The crucial role of internal audit in navigating AML/CFT Risk Management

Mr. Rajith Perera
Partner, Financial Accounting Advisory Services, EY Sri Lanka

In today’s increasingly complex financial landscape, the significance of robust Anti-Money Laundering (AML) and Counter Financing of Terrorism (CFT) compliance cannot be overstated. As organizations face escalating risks associated with money laundering and terrorist financing, the Internal Audit function emerges as a pivotal player in ensuring that banks not only adhere to regulatory requirements but also effectively manage inherent risks. This article explores the critical role of Internal Audit in conducting comprehensive risk assessments, a fundamental component of successful AML/CFT audits.

The Imperative of Comprehensive Risk Assessment

A thorough risk assessment serves as the cornerstone of an effective AML/CFT audit framework. Internal Audit must undertake this assessment at least annually, tailoring it to the specific business model of the bank. By analyzing the customer base, Internal Audit can identify potential risks linked to high-risk customers or jurisdictions. This analysis involves considering various customer types—corporate, individual, private, and public—and recognizing material changes that may elevate risk levels, such as the presence of Politically Exposed Persons (PEPs), High Net Worth Individuals, or complex ownership structures.

The risk assessment should also cover the inherent AML/CFT risks tied to the bank’s products, services, and delivery channels. Special focus is needed for areas like correspondent banking, trade finance, deposits, payments, and both local and cross-border fund transfers. AML risks across delivery channels should be assessed by looking at face-to-face, non-face-to-face, and proxy interactions—especially where beneficial owners are hidden or hard to verify—as these increase the bank’s exposure to money laundering and terrorist financing. By prioritizing these aspects, Internal Audit can effectively gauge the bank’s exposure to potential risks and ensure that appropriate controls are in place.

Evaluating Control Effectiveness

In addition to identifying risks, Internal Audit plays a crucial role in evaluating the effectiveness of existing controls designed to mitigate residual risks related to AML/CFT compliance. This evaluation involves reviewing past issues, including overdue internal, external, or regulatory matters, as well as recurring problems that may indicate systemic weaknesses. The assessment of risk events, incidents, and near-misses is equally important, as it provides insights into the severity and frequency of risks encountered by the organization.

Internal Audit must closely review the AML/CFT risk assessments conducted by the second line of defence. This includes evaluating screening operations, changes to controls and processes, controls related to Know Your Customer (KYC)/Customer Due Diligence (CDD), customer risk assessments, onboarding procedures, the quality and timeliness of name screening alert dispositions, and the effectiveness of investigations and Suspicious Transaction Report (STR) filings. By analyzing these areas, Internal Audit can offer valuable insights on control adequacy and suggest improvements where needed.

A Collaborative Approach to Risk Assessment

To enhance the effectiveness of risk assessments, Internal Audit should foster collaboration with third parties, including external auditors and regulatory bodies. This collaboration not only strengthens the audit process but also facilitates the sharing of insights and best practices. By engaging with external stakeholders, Internal Audit can gain a broader perspective on emerging risks and regulatory expectations, ultimately leading to more robust risk assessments.

Continuous Improvement through Training and Upskilling

The dynamic nature of the financial sector necessitates continuous training and upskilling for Internal Audit professionals. By providing ongoing education on AML/CFT regulations, emerging risks, and audit methodologies, banks can ensure that their Internal Audit teams remain well-equipped to navigate the complexities of compliance. This commitment to professional development is essential for maintaining a proactive approach to risk assessment and audit execution.

Ultimately, the Internal Audit function is integral to the success of AML/CFT compliance efforts within banks. By prioritizing comprehensive risk assessments, evaluating control effectiveness, fostering collaboration, and investing in continuous training, Internal Audit can significantly enhance the bank’s ability to manage inherent risks associated with money laundering and terrorist financing. As the financial landscape continues to evolve, the importance of a robust Internal Audit function in safeguarding against these risks will only grow, making it a timely and critical focus for banking institutions worldwide.