How Japanese Auditors Will Rise to AML/CFT Challenges that Will Emerge in the Future

Hidehiro Kobayashi

Source: files.acams.org/pdfs/2020/White-Paper-Hidehiro-Kobayashi.pdf

Disclaimer: The views expressed in this paper are those of the author, and the author alone. The author is not representing the views or opinions of the institution.

Table of Contents

1. Executive Summary

2. Introduction

3. Increased AML/CFT Risks in Japan

4. Changes of AML/CFT Environment and Future Challenges

5. Actions that Japanese Auditors Should Take

6. Conclusion

7. References

1. Executive Summary

Through a bitter experience with the third round of FATF Mutual Evaluations, Japan has just begun the improvement of AML/CFT controls; however, it still needs further enhancement to catch up with advanced AML/CFT countries. Additionally, Japan is facing a difficult AML/CFT environment, as explained in depth below. Based upon my 24 years of experience as an internal auditor, How Japanese Auditors Will Rise to AML/CFT Challenges that Will Emerge in the Future is discussed in more detail below.

At present, Japan faces increased AML/CFT risks such as, but not limited to, (1) money laundering (ML) committed by Japanese boryokudan gangsters; (2) crimes and ML by specialized fraud groups; (3) international Internet crimes; and (4) overseas remittance to North Korea.

In the future, Japan will come to grips with the changed environment, including (1) sophistication of specialized fraud groups/international Internet criminals; (2) increased importance of AML/CFT controls that are suitable for business environment changes, such as the promotion of digitalization/RPA (robotic process automation)/AI (artificial intelligence) and the priority given to the business of Internet banking/cashless payments/cryptocurrencies; and (3) regulatory expectation of financial institutions to catch up with AML/CFT advanced countries. Based upon such changes, Japan has to address future challenges such as: (1) working together with many financial institutions to combat money laundering, by designing a common KYC (know your customer) database (DB) that many Japanese financial institutions can utilize; (2-1) effective utilization of transaction data collected through digitalization; (2-2) enhancement of group-based governance of subsidiaries that do business in cashless payments/cryptocurrencies; and (3) development of AML/CFT specialists to catch up with advanced AML/CFT countries.

Japanese internal auditors should perform their role completely in the following areas:

(1) Collaboration audit to check the common procedures, including common KYC DB

(2) IT audit by using the knowledge of data science and RPA/AI

(3) Group-based audit to check the AML/CFT controls of subsidiaries

(4) Development of AML/CFT internal auditors through periodic skill assessment

To perform the actions listed above, auditors need to conduct a lot of good audits which contribute to the enhancement of AML/CFT controls, and then gain support/understanding from management that supports such an implementation.

2. Introduction

Japan had a bitter experience with the third round of FATF Mutual Evaluations in 2008. Japan could not comply with many FATF recommendations, as follows.

| No. | Country | (1) Compliant | (2) Largely Compliant | (3) Partially Compliant | (4) Non-Compliant | (3)+(4) Needs Improvement |
|---|---|---|---|---|---|---|
| 1 | America | 15 | 28 | 2 | 4 | 6 |
| 2 | Singapore | 11 | 32 | 4 | 2 | 6 |
| 3 | Belgium | 22 | 20 | 6 | 1 | 7 |
| 4 | Portugal(*) | 13 | 23 | 10 | 2 | 12 |
| 5 | England | 24 | 12 | 10 | 3 | 13 |
| 18 | Japan(*) | 4 | 19 | 15 | 10 | 25 |

(*) The countries have one item which was not applicable respectively.

From October 2012, the enhanced follow-up of these non-compliant matters started; however, it did not go well, and in June 2014, FATF issued a statement calling for quicker remediation. In the end, the follow-up continued until October 2016. In order to avoid the same mistake, Japan issued a new guideline to meet the FATF recommendations sufficiently; however, the enhancement of AML/CFT controls has just begun. In order to catch up with advanced AML/CFT countries, Japan needs to consider what should be done.

In addition, I think Japan is facing a difficult AML/CFT environment. The country is an economic power with the third-largest GDP, and the average family savings amount is around 10 million yen. In particular, people aged 60 or over have more than 20 million yen in savings. Japan has become an easy target for money launderers, who have grown more sophisticated. Japan should also examine actions to reduce the increased AML/CFT risks.

I have worked as an internal auditor for financial institutions for 24 years, and the Institute of Internal Auditors (IIA) [1] emphasizes the importance of the three lines of defense. From the standpoint of internal auditors, How Japanese Auditors Will Rise to AML/CFT Challenges that Will Emerge in the Future is examined in more detail below.

3. Increased AML/CFT Risks in Japan

Based upon the National Risk Assessment on Money Laundering and Terrorist Financing [2], the National Police Agency's white paper [3], and other related documents, the main exposed risks in Japan are summarized as follows. The number of such cases has increased year by year, and the sophistication of money laundering is growing.

Risk 1: Money Laundering (ML) Committed by Japanese Boryokudan Gangsters

| Description | 2016 | 2017 | 2018 |
|---|---|---|---|
| Cleared cases of ML offenses | 388 | 361 | 511 |
| Cases by Boryokudan gangsters | 76 | 50 | 65 |
| % | 19.6% | 13.9% | 12.7% |

Boryokudan gangsters were one of the main money launderers who conceal and receive criminal proceeds by habitual gambling/running a gambling place for unjust profit, business deviating from the Public Morals Regulation Act, and narcotics-related crimes, as shown in the above chart, which is based upon the National Risk Assessment of Money Laundering and Terrorist Financing by the National Public Safety Commission. Under the ordinance for eliminating organized crime groups, financial institutions strictly screen bank accounts, which makes it difficult for such criminals to hold them. Therefore, they tend to increase their transactions with non-financial companies (i.e., starting businesses) using dirty money.

Risk 2: Crimes and ML by Specialized Fraud Groups

| Description | 2016 | 2017 | 2018 |
|---|---|---|---|
| No. of recognized cases | 14,154 | 18,212 | 17,844 |
| Total financial damages (yen) | 40,765,652,881 | 39,474,870,491 | 38,286,761,222 |

Former boryokudan and loosely organized criminal gangsters committed organized fraud to swindle victims (especially elders) out of money by phone calls, as shown in the chart, which is based upon the statistics announced by the National Police Agency. The dirty money is transferred to bank accounts in the names of other people who sold their own bank accounts to get amusement expenses and/or living expenses. The number of people who join specialized fraud groups is increasing because the wealth gap between the rich and poor is widening.

[1] Refer to IIA's Exposure Document: Three Lines of Defense.
[2] National Risk Assessment of Money Laundering and Terrorist Financing is issued by the National Public Safety Commission annually.
[3] The National Police Agency issues an annual white paper including trends of crimes and preventive measures.

Risk 3: International Internet Crimes

Internet crimes, such as (1) illegal access to Internet banking and phishing, (2) theft of credit card information from online stores that have weak security [4], and (3) hacking attacks on cryptocurrency systems [5], led to a good deal of damage, as shown in these charts, which are based upon the National Risk Assessment of Money Laundering and Terrorist Financing by the National Public Safety Commission and statistics formally announced by the Japan Credit Card Association.

(1) Fraudulent remittance by illegal access to internet banking and phishing

| Description | 2016 | 2017 | 2018 |
|---|---|---|---|
| No. of cases | 1,291 | 425 | 322 |
| Total financial damages (¥ mil.) | 1,687 | 1,081 | 461 |

(2) Theft of credit card information from credit member stores

| Description | 2016 | 2017 | 2018 | 2019 (9 months) |
|---|---|---|---|---|
| Total financial damages (¥ bil.) | 8.89 | 17.67 | 18.76 | 16.70 |

Money launderers use the same method as the specialized fraud groups. In addition, they divide dirty money into smaller amounts and also remit them overseas by using cryptocurrencies, which may be exchanged into real currencies on the dark web and real money trading (RMT) sites.

Risk 4: Overseas Remittance to North Korea

Japan is located near North Korea, whose people work away from their home country, keeping their identities secret, and illegally trade seafood produced in North Korea (i.e., illegal ship-to-ship cargo transfer). They may remit earned money to their home country.

Risk 5: Failure to Prevent/Detect ML due to Insufficient AML/CFT Controls

Under the FSA guideline, Japanese financial institutions have begun the enhancement of AML/CFT controls. In order to catch up with advanced AML/CFT countries, their further development, including KYC procedures, trade-based anti-money laundering (TBAL), utilization of AML/CFT systems, and IT governance, is necessary.

It will take a long time to manage such further development, which is executed by only about 700 Japanese CAMS, as of November 2019. They are just 0.17% of total worldwide CAMS (about 42,500), and considering that the number of financial institutions is around 550, this is short-handed. With such few controls, there could be a risk of failure to prevent and detect ML.

4. Changes of AML/CFT Environment and Future Challenges

The above current AML/CFT risks in Japan are expected to change, and the future changes could be: (1) sophistication of specialized fraud groups/international Internet criminals, (2) enhancement of AML/CFT controls that are suitable for business environment changes, such as the promotion of digitalization and the priority given to the business of Internet banking/cashless payments/cryptocurrencies, and (3) regulatory expectation of financial institutions to catch up with AML/CFT advanced countries. For such changes, the following three future challenges need to be addressed.

[4] Refer to statistical information of Japan Credit Card Association.
[5] Refer to statistical information of National Police Agency.

[Figure: Current AML/CFT Risks, Change of Environment, and Future Challenges]

Current AML/CFT Risks: Risk 1, ML committed by Japanese Boryokudan Gangsters; Risk 2, Crimes and ML by Specialized Fraud Group; Risk 3, International Internet Crimes; Risk 4, Overseas remittance to North Korea; Risk 5, Failure to prevent/detect ML due to insufficient AML/CFT controls.

Change of Environment: Change 1, Sophistication of Specialized Fraud Group/International Internet Criminal; Change 2, AML/CFT controls which are suitable for changes of business environment; Change 3, Regulatory expectation of financial institutions to catch up with advanced countries.

Future Challenges: Challenge 1, Work together with many financial institutions to combat money launderers; Challenge 2, Effective utilization of transaction data/Group-based governance; Challenge 3, Strengthening of AML/CFT specialists development.

Change 1: Sophistication of Specialized Fraud Group/International Internet Crimes

As for the existing ML techniques, the financial institutions are taking related preventive measures; however, specialized fraud groups and Internet criminals are developing new techniques, which are becoming more diverse. Amidst the accelerated collaboration between domestic and international groups, fraud groups are being globalized. [6]

| Group | Description | Past | Present | Trend |
|---|---|---|---|---|
| Special Fraud Group | Techniques of deception | Ore Ore Swindle(*) | Billing Fraud/Loan Deposit Fraud/Repayment fraud etc. | Diversified techniques |
| Special Fraud Group | Way of money transfer | Wire Transfer | Cash Delivery/Theft of Cash Card/Hand-delivery of Cash Card with passwords/Usage of Electronic Money etc. | |
| International Internet Criminals | Hacking attack target | Internet Banking, Credit Card System | Targeting the systems of cryptocurrency brokers/online stores which have weak security | Extension of target |
| International Internet Criminals | Way of money transfer | Mainly transfer to bank accounts of Japanese | Transfer to bank accounts of overseas people as well as Japanese | Internationalized ways |

(*) Swindler makes a phone call and starts the conversation with parents/grandparents from "ore ore" or "it's me".

In addition, there were some cases in which the following money launderers use the same sophisticated methods as the specialized fraud groups and Internet criminals, as follows.

Risk: ML committed by Boryokudan Gangsters

Change of Environment: According to a National Police Agency survey, the number of Boryokudan Gangsters has decreased to 30,000 in the last 15 years, because Boryokudan Gangsters are strictly controlled under the Boryokudan Gangsters exclusion ordinance. Such a trend will continue. Boryokudan Gangsters can neither open bank accounts nor make financial transactions in their own names, because financial institutions check them against their databases, and so the difficulty of securing funds will increase. It is expected that they will wallow in crime to get more criminal proceeds and get involved in specialized fraud groups.

[6] Summarized from Occupation Specialized Fraud Group by Nippon Hoso Kyokai interview group, and Fraudulent Wire Transfer Association by Daisuke Suzuki.

Risk: Overseas remittance to North Korea

Change of Environment: North Korea is always looking for a loophole. The country is also changing its ways of money laundering until the lifting of sanctions. According to the UN Security Council, North Korea employs government-affiliated hackers and has earned more than 500 million dollars by hacking into cryptocurrency systems.

Challenge 1: Working Together with Many Financial Institutions to Combat Money Laundering

Considering such sophistication, Japan needs to work together to combat money laundering. It is useful for the financial institutions that have experience of ML to share the risk information, including names of suspected money launderers and their techniques, with as many financial institutions as possible. The possible methods of sharing are risk assessment and a Japanese common KYC DB.

(1) Share of Risk Assessment

Current Situation: All financial institutions update their own risk assessments at least annually; however, they are required neither to report them to the National Public Safety Commission nor to share them with other financial institutions, if possible.

Ideal Methods: The AML/CFT guidelines require all financial institutions to report their own updated risk assessments to the National Public Safety Commission, which shares the useful information with other financial institutions as much as possible.

(2) Design of Japanese Common KYC DB

Current Situation:

<Boryokudan Gangsters> Financial institutions update their own Boryokudan Gangsters' DB by their own efforts. The quantity and quality of the database differ among corporations. The maintenance of such a database is a cumbersome procedure for them.

<PEPs> Based upon the "Japanese Act on Prevention of Transfer of Criminal Proceeds", financial institutions purchase a foreign PEPs list to check their customers against such a list. However, the Act does not require the financial institutions to check their customers against domestic PEPs.

<Beneficial Owners> Japanese Boryokudan Gangsters tend to conceal their identity behind corporations and non-profit organizations whose representatives are not them. However, the "Japanese Act on Prevention of Transfer of Criminal Proceeds" only requires financial institutions to receive declarations of beneficial owners from customers, and the Act does not clarify the reconciliation of such declarations with reliable evidence. Commercial registration started including beneficial owners' information from 2018; however, the update procedures are not clear.

Ideal Methods:

<Design of Japanese common KYC DB> A Japanese common KYC DB including Boryokudan Gangsters, PEPs and beneficial owners needs to be designed.

<Data governance/Model validation> The procedures to ensure the accuracy and completeness of data should be clarified.

<Update of common DB> Financial institutions may obtain new information through ongoing KYC, which should be accumulated and reflected in the common DB.

However, risk assessment and common KYC DB include corporate secrets and personal information, respectively. The protection of such secrets and information should be considered.

Change 2: Increased Importance of AML/CFT Controls that Are Suitable for Business Environment Changes

(1) Digitalization and Utilization of RPA/AI

Customers have little appreciation for coming in to bank branches. Customer traffic has decreased by 40% versus 10 years ago. Three mega-banks (MUFG, SMBC, Mizuho) are promoting digitalization and reducing the volume of work as well as the number of branches/offices (there are cases in which Internet banking business is given priority) [7] to pursue more cost efficiency as follows.

| Bank | Transformation into next-generation branches: No. of Transformation | Target Date of Reduction | Reduction of work volumes (reduction of employees' work volumes as the result of efforts including RPA/AI): Volumes of Reduction | Target Date of Reduction | Reduction of branches/offices: No. of Reduction | Target Date of Reduction |
|---|---|---|---|---|---|---|
| MUFG | 70-100 branches | End of 2023 | Works of 6000 bank employees | End of 2023 | 180 branches | End of 2023 |
| SMBC | 430 branches | End of 2019 | Works of 4000 bank employees | End of 2019 | - | - |
| Mizuho | All branches | End of 2020 | Works of 19000 employees (group-basis) | End of 2026 | 130 offices | End of 2024 |

Japanese banks are working on digitalization, which is the process of converting information into a digital (i.e., computer-readable) format, and on the transformation of current branches/offices into next-generation branches/offices designed around digitalization. In addition, banks will make the effort to pursue cost efficiency, including RPA/AI, which will introduce automated procedures and contribute to a reduction of work. In areas including but not limited to KYC procedures and transaction monitoring, there are banks that have introduced RPA/AI to create efficiency.

Internet banking users increased by 70% over previous years, and as a result, the targets of cyberattacks/phishing fraud aimed at money laundering will expand.

(2) Cashless Payment

Payments will become multifaceted. The national projection is that cashless payments will increase from 25% to 40% of total payments [8] by the end of 2025. Cryptocurrency transactions have increased year by year. Money launderers can use various methods, such as credit cards, QR code payments, e-money, prepaid payments, and cryptocurrencies, in order to receive criminal proceeds and transfer dirty money.

Challenge 2: Effective Utilization of Transaction Data/Group-Based Governance

(1) Effective Utilization of Transaction Data

Digitalization will increase the transaction data, which may benefit the prevention and detection of ML. In such a situation, financial institutions may have data scientists who can unify statistics, data analysis, machine learning, and their related methods in order to understand and analyze actual phenomena with data. Current data scientists have knowledge of data science and sometimes find the problems; however, there are some cases in which they are hard up for solutions. Such scientists have neither sufficiently acquired the skills of determining business solutions to discuss with responsible operating departments, nor obtained the knowledge of data engineering to implement the programs necessary to solve the problems. [9]

In addition, according to InfoCom Research, Inc., in Japan, the shortage of systems engineers and data scientists will increase in the future. Financial institutions should consider how to recruit and develop IT-related human resources.

A part of the problem found by data scientists could be solved by RPA/AI as mentioned in the CRISP-DM below, which could lead to the enhancement of the regulatory process. This is known as regulatory technology (in short, regtech); the effective utilization started in the field of KYC and transaction monitoring. When RPA/AI is introduced in a lot of fields, the procedures for appropriate maintenance/review of the RPA/AI should be established to avoid the risk of useless models which could not identify ML sufficiently.

[7] Refer to VoiceComm's research: www.myvoicecomm.com.
[8] Refer to the Cashless Road Map prepared by Cashless Promotion Association.
[9] Summarized from book to understand data science by Ichiro Takahashi.

(2) Enhancement of Group-Based Governance

As mentioned above, as payment methods become diversified with Internet banking, credit cards, QR code payments, e-money, prepaid payments, and cryptocurrencies, the targets of specialized fraud groups/international Internet criminals will expand. First, if Internet banking users, online stores with credit card information, and cryptocurrency brokers do not have sufficient security awareness, they become easy targets for crime. Such companies need to carry out security training by themselves.

Banks have overseas and domestic subsidiaries that operate in expanded cashless businesses, such as QR code payments, e-money, and cryptocurrencies businesses, and perform onsite checking if necessary. Banks need to share AML/CFT know-how, including digitalization and RPA/AI, with subsidiaries so that subsidiaries can build the same defenses as banks.

Change 3: Regulatory Expectation of Financial Institutions

Japan's Financial Service Agency (JFSA) issues a report on the actual situation and challenges of AML/CFT every year. The following current main issues to be addressed are summarized.

As mentioned above, the quality and quantity of AML/CFT specialists are not enough to implement actions to enhance the above controls.

Challenge 3: Catching Up with Advanced AML/CFT Countries

In order to catch up with the advanced AML/CFT countries, how to increase the number of AML/CFT specialists needs to be examined in Japan. Financial institutions should give a great deal of importance to personnel evaluation/salaries of AML/CFT specialists and develop training programs for learning the know-how of advanced AML/CFT countries.

5. Actions that Japanese Auditors Should Take

Internal auditors' core role should be to provide assurance to management/the board on the effectiveness of AML/CFT controls as shown in The ERM Fan [10] on the left. Internal auditing can also extend its activities beyond this core role as with consulting services shown in the center of the Fan. If internal auditors have already acquired valuable skills and knowledge, they can internally share them in order to contribute to the enhancement of AML/CFT controls. In such a case, the application of certain safeguards, including engagement to ensure the independence of the internal audit, is necessary. Internal auditors can perform their role completely, especially in the following areas.

[10] Refer to the Institute of Internal Auditors' Exposure Document: Three Lines of Defense, June 2019.

Action 1: Collaboration Audit with Auditors of Other Financial Institutions

Besides checking the AML/CFT controls, including risk assessment and KYC procedures, Japanese auditors will need to provide assurance on the effectiveness of procedures, such as KYC DB's procedures that are common to many financial institutions, if the common KYC DB is designed as mentioned above in the "Challenge 1: Working Together with Many Financial Institutions to Combat Money Laundering." For such an assurance, audit collaboration with auditors of other financial institutions is necessary. Practically, the collaborating audit teams will utilize external auditors to check the main focus points:

➢ To evaluate the effectiveness of common procedures to ensure the accuracy and completeness of DB by reconciling between the input data and DB on a sampling basis

➢ To check whether the fuzzy logic of DB is operated in line with the defined procedures (For example, when the inputted names are 75% matched with those of DB, DB makes alerts.)

➢ To assess the security controls, including access controls and back-up procedures, by the cooperative audit team composed of operational auditors and IT auditors

In order to increase the effectiveness of audit collaboration, audit know-how needs to be shared with auditors of other financial institutions through regular communication and seminars.

In consulting roles, Japanese internal auditors, in conjunction with auditors of other financial institutions, should focus their ingenuity on the design of integrated procedures across many financial institutions that use different procedures.

[Figure: Collaboration Audit. Labels: KYC DB; Bank, Bank, Bank; Access to DB; External Auditor; Outsourcing; Collaboration Audit]

Action 2: IT Audit by Using the Knowledge of Data Science and RPA/AI

Japanese internal auditors tend to be unfamiliar with data science and RPA/AI, as mentioned above in the "Challenge 2: Effective Utilization of Transaction Data." As the first step, they should acquire related knowledge. By using such knowledge, they should check the main points shown below in order to provide assurance on the effectiveness of controls based upon data science and RPA/AI [11]:

➢ People: To confirm how to secure data scientists who can identify the meaningful phenomena with data and create solutions together with responsible operating departments

➢ Process: To check the effectiveness of data quality controls which ensure data accuracy and completeness

➢ Data: To conduct the model validation, such as RPA/AI, in order to confirm whether the models are updated to identify ML in a timely way

➢ Data: To verify machine-learning algorithms by attesting training data based on mathematical models

➢ Data: To carry out independent data analysis by using internal auditors' knowledge of data science/RPA/AI and compare that to the results of responsible operating departments

➢ Technology: To evaluate the effectiveness of security controls for access to RPA/AI and their business continuity plans

[Figure. Source: https://www.slideshare.net/marylevins/stop-the-madness-18-april-2013]

The following points are related to IT audit knowledge, and therefore, operational auditors and IT auditors need to work together.

Japanese internal auditors can have more experience of checking various controls and accumulate more know-how than first/second lines. In playing consulting roles, internal auditors can share such know-how with first/second lines through in-house seminars.

[11] Summarized from the following: Introductory Data Science by Kentaro Matsumoto, Understand Data Science by Ichiro Takahashi, The Beginner's Guide to Deep Learning by Deep Learning Study Group, and The Beginner's Guide to Machine Learning by Machine Learning Study Group.

Action 3: Group-Based Audit to Check the AML/CFT Controls of Subsidiaries

Banks are the most advanced industry, with much experience of fighting against money launderers. As mentioned above in the "Challenge 2: Group-Based Governance," the money-laundering risks are expanding to subsidiaries of banks, which do business using cashless currencies and cryptocurrencies. Japanese banks' internal auditors should share their audit programs with subsidiaries' internal auditors, and then review the audit work based upon the following audit programs.

[Figure: Parent (Bank) and Subsidiaries (Cryptocurrencies Com., Credit Card Com., QR Code Payment Com., E-money Com.). Labels: Audit Programs; Review]

Through the above audit experiences, banks' internal auditors can have various opportunities to see the coping actions for dealing with money-laundering risks across different industries. In terms of consulting, banks' auditors can enhance information-sharing regarding subsidiaries' AML/CFT controls among first/second lines of banks, and then provide advice on the improvement of group-based governance.

Action 4: Development of AML/CFT Internal Auditors

As mentioned above in the "Risk 5: Failure to Prevent/Detect ML Due to Insufficient AML/CFT Controls" and "Challenge 3: Catching Up with Advanced AML/CFT Countries," the shortfall in Japanese AML/CFT auditors' resources should be addressed. The skill-gap analysis [12] of AML/CFT auditors needs to be carried out periodically in order to develop action plans to close the gap. The measurement of existing skills can include the following main points:

➢ To check whether Japanese auditors have CAMS and other equivalent AML/CFT qualifications

➢ To verify if they attend targeted AML/CFT trainings, which are matched with AML/CFT risks and the level of auditors

➢ To make sure that auditors have enough skills of communication with first/second lines

When such skill-gap analysis frameworks can be a good example of best practice, Japanese auditors can give advice to first/second lines on such an analysis.

6. Conclusions

The implementation of the actions mentioned above requires a lot of resources as well as budgets that are supported by the management. Recently, management is promoting a better understanding and often raises AML/CFT risks as a top risk. In order to advance such actions, Japanese internal auditors need to conduct a lot of good audits that contribute to the enhancement of AML/CFT controls and gain support/understanding from management.

[12] The source is the Association for Talent Development, Los Angeles chapter (ATD-LA): https://www.atdla.org/.


7. References

Institute of Internal Auditors. (2019, June). Exposure Document: Three Lines of Defense.

National Police Agency [Japan]. (2018). The White Paper.

National Public Safety Commission. (2018, December). National risk assessment of money laundering and terrorist financing.