Once a reporting entity (a business covered by the AML/CFT regime) completes its risk assessment, it must then put in place an AML/CFT (Anti-money laundering and countering financing of terrorism) programme that manages and mitigates these risks. A compliance programme has a direct relationship with the business risk assessment and must be based on it. When evaluating your programme (and risk assessment), supervisors and auditors will want to explore both its adequacy and effectiveness.
As with the risk assessment, there is no template for creating the compliance programme. The AML/CFT regime is risk-based so the compliance programme developed by each business should be specific to the characteristics of that business and its clientele, ie the programme must manage and mitigate the ML/TF risks actually faced by the business. Stock solutions are simply not good enough. For instance, if your business is low-risk you may only need a simple programme that is proportionate to its low risk.
The AML/CFT programme is a manual for your business that contains policies, procedures and controls on how to mitigate the risks that you’ve identified in your risk assessment. For example, if you rated a category of customers as high risk in your risk assessment, your programme should have adequate and effective procedures, policies and controls to address it.
To fulfill your AML/CFT requirements your compliance programme must include the two cornerstones of the regime:
- Verifying client identity; and
- Reporting suspicious activity
Customer due diligence (CDD) is the gathering and verifying of information about your customers so that you can develop an understanding of them and the ML/TF risks they pose to your business. Your compliance programme must meet the CDD requirements of the regime and the risks identified in your risk assessment.
Suspicious activity must be reported to the Financial Intelligence Unit (FIU). Your AML/CFT programme must set out adequate and effective procedures, policies and controls for reporting suspicious activities.
Your compliance programme must set out the procedures, policies and controls in place for vetting senior managers, your compliance officer and any other employees who have AML/CFT duties. Senior managers are able to influence decisions that may pose an ML/TF risk. Employees can also be sources of ML/TF risk.
Your programme also needs to detail how often you’re going to:
- review your risk assessment; and
- review the AML/CFT programme itself
These requirements ensure that the programme stays up to date and that any deficiencies can be identified and remedied. Further, your programme must show evidence of any updates and the addressing of any deficiencies.
There are record-keeping requirements under the AML/CFT regime and your compliance programme must set out the policies, procedures and controls you have put in place to fulfill these requirements. Records must be kept for at least 5 years.
The AML/CFT compliance programme is a living document that is implemented on a daily basis. Like the risk assessment, the compliance programme must be owned and understood by senior managers and any other employees with AML/CFT duties. That understanding is demonstrated by tailoring the programme to the unique needs and risks of the business. It is not the sole responsibility of the compliance officer to implement the programme. It needs to be put into practice by the people who own it, not just dismissed as a finite job well done.
The programme should be something that a new staff member with AML/CFT duties can read and thereby understand what they need to do to discharge their AML/CFT obligations. It must also set out the AML/CFT training you have in place for senior managers, your compliance officer and any other employees with AML/CFT duties.
Next in the Dirty Money Series: Customer due diligence
Sue is an accountant and financial advisor. A new client, Jenny, comes to see her and asks Sue if she can look after her company books and manage the funds. Sue takes Jenny through her company on-boarding process and records her name, a PO box address, and date of birth. Jenny wants Sue’s office to be the business address and registered office of her company. When Sue asks Jenny for her identification documents Jenny prevaricates and says she’ll drop them in next week but could Sue get started on her work in the meantime.
Should Sue commence work for Jenny while waiting for her identification documents?
Hint: Money launderers and the financers of terrorism can only use the financial system successfully if they can mask their identity.