The cost of running a compliance function for anti-money laundering and countering the financing of terrorism (AML/CFT) in an organization is far less than the price it may pay for noncompliance. Because of increased regulatory focus, penalties levied affect the bottom line and become a going-concern issue with license suspensions or cancellations. Given the social, economic, and political ramifications of money laundering and terrorism financing, it is becoming more difficult for organizations to consciously ignore AML/CFT compliance. The next 10 years could witness enhanced regulatory compliance across jurisdictions, so internal audit's role in ensuring strict AML/CFT compliance assumes greater importance.
Money laundering is about channeling illegal, "dirty" money through a legitimate means to make it appear as "clean" money within the system. This can be explained in three phases: placement, layering, and integration. In the placement phase, illegal money physically enters into the financial system, such as huge bank account deposits via bank tellers or ATMs. The layering phase involves executing complex transactions with the sole intention of concealing the origin of the funds and diluting the audit trail for further investigations. In the integration phase, the proceeds re-enter the financial system as apparent legitimate funds. Money laundering is a derivative crime; in other words, it is a crime that derives out of another crime. Its nature as a crime depends on the genesis of the funds.
Internal Audit's Role
The money launderer's objective is to convert illegally obtained money into legal tender through inappropriate methods, and in the process avoid the attention of prosecutors or auditors. A clear understanding of AML/CFT helps internal auditors conduct reviews more effectively. At a minimum, internal audit should focus on these areas:
Top management intent. Conduct interviews with key top management individuals. Internal control questionnaires, checklists, and management letters are commonly used in these interviews. However, also assess the willingness and commitment of top management to protect the organization from the threat of money laundering and terrorism financing. This critical exercise should become the basis for review and the depth of sample coverage.
Business operations. Understand the business operations of the organization in detail. Without a thorough understanding, auditors will not be able to identify a transaction that is abnormal to the course of business.
Customers. In financial institutions, ensure that the organization is complying with know-your-customer procedures both in form and spirit. Policies and procedures should provide measures for updating know-your-customer forms annually, which establish the identity of the customer, the nature of the customer's activities, and money laundering risks, if any, associated with that customer. Check whether the declarations made by customers in their undertakings are being followed in reality. For example, a customer might declare that he may invest up to $25,000 per year in portfolio management. However, during the year he invests almost $50,000 from undisclosed income. The organization may not raise it as a red flag because of commissions on those transactions.
Risk assessments. Ensure the organization has conducted a risk assessment of customers, geographic affiliations, company products, channels of product routing, etc. Review the nature and volume of transactions and types of products the organization deals with.
Suspicious transactions. By nature, suspicious transactions are more complex and obscure. Internal auditors should get to the bottom of these transactions to ensure they are genuine and should not check them off their list unless they are completely convinced about their purpose. Enhanced due diligence measures should be taken for non-face-to-face business transactions when the customer has not been seen or the business site has not been visited.
Reporting culture. Review the number of suspicious transaction reports raised by the compliance officer during the review period and assess which ones were not reported to the financial intelligent units in the respective countries. These could be false alarms, but scrutinizing those unreported suspicious transactions that could potentially be money laundering transactions may reveal suppression by management and whistleblower silencing.
From and to. All transactions should have the required documentation, including originator and beneficiary details. Missing information in cross-border transactions has caused some of the largest money laundering cases to take a decade or more to resolve, so review all cross-border wire transfers in detail. AML systems also should be reviewed to ensure that the application does not have options to suppress data.
Blacklisted names. Review the AML system and test its capability of capturing data on time, and identifying and red flagging the blacklisted and Specially Designated Persons lists provided by the United Nations and the U.S. Office of Foreign Assets Control, respectively. Determine whether the system is capable of correctly identifying blacklisted names in English and local languages.
Politically exposed persons. People with diplomatic immunity, defined under the politically exposed persons category, are entrusted with a prominent public function and are at higher risk of getting involved in money laundering and terrorism financing transactions. Ensure the organization has mechanisms to identify customers of this category and conducts enhanced due diligence.
Nonprofit organizations. In many countries, organizations with an exempt status become the front-end and most misused vehicles to launder money. Review the grants received, nature and origin of receipts, and ultimate beneficiaries of grants, if it is a recipient organization. In donor organizations, determine whether the donations are made to genuine and reliable nonprofits for a purpose and that those monies are not routed to terrorist networks.
High-risk countries. Engaging with AML/CFT noncompliant countries (assigned as such by the intergovernmental Financial Action Task Force) poses a greater threat for noncompliance. Review how the organization is complying with procedures while dealing with subsidiaries or associates situated in such countries.
Employee protection. Review the whistleblower protection policy and protection to employees raising red flags. Internal sources are many times the strongest lead for an internal auditor in helping detect malpractices in money laundering.
Think Outside the Box
Detecting money laundering and terrorism financing transactions is a challenge for internal auditors because perpetrators bringing ill-gotten money into the system actively conceal the audit trail to avoid prosecution. Because of this, internal auditors conducting AML/CFT reviews should be more vigilant, attentive, and creative to find wrongdoing and ensure compliance.