed once I reach The End.
However, as much as I love a good mystery, a compliance manual should not read like one. And yet, sadly, so many do. Too many require the reader to hunt for the clues to a company’s anti-money laundering (AML) processes and policies and approach to risk analysis.
Why are the manuals so badly written?
First, because AML compliance manuals have, historically, been an exercise in “just get it done”. We usually started with some template (Yes, I too am guilty of this) and then made some minor edits to “fit our business” and then ticked this item off our very long to-do list.
Second, because we hesitate to truly edit. Good editing requires cutting and we have this fear in compliance that to remove something that’s been working so far is a huge risk. This results in a compliance manual that changes little through the years except to get wider – like my waistline. This added girth is because the new AML directives, new money laundering trends, and the increased risk of AML fines and penalties add to our stress level. Consider these the cortisol of middle-aged compliance manuals.
Finally, because every year more people are tasked to review it so we can demonstrate that “culture of compliance” – a few Board members, a lawyer, the new IT manager, etc. They each have to add their “two cents”, then it gets approved and emailed to staff. Staff flick through it, underwhelmed, before putting it back on the digital shelf where it gathers digital dust.
We need to change this. Why? Well, there are lots of good reasons to change but the one that counts is because auditors and regulators are actually reading these manuals now. And they don’t like mystery novels the way I do.
But where to start?
Here’s an idea: instead of it being a “manual” (i.e., boring, dull, a lot of CYA wording, and generally unhelpful), what if we refer to what we create as an “AML Compliance Map” – one we use to plan our exciting journey in the world of AML regulated services?
Have you ever been on a great journey? I know most of you have been on at least one hiking trail. Or maybe you prefer snow skiing. Or biking. Or you’ve been on a long road trip or exciting train ride. Whatever the journey you took, you will remember that the trip began before the trip began. And it began with a map.
That map may have been on paper and had multiple folds or it may have been on your device. Whatever the medium, there was a map. If you couldn’t read it properly, you risked getting lost. If the map was wrong, you definitely got lost. But the second you opened that map is when your journey truly began. How much time you spent studying that map and getting to know that map correlated to how successfully your journey ended. (And, think about it, when we get lost on a journey, do we pull out our car’s manual? No, we look at a map. Isn’t that what we want our staff to do if they get lost on their AML journey?)
AML compliance is a journey. It’s an exciting one too if you approach it with the right mindset. Yes, some people think I’m insane because I enjoy AML compliance. I find it exciting and interesting. I truly enjoy the Know Your Client (KYC) aspects of AML compliance. Reviewing Client Due Diligence (CDD) is, to me, like meeting the stranger on the train on my journey that soon becomes a good, lifelong friend that I happen to do business with. Or, they’re the stranger that makes me want to change seats.
That’s what the CDD and KYC process is supposed to do. Help you decide if you want this person in your life – or not.
Yes, I wish I had the skills of a good AML compliance officer in my 20’s. It would have saved me from a lot of bad second dates. But I digress.
Let’s return to our AML compliance manuals.
I have been asked to review a few from clients lately. Why? Because regulators are stating that the manuals are missing some critical aspect (but they won’t say what exactly) or insisting they don’t meet their expectations or that policies aren’t well stated in the manual.
When I get the offending manual, I find myself flipping through the pages and sections and sometimes (god forbid) CHAPTERS. My first goal is to figure out how to start getting paid by the word because clearly that’s what’s going on out there.
My second (real) goal is to figure out, by just reading the manual, what I would have to do to onboard a new client or end a client relationship.
It’s a good thing I like mystery novels because more often than not that’s what I feel like I’m reading when one of these things lands on my desk. I’m searching for clues on how to onboard and risk assess a new client.
A compliance manual is not, however, a mystery novel. The manual should, instead, be our map, our guide, on our journey. We want our readers to WANT to print it out, to refer to it multiple times in their AML compliance journey – especially at every crossroad.
If you are sighing heavily because you know your manual is not the helpful, well-written tool that it should be or you’ve been told (unhelpfully) that “there are gaps in your compliance process”, you’re probably wondering what to do next.
My advice: lock yourself in a room with a large whiteboard and lots of colored markers. On that whiteboard you are going to draw a map of the AML compliance journey that you and your staff have to take to onboard, review, and end a client relationship. What you are creating is called a flow chart.
This flow chart should be boxes and lines only. No long legal definitions or footnotes should be added. Just boxes and lines. Inside every box is one question that can only be answered with a yes or a no. Flowing out of those boxes will be two lines – one for when you answer yes, the other for no – each answer leading to another box with another question until you reach one of multiple final conclusions: Decline the business or onboard the new client at a specific risk assessment level.
Then, test it. Run your typical and a few atypical clients through that flow chart.
Our goal with this exercise is to efficiently identify those clients that are strangers on the train that make us want to change seats. Your flow chart should weed them out quickly – by box 2 or 3 is ideal.
The clients that do get to stay on the train with you, you’ll be able to move through the flow chart quickly and you’ll be able to assign the relevant AML risk assessment at the end.
You will likely find you need to create multiple flow charts. You’ll definitely need one for those clients that need to get escalated to senior management or your Board for review for politically exposed persons, or ones that have some negative press or are requesting some higher risk services or products that you provide.
What you should NOT have is a flow chart with only three boxes: (1) Do I have all CDD on file? (2) If Yes, mark client as completed. (3) If No, get more pieces of paper from them.
Sadly, I have come across a manual that essentially said just that.
If it must be said, let me say it now: Completed CDD does not mean completed AML obligations.
Let me repeat that: Completed CDD does not mean completed AML obligations. The initial CDD is merely the starting point for your client risk analysis.
Your first question in a box could be “Do I have the minimum required CDD?” If yes, then the next question could be, “Are they sanctioned?” (Hint: your minimum required CDD should include a sanctions screening result.) If yes, they are sanctioned, push them off your train immediately. If no, then move on to the next question which might be, “Are they from a high-risk country?” If no, they can stay on the train with you. If yes…. Well, you tell me – what does your compliance manual say you should do?
Once clear, comprehensive flow charts are drawn, you will have a map to guide you through every conceivable situation of onboarding, reviewing, and ending client relationships.
If your flow charts cannot guide you through every conceivable situation to an acceptable risk analysis or decision to end the relationship, then that’s where the gaps are in your policies and procedures. And you want to find those gaps before a regulatory inspection finds them for you.
The flow charts that you create are just one tool that you will need to pack for a successful AML compliance journey. And we’ve got some packing to do because the weather up ahead looks a little stormy. You’re going to need to buckle up, too, because the regulatory road is looking a bit treacherous. But like any exciting journey worth experiencing, you can take steps to be safe and be well prepared. And, who knows, if you are anything like me, you’ll still pack a good mystery novel to enjoy on the days you can rest. Just don’t make that mystery your compliance manual.
Kimberly Smith is co-founder of SILO Compliance System and a former compliance officer and MLRO. She has her AML certification from the International Compliance Association.