1. Status Quo
The compliance function and the independent internal audit function have become integral parts of financial institutions. As key functions of the three lines of defence model, both address internal and external risks in order to continuously improve a financial institution's operational and organizational models, its systems and processes, and its internal guidelines and standards. Understanding, identifying, analyzing and evaluating the relevant AML/KYC risks is essential for a complex, global financial institution to ensure future growth and success.
Since the 2008 financial crisis, financial institutions have been burdened with continuously tightened regulatory requirements around the globe. Compliance functions, tasked with ensuring compliance with all relevant requirements, are often unable to do so effectively. The internal audit function of financial institutions is therefore increasingly asked to add value to bank operations as part of an internal audit, beyond merely providing assurance.
Current developments indicate that an effective internal audit function can facilitate the continuous improvement of a compliance organization. The independent internal audit function increasingly ensures that the front, middle and back office, i.e. the first and second lines of defence, maintain compliance with regulatory requirements, up-to-date internal standards, processes and systems, and operational and organizational guidelines.
2. Goal/Target: The effective audit of an AML/KYC compliance function
The target for a financial institution is to professionalize its compliance function, including the set-up of institution-wide (or group-wide) ethics, values and shared understanding. The compliance function must strengthen its role and the relevant compliance processes, establish itself as a safe and trusted partner to each business unit and to society, and embed a strong culture of ethics across the entire financial institution (the need for which recent history, notably the “Panama Papers”, has demonstrated).
The aim of the internal audit function should be to ensure that the organization has the proper controls, governance and risk management processes in place, while evaluating compliance risks, consolidating compliance processes where possible and implementing an end-to-end compliance process. Modern internal audit functions can find and correct deficiencies quickly and limit risks (e.g. balance sheet and reputational risks) within a financial institution.
3. An adequate Audit Risk Assessment Tool at the heart of a contemporary internal audit approach
A key contributor to setting up a suitable AML/KYC compliance function through internal audit is an effective Audit Risk Assessment Tool. The tool allows auditors to identify, assess, quantify and document inherent risks. To do so, internal auditors must directly address the obstacles that typically hamper an effective KYC/AML compliance function:
- Increased regulatory requirements
- Inadequate customer due diligence and enhanced due diligence practices
- Incomplete identification of high-risk customers
- Insufficient policies, procedures, and training
- Failures in monitoring and identifying suspicious activity
- Poor reporting and filing practices related to suspicious activity
- Ineffective independent testing and audit functions
Introduction to passcon’s 4-step contemporary audit approach
In order to address all relevant AML/KYC challenges, passcon has derived a contemporary audit approach for financial institutions based on four steps.
The initial step is to set up a holistic ‘Risk Assessment and Financial Crime Program’. This step is essential because it analyses the policies and procedures covering AML, FATCA, bribery and corruption, and “Know Your Entity” (KYE), with a focus on 1) basic factors, 2) risk factors and 3) control factors.
- Basic factors are defined by the financial institution to assess the current state of controls connected to, for example, management, policies, guidelines and procedures.
- Risk factors are inherent risk considerations. The internal auditor should set up a process to identify and assess inherent risk, quantify the residual risk that remains once controls are taken into account, and use the result to make sound audit planning decisions.
- Control factors are the controls that mitigate KYC risks and support the detection of suspicious activity and sanctions screening. The AML expertise and coverage of the institution's own employees, and the overall AML infrastructure, framework and practices, can be considered control factors.
As a second step, the internal audit function should perform targeted interviews with the key personnel who set, monitor, implement and deliver the risk assessments and financial crime programs. This may include everyone from senior management through to front office staff where necessary. As part of this step, the internal audit function may establish a support practice to determine and raise the subject matter expertise of employees, and to continuously train and guide them on AML/KYC risk assessments.
The next step, testing, is integral to the success of an effective AML/KYC compliance function. The aim is to test a series of selected processes such as client onboarding, U.S. client identification, transaction monitoring and KYC processes. The test results can be used for data quality checks, comprehensive risk-based audit planning and the set-up of an institution-wide or group-wide AML organization.
To evaluate quantitative and qualitative factors, the result of the audit can be displayed on a scorecard. The scorecard directs auditors towards the relevant considerations, facilitates thoughtful analysis and encourages well-supported conclusions through a support framework that includes SMEs, continuous training and guidance, planning for supporting data and drafting strong narratives.
The final audit opinion consolidates the results, findings and suggestions of the internal audit. It is important to report directly to senior management with a strong narrative. It is equally crucial to communicate that narrative to staff and KYC analysts, so that findings and suggestions reach the people who must act on them.
Having a coordinated AML audit program puts a financial institution’s internal audit function in a position of strength, reduces the likelihood of future penalties and safeguards the institution's reputation by addressing its…
- Governance Framework: An internal auditor must have unrestricted access to all information, data, records and systems.
- Policies and Procedures: AML standards and principles have to be outlined through a clear set of policies and procedures.
- Execution: A standardized testing program should exist to comprehensively audit the AML/KYC compliance function, including prohibited business relationships and suspicious transactions.
- Reporting: Effective and consistent reporting must ensure that AML/KYC issues are escalated appropriately.
… with a contemporary AML audit approach whilst creating an effective AML/KYC compliance function.
In conclusion, the contemporary audit approach designed by passcon allows internal audit functions to assess AML/KYC risks effectively and comprehensively and to support the set-up of an AML/KYC compliance function. Financial institutions consequently gain a strong basis for effective AML programs. These programs are grounded in relevant risk determinations while fulfilling global and national AML/KYC regulatory requirements, which leads to reduced operational and reputational risk and to lower costs through a more efficient compliance function.