The Dirty Money Series #12: Reviews, audits, records and reporting

Posted by Dacreed on Jul 22, 2019 11:37:00 AM



You must review your AML/CFT (anti-money laundering and countering financing of terrorism) programme to:

  • ensure it stays up to date
  • identify any deficiencies in its effectiveness

You must make any necessary changes as a result of your review. Ideally your review should be annual.


A reporting entity (other than a high-value dealer) must ensure that its AML/CFT risk assessment is audited every 2 years, or at any other time at the request of its AML/CFT supervisor. The auditor must be suitably qualified but doesn’t need to be a chartered accountant or financial auditor; for example, they could be an insurance broker or AML specialist. They must also be independent, i.e. they must not have been involved in the establishment, implementation or maintenance of your AML/CFT risk assessment or compliance programme. An employee can carry out the audit provided that they are sufficiently separated from the area of the business carrying out the relevant financial activities.


The audit is a systematic check of your risk assessment and programme to assess whether:

  • the minimum requirements have been met
  • your programme was adequate and effective during the specified period; and
  • any changes are required


The auditor may also report any suspicious activities detected during the course of the audit.


Your AML/CFT compliance programme must reflect the record-keeping requirements under the regime. You must keep transaction records for 5 years after the completion of the transaction, or longer if your supervisor or the FIU requires it. Transaction records are vital for investigators to effectively carry out the functions of the regime. Therefore, your records must contain the information necessary to enable the transaction to be readily reconstructed at any time, including its nature, amount, date and parties. There are similar record-keeping obligations for any suspicious activity report you have filed, customer identity and verification documents, and your AML/CFT risk assessment, compliance programme, and audits.

Your AML/CFT compliance programme must include adequate and effective procedures, policies and controls for meeting the regime’s record-keeping requirements, including how and where you will store your records, and your method of identifying when and how records are destroyed.

Annual reports

You must also prepare and submit an annual report of your risk assessment and AML/CFT compliance programme to your AML/CFT supervisor. It must be in the prescribed form and submitted at a time appointed by the supervisor.


Next in The Dirty Money Series: Non-compliance and penalties


Advance quiz

What is the maximum fine for a company that knowingly or recklessly fails to conduct customer due diligence?

  1. $200,000
  2. $1 million
  3. $2 million
  4. $5 million

Hint: To be effective, the AML/CFT Act imposes strict penalties to ensure businesses do not profit from breaching the Act.

