Independent AML/CFT Audit obligations- Have you completed yours?
The Financial Services Commission (“FSC”) has recently published an updated Anti Money Laundering and Counter Financing Terrorism (“AML/CFT”) handbook for financial institutions comprising of a new chapter namely “Independent AML/CFT audit”. This new chapter has been brought at an important time where the financial services sector is currently facing major challenges with the classification of Mauritius on the grey list of FATF, Blacklist of the European Union and High-Risk Third countries of the UK. Moreover, this new chapter is a guidance to Section 22 (1) (d) of The Financial Intelligence and Anti-Money Laundering Regulations 2018 “FIAMLR 2018” which requires every financial institution to conduct an independent AML/CFT audit of their existing compliance framework.
By Hishaam Mohammoodally
Legal & Compliance Executive
HLB Risk & Compliance Consultancy Ltd
WHAT IS AN INDEPENDENT AML/CFT AUDIT?
An independent AML/CFT audit is an audit conducted by an external professional AML/CFT auditor or firm using best practice. It a special assessment of whether the provisions of the applicable laws, rules & regulations and various orders, instructions issued by the competent authority are being complied with. It is an evaluation of the existing Risk Assessment and AML/CFT framework of your company through file testing, transaction testing and the testing of live application of policies and procedures. It also helps to identify the money laundering and terrorist financing risks (ML/TF) faced by an organization, that it is keeping the assessment up to date, and effectively determining the levels of risk faced by its business. In essence, the independent audit of the Risk Assessment and AML/CFT Program is also geared towards assessing the adequacy and effectiveness of its implementation. It is an opportunity for an organization to obtain another view of how well the AML/CFT program is designed and functioning.
WHO SHOULD CARRY OUT THE INDEPENDENT AUDIT (INTERNAL OR EXTERNAL PROFESSIONAL)?
An independent AML/CFT audit may be conducted by either an internal team or an external audit professional or firm. However, the audit process should be carried out independently as stipulated by the FIAMLR 2018. This indicates that the internal auditor should be independent and must not have been involved in the development of risk assessment, or the establishment, implementation, or maintenance of the organisation’s AML / CFT framework. Thus, the audit function should be separate from operational and executive team dealing with the AML/CFT processes of the company.
In cases where an external audit professional has been appointed to conduct AML/CFT audit, the financial institution will have to demonstrate that the external auditor is adequately independent from its business and that there is no conflict of interest.
Where a reporting entity has retained the services of an auditor to perform AML/CFT audit, the company must conduct due diligence on the person or firm to ascertain that the selected auditor has the necessary skills, experience and qualifications. This will ensure that the AML/CFT audit is properly conducted, and the Auditor provides quality recommendations, so that the reporting entity can use the findings and recommendations to improve upon deficient areas. The criteria considered by the financial institution when assessing the independence and relevant experience of the external auditor to perform the audit, should be properly documented and shall be made available to the FSC upon request.
METHODOLOGY OF AN INDEPENDENT AML/CFT AUDIT
The independent AML/CFT audit covers a review of your Risk Assessment and AML/CFT Programme to ascertain that it meets the requirements of the FIAMLA, FIAMLR and relevant rules & regulations.
Typically, an AML/CFT audit should adopt the following methodology which is in line with best practice:
- A full review of your company's AML existing compliance program manual
- Whether the program has been effectively implemented and whether the entity is complying with the policies and procedures in place
- Adequacy of AML risk-assessment procedures of the AML program
- Whether the organization is addressing the risk faced by its business in an effective manner
- Review of past audit reports to assess the efficacy of recommended implemented changes
- Compliance Officer functions and effectiveness
- Money Laundering Reporting Officer functions and effectiveness
- Customer Due Diligence and Enhanced Due Diligence
- Transaction Monitoring and evaluation of automated monitoring systems
- Suspicious transaction reporting process
- Targeted Financial Sanctions policies
- Record keeping processes
- Employee screening
- AML/CFT Training
FREQUENCY OF INDEPENDENT AUDIT REVIEW
The frequency and extent of the review should be proportionate with the licensee’s size, nature, context, complexity and internal risk assessment. Company applying a risk-based approach will need to determine the frequency and scope of the independent AML/CFT audit review but is encouraged that it is conducted on an annual basis. The frequency and the scope may also depend on the business risk assessment of a company. If the business risk assessment changes, then it is advisable to conduct more frequent audit review. High risk organizations should conduct their independent audit more frequently.
INDEPENDENT AUDIT REPORT
An independent AML/CFT audit report usually includes helpful recommendations. The more thoroughly an auditor understands your business and processes, the more helpful they can be. It is to be noted that the report should be duly signed and dated by the audit professional or firm. The report must cover all components of a compliance program. It should clearly outline other different components such as audit scope, audit objectives, audit methodology, audit observations, gap analysis and relevant recommendations to allow the reader to reach an informed conclusion on the adequacy of the AML/CFT program. Compliance audit reports must be issued in a timely manner to the Board of Directors of a company to allow them to take appropriate actions to address deficiencies and areas of non-compliance.
After a compliance audit has been completed, the reporting entity must seek to implement the necessary changes recommended in the report, share the findings with the relevant employees who are directly involved in the deficiencies that need to be corrected, solicit the advice of these employees, especially Front-Line staff on how they feel the Program could work better. Additionally, the risk or AML/CFT committee must set deadlines and timeframes for the changes and list those who are responsible for getting the tasks completed. Finally, detailed records of the Audit must be kept. These may be requested by FSC.
WHAT ABOUT YOU: HAVE YOU COMPLETED YOUR INDEPENDENT AML/CFT AUDIT?
HLB Risk & Compliance Consultancy Ltd has a dedicated team to help companies and Designated Non-financial Business Professionals (“DNFBPs”) to conduct independent AML/CFT audit. We have proven expertise to assist your company in complying with the different legislations/guidelines and to provide you with valuable recommendation for the improvement of your AML/CFT program. We use best practices and innovative methodologies which ensure quality, completeness and reliability.
Do you require a quote for an independent Audit?
Please contact us on legal@hlb-mauritius.com or on +(230) 203 3900.