INDEPENDENT TESTING FOR FINANCIAL INSTITUTIONS AND DESIGNATED NON-FINANCIAL INSTITUTIONS
Financial institutions and designated non-financial institutions need a means of independently validating the development and operation of their risk assessment and management processes and related internal controls, and of obtaining appropriate comfort that the adopted risk-based methodology reflects the risk profile of the institution. This independent testing and reporting can be conducted by highly skilled professionals from E-Four and AAF, who will evaluate the adequacy of the financial institution’s overall AML/CFT programme and the quality of risk management across the financial institution’s operations, departments and subsidiaries, using comprehensive procedures and testing that cover all activities.
Risk-based Audit Programmes will vary depending on the institution’s size, complexity, scope of activities, risk profile, quality of control functions, geographic diversity and use of technology. An effective risk-based auditing Programme will cover all of the institution’s activities. The frequency and depth of each audit activity will vary according to the activity’s risk assessment.
Independent testing by E-Four and AAF will (at a minimum) include:
- The evaluation of the overall adequacy and effectiveness of the AML/CFT Compliance Programme, including policies, procedures and processes. This evaluation will contain an explicit statement about the AML/CFT compliance programme’s overall adequacy and effectiveness and compliance with applicable regulatory requirements. At the very least, the audit should contain sufficient information for the reviewer (e.g. an Examiner, review auditor or Financial Intelligence Unit officer) to reach a conclusion about the overall quality of the AML/CFT Compliance Programme;
- A review of the financial institution’s risk assessment for reasonableness given the institution’s risk profile (products, services, customers, entities and geographic locations);
- Appropriate risk-based transaction testing to verify the financial institution’s adherence to the Financial Action Task Force record keeping and rendition of returns requirements on Politically Exposed Persons (PEPs), STRs and CTRs information sharing requests;
- An evaluation of management’s efforts to resolve violations and deficiencies noted in previous audits and regulatory examinations, including progress in addressing outstanding supervisory actions (if applicable);
- A review of staff training for adequacy, accuracy and completeness;
- A review of the effectiveness of the suspicious transaction monitoring systems (manual, automated or a combination) used for AML/CFT compliance. Related reports may include, but are not limited to:
  - Suspicious transaction monitoring reports;
  - Large currency aggregation reports;
  - Monetary instrument records;
  - Funds transfer records;
  - Non-sufficient funds (NSF) reports;
  - Large balance fluctuation reports;
  - Account relationship reports;
- An assessment of the overall process for identifying and reporting suspicious transactions, including a review of filed or prepared STRs to determine their accuracy, timeliness and completeness, and the effectiveness of the institution’s policy; and
- An assessment of the integrity and accuracy of the MIS used in the AML/CFT Compliance Programme. MIS includes the reports used to identify and extract data on large currency transactions, aggregate daily currency transactions, funds-transfer transactions and monetary instrument sales transactions, as well as analytical and trend reports.