The state of constant flux of the AML/CFT legal and regulatory landscape necessitates a dedicated function to assess the level of compliance and effectiveness of subject persons’ policies, procedures, measures and controls from time to time. 

External independent AML audits are key to uncovering the major pain-points surrounding AML/CFT procedures and controls by providing an objective, impartial perspective and unbiased understanding of the subject persons’ AML/CFT strategy. 

External independent AML audits can help to ensure the swift identification and appropriate mitigation of risk, elicit an authentic understanding of the subject persons’ standing in terms of AML/CFT compliance, assist with keeping up with the pace of regulatory and legislative change and devise remedial action plans to implement and maintain the evolving requirements in practice. 

The local regulatory framework itself places an important emphasis on the need to employ such an independent AML audit function with the purpose of evaluating the effectiveness of operations on a continuous basis.

While no time frame is specified for such independent AML audits to be conducted, a best practice is to conduct such independent audits annually, when there are significant regulatory changes, also following substantial revisions to the policies, procedures, measures and controls, as well as any other major changes in the business model or activities. 

This does not entail that a fully-fledged independent AML audit should be conducted every year, unless the size and nature of the business prerequisites such an approach, but subject persons could choose to focus on thematic or targeted areas from year to year, potentially those areas identified as posing a higher level of risk through the business risk assessment. 

Such areas could include the subject persons’ risk assessment and management strategies, alignment of policies and procedures with the applicable regulatory framework, customer onboarding and due diligence procedures, and transaction monitoring systems and procedures. Hence, a risk-based approach should be adopted to determine the areas that should be incorporated into the scope and design of these independent AML audits.

The benefits of independent AML audits are manifold. To begin with, engaging external consultants to assist with evaluating, enhancing and/or aligning policies, procedures, measures and controls with the respective regulatory framework provides subject persons with a holistic and unbiased view of their status when it comes to the level of technical compliance and effectiveness of their AML/CFT strategy. 

The quality of reporting that results from an independent AML audit is objective and systematic and provides recommendations which are informed and practical. 

“The level of expertise in AML/CFT of the independent AML auditors is an essential factor”

Moreover, the practice of having regular independent AML audits will enhance the subject persons’ image across factions, namely with clients, potential investors and regulators. Particularly in the case of regulators, adopting such a practice indicates that subject persons are committed to taking the necessary steps to ensure a high level of compliance with the regulatory requirements. 

A critical component for an effective independent AML audit is communication. Photo: Shutterstock.comA critical component for an effective independent AML audit is communication. Photo: Shutterstock.com

The contributions and insights of independent AML auditors can be integrated into processes and procedures and shared with staff and significant stakeholders to increase their awareness around the major pain-points, and to take on board the practical recommendations and, in turn, optimise their functions. 

Moreover, by maintaining ongoing independent AML audits, subject persons can ensure that any shortcomings or oversights in their AML/CFT strategy are identified and rectified in a timely manner, thereby assuring that subject persons are always compliant and prepared for potential regulatory examinations and avoiding incurring unnecessary fines or reputational damage.

An independent AML audit will include a review of the policies and procedures, interviews with the subject persons’ MLRO and potentially other relevant stakeholders, as well as a review of a sample of client files to ensure that the procedures, measures and controls outlined in the policies and procedures are being implemented in practice, and that there is overall compliance operations. The observations that emerge from such a review and testing against the applicable regulatory framework will be outlined and recommendations for remedial action will also be provided. 

Subsequent independent AML audits could then incorporate an assessment of the implementation of the recommended actions and commentary on the subject persons’ progress in this regard.

One essential component of effective independent AML audits is the quality and quantity of resources, including human, technological and logistical. In terms of the human aspect, the level of expertise in AML/CFT of the independent AML auditors is an essential factor which contributes to an effective independent AML audit. Proficiency with the respective legal and regulatory framework is necessary, however, a successful auditor will also possess industry-specific experience and a high level of commitment to the process. 

Technological tools and systems can support the independent AML audit function to categorise, organise, record and access information and data, and distribute this data to the relevant stakeholders. 

With respect to logistical elements, these should be decided against the scope of the assignment, which should be clear from the outset of each audit. 

Another critical component for an effective independent AML audit is communication. Subject persons and auditors should appreciate that the independent AML audit is not a regulatory examination, but a methodological and collaborative exercise focused on the AML/CFT strategy with the primary scope of identifying the main areas for improvement and recommending tangible solutions to progress. 

The auditors’ aim is to gain the best and most representative understanding possible, and this can only be achieved through keeping open communication and feedback loops to facilitate continuous improvement in the subject persons’ AML/CFT strategy.

How can we help?

KPMG’s Risk Consulting AML/CFT professionals are fully committed to assist you with carrying out these independent AML audits. We have proven expertise to help you in complying with the different legislations/guidelines and to provide you with valuable recommendations for the improvement of your AML/CFT programme.

Deborah Cassar and Louise Agius are associate director and assistant manager, AML, Risk Consulting Advisory Services, KPMG in Malta, respectively (deborahcassar@kpmg.com.mt; louise agius@kpmg.com.mt).

Sign up to our free newsletters

Get the best updates straight to your inbox:
Please select at least one mailing list.

You can unsubscribe at any time by clicking the link in the footer of our emails. We use Mailchimp as our marketing platform. By subscribing, you acknowledge that your information will be transferred to Mailchimp for processing.