For more than five years, entities conducting relevant financial business in the Cayman Islands have been required to maintain an appropriate internal audit function to test and evaluate their anti-money laundering and anti-terrorist financing system of controls.
The word “appropriate” appears twice in the wording of Regulation 5, so there is a generous amount of discretion available in determining the type, scope and frequency of the audit to take place. And whilst one could look overseas for inspiration and a benchmark, one will find the position there to be a little different. This article will examine the AML/CFT audit requirement in Cayman, the U.S. and the U.K. and the relevant international standards, and critique the reasons for the different approaches and their implications.
The Money Laundering Regulations have required that all entities conducting relevant financial business maintain an appropriate internal audit function as part of their internal controls, as may be appropriate for the purposes of forestalling and preventing money laundering.[1] The guidance[2] further describes this as an “AML/CFT Audit” and requires financial services providers to conduct, on a regular basis, an AML/CFT audit to:
- attest to the overall integrity and effectiveness of the AML/CFT systems and controls;
- assess its risks and exposures with respect to size, business lines, customer base and geographic locations;
- assess the adequacy of internal policies and procedures;
- test compliance with the relevant laws and regulations;
- test transactions in all areas with emphasis on high-risk areas, products and services;
- assess employees’ knowledge of the laws, regulations, guidance, and policies & procedures;
- assess the adequacy, accuracy and completeness of training programmes; and
- assess the adequacy of the process of identifying suspicious activity.
As yet there are no prescribed standards on the conduct of the audit outside of the U.S. It is sometimes seen to be part of, or an extension to, the internal audit. It is interesting to compare and contrast this aspect of the Cayman Islands’ compliance regime with that seen in the U.S. and U.K.
In the U.S. there is a clear requirement to have an independent AML audit, and this is one of the four pillars of the AML regime.[3] The AML audit requirement comes from the Bank Secrecy Act and is fully described in the FFIEC Examination Manual.[4]
Back in 2007 the EU requirements for an independent AML audit were compared with the equivalent in the U.S.[5] Delston and Owen highlighted that whilst the U.S. mandated an independent audit, the same was not explicit in the 3rd EU AML Directive.
It is interesting, then, that the proposed 4th EU AML Directive goes further than the 3rd by explicitly requiring an independent audit to test internal policies, procedures and controls, but again providing that this is to be appropriate with regard to the size and nature of the business.[6] Article 8 of the 4th EU AML Directive examines the effective management and mitigation of the risk factors associated with AML/CFT.
The European Banking Federation[7] recently published its position and “believes it would be a natural responsibility of the compliance officer – rather than of the external independent auditors – to test these internal policies and procedures as compliance officers are expected to provide an objective view of company policies and make sure that the company complies with its outside regulatory requirements and internal policies.”
Financial Action Task Force
To add to the controversy, whilst in the 2003 FATF Recommendations an audit function to test the AML/CFT system was clearly required,[8] when this was carried over into the revised 2012 FATF Recommendations it appears only in the interpretative note.[9] This indicates the greater emphasis in the 2012 Recommendations on a risk-based approach, and whilst the proposed 4th EU AML Directive makes the audit a requirement, it emphasises the ability to take a risk-based approach.
Whose responsibility is it?
In Cayman the use of the term “internal audit”, rather than for example “evaluation” or “assessment”, has been inferred to mean that the person conducting the audit is independent. This does not mean that an outside contractor need always be used, but for certain the auditor must have a separate reporting line from that of the compliance officer.[10] In the U.K. the approach is to require the Money Laundering Reporting Officer to report on the operation and effectiveness of compliance systems and controls.
The U.K. FCA’s ‘Financial crime: a guide for firms’[11] outlines how a firm’s systems and controls are built by:
- documenting what the firm’s approach is;
- regularly reviewing those policies; and
- ultimately conducting monitoring through internal audits or other independent parties.
To emphasise the quality of oversight, decisions on resourcing, be that for compliance or audit, are ultimately risk-based, and this is coupled with the audit personnel’s level of experience in financial crime matters.
One bad practice theme identified for financial institutions is categorically stipulated as “no internal audit resource is allocated to monitoring.”[12] This adds to the suite of financial crime challenges faced by firms.
Thus in the U.K. there is much more use of independent audits or regulatory health checks, either to prepare for a scheduled regulatory inspection or as part of an ongoing risk management strategy, to assess and report on key controls and compliance with applicable legislation, regulatory requirements and policies and procedures.
Ultimately within the U.K. the MLRO will act on advice and guidance directly from bodies like FATF, the world’s anti-money laundering standard-setting body. Recommendation 18 outlines a financial institution’s programme against ML: again policy stipulation and training of employees, with the final element being “an independent audit function to test the system.”[13] Many in the U.K. would argue that the discretion afforded by the word ‘appropriate’ in the interpretative note regarding independent audits, as also seen in the Cayman money laundering regulations, leaves this decision ultimately with the head of compliance or money laundering reporting officer. Of course the responsibility on compliance and money laundering reporting officers is much greater in the U.K. regime.
In the U.K. the MLRO must submit to senior management an annual report on the operation and effectiveness of the firm’s ML systems and controls. Guidance on this is provided by the Joint Money Laundering Steering Group, which states that the audience of this comprehensive report shall usually consist of approved persons working within a controlled function,[14] namely CF 28 (systems and controls function), CF 29 (significant management function) or CF 30 (customer function). Where the CF 11 (money laundering reporting officer) has written the company policies and procedures as well as provided the training, it could be deemed appropriate to commission another independent auditor of these aspects of the system of controls and to include a gap analysis of these in relation to actual practice.
Ultimately within the U.K., compliance with ML regulations is driven by the personal responsibility of the money laundering reporting officer (CF 11). Taken together with the regular communications issued by the regulator (FCA), ranging from consultation papers to the anti-money laundering annual reports, and evidence of ultimate enforcement, the result is a clued-up compliance function, armed with the knowledge and interpretation of ML law so that it may make an informed decision should the firm require an independent heat map of its AML policies and procedures or an independent audit to test its systems and controls.
Aligning money laundering/terrorist financing, regulatory and reputational risk
Combining the effect of applying personal responsibility to compliance officers and money laundering reporting officers with the enhanced enforcement actions of the last two years results in firms seeking to mitigate all risks by means of frequent independent audits, regardless of any regulatory requirement to do so. Ticking the box on the requirement to have an audit is not likely to be the primary driver. There will, however, be an effect on the type of audit report to be issued.
It is important to have a report that is available to the regulator and from which it can assess the actions taken by the board to address the gaps and weaknesses identified. It is of course not necessary to address all the gaps, as Goldzung warns: “You may elect not to implement recommendations made by the independent audit provider, but best practices dictate that you document the reasons the firm is willing to accept the risk of not doing so. Addressing deficiencies or weaknesses in controls and implementing corrections followed by documented self-testing will avoid a citation by FINRA.”[15]
An AML/CFT independent audit will clearly involve planning of scope, interviews, testing of transactions and reviews of records. In Cayman the auditor must attest with regard to AML risk and controls only, and it is suggested that this could exclude regulatory, legal and reputational risk; but in jurisdictions where these are the primary drivers a different approach will be seen.
Mandatory audit requirements are interesting in that, if an audit is used properly, it readily becomes an asset to the company rather than simply a regulatory cost. It provides reasonable evidence that the programme is effective and also points to areas in need of remedy. Using the audit results to respond in accordance with the specific needs of the business can be a very positive process.
The use of audits, of whatever type and scope, is more evident where there is enforcement action and regular regulatory inspection.
The proposed 4th EU ML Directive uses the word “appropriate”, which also appears twice in Cayman’s Regulation 5. This is a forceful indication of flexibility, but it is clear that any independent AML/CFT audit will provide one or more of the following benefits:
- compliance with the requirement to have an audit;
- indication of areas of weakness to facilitate remedy prior to a regulatory visit; and
- evidence and support for the compliance officer’s and board of directors’ responsibilities to ensure compliance.
Finally, it is clear that, despite the lack of an international methodology and the different jurisdictional approaches, some form of independent assessment and evaluation reported to the highest level in the entity is required. Once every 12, or maybe 18, months is healthy, and if longer periods are set this will need to be reflected in the scope of the audit.
- [1] Regulation 5(1)(a)(iv).
- [2] Guidance Notes on the Prevention and Detection of Money Laundering and Terrorist Financing, paragraph 6.5.
- [3] The four pillars: (1) policies, procedures and internal controls; (2) designation of a compliance officer; (3) training for appropriate employees; and (4) an independent audit function to test the programme.
- [4] The Federal Financial Institutions Examination Council Examination Manual is considered to be the standard for AML examinations among US AML professionals: http://www.ffiec.gov/bsa_aml_infobase/pages_manual/OLM_007.htm. See Laura Goldzung, “Managing AML Audit Expectations”, Practical Compliance and Risk Management for the Securities Industry, Nov-Dec 2013.
- [5] Delston and Owen, “Independent AML audit – Essential Element or Nice to Have?”, Money Laundering Bulletin, June 2007.
- [6] Article 8.
- [7] European Banking Federation: http://www.ebf-fbe.eu/uploads/EBF_001279-2013%20-%20EBF%20Position%20on%20the%20EC%20Proposal%20for%20a%204th%20EU%20AML%20Directive.pdf
- [8] FATF Recommendation 15(c).
- [9] FATF Interpretative Note to Recommendation 18.
- [10] The Federal Financial Institutions Examination Council Examination Manual, p. 40, para 5; and see Delston and Owen, Money Laundering Bulletin, June 2007.
- [11] Financial crime: a guide for firms, Part 1, FCA, April 2013; section 2, Financial crime systems and controls.
- [12] Financial crime: a guide for firms, Part 1, FCA, April 2013; section 7, Sanctions and asset freezes, Box 7.1 Governance.
- [13] FATF Recommendations, February 2012: http://www.fatf-gafi.org/media/fatf/documents/recommendations/pdfs/FATF_Recommendations.pdf
- [15] Laura Goldzung, “Managing AML Audit Expectations”, Practical Compliance and Risk Management for the Securities Industry, Nov-Dec 2013.