AML, what are the common underlying issues found after an AML AUDIT?
The overall theme of the problems recorded in an AML AUDIT is:
- A failure to maintain effective systems and controls proportionate to the financial crime risks.
Within this broad description, whilst there is a wide range of underlying issues, they generally fall into two groups:
Overtly material failings:
- Transaction monitoring not turned on
- Perpetual transaction monitoring alert backlogs
- Persistent and ageing CDD refresh backlogs
- Ineffective monitoring of complex products such as trade finance and correspondent banking
- Falsely attesting to the regulator that remedial plans have been completed
Persistent minor issues:
- Late CDD reviews
- Late, vague or absent MLRO reports
- Poor and/or incomplete training
- Data accuracy and completeness inhibiting downstream controls
We have gone into greater detail below on the key themes and underlying issues across all of the institutions we have reviewed and helped.
Previous warnings or commitments unaddressed or not addressed sustainably:
- In our experience, without exception, the most severe regulatory intervention has happened where firms have failed to take sufficient and appropriate action to address previously identified weaknesses.
- This has included specific recommendations made by Regulators in previous visits or public statements as well as issues identified internally.
- This should not be a call for firms who feel they have addressed all previous issues to relax, however.
- The question inevitably comes down to how effectively matters have been addressed.
- The recent FCA Dear CEO letter to Retail firms not only highlights the need for controls to be effective but also the requirement to ensure they are well embedded.
- We have observed firms that could demonstrate that historical issues were addressed at a point in time.
- However, they had failed to recognise that mitigating activities had since drifted, or in some instances, been stopped entirely. This suggests a “ticking the box” mentality rather than the development of sustainable controls.
- Firms are expected to address all identified issues and deliver against recommendations. If things are left to drift or ignored, this will not be viewed favourably.
- Controls need to be sustainable. This means they are well documented and communicated, and there is meaningful reporting resulting in a conscious understanding of why the control is in operation.
- Firms must know how compliant they are in almost real time. Compliance monitoring and audit functions need an extensive and continuous remit to independently validate compliance levels.
Inability to articulate risks and controls clearly:
- The way individuals, and firms collectively, talk about their risk and control framework has a significant impact on outcomes.
- An effective framework is a cohesive one. It means all key personnel have a consistent and accurate understanding of risks and controls in place.
- If the messages provided are inconsistent, it creates doubt around the cohesion of the framework in place.
- A skilled auditor will explore these inconsistencies with a view to determining the “actual” answer, and in turn, the delta in understanding.
- Not only must messaging be cohesive, but it also needs to be plausible.
- That is, the articulation of risks is objective (for example, the firm isn’t trying to suggest it is low risk when peers all deem themselves high risk) and the explanation of controls is proportionate.
- A consistent and objective understanding of inherent and residual risk needs to be demonstrated both through documentation and discussion.
- All senior managers need to be able to articulate the risks and controls in a consistent manner, albeit it is reasonable that their level of insight is proportionate to their role.
Missing the “low hanging fruit”:
- We have observed a number of firms failing to get some of the basics right.
- These types of failings can suggest to an auditor that the firm is not taking the process seriously, that there are resource issues, or that compliance is just “lip service” with key processes in place which are unsupported by a strong control environment.
- Examples of what we have seen include:
  - failing to produce MLRO reports or producing very poor ones;
  - producing management information but not identifying the messages contained within it; or
  - providing untailored “out of the box” training.
- Many firms are able to explain how things work, but struggle to demonstrate this in practice because decisions or processes are not documented.
- Whilst some of this “low hanging fruit” might not be the big ticket controls which directly mitigate risks, we have seen that they sometimes receive disproportionate levels of focus from Regulators.
- Many firms fail to maintain an overarching view of the controls they have in place.
- This reduces their ability both to articulate the controls and to critically assess the purpose of the controls. By focusing on control purpose, we find that firms can ensure all controls add value.
- Have a control inventory and challenge yourself on how well controls work as a self-complementing ecosystem.
- Don’t use the MLRO report to theoretically detail what the control environment is; use it to inform management on risks, issues and future threats.
- Write it down. If it isn’t written down, you can’t demonstrate to Regulators that you actually did it.
Three lines of defence:
- Most firms will describe themselves as utilising a three lines of defence model. However, we find many firms failing to really embed the model that they describe.
- Although it is frequently cited that the first line owns the risk, a firm’s ability to demonstrate how this is achieved is often limited. A lack of decision making in the first line leads to too many decisions and sign-offs occurring in the second line. This inherently undermines the second line’s ability to operate independently.
- Additionally, the business-critical nature of onboarding decisions or alert adjudication going into the second line always takes precedence over “less important” tasks like oversight.
- Ensure everyone understands what three, distinct, lines of defence means.
- Ensure your three lines of defence model actually operates as described – both in principle and in practice.
- The first line needs to be equipped to make its own decisions unless there are truly exceptional circumstances.
- Maintain the independence of your second line function. If they are executing controls themselves or making risk decisions, they will have to mark their own homework.
- Business pressures can easily distract second line functions from performing their stated purpose – challenge yourself on whether this might be a risk.
Systemic failings in key controls:
- Perhaps unsurprisingly, systemic failings in key controls have a high likelihood of inviting regulatory scrutiny.
- Yet, it is common to see firms with known material deficiencies in CDD or transaction monitoring processes.
- Such failings are often well known within firms, even if they are not well understood.
- For instance, large backlogs of cases might be impacting business as usual activities. Sometimes the firm may be treating the symptoms, but not looking further into the root cause.
- We have increasingly seen some firms not know when transaction monitoring systems have been turned off or are not working as intended. This is often due to:
  - a lack of technical expertise on the system’s operation;
  - shared ownership across lines of defence; and
  - the locations within the bank (such as the head office or offshore processing centres) of data capture and monitoring systems.
- Senior management and assurance functions need to be asking questions that drive towards an understanding of root cause.
- Consider the cost implications of only reacting to the issue rather than improving the process.
- Key processes and controls need to be identified as such and have their critical nature appreciated.