Reuters reports that payment transfer company MoneyGram International Inc agreed to forfeit US$100 million and admitted it aided in wire fraud and failed to maintain an effective anti-money laundering program. According to the U.S. Justice Department, MoneyGram processed thousands of transactions for its own agents who often tricked victims into wiring them money by posing as relatives or promising large cash prizes.
It is common to hear about the dangers of losing money to scam artists and money launderers, but this case surrounding fraudulent transactions within a large payment transfer company is more surprising. It appears that MoneyGram agents were using tactics similar to those from which they were supposed to protect their customers, such as contacting unsuspecting people and posing as relatives who had an immediate, urgent need for money to be transferred to them via MoneyGram.
According to the report, MoneyGram has taken several steps to address weaknesses by, for example, agreeing to retain a monitor who will provide regular reports to regulators, adding executive-level positions to combat fraud, and creating an independent compliance and ethics committee on its board. However, an important additional step in determining whether MoneyGram has turned a corner in addressing weaknesses is to allow an auditor to assess the organization's governance, risk management, and control processes with a particular focus on the degree to which its anti-money laundering and anti-fraud programs are effective, including:
- Adequacy of the risk assessment and risk mitigations around fraud and anti-money laundering activities that impact the organization.
- Customer due diligence policies, procedures, and processes to determine compliance with requirements.
- Adequacy of the organization's anti-money laundering and fraud policies, procedures, and processes and whether employees are complying with them. It is the latter potential employee fraud concern that is key to deterring and detecting the kind of behavior reported in this case.
- Transaction testing with particular emphasis on high-risk operations.
- Adequacy of employee and third-party human resources policies, processes, and compliance, including recruitment, security and background checks, training, and code of conduct and discipline.
- Integrity and accuracy of management information systems used in fraud and anti-money laundering compliance.
- Adequacy of controls over financial transactions, including suspicious activity/transaction reporting systems.
Overall, when developing and administering an audit of an organization's anti-money laundering and anti-fraud programs, auditors should be mindful of the five key components of COSO's Internal Control–Integrated Framework (control environment, risk assessment, control activities, information and communication, and monitoring) and address both deficiencies as well as best practices.