With anti-financial crime compliance at the top of every regulator’s agenda, on-site and off-site compliance exercises are an increasingly regular occurrence. Regulators expect subject persons not only to have the appropriate policy frameworks in place, but also to be able to demonstrate adherence to rules and policy through appropriate governance structures, record keeping arrangements and technical systems. Similar reassurance is also being sought by other players such as correspondent banks and other financial counterparties. Anti-financial crime audits have also become a typical component of pre-acquisition due diligence processes.
In this article we present a typical anti-financial crime audit checklist. Of course, checklists by themselves are never sufficient, and an effective programme requires genuine management buy-in and cultural adoption. However, any institution that can provide credible evidence of adherence to this checklist will be well on its way towards demonstrating the effectiveness of its compliance programme. The checklist is geared towards credit and financial institutions, but various aspects such as governance, CDD and name screening are relevant across most business types.
Anti-Financial Crime Governance and Policy Framework
Governance is a fundamental component of any effective compliance programme and is typically the starting point of any discussion. Regulators expect subject persons to demonstrate that management communicates the right “tone at the top” and shows engagement and leadership with respect to anti-financial crime compliance matters. Items which may be requested include:
- Policies related to financial crime compliance, including: (i) anti-money laundering policy; (ii) client acceptance policy; (iii) sanctions policy; (iv) anti-bribery and corruption policy; (v) conflicts of interest policy
- Procedural documentation such as: (i) name and payment screening procedures; (ii) investigation procedures; (iii) customer risk assessment procedures; (iv) customer risk assessment methodologies; (v) transaction monitoring procedures
- Business risk assessment and related methodology
- Organisational charts and associated responsibilities relating to financial crime compliance including role of third party vendors and outsourced providers
- Terms of reference and minutes of board meetings and anti-financial crime governance bodies such as compliance and/or client acceptance committees
- Management information such as customers by risk rating, geography and interface type; number and type of PEPs; customers on-boarded and off-boarded
- Compliance monitoring plans as well as reports generated in accordance with such plans
- Independent reports and/or internal audit reports on financial crime compliance
- Records of previous regulatory audits and relevant regulatory dialogues including existing regulatory commitments
- Employee training materials and records
Customer Due Diligence
CDD quality and frameworks are a focal point of any financial crime audit. Regulators expect firms to be able to demonstrate a good understanding of their customer base, an appreciation of the relevant risks, and adherence to any mandatory documentation procedures. Requests may include:
- Organisational charts and associated responsibilities relating to CDD
- CDD guidance and procedures
- Data and technology systems and architectures relating to CDD
- Current and recent customer risk assessment methodologies, including evidence as to how they were developed and approved
- Ongoing due diligence and enhanced due diligence triggers
- KYC storage procedures
Name and Payment Screening
Name and payment screening are processes which increasingly attract granular scrutiny from regulators. Name screening refers to the screening of static names derived from KYC information, while payment screening refers to the screening of payment data embedded in payment files. Effective name and payment screening typically require the deployment of appropriate technical systems. However, the deployment of systems is not, by itself, a sufficient measure: such systems also need to be governed, tested and monitored on an ongoing basis. Items which may be requested include:
- Organisational charts and associated responsibilities related to name and payment screening
- Guidelines and procedures related to name and payment screening
- Data and technology systems and architectures relating to name and payment screening, including screening tools and list providers
- List of elements screened against (sanctions / PEPs / law enforcement / adverse media)
- Process diagrams relating to name and payment screening (including system process flows, operational processes, investigative processes, STR disclosure processes, asset freezes, public body requests for information).
- Details of system testing of screening effectiveness and efficiency
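The last item above, evidence of screening effectiveness testing, is easiest to understand with a concrete harness. The following is an added example and not code from the original article or from any screening vendor: a minimal name screening function (normalisation of case, diacritics, punctuation and legal-form suffixes, then fuzzy matching against a watchlist) together with a labelled test set that tallies true and false positives and negatives. The watchlist, threshold and test names are constructed for illustration only; a real deployment screens against licensed sanctions, PEP and adverse media lists and would tune the threshold on its own data.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed watchlist for the example; not a real sanctions or PEP list.
WATCHLIST = [
    {"id": "WL-0001", "name": "Ivan Petrovich Sokolov", "list": "sanctions"},
    {"id": "WL-0002", "name": "Maria Fernanda Lopez", "list": "pep"},
    {"id": "WL-0003", "name": "Global Trade Holdings Ltd", "list": "adverse_media"},
]

# Legal-form aliases folded to one spelling so "Limited" and "Ltd" compare equal.
LEGAL_FORMS = {"limited": "ltd", "incorporated": "inc", "corporation": "corp"}


def normalise(name):
    """Casefold, strip diacritics, drop punctuation, fold legal forms, collapse spaces."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = re.sub(r"[^a-z0-9 ]+", " ", ascii_only.casefold())
    tokens = [LEGAL_FORMS.get(t, t) for t in cleaned.split()]
    return " ".join(tokens)


def similarity(candidate, listed):
    """Score in [0, 1]: the better of a whole-string ratio and per-token coverage.

    Token coverage (average of each input token's best match against the listed
    name's tokens) handles reordered or omitted middle names; it is only used
    when the input has at least two tokens, since a lone first name is too weak
    a signal on its own.
    """
    a_tokens, b_tokens = normalise(candidate).split(), normalise(listed).split()
    if not a_tokens or not b_tokens:
        return 0.0
    whole = SequenceMatcher(None, " ".join(a_tokens), " ".join(b_tokens)).ratio()
    if len(a_tokens) < 2:
        return whole
    coverage = sum(
        max(SequenceMatcher(None, t, u).ratio() for u in b_tokens) for t in a_tokens
    ) / len(a_tokens)
    return max(whole, coverage)


def screen(name, threshold=0.85):
    """Return watchlist hits scoring at or above the threshold, best first."""
    hits = []
    for entry in WATCHLIST:
        score = similarity(name, entry["name"])
        if score >= threshold:
            hits.append({"id": entry["id"], "list": entry["list"], "score": round(score, 3)})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


# Constructed effectiveness test set: (input name, watchlist id it must hit, or None).
TEST_CASES = [
    ("SOKOLOV, Ivan Petrovich", "WL-0001"),       # surname-first, upper case, punctuation
    ("Ivan Sokolov", "WL-0001"),                  # middle name omitted
    ("María Fernanda López", "WL-0002"),          # diacritics
    ("Global Trade Holdings Limited", "WL-0003"),  # legal-form variant
    ("John Smith", None),                         # must not alert
    ("Ivan Lopez", None),                         # shares one token with two entries; must not alert
]


def effectiveness(cases=TEST_CASES, threshold=0.85):
    """Run labelled cases through screen() and tally outcomes for the audit file."""
    tally = {"true_positive": 0, "false_negative": 0, "false_positive": 0, "true_negative": 0}
    for name, expected in cases:
        hit_ids = [h["id"] for h in screen(name, threshold)]
        if expected is not None:
            tally["true_positive" if expected in hit_ids else "false_negative"] += 1
        else:
            tally["false_positive" if hit_ids else "true_negative"] += 1
    return tally


if __name__ == "__main__":
    for name, _ in TEST_CASES:
        print(name, "->", screen(name))
    print(effectiveness())
```

Re-running `effectiveness()` after every list update or threshold change, and retaining the output, is the kind of record an auditor can accept as evidence that the screening tool still catches the variants it was calibrated for.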
Transaction Monitoring
Payment screening refers to the screening of payments before they are released, while transaction monitoring refers to the analysis of payments after the fact, typically for the purpose of detecting unusual patterns that may be indicative of suspicious behaviour. Requests may include:
- Organisational charts and associated responsibilities related to transaction monitoring
- Guidelines and procedures related to transaction monitoring
- Data and technology systems and architectures relating to transaction monitoring
- Process diagrams relating to transaction monitoring (including system process flows, operational processes, investigative processes, STR disclosure processes, asset freezes, public body requests for information).
- The scenarios, business rules and analytical models designed to monitor and detect suspicious transactions.
- Evidence of calibration, including effectiveness testing to confirm that any system-generated alert delivers the expected outcome.
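The last two items, the business rules themselves and evidence that they are calibrated, can be illustrated together. What follows is an added example, not code from the original article or from any transaction monitoring product: one scenario (a structuring rule that flags several cash deposits just under a reporting threshold within a short window), a parameter sweep of the kind used in above-the-line/below-the-line calibration, and a seeded-pattern check that confirms the alert actually fires. The ledger, threshold, account ids and rule name are constructed for illustration; real thresholds come from the applicable regulation and the institution's own risk assessment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger (not real data): (txn id, account, ISO timestamp, type, amount).
LEDGER = [
    ("T1", "ACC-100", "2024-03-01T09:12:00", "cash_deposit", 9500.00),
    ("T2", "ACC-100", "2024-03-02T10:05:00", "cash_deposit", 9800.00),
    ("T3", "ACC-100", "2024-03-04T14:40:00", "cash_deposit", 9700.00),
    ("T4", "ACC-200", "2024-03-01T11:00:00", "cash_deposit", 12000.00),  # over threshold: reportable, not structuring
    ("T5", "ACC-300", "2024-03-01T09:00:00", "cash_deposit", 2000.00),   # too small to count as "just under"
    ("T6", "ACC-300", "2024-03-20T09:00:00", "cash_deposit", 9900.00),
    ("T7", "ACC-300", "2024-03-21T09:00:00", "cash_deposit", 9900.00),   # only two in the window
    ("T8", "ACC-100", "2024-03-10T09:00:00", "wire_out", 28000.00),       # not a cash deposit
]


def detect_structuring(ledger, threshold=10000.0, near_fraction=0.8, min_count=3, window_days=7):
    """Scenario STRUCT-01 (hypothetical rule name): alert when an account receives at least
    min_count cash deposits, each between near_fraction*threshold and threshold, within
    window_days, and their sum reaches the threshold."""
    by_account = defaultdict(list)
    for txn_id, account, ts, kind, amount in ledger:
        if kind == "cash_deposit" and near_fraction * threshold <= amount < threshold:
            by_account[account].append((datetime.fromisoformat(ts), txn_id, amount))

    alerts = []
    window = timedelta(days=window_days)
    for account, deposits in by_account.items():
        deposits.sort()
        i = 0
        while i < len(deposits):
            start = deposits[i][0]
            j = i
            while j < len(deposits) and deposits[j][0] - start <= window:
                j += 1
            cluster = deposits[i:j]
            total = sum(d[2] for d in cluster)
            if len(cluster) >= min_count and total >= threshold:
                alerts.append({
                    "rule": "STRUCT-01",
                    "account": account,
                    "transactions": [d[1] for d in cluster],
                    "total": round(total, 2),
                })
                i = j  # do not re-alert on deposits already covered by this alert
            else:
                i += 1
    return alerts


def calibration_sweep(ledger, min_counts=(2, 3, 4)):
    """Above/below-the-line check: how many alerts each candidate min_count produces."""
    return {n: len(detect_structuring(ledger, min_count=n)) for n in min_counts}


def seed_known_bad(account, start_date, threshold=10000.0, count=3):
    """Build a synthetic structuring pattern (constructed test data, not a real customer)."""
    start = datetime.fromisoformat(start_date)
    return [
        (f"SEED-{k}", account, (start + timedelta(days=k)).isoformat(), "cash_deposit", 0.95 * threshold)
        for k in range(count)
    ]


def confirm_alert_fires(ledger, threshold=10000.0):
    """Effectiveness test: the rule must alert on a seeded pattern it was designed to catch."""
    seeded = ledger + seed_known_bad("TEST-SEED", "2024-04-01", threshold)
    return any(a["account"] == "TEST-SEED" for a in detect_structuring(seeded, threshold=threshold))


if __name__ == "__main__":
    for alert in detect_structuring(LEDGER):
        print(alert)
    print("calibration:", calibration_sweep(LEDGER))
    print("seeded pattern alerts:", confirm_alert_fires(LEDGER))
```

Keeping the sweep output and the seeded-pattern result alongside the approved parameter values gives the "evidence of calibration" an auditor will ask for, and re-running the seeded check after each rule or data-feed change demonstrates that alerts still deliver the expected outcome.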
Shoulder Compliance is your dedicated partner in your anti-financial crime efforts. If you want to ensure that your business is compliant and prepared for its next anti-financial crime audit, get in touch.