You must review your AML/CFT (anti-money laundering and countering financing of terrorism) programme to:
- ensure it stays up to date
- identify any deficiencies in its effectiveness
You must make any necessary changes as a result of your review. Ideally your review should be annual.
A reporting entity (other than a high-value dealer) must ensure that its AML/CFT risk assessment is audited every 2 years, or at any other time at the request of its AML/CFT supervisor. The auditor must be suitably qualified but doesn’t need to be a chartered accountant or financial auditor, e.g. they could be an insurance broker or AML specialist. They must also be independent, i.e. they must not have been involved in the establishment, implementation or maintenance of your AML/CFT risk assessment or compliance programme. An employee can carry out the audit provided that they are sufficiently separated from the area of the business carrying out the relevant financial activities.
The audit is a systematic check of your risk assessment and programme to assess whether:
- the minimum requirements have been met
- your programme was adequate and effective during the specified period
- any changes are required
The auditor may also report any suspicious activities detected during the course of the audit.
Your AML/CFT compliance programme must reflect the record-keeping requirements under the regime. You must keep transaction records for 5 years after the completion of the transaction, or longer if your supervisor or the FIU requires it. Transaction records are vital for investigators to effectively carry out the functions of the regime. Therefore, your records must contain the information necessary to enable the transaction to be readily reconstructed at any time, including its nature, amount, date and parties. There are similar record-keeping obligations for any suspicious activity report you have filed, customer identity and verification documents, and your AML/CFT risk assessment, compliance programme, and audits.
Your AML/CFT compliance programme must include adequate and effective procedures, policies and controls for meeting the regime’s record-keeping requirements, including how and where you will store your records, and your method of identifying when and how records are destroyed.
You must also prepare and submit an annual report of your risk assessment and AML/CFT compliance programme to your AML/CFT supervisor. It must be in the prescribed form and submitted at a time appointed by the supervisor.
Next in The Dirty Money Series: Non-compliance and penalties
What is the maximum fine for a company that knowingly or recklessly fails to conduct customer due diligence?
- $1 million
- $2 million
- $5 million
Hint: To be effective, the AML/CFT Act imposes strict penalties to ensure businesses do not profit from breaching the Act.