AML Compliance Checklist: Tools and Processes for an Effective Program
August 14, 2020
Compliance teams are the gatekeepers at financial institutions (FIs) for identifying illicit activity such as money laundering.
Failure to maintain an effective anti-money laundering (AML) compliance program has led financial intelligence units (FIUs) to hand out record fines in the tens of millions of dollars against organizations, fines that show they are serious about their call for compliance.
At the same time as penalties have been handed out, FIs have also seen numerous changes in regulatory expectations.
To build an effective AML compliance program, FIs must implement tools and processes that protect the organization from high-risk customers and transactions. These components include internal processes and procedures, such as policies, training and risk management, as well as tools, including sanctions list screening, transaction monitoring, risk scoring and regulatory reporting.
While this is not an exhaustive list, the following article covers the major areas where you need written policies and programs in place, and the tools that will help you implement and monitor your AML program.
Before You Start, Appoint a Chief Compliance Officer
A strong compliance program begins with senior management setting the standards for the rest of the organization. That means compliance teams must thoroughly understand their institution and be aware of areas of risk where possible regulatory breaches can happen.
To meet this objective, one of the first orders of business is to appoint a chief compliance officer (CCO). The compliance officer must also effectively communicate the company’s key principles and the regulations it must comply with to others in the organization.
Compliance officers are responsible for daily enforcement of the program, which needs to be clearly articulated to every employee. That culture of compliance must go across all corporate departments and will help encourage all employees to engage in good conduct.
The chief compliance officer is usually the head of the compliance department. Under that position come various levels of managers and compliance officers, depending on the size of the company and its corporate structure.
The compliance teams also include designated AML/CFT compliance officers with the necessary skills, authority and support to manage the AML/CFT compliance program across the entire organization.
The compliance team must have a strong working relationship with other groups within the organization, such as the legal and fraud departments.
The chief compliance officer should also have a direct relationship with the board of directors, which provides oversight of the institution’s BSA/AML compliance program. The compliance team must ensure that the board receives reports about the money laundering (and other) risks affecting the company.
To learn more about the responsibilities of an AML compliance officer, see our blog What is an AML Compliance Officer?
Perform Risk Assessments
One of the first tasks in an AML compliance program is to perform a risk assessment and document the risks faced by the organization. Ask yourself questions such as:
- How do you handle clients?
- What is your overall risk tolerance?
- In what regions do you operate?
- What kind of products are you offering and what are their inherent risks?
- Are you willing to take higher risks in some areas? If so, define them.
Primary AML risk areas to evaluate include:
- Customers and their relationships
- Products and services
- Transaction activity
- Geographic presence
Risk assessments will vary by institution and jurisdiction but to help understand areas to include in your assessment, take a look at some of our recent webinars on this topic:
- Elements of Customer Risk: Profiles and Relationships
- Elements of Customer Risk: Products and Services
- Assessing AML Geographic Risk: A Methodology
- Tackling Hidden Risks in AML Screening Programs
In addition to doing an initial assessment of risks, you need to re-examine them on a regular basis (such as quarterly or semi-annually).
Write AML Policies and Procedures
You must thoroughly document your firm’s AML policies and procedures. FINRA publishes a sample AML program template for small firms that can save you time.
The template gives you examples of required legal wording for small firms to assist them in fulfilling their responsibilities to establish the Anti-Money Laundering (AML) compliance program required by the Bank Secrecy Act (BSA) and its implementing regulations and FINRA Rule 3310. The template provides text examples, instructions, relevant rules and websites and other resources that are useful for developing an AML plan.
Other organizations that publish their policies or policy templates include the ones below and can be a good starting point for small firms:
When planning your AML processes, remember the following:
- Ensure you have in place procedures for onboarding new customers, monitoring transactions and investigating suspicious activities
- Implement procedures so your institution can operate within acceptable standards in the jurisdictions where you do business
- Ensure what you are doing is auditable and well documented
- Have procedures for internal reporting and investigation of suspicious activities
- Ensure you have monitoring and controls in place to report to regulators, including Suspicious Activity Reports (SARs) or Suspicious Transaction Reports (STRs)
- Continuously review processes to ensure that you are doing what you promised to do and that you are doing enough to address emerging risks
- Ensure new products or lines of businesses are in-line with your compliance program and risk tolerance
Maintenance of an AML Program
Whether implementing a new AML program or evolving an existing program, it’s important to keep the following in mind:
- Review company policies periodically to ensure they align with existing regulations. Don’t forget to research or consult with your legal team about new state, provincial or federal regulations.
- Carry out frequent risk assessments to identify new and emerging areas of risks in order to implement preventive or corrective strategies to address compliance issues.
- Your Know Your Employee and Know Your Customer programs need to match the size, complexity and geographic reach of your institution. Needs will change as the organization grows or adds new products and services.
- Perform ongoing monitoring of operations and procedures of the different sections of your institution to ensure overall compliance
- Continuously monitor client activities to ensure they are legal and in compliance with internal and external bank policies. How and what is monitored may have to evolve as new products are introduced, new regulations are introduced or technology changes.
- Develop and evolve your procedures for the handling and resolution of policy violations.
- Work with senior managers to ensure compliance to existing policies and proper implementation of new policies.
- Collaborate with other departments such as the risk management or internal audit unit to forward compliance issues for investigation.
- Educate and train everyone on recent and already existing compliance requirements, policies and procedures. Participate in seminars, conferences, and workshops to improve knowledge.
- Document any changes in policies and procedures and ensure that everyone in the organization is trained on these changes.
- Perform periodic independent testing of the effectiveness of the AML program
- Ensure robust oversight of third-party arrangements to ensure they are meeting your compliance requirements.
- Conduct internal audits prior to an external audit to ensure policies and operations are up to standard.
- Provide regular reports to senior management to keep them updated on progress of compliance operations.
Apply Due Diligence – KYC, CIP, CDD and EDD
Knowing your customers is an integral part of an AML program. Several terms are used, including know your customer (KYC), customer due diligence (CDD) and enhanced due diligence (EDD), and it is important to understand the differences between them.
According to the white paper “How to Audit Know Your Customer (KYC) and Customer Due Diligence (CDD)”, a financial institution’s KYC process includes:
- Customer Identification Program (CIP)
- Customer Due Diligence (CDD) process
- Enhanced Due Diligence (EDD) process
A Customer Identification Program (CIP) gathers basic customer information (name, address, date of birth for an individual, and an ID number) to form a “reasonable” belief that the true identity of the customer is known.
A sound CDD process should include these seven elements:
- Full identification of customer and business entities, including the source of funds and wealth and beneficial ownership when appropriate
- Development of transactional activity profiles of each customer’s anticipated activity
- Definition and acceptance of the customer in the context of specific products and services
- Assessment and grading of risks that the customer or the account presents
- Account and transaction monitoring based on the risks presented
- Investigation and examination of unusual customer or account activity
- Documentation of findings
In addition to the above, CDD processes should include periodic risk-based monitoring of the customer relationship to determine whether there are substantive changes to the original CDD information (e.g., change in employment or business operations).
Enhanced due diligence follows the same lines as customer due diligence but calls for additional measures aimed at identifying and mitigating the risk posed by higher-risk customers.
It requires a more thorough knowledge of the nature of the customer, the customer’s business and the types of business activity and transactions involved than is needed for a standard or lower-risk customer. A financial institution should, for example, ensure that account profiles are kept current and that monitoring is risk-based and conducted regularly.
Learn more about EDD with Alessa.
Screen Against Watch and Sanctions Lists
In most jurisdictions, institutions are required to screen new customers and transaction records against sanction lists as well as lists of known high-risk individuals (suspected terrorists, narcotics traffickers, etc.) for potential matches.
When an FI encounters a potential “sanction match” or “sanctions hit”, it must investigate further with additional information to evaluate whether the similarities in the text reveal a true sanctions exposure.
While this sounds relatively simple, there are many complexities that need to be addressed in order to have an effective sanctions screening and watchlist filtering process. Here are some questions that should be addressed about sanctions screening in an AML program:
- Are you using the right risk reference data? If you are a small bank in Canada, your risk profile is going to be very different from that of a tier-one financial institution on Wall Street. Therefore, the sanctions lists you have to comply with may be different as well.
- Are you reviewing narrative sanctions? Narrative sanctions are those sanctions where the administering body does not only list specific individuals or entities, but lists of criteria that are required for inclusion. These non-listed entities are a challenge for financial institutions, as there is no finite sanction list to follow yet still they must ensure that they do not transact with them.
- Are you using law enforcement and adverse media data? You want to ensure that you are screening records for relevant risk against lists from local, national and international law enforcement agencies, like Interpol, Europol and the FBI, for FATF predicate offences. Adverse media or negative news is unfavorable information found across a wide variety of news sources, blogs, social media feeds and more. Like law enforcement data, you are looking for involvement in FATF predicate offences.
- How do you manage PEPs and state-owned entities? Some institutions obtain Politically Exposed Persons (PEPs) data from the original sources, others from risk reference data. Either way, your institution needs a policy on how to handle entities tagged as PEPs. You also need a process for identifying and handling state-owned entities. Whether that comes from a data source or from looking up ownership records, you need to make sure you are identifying state-owned entities, which typically means any entity in which a state holds at least 25 per cent (or any state ownership at all, depending on the jurisdiction).
- Have you configured your screening software to take a risk-based approach to screening? From date of birth information to address information, there are many factors that can be used to identify potential sanction matches. Has your software been optimized to catch the high-risk individuals?
- Does your program address name variations? Name variations is an exceedingly complicated part of the screening process. Every organization should ensure that they spend enough time testing their system to ensure that it can handle name variations, nicknames and aliases.
- Does your system effectively handle transliteration and transcription? Screening names written in non-Latin scripts is a challenge for FIs that operate in languages using the Latin alphabet. Even languages that use Latin characters, such as Spanish, Portuguese, Dutch, French and German, can be challenging to test because of their accented and special letters. An effective screening program should be able to handle transliteration (mapping a word from one alphabet into the corresponding, similar-sounding characters of another) and translation (the meaning of a word in another language).
To learn more about how to address the above questions, download our white paper called Tips for Testing Your Sanctions and Watch List Screening Software.
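To make the name-variation, diacritics and risk-based questions above concrete, here is an added example of a minimal screening routine. It is not code from the original article, from Alessa or from any commercial screening product: the watch list, the IDs and dates in it, the 0.85 threshold and the choice of Python's standard-library `difflib` ratio as the similarity measure are all assumptions for illustration. Names are normalised (case folded, accents stripped, punctuation removed, tokens sorted), compared against the primary name and every alias, and a date-of-birth mismatch lowers a hit to "review" instead of clearing it.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed watch list for illustration; names, IDs and dates are invented
WATCHLIST = [
    {"id": "WL-001", "name": "José García Ramírez",
     "aliases": ["Jose Garcia", "J. Garcia Ramirez"], "dob": "1975-03-14"},
    {"id": "WL-002", "name": "Müller, Hans-Peter", "aliases": [], "dob": None},
    {"id": "WL-003", "name": "Mohammed Al-Rashid",
     "aliases": ["Muhammad Alrashid", "Mohamed al Rashid"], "dob": "1982-11-02"},
]
NAME_MATCH_THRESHOLD = 0.85   # assumed; tune against the FI's own set of known true/false positives


def normalize(name: str) -> str:
    """Fold case, strip diacritics and punctuation: 'Müller, Hans-Peter' -> 'muller hans peter'.

    NFKD splits 'é' into 'e' plus a combining accent, which is then dropped;
    casefold() also maps 'ß' to 'ss'. Names in non-Latin scripts need a
    transliteration step before this point, which this example does not implement.
    """
    decomposed = unicodedata.normalize("NFKD", name)
    without_marks = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    cleaned = re.sub(r"[^a-z0-9 ]+", " ", without_marks.casefold())
    return " ".join(cleaned.split())


def canonical(name: str) -> str:
    """Sort the tokens so 'Garcia Jose' and 'Jose Garcia' compare equal."""
    return " ".join(sorted(normalize(name).split()))


def name_score(a: str, b: str) -> float:
    """Similarity in [0, 1]; 'mueller' vs 'muller' still scores about 0.97."""
    return SequenceMatcher(None, canonical(a), canonical(b)).ratio()


def screen(customer_name: str, customer_dob=None, watchlist=WATCHLIST):
    """Return a decision plus every entry whose name or alias scores above the threshold."""
    hits = []
    for entry in watchlist:
        score = max(name_score(customer_name, n) for n in [entry["name"], *entry["aliases"]])
        if score < NAME_MATCH_THRESHOLD:
            continue
        # Secondary identifier: a differing date of birth lowers priority but does not
        # clear the hit, because either side's DOB may be missing or wrong
        dob_conflict = bool(customer_dob and entry["dob"] and customer_dob != entry["dob"])
        hits.append({"id": entry["id"], "score": round(score, 3), "dob_conflict": dob_conflict})
    if not hits:
        return {"decision": "clear", "hits": []}
    hits.sort(key=lambda h: -h["score"])
    decision = "review" if all(h["dob_conflict"] for h in hits) else "match"
    return {"decision": decision, "hits": hits}


if __name__ == "__main__":
    for name, dob in [("Jose Garcia Ramirez", "1975-03-14"), ("Hans Peter Mueller", None),
                      ("Muhammad Alrashid", "1990-01-01"), ("Jane Doe", None)]:
        print(name, screen(name, dob))
```

The point of the test set is the last point in the list above: an FI should keep its own corpus of accented, reordered, transliterated and aliased names with the expected outcome for each, and re-run it whenever the threshold or the normalisation rules change.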
Monitor and Screen Transactions
Transaction monitoring processes involve analyzing transactional data and identifying suspicious activities that are potential indicators of money laundering or terrorist financing activity.
According to ACAMS, the following reports from core banking systems or transaction monitoring systems are potential sources to identify suspicious transactions:
- Daily cash activity in excess of the country’s reporting threshold;
- Daily cash activity just below the country’s reporting threshold to identify possible structuring;
- Cash activity aggregated over a period of time (e.g., individual transactions over a certain amount, or totaling more than a certain amount over a 30-day period) to identify possible structuring;
- Wire transfer reports/logs with filters using amounts and geographical factors;
- Monetary instrument logs/reports;
- Check kiting/drawing on uncollected funds with significant debit/credit flows;
- Significant change reports; and
- New account activity reports
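The first three report types in the list above (cash over the threshold, cash just below it, and cash aggregated over a period) are rules an FI can run directly against its transaction data. The following is an added example, not code from the original article, from ACAMS or from Alessa: it aggregates constructed sample cash deposits per customer and day, flags daily totals at or above an assumed 10,000 reporting threshold, flags totals in the band just below it, and keeps a rolling 30-day sum of sub-threshold days to surface structuring that never comes close to the daily limit. All thresholds, the window length and the sample transactions are assumptions for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Assumed parameters; real values come from the jurisdiction and the FI's risk appetite
REPORT_THRESHOLD = 10_000.00      # daily cash reporting threshold
NEAR_THRESHOLD_RATIO = 0.90       # daily cash at or above 90% of the threshold (but below it)
WINDOW_DAYS = 30
WINDOW_AGG_THRESHOLD = 25_000.00  # sub-threshold cash totalling this much in a window warrants review

# Constructed sample cash deposits (customer_id, value date, amount); not real data
TRANSACTIONS = [
    ("C-100", date(2020, 8, 3), 6_000.00),
    ("C-100", date(2020, 8, 3), 6_500.00),   # two deposits on one day: 12,500 in total
    ("C-200", date(2020, 8, 3), 9_400.00),   # three consecutive days just under the threshold
    ("C-200", date(2020, 8, 4), 9_600.00),
    ("C-200", date(2020, 8, 5), 9_500.00),
    ("C-400", date(2020, 8, 10), 2_000.00),  # ordinary activity
] + [
    # eight deposits of 3,500 every third day: never near the daily threshold
    ("C-300", date(2020, 8, 1) + timedelta(days=3 * i), 3_500.00) for i in range(8)
]


def daily_cash_totals(transactions):
    """Aggregate cash by (customer, day) so that split deposits are seen as one amount."""
    totals = defaultdict(float)
    for customer, day, amount in transactions:
        totals[(customer, day)] += amount
    return dict(totals)


def daily_alerts(totals):
    """Over-threshold days (reportable) and just-below days (possible structuring)."""
    alerts = []
    for (customer, day), total in sorted(totals.items()):
        if total >= REPORT_THRESHOLD:
            alerts.append(("OVER_THRESHOLD", customer, day.isoformat(), round(total, 2)))
        elif total >= REPORT_THRESHOLD * NEAR_THRESHOLD_RATIO:
            alerts.append(("NEAR_THRESHOLD", customer, day.isoformat(), round(total, 2)))
    return alerts


def window_alerts(totals):
    """Rolling-window sum of sub-threshold days per customer; over-threshold days are excluded
    because they are already reported on their own."""
    per_customer = defaultdict(list)
    for (customer, day), total in totals.items():
        if total < REPORT_THRESHOLD:
            per_customer[customer].append((day, total))
    alerts = []
    for customer, days in sorted(per_customer.items()):
        days.sort()
        for i, (end_day, _) in enumerate(days):
            start = end_day - timedelta(days=WINDOW_DAYS - 1)
            window_sum = sum(t for d, t in days[: i + 1] if d >= start)
            if window_sum >= WINDOW_AGG_THRESHOLD:
                alerts.append(("WINDOW_AGGREGATE", customer, end_day.isoformat(), round(window_sum, 2)))
                break   # one alert per customer is enough to open a case
    return alerts


def run_monitoring(transactions):
    totals = daily_cash_totals(transactions)
    return daily_alerts(totals) + window_alerts(totals)


if __name__ == "__main__":
    for alert in run_monitoring(TRANSACTIONS):
        print(*alert)
```

Note what each rule catches and the others miss: C-100 is only reportable once the two same-day deposits are aggregated; C-200 trips both the just-below rule and the window rule; C-300 is invisible to every daily rule and only surfaces from the 30-day aggregate.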
ACAMS also suggests that a typical suspicious or unusual transaction reporting process within a financial institution includes:
- Procedures to identify suspicious or unusual transactions or activity through various channels including employee observations or identification, inquiries from law enforcement or alerts generated by transaction monitoring systems;
- A formal evaluation of each instance, and continuation, of unusual transactions or activity;
- Documentation of the suspicious transaction reporting decision (i.e., whether or not a report was filed with authorities);
- Procedures to periodically notify senior management or the board of directors of suspicious transaction filings; and
- Employee training on detecting suspicious transactions or activity.
Read about transaction monitoring with Alessa
Report Suspicious Activities to Regulators
Financial intelligence units (FIUs) in most jurisdictions require that financial institutions report any suspicious transactions that could be an indication of money laundering or terrorist financing. As part of this process, most FIUs require that FIs:
- Identify and verify the identity of the parties involved
- Collect information about the transaction and provide reasons as to why the FI has flagged the transaction(s) as suspicious
- Not disclose to the client(s) that a suspicious activity report is being filed
- Provide the information to the FIU
Exact requirements and processes vary by jurisdiction so FIs should verify their obligations with their legal team and/or FIUs.
For suggestions on how FIs can internally track investigations of suspicious activity reports, check out the blog called Suspicious Activity Report: How to Track Your Investigation.
Perform Independent Testing of AML Program
Your AML program should be independently tested periodically to ensure its effectiveness.
According to a white paper entitled “Anti-Money Laundering Independent Testing Regulatory Expectations and Trends”, many recent AML-related enforcement actions have identified deficiencies in the quality of the institution’s AML independent testing program.
According to this same white paper, here are some things to consider when evaluating an AML independent testing program:
- Independence – Anyone who participates in AML testing is not permitted to be involved in establishing or performing ongoing AML compliance processes. This rule applies both to staff members and to any external party to which financial institutions cosource or outsource testing responsibilities. Auditors completing the test plan should report directly to the board of directors, audit committee, or other supervisory committee of the financial institution.
- Frequency – The Federal Financial Institutions Examination Council (FFIEC) recommends that financial institutions conduct independent testing every 12 to 18 months, or more often if required by a risk profile. An acquisition or a money laundering incident, for example, could trigger the need for more frequent testing.
- Qualifications – Testing should be executed and supervised by people with expertise in the subject matter, auditing requirements, and institution type. Experience with specific AML systems or models is also a primary consideration when determining an individual’s qualifications.
- Coverage – Institutions struggle to demonstrate that audit coverage exists for all applicable risks and to retain sufficient documentation to support the decisions made when defining the audit scope. The following is a list of risks or factors that should be considered during an independent AML audit: planning, fieldwork, AML systems and models, suspicious activity monitoring and management of high-risk customers. (see white paper for more detail)
- Reporting – Written reports should clearly outline the audit scope, objectives, and reporting exceptions – if any – to allow the reader to reach an informed conclusion on the adequacy of the AML compliance program. An audit rating scale may be used to document the conclusion reached from the AML audit. Reports should be issued in a timely manner and distributed to important stakeholders and parties independent of the AML compliance program.
Use AML Technology Tools
Technology is a key tool that allows compliance teams to operate more effectively, maintain effective control, and reduce the amount of costly manual work. Areas where technology and automation are used in AML compliance programs include:
- Customer identification
- Customer due diligence
- Enhanced due diligence
- Ongoing validation of customer information
- Sanctions and watch list screening and filtering
- Transaction monitoring
- Suspicious activity detection and investigation
- Regulatory reporting to financial intelligence units
- Program reporting to management
- AML program effectiveness monitoring
Alessa has extensive experience in providing AML compliance solutions for FIs of different kinds and in different jurisdictions. Learn how Alessa can also help your FI with leveraging technology to reduce the burden of AML compliance.