An anti-money laundering (AML) audit is often viewed as a source of stress for compliance teams, with limited time and available resources making the process all the more challenging to undertake. But an AML audit does not need to be this intrusive. It can be an opportunity to enhance your compliance controls and help your firm meet and exceed regulatory requirements.
Head of Payment Services and Financial Crime, Heather O’Gorman, has extensive experience performing and reporting on compliance audits. Heather uncovers the secrets of an AML audit to help early-stage FinTechs know what to expect and how best to prepare.
What is an AML audit?
An external compliance audit plays a crucial role in confirming you have appropriate AML and financial crime controls in place. It gives critical partners like banks, investors, and finance providers vital evidence of your firm’s compliance. Auditing experts can help you achieve this by undertaking a deep dive review of your firm’s interpretations of all the applicable financial crime regulations. This would typically include interviewing relevant stakeholders as well as reviewing your files, systems, and policy documents.
You will then receive a detailed report setting out the auditors’ findings and an action plan to help you address any weaknesses in your controls. You will also get the peace of mind that comes with knowing you are on top of your firm’s financial crime risk.
What does the process look like?
A firm should demonstrate its commitment to opposing the risk of money laundering and terrorist financing by implementing a robust oversight and framework structure.
This includes:
- A comprehensive risk assessment
- The proportionality of risk-based prevention procedures
- Executive team commitment
- Due diligence policies and procedures
- Strong communication practices (including training)
- Monitoring and review processes
To demonstrate to an auditor that you have a robust AML framework, you will need to have detailed documentation in place. At a minimum, you must be able to provide your AML policy (outlining how the regulations apply to you), your AML procedures (with step-by-step instructions on how you onboard and monitor your customers), and your AML business risk assessment (clearly analyzing the risks associated with the firm’s customers, products, jurisdictions, delivery channels, and transactions, as well as explaining your mitigating controls).
The auditor will want to see evidence that you are following your framework requirements and that your day-to-day processes match the procedures you have documented. This will mean testing a sample of your client files and transaction monitoring systems.
Your senior management staff must be knowledgeable about the AML risks associated with the business and understand the necessary controls to have in place to mitigate these. The auditor will want to speak with the key stakeholders in the firm, especially the board and those senior managers that sit on any relevant risk or compliance committees.
Auditing became an interesting process throughout the pandemic, with firms and auditors having to adapt to “onsite visits” being conducted via video conference rather than in the clients’ offices. As more people return to their offices, most auditors would likely be willing to take a hybrid approach to onsite visits. While it is important to get a grasp of a firm’s culture by being in its working environment, it is also more convenient for everyone to have the flexibility to undertake some aspects of the interview process remotely.
Top tips for your AML audit
1. Ensure you engage with an AML auditor that truly understands your business model and your associated AML risks. You will want to feel comfortable with their level of knowledge and experience.
2. Gather all your AML documentation in one place. Make sure you have board approval on AML policies, procedures, and risk assessment. Sense check that policies are up to date with the latest regulations and industry guidance.
3. Have a simple naming convention for your client files and do a few file checks yourself to make sure you are confident your auditor will find everything they need.
4. Clear out any backlogs in your e-verification system, including any remaining open cases or monitor alerts.
5. Have a report ready covering all your clients and their risk ratings. The auditor is likely to ask for a certain proportion of client file reviews to include high-risk customers.
6. Remember the auditor only has a few days to get their head around your processes, system, and internal infrastructure. So, avoid company jargon and take the time to demonstrate how your tech works.
7. Don’t expect a clean bill of health. While you don’t want to end up with a non-compliant report, having a few recommendations and suggestions from your auditor is only going to strengthen your controls. The auditor will have seen a lot of different approaches to implementing a great – and sometimes not so great – AML framework, so they will be full of inspiring and independent ideas to help you push your AML controls to the next level.
How can we help you?
We are an award-winning compliance consultancy that provides financial services firms with expert compliance resources and capabilities to manage projects across all regulatory areas. For more information about our services and how we can help, contact us today on 0207 436 0630 – or email info@thistleinitiatives.co.uk.