Audit and AML/CFT

 

An audit is a detailed examination of a company's financial records, tax returns, internal processes, or operations to ensure accuracy and compliance. The word "audit" comes from the Latin word audire, which means "to hear". 

There are several types of audits, including:

Financial audits

Verify the fairness of an organization's financial statements. 

Performance audits

Also known as management audits, these audits evaluate the efficiency and effectiveness of government programs or agencies. 

IRS audits

Review an individual's or organization's books, accounts, and financial records to ensure that tax returns are reported correctly. 

IT audits

Examine an organization's information technology, including physical and environmental security, logical security, change management, backup and recovery, incident management, and information security. 

AML/CFT Audit

The significance of an AML/CFT audit is as follows:

AML/CFT Audit is an Independent Function

An AML/CFT audit is an independent evaluation of the AML/CFT system, Policies and Procedures, based on the records as well as interactions with relevant people associated with the firm’s AML/CFT system.

AML/CFT Audit: Internal/External

The audit may be conducted by internal or external experts, depending on the firm’s compliance requirements arising from its own needs or from external pressures such as statutory fulfilment.

Audits are usually conducted by an independent, external party. However, a business can initiate an internal audit to check its own processes and procedures.

Assesses AML/CFT Program Efficiency

AML/CFT audit evaluates the effectiveness of the AML/CFT program and ensures that it aligns with the latest AML/CFT laws of India and the Enterprise-wide Risk Assessment (EWRA) of the Reporting Entity.

Provides Unbiased Suggestions to Combat the Identified Vulnerabilities

AML/CFT audit recognises vulnerabilities in the AML/CFT program and includes suggestions to overcome them and mitigate money laundering (ML), terrorism financing (TF) and proliferation financing (PF) risks.

Strengthens AML/CFT Compliance Culture

Regular AML/CFT audits strengthen the AML Compliance Culture of the Reporting Entity by demonstrating the commitment of Senior Management towards AML/CFT compliance.

Create Positive Reputation

AML/CFT audit improves the reputation of the Reporting Entity amongst its customers, investors, as well as AML/CFT regulators by demonstrating its commitment to AML/CFT compliance and combating ML, TF and PF risks.


AML and Financial Audits

Typically, a certified public accounting firm performs a financial audit, which involves a review of the financial statements, while an AML audit focuses on verifying the adequacy and effectiveness of a company’s anti-money laundering programme.

A comprehensive and informative database is essential to any audit, whether it’s a financial audit or an AML audit. A robust database allows information to be retrieved easily at multiple levels, providing valuable insight into the complexity of auditing processes and transactions.

It also enables auditors to gain deeper insights into context, underlying risks and potential anomalies. Maintaining a high quality database is therefore critical to ensuring thorough and reliable audit procedures, ultimately enhancing the effectiveness and trustworthiness of audit findings and recommendations.

Maintaining a robust database for the RE’s risk assessment and transaction monitoring processes ensures easy retrieval of the valuable information essential for AML audits.

BIS on Audit of AML/CFT

On 02 July 2020, the Basel Committee on Banking Supervision issued the updated version of its guidelines on Sound management of risks related to money laundering and financing of terrorism, with guidance on the interaction and cooperation between prudential and anti-money laundering and combatting the financing of terrorism (AML/CFT) supervisors.

According to BIS, there are three lines of defence against ML/FT risks, viz. the Front Office, supported by Board-approved Policies and Procedures; the Compliance Officer, responsible for reporting to the FIU and for creating and maintaining internal governance, training and liaison with top management; and, last but not least, internal audit.

 

Internal audit, the third line of defence, plays an important role in independently evaluating the risk management and controls, and discharges its responsibility to the audit committee of the board of directors or a similar oversight body through periodic evaluations of the effectiveness of compliance with AML/CFT policies and procedures. A bank should establish policies for conducting audits of (i) the adequacy of the bank’s AML/CFT policies and procedures in addressing identified risks; (ii) the effectiveness of bank staff in implementing the bank’s policies and procedures; (iii) the effectiveness of compliance oversight and quality control including parameters of criteria for automatic alerts; and (iv) the effectiveness of the bank’s training of relevant personnel. Senior management should ensure that audit functions are allocated staff that are knowledgeable and have the appropriate expertise to conduct such audits. Management should also ensure that the audit scope and methodology are appropriate for the bank’s risk profile and that the frequency of such audits is also based on risk. Periodically, internal auditors should conduct AML/CFT audits on a bank-wide basis. In addition, internal auditors should be proactive in following up their findings and recommendations. As a general rule, the processes used in auditing should be consistent with internal audit’s broader audit mandate, subject to any prescribed auditing requirements applicable to AML/CFT measures.


FATF on Audit of AML/CFT

 The FATF Recommendations set out a comprehensive and consistent framework of measures which countries should implement in order to combat money laundering and terrorist financing, as well as the financing of proliferation of weapons of mass destruction. Countries have diverse legal, administrative and operational frameworks and different financial systems, and so cannot all take identical measures to counter these threats.

The FATF Recommendations, therefore, set an international standard, which countries should implement through measures adapted to their particular circumstances. The FATF Standards comprise the Recommendations themselves and their Interpretive Notes, together with the applicable definitions in the Glossary.   

 

INTERPRETIVE NOTE TO RECOMMENDATION 18 (internal controls and foreign branches and subsidiaries)

Financial institutions’ programmes against money laundering and terrorist financing should include: (a) the development of internal policies, procedures and controls, including appropriate compliance management arrangements, and adequate screening procedures to ensure high standards when hiring employees; (b) an ongoing employee training programme; and (c) an independent audit function to test the system.

Financial groups’ programmes against money laundering and terrorist financing should be applicable to all branches and majority-owned subsidiaries of the financial group. These programmes should include measures under (a) to (c) above, and should be appropriate to the business of the branches and majority-owned subsidiaries. Such programmes should be implemented effectively at the level of branches and majority-owned subsidiaries. These programmes should include policies and procedures for sharing information required for the purposes of CDD and money laundering and terrorist financing risk management. Group-level compliance, audit, and/or AML/CFT functions should be provided with customer, account, and transaction information from branches and subsidiaries when necessary for AML/CFT purposes. This should include information and analysis of transactions or activities which appear unusual (if such analysis was done); and could include an STR, its underlying information, or the fact that an STR has been submitted. Similarly, branches and subsidiaries should receive such information from these group-level functions when relevant and appropriate to risk management. Adequate safeguards on the confidentiality and use of information exchanged should be in place, including to prevent tipping-off. Countries may determine the scope and extent of this information sharing, based on the sensitivity of the information, and its relevance to AML/CFT risk management.


INTERPRETIVE NOTE TO RECOMMENDATION 19 (higher-risk countries)

 Requiring increased supervisory examination and/or external audit requirements for branches and subsidiaries of financial institutions based in the country concerned.

Requiring increased external audit requirements for financial groups with respect to any of their branches and subsidiaries located in the country concerned.


FATF audits its members’ compliance with its 40 Recommendations through what is called a Mutual Evaluation every 10 years and publishes the finalized report in the subsequent year. This helps in coordinating and clipping any lapses in the broad AML/CFT standards prescribed by the FATF 40 Recommendations.


RBI, India on AML/CFT Audit

The relevant provisions of the Master Direction (MD) dated 25 Feb 2016, updated as on Jan 04, 2024, from RBI, India are given below:

Video based Customer Identification Process (V-CIP):

Video based Customer Identification Process (V-CIP) is an alternate method of customer identification with facial recognition and customer due diligence by an authorised official of the RE by undertaking seamless, secure, live, informed-consent based audio-visual interaction with the customer to obtain identification information required for CDD purpose, and to ascertain the veracity of the information furnished by the customer through independent verification and maintaining audit trail of the process. Such processes complying with prescribed standards and procedures shall be treated on par with face-to-face CIP for the purpose of this Master Direction.

Compliance of KYC policy

REs shall ensure compliance with KYC Policy through:

  i. Specifying as to who constitute ‘Senior Management’ for the purpose of KYC compliance.
  ii. Allocation of responsibility for effective implementation of policies and procedures.
  iii. Independent evaluation of the compliance functions of REs’ policies and procedures, including legal and regulatory requirements.
  iv. Concurrent/internal audit system to verify the compliance with KYC/AML policies and procedures.
  v. Submission of quarterly audit notes and compliance to the Audit Committee.


Customer Due Diligence (CDD)

In case e-KYC authentication cannot be performed for an individual desirous of receiving any benefit or subsidy under any scheme notified under section 7 of the Aadhaar (Targeted Delivery of Financial and Other subsidies, Benefits and Services) Act, 2016 owing to injury, illness or infirmity on account of old age or otherwise, and similar causes, REs shall, apart from obtaining the Aadhaar number, perform identification preferably by carrying out offline verification or alternatively by obtaining the certified copy of any other OVD or the equivalent e-document thereof from the customer. CDD done in this manner shall invariably be carried out by an official of the RE and such exception handling shall also be a part of the concurrent audit as mandated in paragraph 8. REs shall ensure to duly record the cases of exception handling in a centralised exception database. The database shall contain the details of grounds of granting exception, customer details, name of the designated official authorising the exception and additional details, if any. The database shall be subjected to periodic internal audit/inspection by the RE and shall be available for supervisory review.

CDD under V-CIP

The RE shall ensure end-to-end encryption of data between customer device and the hosting point of the V-CIP application, as per appropriate encryption standards. The customer consent should be recorded in an auditable and alteration proof manner.

The V-CIP infrastructure / application should be capable of preventing connection from IP addresses outside India or from spoofed IP addresses.

The video recordings should contain the live GPS co-ordinates (geo-tagging) of the customer undertaking the V-CIP and date-time stamp. The quality of the live video in the V-CIP shall be adequate to allow identification of the customer beyond doubt.

The application shall have components with face liveness / spoof detection as well as face matching technology with high degree of accuracy, even though the ultimate responsibility of any customer identification rests with the RE. Appropriate artificial intelligence (AI) technology can be used to ensure that the V-CIP is robust.

Based on experience of detected / attempted / ‘near-miss’ cases of forged identity, the technology infrastructure including application software as well as work flows shall be regularly upgraded. Any detected case of forged identity through V-CIP shall be reported as a cyber event under extant regulatory guidelines.

The V-CIP infrastructure shall undergo necessary tests such as Vulnerability Assessment, Penetration testing and a Security Audit to ensure its robustness and end-to-end encryption capabilities. Any critical gap reported under this process shall be mitigated before rolling out its implementation. Such tests should be conducted by the empanelled auditors of Indian Computer Emergency Response Team (CERT-In). Such tests should also be carried out periodically in conformance to internal / regulatory guidelines.

All accounts opened through V-CIP shall be made operational only after being subject to concurrent audit, to ensure the integrity of process and its acceptability of the outcome.
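A concurrent auditor's check of V-CIP session records against the requirements listed above, as an added example (not code from RBI or from any RE). The field names, the hash-chained consent log used to make consent "alteration proof", and the permitted IP ranges are assumptions constructed for illustration.

```python
import hashlib
import ipaddress
import json

# Assumption: placeholder networks standing in for the RE's maintained list of
# Indian IP ranges (RFC 5737 documentation range, not a real allocation).
INDIA_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
GENESIS = "0" * 64


def entry_hash(prev_hash, payload):
    """Hash of one consent-log entry, bound to the previous entry's hash."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append_consent(log, payload):
    """Append a consent event to a hash-chained (tamper-evident) log."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"payload": payload, "prev": prev, "hash": entry_hash(prev, payload)})


def first_broken_link(log):
    """Index of the first entry whose chain link fails, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["payload"]):
            return i
        prev = entry["hash"]
    return None


def audit_session(session, consent_ids):
    """Return the list of findings for one V-CIP session record."""
    findings = []
    ip = ipaddress.ip_address(session["source_ip"])
    if not any(ip in net for net in INDIA_NETWORKS):
        findings.append("source IP outside permitted ranges")
    gps = session.get("gps")
    if not gps or not (-90 <= gps[0] <= 90 and -180 <= gps[1] <= 180):
        findings.append("missing or invalid geo-tag")
    if not session.get("recorded_at"):
        findings.append("missing date-time stamp")
    if session["session_id"] not in consent_ids:
        findings.append("no consent entry in verified log")
    if session.get("account_operational") and not session.get("concurrent_audit_done"):
        findings.append("account operational before concurrent audit")
    return findings


def audit_all(sessions, consent_log):
    """Verify the consent chain, then audit every session against it."""
    broken = first_broken_link(consent_log)
    # Entries at and after a broken link cannot be relied on as evidence.
    trusted = consent_log if broken is None else consent_log[:broken]
    consent_ids = {e["payload"]["session_id"] for e in trusted}
    return broken, {s["session_id"]: audit_session(s, consent_ids) for s in sessions}


def sample_data():
    """Constructed sample records; none of this is real customer data."""
    sessions = [
        {"session_id": "S1", "source_ip": "203.0.113.10", "gps": (19.07, 72.87),
         "recorded_at": "2024-01-10T10:00:00+05:30",
         "account_operational": True, "concurrent_audit_done": True},
        {"session_id": "S2", "source_ip": "198.51.100.7", "gps": None,
         "recorded_at": "2024-01-10T11:30:00+05:30",
         "account_operational": True, "concurrent_audit_done": False},
        {"session_id": "S3", "source_ip": "203.0.113.20", "gps": (28.61, 77.21),
         "recorded_at": "2024-01-10T12:15:00+05:30",
         "account_operational": False, "concurrent_audit_done": False},
    ]
    log = []
    for s in sessions:
        append_consent(log, {"session_id": s["session_id"], "consent": True})
    return sessions, log


if __name__ == "__main__":
    sessions, log = sample_data()
    broken, report = audit_all(sessions, log)
    print("consent chain broken at:", broken)
    for sid, findings in report.items():
        print(sid, findings or "no findings")
```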

Reporting requirement under Foreign Account Tax Compliance Act (FATCA) and Common Reporting Standards (CRS)

Develop a system of audit for the IT framework and compliance with Rules 114F, 114G and 114H of Income Tax Rules.

Hiring of Employees and Employee training

  1. Adequate screening mechanism, including Know Your Employee / Staff policy, as an integral part of their personnel recruitment/hiring process shall be put in place.
  2. REs shall endeavour to ensure that the staff dealing with / being deployed for KYC/AML/CFT matters have: high integrity and ethical standards, good understanding of extant KYC/AML/CFT standards, effective communication skills and ability to keep up with the changing KYC/AML/CFT landscape, nationally and internationally. REs shall also strive to develop an environment which fosters open communication and high integrity amongst the staff.
  3. On-going employee training programme shall be put in place so that the members of staff are adequately trained in KYC/AML/CFT policy. The focus of the training shall be different for frontline staff, compliance staff and staff dealing with new customers. The front desk staff shall be specially trained to handle issues arising from lack of customer education. Proper staffing of the audit function with persons adequately trained and well-versed in KYC/AML/CFT policies of the RE, regulation and related issues shall be ensured.


An Independent AML/CFT Audit

 

An independent AML/CFT audit refers to the regular assessment of the quality and effectiveness of the internal AML/CFT Policies and Procedures and controls adopted by entities, the resultant records and the regulatory compliance thereof. It involves systematically examining the different components of the AML/CFT program of the Reporting Entity, such as the Know Your Customer (KYC) process, Sanctions Screening, Customer Due Diligence (CDD), Record Keeping, etc.

 

Ensures Compliance with PMLA 2002

 

India’s AML regulations mandate independent AML audits. For example, the Guidelines issued for Dealers in Precious Metals and Stones, Real Estate Agents and Virtual Digital Assets under the Prevention of Money Laundering Act 2002 (PMLA) require regular AML audits.

 


After discussing the meaning and significance of an independent AML/CFT audit, let us understand when an independent AML/CFT audit is to be conducted.

 

Responsibility and frequency 

Staff not involved in money laundering risk areas can conduct anti-money laundering audits internally. The auditor can be, for example, a separate independent line of defence or a third party.

An audit conducted for the purposes of the AML/CFT Act does not have to meet the auditing and assurance standards set by the Institute of Chartered Accountants of India (ICAI) or professional accounting bodies. Statutory Audit under the Companies Act 2013 is mandatory for all types of companies in India. Section 139 of the Act prescribes an auditor’s appointment for this purpose.

Section 13 – PMLA 2002 mentions the Powers of the Director as under:


(1) The Director may, either of his own motion or on an application made by any authority, officer or person, make such inquiry or cause such inquiry to be made, as he thinks fit to be necessary, with regard to the obligations of the reporting entity, under this Chapter.

(1A) If at any stage of inquiry or any other proceedings before him, the Director having regard to the nature and complexity of the case, is of the opinion that it is necessary to do so, he may direct the concerned reporting entity to get its records, as may be specified, audited by an accountant from amongst a panel of accountants, maintained by the Central Government for this purpose.

(1B) The expenses of, and incidental to, any audit under sub-section (1A) shall be borne by the Central Government.

(3) Save as otherwise provided under any law for the time being in force, every information sought by the Director under sub-section (1), shall be kept confidential.

Note that where a member of a professional body is appointed to perform the audit, the professional body may require that person to comply with any applicable professional standards. The person must have relevant skills or experience to conduct the audit, such as knowledge of the AML/CFT Act and Regulations. For example, people with AML/CFT or relevant financial experience in the RE’s sector might be suitably qualified. The RE must be able to justify to the AML/CFT supervisor how the auditor is appropriately qualified.

The person appointed to undertake the audit may be a member of the staff, provided he/she is adequately separated from the area of the business carrying out the RE’s AML/CFT risk assessment and AML/CFT programme.

Similarly, the RE may choose to appoint an external firm to undertake the audit, but the same separation must apply. Those within the firm undertaking the audit must be separate from those involved with the development of the AML/CFT risk assessment and AML/CFT programme.

The audit will provide the RE with an independent assessment of the AML/CFT risk assessment and AML/CFT programme. It is an opportunity for the RE to obtain another person’s view of how well the AML/CFT programme and AML/CFT risk assessment are designed and working. The audit may also inform the opinion of the RE’s AML/CFT supervisor about the adequacy and effectiveness of the AML/CFT programme. The RE’s supervisor is also likely to assess the adequacy and robustness of the audit. Their opinion and assessment may influence the way in which the RE is supervised.

 

Recognizing the limitations of smaller companies in terms of resources and expertise, experts often recommend employing competent, independent third parties for this purpose. Even if an independent third party conducts the audit, the financial institution remains responsible for its quality and must therefore carefully select external auditors with sufficient competence.

Although requirements vary from jurisdiction to jurisdiction, there’s a general consensus that conducting audits regularly is essential. For instance, in the United States, the Financial Crimes Enforcement Network (FinCEN) has stated that testing scope and frequency should match the risks posed by the company’s products and services.

Likewise, the depth and frequency of audits should match the risks posed by the firm’s products and services. Larger financial institutions commonly audit different AML areas each year, and the scope and depth of each such audit will be much greater than if all AML areas were audited in the same year.

 Frequency of AML/CFT audit


To ensure that the AML/CFT program is effective against ML, TF and PF risks and up to date with the latest AML/CFT compliance requirements, AML/CFT audit should be conducted periodically. The best practice is to conduct the audits annually. Such periodic audits should assess both the individual business practices of the Reporting Entity as well as the overall entity-wide AML/CFT program.

However, the frequency of the AML/CFT audits depends on the nature and size of the Reporting Entity’s business, its customer base, the products and services it offers, the geographies it serves, and the level of ML, TF, or PF risks it is exposed to as assessed under its Enterprise-Wide Risk Assessment (EWRA). For example, if the Reporting Entity provides services that are exposed to higher ML, TF, or PF risks due to their nature, it needs to conduct the AML/CFT audit process more frequently.

 

The scope of an independent AML audit

An independent AML audit is an in-depth review of a company’s AML compliance programme.

This is distinct from a financial audit and may include a review of the firm’s AML programme and policies, enterprise-wide risk assessment, individual customer risk scoring, customer identification procedures, customer due diligence (CDD), enhanced customer due diligence (EDD), ongoing CDD and EDD, transaction monitoring systems and procedures, sanctions screening systems, periodic testing and back-testing of these systems, evaluation of other software used for AML purposes, procedures for internal investigations and submission of Suspicious Activity Reports (SARs), implementation of internal controls and quality assurance processes, AML training, record keeping, the three lines of defence framework, reporting to senior management, and management of conflicts of interest.

Previous audit reports are also reviewed to assess the effectiveness of the implementation of previous recommendations.

For an independent AML Audit to be comprehensive, it should evaluate the efficacy of the following components of the Reporting Entity’s AML program:


  • The EWRA of the Reporting Entity, taking into account its nature, size, and complexity of the business operations
  • The AML/CFT program and controls and its adequacy in countering ML, TF and PF risks
  • The robustness of the AML/CFT program against the dynamic ML, TF and PF risks evolved since the last EWRA
  • Red Flags to recognise ML, TF and PF risks
  • Changes made to AML/CFT program since the last audit, including the implementation of the suggestions made in the last audit
  • Employee training on the AML/CFT program and AML/CFT regulatory requirements in India
  • KYC and CDD procedures, including Enhanced Due Diligence (EDD) procedures, Politically Exposed Persons (PEP) screening and adverse media screening
  • Sanction Screening/Media Screening Procedures
  • Transaction monitoring systems and their adequacy considering the ML, TF and PF risk exposure of the company
  • Procedures for submitting Suspicious Transaction Reports (STR) and other required reports both internally to the AML Principal Officer and externally to the FIU-Ind
  • Record-keeping practices and their alignment with AML/CFT regulatory requirements, including the quality, adequacy, and comprehensiveness of the records maintained
  • AML/CFT software adopted by the Reporting Entity, including its functioning and whether it is up to date with the latest regulatory requirements
  • Customer acceptance policy, customer onboarding process and customer exit policy
  • Periodic reports related to AML/CFT measures submitted by the AML Principal Officer or Designated Director of the Reporting Entity to the senior management or Board of Directors and the action taken on these reports
  • AML Principal Officer’s implementation of the directions or feedback received from the AML/CFT supervisory authorities
  • Correspondence or outcome regarding any AML/CFT inspection or review conducted by the AML/CFT supervisory authority
  • Responses of any AML/CFT related survey submitted
  • Status of remediation measures adopted to fill the gaps identified by the AML Principal Officer, the latest AML/CFT audit or inspection conducted by the AML/CFT supervisory authorities
  • Policy related to AML/CFT data access and archival
  • Status of compliance with other regulatory requirements, such as sector-specific Guidelines for Dealers in Precious Metals and Stones, Real Estate Agents and Virtual Digital Assets



As discussed in this section, an AML/CFT audit assesses a wide range of components, so it is crucial for entities to take proactive preparatory measures to streamline the auditing process. The following section provides a comprehensive guide on preparatory measures Reporting Entities can take for a smooth independent AML/CFT auditing process.

 

Finalisation of Requisites for an Independent AML Auditor

Reporting Entities need to prepare and approve their own list of requisites they expect from an independent AML/CFT auditor and the auditing process to ensure that the auditing process is aligned with their needs. Deciding on these requisites makes sure that the auditing process is smooth without any hiccups. This list should take into account the following components:

Period to be included for review

Reporting Entity needs to specify the timeframe for which the auditor will review and assess the AML/CFT program.

Scope of Audit: Limited or Full Scope

Limited scope audit involves an evaluation of identified areas rather than a comprehensive examination of the entire AML/CFT program of the Reporting Entity. For example, a Reporting entity may choose to audit only its CDD process or its KYC process. On the other hand, a full scope audit involves an auditing process covering all components of the AML/CFT program.

Before choosing an auditor, the RE should think and plan ahead. Matters to consider and discuss include: the level of assurance the RE wants the auditor to provide; the outcome; the estimated cost of the audit; an estimate of the time required to complete the audit; and how the RE wants the findings reported to it.


The Expected Outcome

The reporting entity needs to decide and list the expected outcomes of the auditing process. For example, if the Reporting Entity requires so, it can specify that the auditing process should be followed by practical action plans to combat the vulnerabilities found.

The Budgeted Cost

Reporting Entity needs to outline the range of budget it aims to allocate to the auditing process. This depends on the scope of the audit that it has decided to opt for.

Time Estimation

The Reporting Entity needs to specify the time period in which it expects the auditing process to be completed.

AML audits are essential in assessing and improving a company’s internal control systems, policies and procedures, all of which lead to ensuring compliance with AML regulations. That is why these audits assess the procedures in place. Furthermore, they also evaluate how employees adhere to these procedures in practice through sample testing.

There are some important differences between an audit of the RE’s AML/CFT risk assessment and an audit of its AML/CFT programme. The key differences are set out below.

Some differences to consider:

Audits of the RE’s Risk Assessment:

Are limited to assessing whether this document complies with all of the obligations in section 58(3) of the AML/CFT Act. N.B.: under the Act, auditors will assess the nature and extent of the AML/CFT risk assessment and its application. They are not expected to audit the judgment calls the RE made in its risk assessment.

Audits of the RE’s Programme:

Include:

  • whether it complies with all of the obligations in section 57 of the AML/CFT Act;
  • whether the policies, procedures and controls are based on the RE’s AML/CFT risk assessment;
  • whether the policies, procedures and controls are adequate; and
  • whether the policies, procedures and controls have operated effectively throughout the period.


The process of AML/CFT Audit

 

The AML audit can be carried out internally or outsourced to a third party.

 

  1. Define audit objectives

Audits should have clear objectives, whether they are routine or for specific purposes. Selecting auditors with in-depth knowledge of AML laws and regulations is therefore critical, as inexperienced auditors may overlook critical liabilities.

  2. Establishing an audit plan

Establishing an audit plan is critical to achieving the audit objectives efficiently. The audit plan should be much more detailed than the audit objectives and should therefore include a description of the audit areas and methodology. When preparing the audit plan, it may also be beneficial to review previously conducted AML audits.

  3. Preparation for the audit

Usually, an AML audit is a very extensive and comprehensive process that requires a lot of information, documents and data. In order for the process to run smoothly, it is useful not only for the auditors to prepare in advance, but also to help the department being audited to prepare, for example by explaining the process, schedules and deadlines, possible required documentation, etc.

  4. Execute the audit

The audit should be executed in accordance with the audit plan to assess the AML compliance programme. In addition, if during the audit the auditors identify significant deficiencies in other AML areas not included in the original plan, consideration should be given to expanding the scope of the audit.

  5. Post-audit findings and recommendations

After completion of the audit, it is important not only to describe what was found, but also to evaluate the findings based on their negative impact on the AML compliance programme and to make recommendations to improve the quality and effectiveness of the company’s AML compliance.

  6. Post-audit action plan and reporting to management

Once the audit is complete, its findings and recommendations should be presented to senior management and an action plan drawn up to address any deficiencies and implement recommendations.

  7. Auditor’s follow-up after the action plan

It is good practice for the auditor to follow up on actions completed by the auditee to check that recommendations have been properly implemented. It is also good practice to follow up not only on updated or newly adopted procedures but also on a small sample of client cases to assess whether deficiencies have been addressed not only on paper but also in practice.



Preparation of Information and documents

To streamline the AML/CFT audit process and avoid delays, the Reporting Entity should prepare the following information and documents in advance:

1. Business Profile: This includes a comprehensive overview of the Reporting Entity’s nature and size of business, the products and services it offers, its customer base, the geographies it serves, its delivery channels, etc. This profile helps auditors understand the business and identify potential ML, TF and PF risks.

2. Certificate of Incorporation, Memorandum and Articles of Association: These documents provide information regarding the Reporting Entity’s establishment and its operational and ownership structure.

3. Organisation Structure: This includes information about the hierarchy in the organisation to help auditors understand the management and decision-making process in the Reporting Entity.

4. Annual Financial Statements: This includes financial statements of the entity for the immediately previous financial year.

5. Enterprise-Wide Risk Assessment: As a part of AML/CFT compliance, all Reporting Entities must have an EWRA in place. Assessing the EWRA helps auditors examine the ML, TF and PF risk exposure of the Reporting Entity, the actions it has taken to address these risks and the effectiveness of these actions.

6. AML/CFT Program: The AML/CFT Program includes all policies, procedures and controls in place to comply with the AML/CFT regulatory obligations of the Reporting Entity and combat ML, TF and PF risks.

7. Red Flags Applicable to the Reporting Entity: Depending on factors such as the nature and size of the business, the products and services it offers, its customer base, the geographies it serves and its delivery channels, each Reporting Entity may have different red flags in place to identify any potential ML, TF and PF risks during its business operations. This list needs to be examined by the auditor.

8. AML/CFT Governance: This includes details on the oversight and management of AML/CTF/CPT activities within the Reporting Entity, and its adequacy needs to be examined by the auditor.

9. AML Principal Officer’s Profile: All Reporting Entities need to appoint an AML Principal Officer to oversee the AML/CFT compliance in the entity. Auditors need to be provided with the profile of the Principal Officer, which should include information about their qualifications, experience, responsibilities, powers, etc.

10. KYC, CDD, Customer Onboarding Procedures and Templates: This outlines the procedure of a Reporting Entity’s customer onboarding, identity verification and Customer Risk Assessment (CRA) process.

11. Procedures for Submitting Various Regulatory Reports: These reports include Cash Transaction Report (CTR), Counterfeit Currency Report (CCR), Property Transaction Report, Non-Profit Organisation Transaction Report, Cross Border Wire Transfer Report (CBWTR), and Suspicious Transaction Report (STR) to be submitted to Financial Intelligence Unit of India.

 

12. AML/CFT Record Keeping Policy: This policy outlines the procedure for maintaining and storing AML/CFT related records, including customer identification documents, transaction records, etc., as required under the AML/CFT regulations of India.

13. AML/CFT Training Logs and Training Material: Training materials and logs should document the AML/CFT training provided to staff, including the regularity of such training, topics covered, participant details, etc.

14. Details of Targeted Financial Sanctions Program and Systems: This includes information on how the Reporting Entity implements and manages targeted financial sanctions, such as screening against various sanctions lists.

15. Customer and Supplier Registers: This includes a comprehensive list of all customers and suppliers of the Reporting Entity, including their details and ML risk profiles.

16. Register for the AML/CFT Reports Filed with the Financial Intelligence Unit of India: This helps auditors examine the AML/CFT compliance function of the Reporting Entity as well as the accuracy of the reports submitted.

17. Employee Register: This includes a list of all employees and their roles and responsibilities in the AML/CFT program.

18. List of Countries Identified as High-Risk Countries: This list contains countries considered high-risk from an AML/CFT perspective. The information given must also include the Reporting Entity’s association with customers from such high-risk countries.

19. The Procedures to Identify and Establish a Business Relationship with PEPs: Procedures for identifying Politically Exposed Persons (PEPs) and establishing business relationships with them should be shared with the AML/CFT auditor. This includes EDD measures in place for PEPs to mitigate any potential ML, TF and PF risks.

20. Previous Years’ Independent AML/CFT Audit Reports: These reports help auditors evaluate the effectiveness of past measures taken to improve past AML/CFT programs.

21. Information About the Inspection or Review Conducted by the Supervisory Authorities and Guidance Received from Them: This includes information regarding any inspections or reviews conducted by supervisory authorities, as well as action taken on any instructions provided by them.

22. Information About Administrative Fines and Penalties Imposed on the Reporting Entity: Under the PMLA or IFSCA Guidelines, penalties related to AML/CFT non-compliance may be imposed on Reporting Entities. This information should be given to the auditors to help them assess the entity’s AML/CFT compliance culture and its response to regulatory supervision.

23. Periodic Report Submitted by the AML Principal Officer to the Senior Management: This report should summarise the AML Principal Officer’s observations and suggestions regarding the entity’s AML/CFT program.

24. Access to Staff Members and Senior Management: AML/CFT auditors should have access to relevant staff members and senior management involved in the AML/CFT program of the Reporting Entity to discuss and assess compliance practices, collect required information and address any concerns.

25. Access to Files and Various AML/CFT Compliance Records: Auditors should be given access to all relevant files and records related to AML/CFT compliance.

26. Disclosure of all Known Instances of Statutory Non-Compliance: Any known instances of non-compliance with AML/CFT statutory requirements under the PMLA, IFSCA guidelines or any other AML/CFT regulations should be disclosed to the AML auditor. This transparency helps the auditors understand the compliance issues that the Reporting Entity faces.

The RE must provide the audit report to the supervisor when asked. The annual report also requires the RE to declare: whether the RE has a procedure in place for independent audits; when the last audit was undertaken; if any deficiencies were highlighted; and whether the RE has made the changes identified as necessary to address deficiencies.

The audit is a systematic check of the RE’s AML/CFT risk assessment and AML/CFT programme by an independent and suitably qualified person (the auditor). The end result is a written report on whether: the RE meets the minimum requirements for the RE’s AML/CFT risk assessment and AML/CFT programme; the AML/CFT programme was adequate and effective throughout a specified period; and any changes are required. The audit complements the RE’s own review of its risk assessment and AML/CFT programme (PMLA 2002 and PMLR 2005, as amended from time to time).

 


Happy Reading,

