An AML/CFT Independent Audit remains a vital element of any effective Compliance Program for Regulated Financial Institutions. All regulated Financial Institutions and Non-Financial Businesses and Professionals (NFBPs) are required to have at least one (1) annual Audit completed of their AML/CFT Framework and Systems. This must not be mistaken for any assessment done by the internal or outsourced Compliance Officer. This is the responsibility of the Board and Senior Management and they should have knowledge that the Compliance Officer cannot be the one conducting this Audit or it would be a Conflict of Interest. Communication with the Auditors and Regulators also plays an integral role during the Audit Process.

In Antigua and Barbuda, According to the Money Laundering (Prevention) (Amendment) Regulations, 2009 – “A financial institution shall maintain an adequately resourced and independent audit function to test compliance including sample testing with AML/CFT procedures, policies and controls.” An AML Audit is not a “check box” exercise or a task to be done in haste to meet or satisfy regulatory demands. The person or firm conducting the Audit should have the necessary skills, experience and qualifications. This will ensure that the Audit is properly conducted and the Auditor provides quality recommendations, so that the regulated entity can use the findings and recommendations to improve upon deficient areas.

In deciding and selecting the Auditor, the regulated entity should ensure that pertinent areas are addressed. These include:

 Whether the Auditor has knowledge of regulatory expectations and that of the industry in which the entity operates.

 Whether the Auditor understands the evolving Laws, Regulations and AML/CFT Auditing Methodologies.

 Whether the Auditor understands the risks and red flags of the business being audited.

 Whether the Auditor will be able to work and communicate with all stakeholders of the entity in a professional manner.

 Whether the Auditor has the integrity and ethics due to the sensitivity and confidentiality of information and documents that will come up during the Audit.

Some Dos before the Auditor comes in:

 Prepare, Prepare, Prepare for an Audit – There is no such thing as being overly prepared.

 Look for anomalies, deficiencies, gaps in your AML/CFT Program and correct them – Ensure there is a Task Force headed by the Compliance Officer and this requires months of planning before the Audit.

 Use past AML/CFT Reports as a guide to improve upon deficiencies.

 The Compliance Officer should conduct internal assessment/verification exercises leading up to an Audit.

 Focus on AML/CFT Risk Management during the course of operations and ensure the tone is set from the top by the Board. The Board and AML/CFT Risk Committees (if in place) should take ownership and ensure oversight of the Program and should not leave everything up to the Compliance Officer.

 The Compliance Officer, Management, Board and employees should have ongoing discussions on the AML/CFT Program, its successes and its weaknesses and ensure discussions are documented.

 Auditor are people just like you so never be intimidated – Employees should be prepared in advance on how to handle an Audit.

After an Audit has been completed, the institution must seek to implement the necessary changes (if any) from the report. Share the findings with the relevant employees who are directly involved in the deficiencies that need to be corrected. Solicit the advice of these employees, especially Front Line staff on how they feel the Program could work better and never rely on just seniority. Additionally, the Task Force appointed internally must set deadlines and timeframes for the changes and list those who are responsible for getting the tasks completed. Finally, try to keep detailed records of the Audit. These may be requested by examiners, bear in mind fines and sanctions can be levied against the institution if it fails to address Audit issues.

Most common deficiencies that can be found in an AML/CFT Audit are generally lack of rigorous Risk Assessment Process and Board and Senior Management Oversight. Both areas if non-compliant or even partially compliant, will pretty much affect all other areas assessed by the Auditor. Lack of sufficient transaction testing, monitoring and follow-ups, ensuring actions are taken from decisions made are also significant gaps identified. Additionally, insufficient scope and methodology, as well as, an unqualified and/or inexperienced AML/CFT Auditor can contribute to legal deficiencies. In order to avoid these deficiencies it is important that you have a qualified and experienced Team, including that of the Auditor. Make sure your Compliance Officer and the person or institution conducting the Audit has at least a Certified Anti-Money Laundering Specialist (CAMS) designation or other similar qualification.

It is also important to establish a professional relationship with the Regulators and FIUs, as well as, ensuring that your AML/CFT Program is risk based. Be proactive rather than reactive and comply, comply, comply by your internal AML/CFT Program’s requirements, and laws and regulations of your country.

Remember that any comments and queries can be sent to us at kaw@kawmanagement.com and info@kawmanagement.com or visit our website at www.kawmanagement.com.