AML Compliance Checklist: A Self-Audit Guide for FIs

Your organization is obligated to maintain an effective and regulatorily sound anti-money laundering (AML) compliance program. Effective is the key word, and the stakes are high if you do not perform. Follow this AML compliance checklist to audit the effectiveness of your program.

1. Consider Your Financial Institution’s Risk Appetite

Your financial institution (FI) will have a “risk appetite/tolerance” that sets the tone from the top and defines how much risk your organization is willing to accept in its business operations. Is it risk-averse or a risk-taker? Somewhere in between is the likely outcome. A risk-based approach will be the crux of your AML program and its control structure: from onboarding clients, to product/service usage, to monitoring their activity, everything is viewed through a risk lens. Keep your FI’s risk appetite in mind as you move on to the next step, the risk assessment.

2. Perform a Thorough Risk Assessment

An end-to-end risk assessment should be the next item on your FI’s AML compliance checklist. FIs need to understand whether any area (or areas) of business operations, products, and/or services are vulnerable to money laundering activity. Ensure your controls address your risks; if there are gaps, address them swiftly.

It’s also a good time to look at the geopolitical landscape and assess whether some regions are becoming riskier due to shifting political events. While you’re at it, consider whether customers are still using your products and services in the same manner. Has the risk profile of your business offerings changed, and with it the risks you face?

3. Internal Controls & Anti-Money Laundering Policies

Risk assessment complete. Next item on your FI’s AML compliance checklist: are there any gaps in your internal controls? As one of the five pillars of an AML compliance program, effective internal controls are essential. Keep them current, keep them applicable, and avoid layering on more controls when fewer would be just as effective. Consult with the relevant stakeholders.

Are your controls (and processes) sorted? How are your AML policies looking? These policies range from clearly stating the AML strategy to defining how your organization will onboard new customers, flag and investigate suspicious activity, monitor transactions, maintain adequate record-keeping, communicate effectively, and identify the regional and global regulations the FI needs to follow. Your organization should regularly evaluate and monitor its AML compliance program for adequacy, effectiveness, and deficiencies.

4. Name a Chief Compliance Officer

FIs must designate an individual responsible for managing the organization’s AML program. In some organizations that may be the BSA Officer or Money Laundering Reporting Officer (MLRO); in others it is the Chief Compliance Officer (CCO). Regardless of the title, this individual must have the requisite experience and knowledge to manage the role effectively. They must be hyper-focused on the AML program and not distracted by “additional” responsibilities. Their teams, the Board, and regulators will look to them as the leader who ensures a culture of compliance is established and that regulations are appropriately addressed in the AML program.

5. Train Your Staff

An FI’s staff is responsible for ensuring the organization meets its AML compliance responsibilities on a daily basis. Therefore, appropriate steps must be taken to ensure staff are trained on the latest policies, understand the regulatory landscape, and operate with a compliance-first mindset. Training and education sessions should not be treated as “one and done” tasks. They are an ongoing effort, because the regulatory landscape changes and FIs update their controls to address new risks and threats to the organization.

6. Know Your Customer/Customer Due Diligence (KYC/CDD)

The newest pillar of the AML compliance program, Customer Due Diligence (CDD), is a crucial component in the fight against financial crime. FIs need to understand why and how their customers intend to interact with them. This starts at onboarding and should continue throughout the customer lifecycle. The process entails assessing the customer’s demographic data, screening them against global watchlists and adverse media, analyzing the beneficial ownership a person holds over a business (if applicable), and assessing inherent risks. FIs should consider taking their CDD to the next level by adopting a solution that also incorporates operational and transactional patterns, as well as interactions, into a customer’s risk profile. Given the continual evolution of cryptocurrency in the global economy, firms should factor in those unique risks as well.

7. Sanctions and Watchlist Screening

The consequences of doing business with an individual or entity named on a global sanctions watchlist are severe for FIs. There will be investigations, fines, and public scandal for allowing sanctioned individuals and entities to conduct business with your institution. And sanctions apply to everyone, not just regulated institutions. FIs must ensure up-to-date lists are used in the screening process for both sanctions and risk-related watchlists, such as politically exposed persons (PEPs), relatives or close associates (RCAs), and adverse media. Sanctions screening should be applied during the payment screening process, and the data used at the customer screening level should be expanded to include risk-related and ownership data.
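The screening step described above has a well-known failure mode: an exact-string comparison misses a listed name that arrives with different punctuation, word order, a corporate suffix, or a one-letter transliteration difference. The following is an added example, not code from the original article or from any screening vendor, showing how a customer and its beneficial owners can be screened against a consolidated list with name normalization and a similarity threshold. The watchlist entries, customer records, list categories and the 0.85 threshold are all constructed for illustration; a real program loads its provider’s sanctions and PEP/RCA lists and re-screens its book on every list update.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed watchlist for illustration only. Real programs load consolidated
# sanctions and PEP/RCA lists from their data provider and refresh them on every update.
WATCHLIST = [
    {"name": "Ivan Petrovich Sidorov", "list": "SANCTIONS",
     "aliases": ["I. P. Sidorov", "Ivan Sidorov"]},
    {"name": "Maria Lopez Garcia", "list": "PEP", "aliases": []},
    {"name": "Acme Trading FZE", "list": "SANCTIONS",
     "aliases": ["ACME Trading FZE LLC"]},
]

# Corporate suffixes carry no identifying information and only depress similarity scores.
STOPWORDS = {"llc", "ltd", "inc", "fze", "co", "corp", "company", "limited"}


def normalize(name: str) -> str:
    """Casefold, strip accents and punctuation, drop corporate suffixes, sort tokens.

    Sorting the tokens makes "Sidorov, Ivan" and "Ivan Sidorov" compare equal.
    """
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c))
    tokens = re.findall(r"[a-z0-9]+", text.casefold())
    tokens = [t for t in tokens if t not in STOPWORDS]
    return " ".join(sorted(tokens))


def similarity(a: str, b: str) -> float:
    """Best of character-level ratio and token overlap between two normalized names."""
    na, nb = normalize(a), normalize(b)
    if not na or not nb:
        return 0.0
    seq = SequenceMatcher(None, na, nb).ratio()
    ta, tb = set(na.split()), set(nb.split())
    jaccard = len(ta & tb) / len(ta | tb)
    return max(seq, jaccard)


def screen_name(name: str, threshold: float = 0.85) -> list:
    """Return every watchlist entry whose name or alias scores at or above the threshold."""
    hits = []
    for entry in WATCHLIST:
        candidates = [entry["name"], *entry["aliases"]]
        best = max(similarity(name, c) for c in candidates)
        if best >= threshold:
            hits.append({"matched": entry["name"], "list": entry["list"],
                         "score": round(best, 2)})
    return sorted(hits, key=lambda h: -h["score"])


def screen_customer(customer: dict, threshold: float = 0.85) -> dict:
    """Screen the customer and its beneficial owners; decide the onboarding outcome.

    A sanctions hit on any party blocks the relationship; a PEP hit routes the
    customer to enhanced due diligence; otherwise the customer is clear to proceed.
    """
    parties = [("customer", customer["name"])]
    parties += [("beneficial_owner", o) for o in customer.get("owners", [])]
    findings = []
    for role, name in parties:
        for hit in screen_name(name, threshold):
            findings.append({"role": role, "name": name, **hit})
    if any(f["list"] == "SANCTIONS" for f in findings):
        outcome = "BLOCK"
    elif any(f["list"] == "PEP" for f in findings):
        outcome = "ENHANCED_DUE_DILIGENCE"
    else:
        outcome = "CLEAR"
    return {"outcome": outcome, "findings": findings}


if __name__ == "__main__":
    # Constructed customer whose owner appears under a reordered name on the list.
    print(screen_customer({"name": "Northwind Imports Ltd", "owners": ["Sidorov, Ivan"]}))
```

The threshold is a tuning decision the FI owns: lowering it catches more transliteration variants at the cost of more false positives for analysts to clear, and every chosen value, along with the list versions in force at screening time, belongs in the record-keeping described later in this checklist.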

8. Transaction Monitoring & Reporting

FIs must remember that AML compliance is perpetual. This includes keeping a close eye on transactional activity. They must establish transaction monitoring (TM) protocols based on risk attributes to detect potentially suspicious activity and take appropriate action, including considering case creation and the filing of a suspicious activity report or suspicious transaction report (SAR/STR). Firms should consider incorporating customer risk scores into their review and decision-making process, and consider embedding typologies and/or enriching the data set in their AML TM solution.

9. Record-Keeping

Keep fastidious records of your activity, period. An audit trail is an essential part of every AML program. You will be asked why decisions were made, be required to show evidence that you followed your own policies and procedures, and have to produce documented risks. These requests will come from both internal parties (audit, oversight/governance committees) and external ones (regulators). Always be able to explain your actions.
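Sections 8 and 9 both describe mechanisms rather than spelling them out: risk-attribute-driven monitoring rules that embed a typology, and an audit trail that can later prove what was decided and why. The following is an added example, not code from the original article or any TM vendor, that puts the two together: a small rule set whose threshold is scaled by the customer’s CDD risk rating, one embedded typology (cash deposits structured just under a reporting threshold), and a hash-chained disposition log whose `verify()` detects any after-the-fact edit. The 10,000 reporting threshold, the risk multipliers, the 7-day window, the customer IDs and every transaction are constructed values for illustration.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed parameters: a cash reporting threshold and per-rating multipliers
# so that higher-risk customers alert at lower amounts (risk-based approach).
REPORTING_THRESHOLD = 10_000.0
RISK_MULTIPLIER = {"LOW": 1.0, "MEDIUM": 0.75, "HIGH": 0.5}


@dataclass(frozen=True)
class Txn:
    txn_id: str
    customer_id: str
    ts: datetime
    amount: float
    channel: str  # "CASH" or "WIRE"


@dataclass
class Alert:
    rule: str
    customer_id: str
    txn_ids: list
    rationale: str  # human-readable reason, kept verbatim in the audit trail


def rule_high_value(customer_id, txns, risk):
    """Single transaction at or above the risk-adjusted threshold."""
    limit = REPORTING_THRESHOLD * RISK_MULTIPLIER[risk]
    return [Alert("HIGH_VALUE", customer_id, [t.txn_id],
                  f"{t.channel} {t.amount:.2f} >= limit {limit:.2f} for {risk} risk")
            for t in txns if t.amount >= limit]


def rule_structuring(customer_id, txns, window_days=7, min_count=3):
    """Typology: several cash deposits each just under the threshold within a short window."""
    near = sorted((t for t in txns if t.channel == "CASH"
                   and 0.8 * REPORTING_THRESHOLD <= t.amount < REPORTING_THRESHOLD),
                  key=lambda t: t.ts)
    for i, first in enumerate(near):
        cluster = [t for t in near[i:] if t.ts - first.ts <= timedelta(days=window_days)]
        if len(cluster) >= min_count:
            total = sum(t.amount for t in cluster)
            return [Alert("STRUCTURING", customer_id, [t.txn_id for t in cluster],
                          f"{len(cluster)} cash deposits under {REPORTING_THRESHOLD:.0f} "
                          f"totalling {total:.2f} within {window_days} days")]
    return []


def monitor(txns, customer_risk):
    """Run every rule per customer; the risk rating comes from the CDD profile."""
    by_customer = {}
    for t in txns:
        by_customer.setdefault(t.customer_id, []).append(t)
    alerts = []
    for cid, ctxns in by_customer.items():
        risk = customer_risk.get(cid, "HIGH")  # missing rating is treated conservatively
        alerts += rule_high_value(cid, ctxns, risk)
        alerts += rule_structuring(cid, ctxns)
    return alerts


class AuditTrail:
    """Append-only log of alert dispositions; each record hashes the previous one."""

    def __init__(self):
        self.records = []

    def append(self, alert, analyst, decision, note):
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        body = {"rule": alert.rule, "customer_id": alert.customer_id,
                "txn_ids": alert.txn_ids, "rationale": alert.rationale,
                "analyst": analyst, "decision": decision, "note": note,
                "recorded_at": datetime.now(timezone.utc).isoformat(), "prev": prev}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.records.append({**body, "hash": digest})
        return digest

    def verify(self):
        """True only if no record was altered, removed or reordered since it was written."""
        prev = "0" * 64
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


def sample_txns():
    """Constructed activity: C100 structures cash; C200 is HIGH risk; C300 is LOW risk."""
    base = datetime(2024, 3, 1, 9, 0)
    return [
        Txn("t1", "C100", base, 9_500.0, "CASH"),
        Txn("t2", "C100", base + timedelta(days=1), 9_800.0, "CASH"),
        Txn("t3", "C100", base + timedelta(days=3), 9_200.0, "CASH"),
        Txn("t4", "C200", base, 6_000.0, "WIRE"),
        Txn("t5", "C300", base, 6_000.0, "WIRE"),
    ]


CUSTOMER_RISK = {"C100": "LOW", "C200": "HIGH", "C300": "LOW"}

if __name__ == "__main__":
    trail = AuditTrail()
    for alert in monitor(sample_txns(), CUSTOMER_RISK):
        trail.append(alert, "analyst-1", "ESCALATE", "constructed disposition note")
    print(json.dumps(trail.records, indent=2), "\nchain intact:", trail.verify())
```

The same 6,000 wire produces an alert for the HIGH-risk customer and none for the LOW-risk one, which is what “based on risk attributes” means in practice. The rationale string is written into the log at decision time, so the answer to a regulator’s “why was this alerted and what did you do” is the record itself, and a failing `verify()` tells the audit function that the record can no longer be relied on.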

How can RiskOps help FIs take more risks without compromising trust, security, and compliance? Watch our on-demand webinar The Evolution of Risk and AML to learn more.