Malta: How To Conduct An Internal AML/CFT Audit (Video)

In today's WH Insights episode, Davinia Cutajar (Partner WH Partners) talks about AML/CFT audits' best practices.

The first thing to identify when carrying out an AML/CFT audit is who should carry out the audit.

The ideal candidate is a person who would not be auditing his own work.

In other words, it should not be the Money Laundering Reporting Officer or someone from the compliance team. Similarly, you want to avoid the audit being carried out by someone who has a conflict of interest, such as the head of sales.

Once the right person is identified, the scope and extent of the audit should be clearly documented.

Most audits start with a review of the entity's policies and procedures manual to ensure it is in line with the law and any recent amendments.

Assuming the policies and procedures do not require revision, a sample of customer files is reviewed to document whether the entity is following its own policies.

You'll also want to review the Customer Risk Assessment, apart from the due diligence documentation collected, and ensure the documentation collected is in line with the entity's own policies and procedures and the law and document retention policy.

The entity's ongoing monitoring obligations towards each of its customers will dictate how much time you dedicate to reviewing the effectiveness of the monitoring procedures because the services being offered dictate the extent of monitoring to be carried out.

In my opinion, no audit is complete if it does not also review staff training records and whether the entity's internal and external reporting channels are known to staff and are being used properly.

Since the scope of AML/CFT laws is for obliged entities to report suspicious activity to the Financial Intelligent Unit, no audit would be complete if it did not check whether internal reports were being raised by the staff to the MLRO, and what the MLRO was doing with such reports.

This leads me back to my point about the MLRO and members of the compliance team not auditing themselves, since they would be blind to their own shortcomings, or have a vested interest in hiding them.

In conclusion, the audit should report findings in clear and unequivocal terms, and in my experience, companies welcome recommendations for improvement.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.