
WHITE PAPER

Overview of a 360-degree Group Advisory Audit: The Last and Best Control to Ensure Enterprise-wide AML/CFT Compliance

Jose Thottungal CPA, CSSP, CAMS, MA

CAMS - AUDIT

Overview of a 360-degree Group Advisory Audit

Page 1 of 19

Table of Contents

EXECUTIVE SUMMARY ..... 2
INTRODUCTION ..... 2
BACKGROUND ..... 3
  WHAT IS A BIG BANK? ..... 3
  INTERNAL CONTROL STRUCTURE FOR A FINANCIAL INSTITUTION ..... 3
  LINES OF DEFENSE ..... 3
  COMPONENTS OF AN AML COMPLIANCE AUDIT ..... 4
CHALLENGES IMPACTING AN AML PROGRAM ..... 5
  JURISDICTION RISK AND TYPOLOGIES ..... 5
  DIVERSE PRODUCTS ..... 5
  CHANGE IN RISK PROFILE ..... 6
  VARIATIONS IN THE REGULATORY STANDARDS ..... 6
  LEVEL OF EXPERIENCE ..... 6
  DATA QUALITY STANDARDS ..... 7
  OTHER FACTORS ..... 7
SOLUTION: 360-DEGREE INDEPENDENT AUDIT ..... 8
  SELF-ASSESSMENTS ON AML COMPLIANCE ..... 8
  AUDIT FEEDBACK ..... 10
  DEVELOPMENT OF A QUESTIONNAIRE ..... 10
  DISTRIBUTION AND COLLECTION OF THE QUESTIONNAIRE ..... 10
  PRE-ADVISORY AUDIT ..... 10
  GROUP AUDIT PROFILE ..... 10
  OBJECTIVITY AND INDEPENDENCE ..... 10
  AML PROFICIENCY AND DUE PROFESSIONAL CARE ..... 11
  ADEQUACY OF AML TRAINING ..... 11
  AUDIT RISK ..... 11
  AML COMPLIANCE ADVISORY AUDIT PROGRAMS ..... 11
  RISK ASSESSMENT FOR THE BANK ..... 12
  AML RISK ASSESSMENT BY GIA ..... 13
  SCOPING AND PLANNING ..... 13
  FIELDWORK AND TESTING ..... 14
  REPORTING ..... 15
  REPORT TO THE BOARD ..... 16
  GROUP COMPLIANCE DIVISION SENIOR MANAGEMENT UPDATE ..... 16
  FOLLOW-UP ON CORRECTIVE ACTIONS ..... 16
CONCLUSION ..... 17
WORKS CITED ..... 18

Overview of a 360-degree Group Advisory Audit

Page 2 of 19

Executive Summary

The objective of this paper is to research, analyze, and conclude on the way(s) to sustain AML regulatory compliance in a big bank environment.

The strategy of a bank should be to maintain the best level of controls to serve the best interests of all the stakeholders: shareholders, board of directors, customers, and regulators. Internal control, supported by an appropriate structure, is a process, effected by the board of directors and management, designed to ensure the achievement of the bank’s strategic objectives to a reasonable extent.

In the realm of AML control compliance, the three lines of defense are made up of: the first line of defense (the business/front office of the business units and the subsidiaries); the second line of defense (the subsidiary and the group compliance and monitoring personnel); and the third line of defense (the internal audit, or IA, at the subsidiary level and group internal audit at the group level). The internal audit function has been used as a means to provide assurance on the bank’s compliance practices since 1970, when the Bank Secrecy Act was introduced. This practice evolved into AML compliance assurance as a routine process.

This paper highlights a number of challenges faced by a bank while ensuring the sustainability of enterprise-wide AML compliance, such as jurisdiction risk (i.e., country risk) and typologies, diverse data quality standards bank-wide, variations in regulatory standards among jurisdictions, diverse product and documentation standards bank-wide, diverse levels of experience and training bank-wide, and risk profile changes from time to time due to the introduction/expansion of new products, services, and/or channels within a bank.

I propose that a 360-degree AML Group Advisory Audit by the Group Internal Audit (GIA) is the last and best control to ensure bank-wide compliance through key components, such as: self-assessments by key stakeholders at the group/business unit level; feedback from key stakeholders on AML compliance at the group/business unit level; independent group audit testing results; assessment of the adequacy/effectiveness of enterprise-wide AML compliance through the analysis and evaluation of the results of the self-assessments, the feedback on the group audit, and the independent GIA audit test results; identification of the areas that need remediation of AML control gaps and improvements in the group-wide adequacy/effectiveness of AML compliance; and reports to the group/subsidiary boards and management, including group compliance, for updating the group AML compliance risk profile, with timely follow-up by management of the mitigation of the AML risk.

Introduction

AML compliance cost has been skyrocketing, even to the tune of over USD $1 billion in the last 10 years, and huge penalties have been imposed on certain big banks, such as: HSBC, to the extent of USD $1.9 billion; the recent Office of the Comptroller of the Currency (OCC) penalty on National Bank, to the extent of USD $100 million; and the very recent Australian Transaction Reports and Analysis Centre (AUSTRAC) fine (proposed civil settlement) on the Commonwealth Bank of Australia (CBA), to the extent of AUD $700 million (a rough equivalent of USD $530 million), for a large number of money laundering and counter-terrorism violations. There have been similar, if not larger, penalties imposed on several other banks in the United States. All these indicate the need to emphasize sustainable AML compliance on an ongoing basis.

In recent history, U.S. regulators have emphasized the necessity of independent testing while imposing civil money penalties on several banks, including but not limited to USD $1 million on Merchant Bank of California in 2017, and USD $75 million on U.S. Bank National Association of Cincinnati in 2015 (15) (16).

The Federal Reserve Board, the Financial Crimes Enforcement Network, and the U.S. Attorney’s Office for the Southern District of New York also imposed a penalty of USD $613 million on US Bancorp, alluding to the necessity of independent testing (17).

In this context, the role of internal audit in sustainable AML compliance is all the more critical, as stated by The IIA in its publication, “BSA-AML Compliance by Internal Audit’s Role” (14).

Background

WHAT IS A BIG BANK?

As per the Federal Reserve Board of Governors, if a bank has more than USD $250 billion of total assets, or more than USD $10 billion in foreign exposures, as per the balance sheet, then the bank is classified as a big bank. These thresholds were determined more than 10 years ago and are currently under review (1). Big banks have a consolidated approach to managing the aggregate risk of all risk types across all business units, to optimize the efficiency of identifying and monitoring controls. This includes a corporate compliance function supporting and overseeing the enterprise AML compliance program (2). The AML compliance program aggregates AML risks across the bank.

INTERNAL CONTROL STRUCTURE FOR A FINANCIAL INSTITUTION

The strategy of a bank should be to maintain the best level of controls to serve the best interest of all the stakeholders: shareholders, board of directors, customers, and regulators. Internal control, supported by an appropriate structure, is a process, effected by the board of directors and management, designed to ensure the achievement of the bank’s strategic objectives to a reasonable extent. In short, everyone in the financial institution has some responsibility for internal control, including AML control, as applicable. This is per the standards set by various organizations, such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the Basel Committee on Banking Supervision (BCBS), Sarbanes-Oxley (SOX), the Financial Services Authority (FSA), and the Institute of Internal Auditors (IIA).

LINES OF DEFENSE

In the realm of AML control compliance, the three lines of defense are made up of: the first line (the business/front office of the business units and the subsidiaries); the second line of defense (the subsidiary and the group compliance and monitoring personnel); and the third line of defense (the independent GIA) (23).

The first line of defense is responsible for identifying, assessing, and controlling the AML risks within the business. It is responsible for periodic internal testing and monitoring of control effectiveness for the business unit, either through the SOX unit or any other dedicated team. As part of the first line of defense, policies and procedures should be clearly specified in writing and communicated to all personnel. They should contain a clear description for employees of their obligations and instructions, as well as guidance on how to keep the activity of the bank in compliance with regulations.

As part of the second line of defense, the chief officer in charge of the AML program should have the responsibility of ongoing monitoring of the fulfilment of all AML duties of the bank. As per the BSA/AML Examination Manual (3), the second line of defense, or the corporate AML compliance function, has the overall responsibility of managing and monitoring AML control activities across all applicable business lines/subsidiaries. The staff responsible for the implementation of compliance control procedures are deployed within various business lines/subsidiaries, both local and overseas. Under this scenario, the expectations with regard to reporting-line responsibilities, and the relevant independence in performing this role while embedded within the business lines, are established, and the roles and responsibilities of the key stakeholders are defined.

Internal audit, the third line of defense, plays an important role in independently evaluating risk management and controls, and discharges its responsibility to the audit committee of the board of directors, or a similar body of oversight, through periodic evaluations of the effectiveness of compliance with AML policies and procedures. Within the third line of defense, the GIA, in coordination with the IAs of the individual business units/subsidiaries, has a very important independent role: to provide enterprise-wide assurance through evaluation of AML compliance design and control effectiveness, in order to ensure the adequacy of the AML controls and the effectiveness of management oversight and quality control, including the parameter criteria for automated AML alerts and the effectiveness of AML training of the relevant personnel (4). The GIA is in a position to provide this assurance to the group/subsidiary board audit committees, and also to group/subsidiary senior management, on the design and effectiveness of the key control processes supporting the AML program (5).

COMPONENTS OF AN AML COMPLIANCE AUDIT

Banks have sought the help of GIA in an advisory role since 1970, initially to provide assurance on bank compliance practices. This practice evolved into AML compliance assurance as a routine process. The objective of the audit of the AML compliance framework and supporting controls was focused on the assessment of overall adherence to the risk-based framework. Since then, there has been a lot of focus on the 2010 standards covered by the International Professional Practices Framework (IPPF). If one looks at the history of the evolution of compliance audit, including AML controls, it started with individual compliance controls at the micro level and progressed to the review of compliance committee meetings/compliance governance. Further, compliance audits progressed into the compliance framework and central regulatory coordination, guided by the advisory practice standards under the IPPF.

As per Chapter 13, “Road Ahead,” of “Implementing the Professional Practices Framework: 2nd Edition” from the IIA Research Foundation: “Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance process” (11) (12).

Overall, banks should establish policies for conducting audits of:

- The adequacy of the bank’s AML policies and procedures in addressing identified risks
- The effectiveness of bank staff in implementing the bank’s policies and procedures
- The effectiveness of compliance oversight and quality control, including the parameter criteria for automatic alerts
- The effectiveness of the bank’s training of relevant personnel

Challenges Impacting an AML Program

In order to ensure the sustainability of AML compliance enterprise-wide, banks have to overcome different types of challenges, outlined below.

JURISDICTION RISK AND TYPOLOGIES

Challenges vary with regard to overseas jurisdiction risk. Some jurisdictions could already be under Office of Foreign Assets Control (OFAC) sanctions, including those on state sponsors of terrorism. Certain countries may also be supporting international terrorism, as stated in section 6(j) of the Export Administration Act of 1979. Certain countries or geographical areas could be considered as being of “primary money laundering concern” by the Secretary of State, and are often subject to special measures under section 311 of the USA PATRIOT Act (6).

Some geographic regions/countries may not be doing enough monitoring to ward off the menace of money laundering and terrorist financing, and they may be considered non-cooperative by the Financial Action Task Force (FATF). Some of them could be registered abroad, where regulations are less stringent. Some could be major money laundering countries/jurisdictions of primary concern, already listed in the Department of State's annual International Narcotics Control Strategy Report (INCSR). Banks may face the potential risk of heavy drug trafficking or heavy predicate financial crimes in the areas where they operate.

DIVERSE PRODUCTS

Banks usually have a diversified product set, such as electronic banking, private banking, trust and asset management services, foreign correspondent accounts, and services in the group, such as electronic funds payment services with pre-paid open-loop cards, wire transfers (both domestic and international), automated clearing house transactions, and Automated Teller Machines. Meanwhile, documentation standards vary in the different jurisdictions/countries where the overseas subsidiaries of the bank operate in accordance with the local regulations (6).

CHANGE IN RISK PROFILE

The business lines/subsidiaries (both domestic and international) introduce and expand new products, services, and/or channels from time to time. The key challenge in this context is to identify and analyze the impact of these changes on the AML risk profile of the respective units (both domestic and international) in a timely manner. Timely aggregation of these impacts on the individual units across the group is cumbersome and vulnerable to the risk of omissions in the aggregate risk profile of the bank. The absence of an established process in the banking group to continually reassess AML risks and communicate them to the business units/subsidiaries, functions, and legal entities in a timely manner results in the bank, subsidiary, board, and/or senior management not understanding and appropriately mitigating the risks across the bank. This situation increases the bank’s vulnerability to inappropriate and inadequate AML risk management (6).

VARIATIONS IN THE REGULATORY STANDARDS

While there have been concerted efforts by the various standards-setting organizations, such as FATF, Basel, FCA/PRA, and JMLSG, to establish consistent standards, there are a number of variations among the standards set by various regulatory authorities, based on the level of maturity and the typology of the jurisdictions they regulate. Some apply prescriptive approaches and some principles-based approaches, depending on the level of maturity of the standards-setting authority of the country.

The bank faces the key challenge of varied regulatory standards among the jurisdictions where its subsidiaries and business units operate. In the case of the United States, regulators have implemented more stringent and strict regulations, such as the Dodd-Frank Act (Dodd-Frank) and the Foreign Account Tax Compliance Act (FATCA), with the objective of bringing the foreign banks on par with the regulatory requirements for the domestic banks (7).

The European Union, on the other hand, has been a bit slow in trailing the U.S. as far as strengthening the regulatory regime goes. For example, its “Second Markets in Financial Instruments Directive (MiFID II),” the equivalent of Dodd-Frank, was adopted by the EU in 2014 after more than two years. This was finally implemented in the last quarter of 2016. It issued the “Fourth Anti-Money Laundering Directive (AMLD IV)” in June 2015, with the objective of bringing its member countries closer to the standards of the United States.

The Australian Securities and Investments Commission (ASIC) issued principles-based guidance on cross-border financial regulation. In it, ASIC permits conditional relief from certain Australian regulatory requirements to foreign banks operating in Australia. In return, Australian regulators seek similar relief from foreign regulations for the Australian financial institutions serving those countries (8).

LEVEL OF EXPERIENCE

The level of experience with AML controls and the adequacy of AML banking training group-wide vary among the business/subsidiary units, both domestic and international. AML compliance staff members in the business lines/subsidiary units overseas have not had the same level of experience as their counterparts back in the United States.

The basic issue is that the AML policies and procedures in the individual business units/subsidiary units overseas have not adopted the dictum that U.S.-based (parent-country) regulations are the basis of their respective AML control focus, and so have not been adopted uniformly.

What is absent is a group-wide methodology to bring about harmony in the training approach at the individual business lines/subsidiary units. The current training methodology does not focus much on imparting adequate training to the group/subsidiary board and senior management on current AML regulations and the changes to them from time to time.

There is no timely update of the training materials to incorporate the changes to the AML regulations enterprise-wide. Training materials incorporating relevant examples of money laundering or suspicious activity are not tailor-made specifically to the relevant audience. Inadequacies and inconsistencies in the group-wide training and testing materials documentation, the dates of the training sessions, and the maintenance of attendance records, such as the absence of acknowledgments by the respective user management and unavailability for the examiner's review, are prevalent (9).

DATA QUALITY STANDARDS

Since the automation of a number of key process elements, such as customer acceptance records, Customer Due Diligence (CDD), Enhanced Due Diligence (EDD), transaction monitoring, sanctions list management, and automated alerts, the application of big data enterprise-wide is very critical to effective AML compliance. Therefore, the quality of the data should be maintained enterprise-wide. However, data quality across the bank group is not consistent and not homogeneous, for various reasons. The quality of data in subsidiaries that are newly acquired or lack strict enforcement of the standards is a potential impediment to maintaining group data quality standards. Moreover, group data quality maintenance is not as robust as the tools supporting it, and is not equipped to improve data quality while performing data profiling, data standardization, geocoding, matching or linking, setting up rules, monitoring (whether in batch or real time), and even when performing data cleansing. The timeliness and reasonableness of data quality are not mandatorily enforced. Overall, the effectiveness of the AML controls is adversely impacted under the current scenario.

OTHER FACTORS

1. The front line of business, which is supposed to be the first line of defense as far as AML compliance is concerned, usually shifts the responsibility to the second line of defense (the compliance function).

2. Inadequate AML compliance resources to cope with the increased volume of labor-intensive controls, including but not limited to performing root cause analysis, could lead to ineffective controls.

3. There are several controls, many of which are strong enough to mitigate AML risk. However, the business unit is not aware of the few most critical controls, which could mitigate the AML risk most significantly; as a result, cost effectiveness is minimal. The controls are ineffective because they are not adequately understood, which results in poor risk management.

4. There are duplications and overlaps between the testing and risk assessment programs of the AML compliance function and those of the first line of defense. While consolidating and reconciling the findings/outputs of the AML compliance risk testing, operational risk testing, and third-party risk testing performed periodically by various teams applying different approaches, huge amounts of time and effort are put in, decreasing cost effectiveness.

5. The basis of the AML compliance framework of the bank is now more risk-based, away from the procedure-oriented basis of the past. However, the compliance staff in the business lines, and the compliance functions themselves, are finding it difficult to move away from procedural adherence to the residual-risk-focused approach.

6. Many of the metrics are not set up on forward-looking measures of risk, and most of them are not defined properly, resulting in the generation of data with unclear implications. There is a potential risk of bypassing the high-risk exposures (10).

Solution: 360-degree Independent Audit

The Code of Ethics, the Internal Audit Attribute Standards (1000 to 1322), the Performance Standards (2000 to 2600), the Practice Advisory Attribute Standards (PA 1000-1 to PA 1321-1) and Practice Advisory Performance Standards (PA 2010-1 to PA 2500 A1-1), and, for information technology audit/testing, the Global Technology Audit Guides and the Guide to the Assessment of IT Risk (GAIT), all propounded through the International Professional Practices Framework of The Institute of Internal Auditors, are well ingrained in the audit and advisory methodologies of the GIA of the bank.

While considering the complex challenges in the banking environment (primarily those under the “Challenges” section above), ensuring the sustainability of AML compliance entails a special advisory/audit exercise by the GIA. This is to be carried out through a 360-degree independent enterprise-wide internal advisory audit, structured and executed in the following way:

SELF-ASSESSMENTS ON AML COMPLIANCE

The main objective of the GIA is to organize and facilitate an independent, confidential, and objective self-assessment of enterprise-wide AML compliance by key stakeholders from the business lines and subsidiary units, both domestic and international. This exercise should be approved by the respective boards as a Key Performance Indicator (KPI) for the management of the enterprise-wide operating units.

The following are some of the key benefits of this exercise:

- It brings out key stakeholders’ true opinions on the design and overall effectiveness of the controls.
- It brings out self-consciousness of the ownership of the AML controls, as they are vested with the key stakeholders. This will drive timely and earnest mitigation by key stakeholders once the results are applied as an integral part of the audit.
- Such independent self-assessment will help the key stakeholders to identify the gaps or areas for further improvement in AML control designs, resulting in a better understanding of the key risks, control gaps, and the amount of effort required to remediate those gaps.
- It enables key stakeholders to make more informed decisions about risk appetite.
- It generates a better understanding of the structure of their own unit and the state of alignment of its own AML compliance program to its risk profile.
- It helps them make strategic decisions about de-risking through exiting business relationships.

The scope and objective of this self-assessment exercise, as a part of the 360-degree GIA advisory audit, should be clearly communicated to the auditee senior management.

The following steps are to be undertaken by the GIA under this process:

1. Identify the key stakeholders in the enterprise (group) based on their impact on AML compliance.

2. Develop questionnaires/surveys for key stakeholders including, but not limited to, the group/subsidiary board directors on the compliance board committee, the relevant management of the business units (including the AML compliance management in the respective business lines), and the group/subsidiary training faculty covering AML compliance.

3. Customize the components of the questionnaire to the audience, geared towards meeting the GIA perspective of this exercise (i.e., the sustainability of the AML controls from time to time). The questionnaire should be structured in such a way that confidentiality is ensured. The GIA is to distribute and collect the self-assessments of the key stakeholders, enterprise-wide, in confidence.

4. Complete the collection prior to embarking on the planning sessions between the GIA teams and the auditee senior management. However, the results of the self-assessments should be kept in sealed envelopes, away from the respective audit teams and with the group Chief Audit Executive (CAE) office, such that the auditors are not privy to the details of the control weaknesses identified by the auditee management until the independent audit testing is completed and the findings are finalized in the form of the initial report. This is with a view that these results should not influence the upcoming independent group-wide risk assessment and independent testing by the GIA. The objective is to keep the independent and objective element of the GIA intact.

5. A GIA team separate from the independent testing team has to identify the hotspots/areas for improvement under AML compliance. It should analyze the results of the survey to identify the gaps and their impact on AML compliance enterprise-wide. This analysis is very important, as it will provide the management’s perspective of the gaps. It will form an integral part of the 360-degree exercise, which the GIA will complete to ensure sustainable AML compliance. This approach will provide a holistic assessment of the control gaps, with whole-hearted acceptance and ownership from the key stakeholders.

AUDIT FEEDBACK

As part of the 360-degree GIA advisory audit of AML compliance, the GIA ensures that relevant and timely feedback is obtained from the various audit stakeholders in the group, as applicable. This is to obtain the auditee’s perspective of the overall performance of the GIA’s independent testing. The following key steps are to be completed:

DEVELOPMENT OF A QUESTIONNAIRE

Develop the questionnaire to obtain feedback from the respective audit stakeholders including, but not limited to, the group/subsidiary board compliance committees, the business lines’ management, and compliance management. This questionnaire should cover the advisory audit scope, objective, risk assessment, the AML key controls tested by the GIA in the respective business/compliance function units and subsidiary units (both domestic and international), the risk ratings of the findings, and communication. This will bring out any deficiencies/weaknesses in the independent testing process, which will help the GIA consider other measures to offset such weaknesses in this advisory exercise and further improve the reliability and accuracy of the test results.

DISTRIBUTION AND COLLECTION OF THE QUESTIONNAIRE

The GIA team is to distribute the questionnaire to the applicable business lines, functional units, and subsidiary units (both domestic and international), group-wide. This distribution is to be completed immediately after the planning meetings with the respective senior management of the units, with a target date for collection immediately following the independent testing by the GIA. The objective of this feedback exercise, as a part of the 360-degree GIA advisory audit, should be clearly communicated to the auditee senior management. This exercise should be approved by the respective boards as a KPI for the management of the enterprise-wide operating units. The GIA is to collect the feedback of the internal audit key stakeholders via the questionnaires, and to collate it and identify areas to improve the GIA process.

PRE-ADVISORY AUDIT

The next step under this special exercise is the independent testing performed by the GIA. As pre-audit preparation, a number of key steps are to be performed, including the following.

GROUP AUDIT PROFILE

The following are some of the key standards adopted by the GIA audit/advisory methodology:

OBJECTIVITY AND INDEPENDENCE

As per the International Professional Practices Framework (IPPF) Standard 1100 and Practice Advisory 1120-1 issued by The Institute of Internal Auditors (IIA): "The internal audit activity must be independent, and internal auditors must be objective in performing their work."

The IIA's interpretation is that independence is the freedom from conditions that threaten the ability of the internal audit activity, or of the chief audit executive (CAE), to carry out internal audit responsibilities in an unbiased manner.

The IIA defines objectivity as "an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made." Established processes to deal with potential impairments of objectivity and independence are already in place and effective in the GIA, and the responsibilities of the GIA when executing consulting and audit work are well defined.

AML PROFICIENCY AND DUE PROFESSIONAL CARE

As per IPPF Standard 1200 and Practice Advisory 1200-1 issued by the IIA, the internal auditors performing the AML consultancy/audit must possess the knowledge, skills, and other competencies required to perform this results-oriented work. The team as a whole performs the activities with collectively sufficient knowledge, skills, and competency in AML regulations.

ADEQUACY OF AML TRAINING

The GIA's training framework emphasizes essential elements such as assessing training needs; establishing and updating the AML training plan and the process of delivery; tracking and reporting under the GIA and the subsidiary internal audit functions; and independent testing skills and resource plans. The training plan focuses on key areas such as the group AML compliance program, the group risk assessment process, the Customer Identification Program (CIP), Customer Due Diligence and Enhanced Due Diligence (CDD/EDD), suspicious activity monitoring and reporting, sanctions screening, communication protocols, data collection and analysis, controls over the AML tools (to support the IT auditors), new products and channels, and controls awareness.

AUDIT RISK

The GIA performs an annual assessment of the acceptable level of audit risk, that is, the risk that the auditor reaches an incorrect conclusion or fails to identify a material or significant deficiency from the advisory audit perspective. The GIA maintains documented guidelines and procedures for this assessment. The key elements considered in arriving at the acceptable audit risk are inherent risk, control risk, and planned detection risk. The extent of audit evidence collected also depends on the acceptable level of audit risk: if inherent risk and control risk are high, the planned detection risk must be set lower, which requires more evidence, and vice versa.
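
As an added illustration, not drawn from the paper, the relationship described above is the standard audit risk model, on the assumption that the GIA applies it in its usual multiplicative form:

    AR = IR x CR x DR, so that DR = AR / (IR x CR)

where AR is the acceptable audit risk, IR the inherent risk, CR the control risk, and DR the planned detection risk. With AR fixed at 5% and a unit whose IR and CR are both assessed at 0.8 (high), DR = 0.05 / (0.8 x 0.8) = 0.078, so the testing must drive detection risk down to roughly 8%, which means larger samples and more persuasive evidence. For a unit with IR = 0.5 and CR = 0.4, DR = 0.05 / 0.2 = 0.25, so the same overall assurance is obtained with considerably less testing. The illustrative percentages are constructed for this example and are not figures from the paper.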

AML COMPLIANCE ADVISORY AUDIT PROGRAMS

The following are the key components of the Bank's AML compliance program:

• A framework consisting of policies and control procedures supported by the relevant implemented controls
• Independent testing of AML compliance group-wide
• An individual or a team specifically assigned to manage AML controls group-wide (a chief compliance officer along with a dedicated team supporting the position)
• An adequate and appropriate training plan and its execution

These are the four pillars of the AML compliance program as required under the Bank Secrecy Act and FinCEN's regulations. A fifth pillar, the establishment of risk-based Customer Due Diligence procedures, was added by FinCEN's Customer Due Diligence Final Rule, issued in May 2016 with a compliance date of May 11, 2018 (The "Fifth Pillar" of AML/BSA Compliance: FinCEN Issues Final Rule for New Customer Due Diligence Requirements under the Bank Secrecy Act) (18).

The group audit program is updated to cover all of the above with regard to new customers, products, geographies, and channels for all applicable business lines and subsidiaries (domestic and international). An AML audit program based on the current audit methodologies is effective when it has the following characteristics:

• All deviations and violations are identified, and the resulting risks and impacts are explained.
• The quantitative or qualitative data supporting the findings and conclusions is retained.
• Findings and observations are communicated to the auditee in a timely manner, both to reconfirm the supporting facts and to explore whether other mitigating controls are already in place (so that residual risk can be assessed for issue-rating and remediation-ranking purposes).
• The corrective actions are incorporated into the report, and the necessary remediation tracking mechanism is in place.
• There is an established process to communicate the findings and recommendations, together with the auditee's remediation plans, to group and subsidiary senior management and boards in a timely manner.

RISK ASSESSMENT FOR THE BANK

The group-wide AML risk profile is to be updated as part of the pre-audit preparation. This is done by loading the latest available group-wide AML risk assessment, completed by the central group compliance unit, into the GIA central risk assessment database. The GIA has to apply due diligence to ensure that this information is accurate and relevant, and that it covers all applicable business lines and subsidiary units, including the control functions relevant to the AML risk profile.

The auditors should ensure that the risk assessment is supported by appropriate qualitative and quantitative data. The GIA should assess whether the group has a process to periodically review and update the group profile, and whether the responsibilities for doing so are clearly assigned and carried out. They should also assess whether the group compliance function has adopted the key steps laid down in its policies and procedures, which include the following:

1. Identification of specific AML risk categories covering customers, products, geography, and channels
2. Detailed analysis of the collected data
3. Evaluation of the AML program in light of the results of the analysis, and updating of the group AML risk profile covering the business lines and subsidiary units (both domestic and international)

In brief, timely evaluation and updating of the group-wide risk profile in the group audit central risk assessment database, in tandem with the AML group compliance risk assessment, should be completed as part of the pre-audit (consultancy) phase of this exercise (19).

AML RISK ASSESSMENT BY GIA

Overall, the bank has taken guidance from The Wolfsberg Group, blended with that of the Basel Committee on Banking Supervision, the FFIEC BSA/AML Examination Manual, and IIA IPPF Practice Advisory 2120-1, in its enterprise-wide AML risk assessment, proportionate to the size and structure of its global operations. The GIA mirrors this approach in its own enterprise-wide group audit risk assessment before embarking on the enterprise-wide independent testing process, which is itself one of the five pillars of the AML compliance regime.

The GIA is cognizant that the risk assessment should consider consequential risk, which reflects the bank's internal and external environment. This is particular to AML risk: unlike credit or market risk, which can usually be quantified before the risk is accepted, AML risk cannot be so readily quantified in advance.

The GIA uses the bank's enterprise-wide AML risk assessment for the following purposes:

• To identify and update changes and additions to the customer segments, products, geographies, and channels in the GIA's enterprise-wide AML risk assessment process
• To understand the new or modified AML tools used by the group
• To update its understanding of changes in regulatory requirements enterprise-wide
• To understand the bank's risk-based approach to calculating inherent risk and its method of assigning a score and weight to each factor
• To identify gaps and opportunities for improving the design of the AML controls spanning the five pillars, enterprise-wide, from the perspective of the bank's senior management
• To perform the GIA's own enterprise-wide AML risk assessment of the five pillars of activities covering customers, products, geography, and channels
• To assess the effort and resources required based on residual risk (high, medium, and low) and ensure their alignment with the bank's risk profile (13) (20) (21)

SCOPING AND PLANNING

The GIA executes a structured approach to the scoping and planning of the AML advisory audit exercise, based on a methodology adopted primarily from IIA IPPF Standards 2200 to 2240 and Practice Advisories 2010-1 and 2210-1. As a practice, the scope is designed to satisfy the objectives of this advisory engagement. The scope also covers the relevant AML systems and tools, personnel, and key processes, including, but not limited to, outsourced activities such as major parts of Customer Due Diligence and sanctions screening. The control weaknesses already identified by regulatory reviews and external auditors, and other external factors affecting the bank's risk profile, are incorporated into the group audit enterprise-wide risk assessment exercise that is already underway.

As part of scoping and planning, the GIA also reviews the group AML compliance program, the group AML compliance committee charter and/or minutes, and the minutes of board of directors meetings. This informs the decisions on sample size, extent of testing, and documentation, covering all appropriate areas, including those required by the regulators.

As part of the planning process, the GIA carries out key steps, some of which are given below:

• Ensure that the audit plan is linked to the AML risks and exposures, and that it is updated to reflect changes in management's direction, objectives, emphasis, and focus.
• Prepare the enterprise-wide audit schedule based on the dates and availability of the respective auditees (business units, head office, and subsidiary units, both domestic and international).
• Develop and document the engagement work program that will enable the team to achieve the engagement objectives.
• Schedule the planning meetings with auditee senior management in the order of the audit schedule already established.
• Collect the initial data required to initiate the audit process, such as policies, procedures, and any other guidelines the GIA has not already seen.
• Share with the auditee the communications protocol, expectations, and deliverables, along with the timelines.
• Share the scope and objectives, respective responsibilities, and other expectations of this special advisory audit.
• Exchange the names of the coordinators from the GIA and the auditee.
• Schedule the travel plans for the respective audit teams covering the enterprise-wide review.

FIELDWORK AND TESTING

The GIA methodology for fieldwork and testing currently in force for GIA advisory engagements is based primarily on the IPPF standards issued by the IIA for advisory (consulting) practice. This advisory engagement is a fully integrated, risk-based review of the manual and automated AML controls, internal or outsourced, that mitigate risk across the five pillars of AML activities, and of the systems and tools that support them. It also covers entity-level and activity-level controls, some of which are fully or partially automated.

The GIA covers all key control activities identified in the GIA AML risk assessment. Some of the critical ones are customer acceptance and onboarding, Customer Due Diligence, Enhanced Due Diligence, transaction monitoring, sanctions screening, suspicious activity monitoring and reporting (SARs), management of high-risk customers, the escalation process, whistle-blowing, the AML group risk assessment process, reporting to regulators and law enforcement agencies, and OFAC compliance. Some of the key steps are enumerated below:

1. Review the applicable policies and procedures for adequacy of documentation and the appropriate level of approval.

2. Conduct interviews and walkthroughs with the key process owners, including, but not limited to, the respective subsidiary and group boards and senior management.

3. Identify the inherent risks and evaluate the adequacy of the control design.

4. Test the operating effectiveness of the AML key controls, including, but not limited to, AML training; or, alternatively, assess the effectiveness of the testing of the key controls already performed as part of SOX testing of group-wide AML compliance. This is performed as per the GIA testing standards and sampling methodology. Extended testing is performed where required.

5. Maintain an adequate level of documentation of the testing and results to provide the basis for findings escalated within group audit management and to the board.

6. Communicate the audit findings and the related risks to auditee management in a timely manner and obtain their feedback. Conduct a findings discussion with the immediate auditee management to confirm that the observations and findings are factually correct, and to identify any additional compensating controls in the respective AML control environment not taken into account earlier. This enables the internal auditor to refine the residual risk and to develop, in concurrence with the auditee, the recommendations to mitigate it. Direct communication with the auditee at this juncture is critical: it secures buy-in on the findings and their remediation from an auditee who will then be willing to take ownership of timely remediation (22).

REPORTING

The GIA performs the following steps to prepare the final assessment of the adequacy and effectiveness of enterprise-wide AML compliance:

The GIA collates the results of the self-assessment by the bank's senior management of AML compliance in their respective units (described on page 8). Similarly, it collates the feedback on the GIA from the respective senior management (page 10) and the results of the GIA's own independent testing (page 14). The GIA then analyzes and evaluates these three sets of results for each unit to fine-tune the identification of control gaps in AML compliance and the severity of the residual risks for that unit.

The GIA consolidates the final results, finalizes and ranks the risks, identifies the areas that need improvement in the group-wide adequacy and effectiveness of AML compliance (including the GIA's own AML compliance independent audit), and evaluates the overall adequacy and effectiveness of the AML compliance program group-wide.

Meanwhile, the GIA obtains from the group-wide auditees and stakeholders the final remediation plans for the control gaps with residual risks, with well-defined deadlines.

The GIA also compiles the final report, with an executive summary, the AML compliance heat maps, and detailed reports incorporating all relevant details, supported by the audit issues on the AML compliance program and the key stakeholders' issue and risk remediation timetables for the respective units, both domestic and international.


REPORT TO THE BOARD

The GIA schedules meetings with the respective subsidiary (domestic and international) board audit committees or compliance committees, as the case may be, and presents the full report, highlighting the key elements and the key control gap remediation management plan, together with the respective report ratings. The opinion of each board committee is incorporated into the respective report.

Once this is complete, the GIA compiles the consolidated enterprise-wide final report and schedules a meeting with the group board audit committee or compliance committee. The group board should be apprised of the highlights of this special 360-degree enterprise-wide group advisory audit and its key findings, along with the enterprise AML compliance risk heat maps, showing how this exercise helps sustain AML compliance throughout the enterprise at an acceptable level, in line with the risk appetite of the bank as a whole and of the individual units.

GROUP COMPLIANCE DIVISION SENIOR MANAGEMENT UPDATE

The GIA coordinates and plans a meeting, supported by a workshop session, with group compliance senior management to brief them on the consolidated AML control gaps, the updated residual risks and risk rankings, and the control gap remediation plans and deadlines committed to by the senior management of the group, the business lines, and the domestic and international subsidiaries. This helps group compliance, and eventually the business lines and subsidiaries, to take account of the key risks identified in the group advisory audit when updating their AML risk assessment matrices.

At the same time, it should be emphasized to group compliance management and to the management of the business lines and subsidiaries (both domestic and international) that they must have a thorough understanding of their own AML compliance risks as updated by this GIA exercise, and that they must accept ownership of, and responsibility for, their impact on the effectiveness of the compliance controls. This does not absolve them of their responsibility to update the AML compliance control risks in their respective units from time to time, or whenever there is a change in the control environment arising from customers, products, geography, and/or channels.

The GIA itself ought to update its own internal group audit AML risk assessment as a precursor to the following year's exercise.

FOLLOW-UP ON CORRECTIVE ACTIONS

The GIA should track and validate the corrective actions identified during the audit to gain assurance that management has resolved the issues and that the corrective actions taken are implemented and sustainable. The following steps are completed by the GIA as part of the follow-up process:

• The GIA holds quarterly meetings with the respective business lines and subsidiaries (both domestic and international) to review and verify the implementation of the management actions that rectify the key control gaps.
• The GIA updates the group board and the subsidiary audit/compliance committees on progress quarterly.
• Similar updates are given to group compliance so that it can update the control designs and the risk mitigation process for the group, subsidiaries, and business lines. These updates should also be reflected at the same time in the respective AML risk assessment models, producing the residual risk for the group-wide AML risk profile.
• Group senior management should ensure that remediation of the group-wide key control gaps and updating of the group-wide risk profile are factored into the key performance indicators of the individual members of the group's senior management, including those of compliance, the business lines, and the subsidiaries (both domestic and international).

CONCLUSION

The approach described above provides a continuum of sustainable AML compliance enterprise-wide, with ongoing improvement of the AML compliance controls.

Even though the group AML team puts considerable effort into keeping control compliance ongoing, the challenges, and their related inherent risks, in this environment are continuous, and some of them may elude the controls operated by the first and second lines of defense.

Hence this specific exercise by the GIA (the third line of defense) is to be repeated every year as the last and best control for ensuring that the challenges and their related risks, including, but not limited to, the following, are mitigated to an acceptable level, so that residual risk is maintained within the organization's risk appetite on an ongoing basis:

• Jurisdiction (country) risk and the risks from the associated typologies
• Inherent risks from the diverse products and their varied documentation standards group-wide
• Changes in the risk profile over time due to the introduction or expansion of new products, services, and channels group-wide
• Variations in the regulatory standards among the group's jurisdictions
• Diverse levels of experience and training group-wide
• Diverse data quality standards group-wide

Moreover, this is the last and best resort for ensuring that all key AML compliance risks are identified and mitigated enterprise-wide within the hierarchy of the AML internal control environment. Hence the GIA 360-degree AML group advisory audit is the last and best control to ensure that enterprise-wide AML compliance is sustainable on an ongoing basis.


Works Cited

1. Financial News (fnlondon.com). US Fed rethinks how to define a big bank. https://www.fnlondon.com/articles/fed-rethinks-how-to-define-a-big-bank-20181002. [Online] 2018.

2. FFIEC. AML Compliance Program Structure Overview. https://www.ffiec.gov/bsa_aml_infobase/pages_manual/olm_039.htm. [Online]

3. FFIEC BSA/AML InfoBase. BSA/AML Examination Manual. https://www.ffiec.gov/bsa_aml_infobase/pages_manual/olm_039.htm. [Online] 2014.

4. AML-CFT.NET. Three Lines of Defence. https://aml-cft.net/library/three-lines-defence/

5. The IIA UK. Governance of Risk: Three Lines of Defence. https://www.iia.org.uk/resources/audit-committees/governance-of-risk-three-lines-of-defence/

6. FFIEC. BSA/AML Risk Assessment: Overview. https://www.ffiec.gov/bsa_aml_infobase/pages_manual/olm_005.htm

7. Protiviti. The Challenges of Managing a Global AML Program. https://www.protiviti.com/sites/default/files/united_states/challenges-managing-global-aml-program-protiviti-2017.pdf

8. Trulioo Global Identity Verification. Why Banks Struggle with Cross Border Compliance. https://www.trulioo.com/blog/why-do-banks-struggle-with-cross-border-compliance/

9. FFIEC. BSA/AML Examination Manual, 2018. https://www.ffiec.gov/bsa_aml_infobase/pages_manual/olm_007.htm

10. McKinsey. Sustainable compliance: Seven steps toward effectiveness and efficiency. https://www.mckinsey.com/business-functions/risk/our-insights/sustainable-compliance-seven-steps-toward-effectiveness-and-efficiency

11. Institute of Internal Auditors Australia. IPPF Practice Guide: Creating an Internal Audit Competency Process.

12. The IIA Research Foundation. Internal Auditing: Assurance and Consulting Services.

13. The Wolfsberg Group. Frequently Asked Questions on Risk Assessments for Money Laundering, Sanctions and Bribery and Corruption. https://www.wolfsberg-principles.com/sites/default/files/wb/pdfs/faqs/Wolfsberg-Risk-Assessment-FAQs-2015.pdf

14. The IIA. BSA/AML Compliance: Internal Audit's Role. https://dl.theiia.org/FSACPublic/BSA-AML-Compliance-NM.pdf

15. Office of the Comptroller of the Currency (OCC). OCC Assesses Penalty Against Merchants Bank of California. https://www.occ.treas.gov/news-issuances/news-releases/2017/nr-occ-2017-23.html

16. Office of the Comptroller of the Currency (OCC). OCC Assesses $75 Million Civil Money Penalty Against U.S. Bank National Association. https://www.occ.gov/news-issuances/news-releases/2018/nr-occ-2018-17.html

17. American Banker. Regulators fine U.S. Bank more than $600M for AML errors. https://www.americanbanker.com/news/regulators-fine-us-bank-more-than-600m-for-aml-errors

18. Financial Services Perspectives. The "Fifth Pillar" of AML/BSA Compliance: FinCEN Issues Final Rule for New Customer Due Diligence Requirements under the Bank Secrecy Act. https://www.financialservicesperspectives.com/2016/07/the-fifth-pillar-of-amlbsa-compliance-fincen-issues-final-rule-for-new-customer-due-diligence-requirements-under-the-bank-secrecy-act/

19. FFIEC. Bank Secrecy Act/Anti-Money Laundering Examination Manual, 2014. https://www.ffiec.gov/bsa_aml_infobase/pages_manual/manual_online.htm

20. Dafidek, Donna. Auditing/Updating an AML Risk Assessment (PDF).

21. The Wolfsberg Group. Anti-Money Laundering Risk Assessment FAQs (2014). https://www.wolfsberg-principles.com/sites/default/files/wb/pdfs/faqs/Wolfsberg-Risk-Assessment-FAQs-2015.pdf

22. The IIA. International Professional Practices Framework (IPPF): Standards and Practice Advisories 2010-1, 2020-1, 2030-1, 2040-1, 2050-1, 2060-1, 2120-1, 2130-1, 2200-1 to 2240-1, 2330-1 and 2500-1.

23. Basel Committee on Banking Supervision. Sound Management of Risks Related to Money Laundering and Financing of Terrorism, June 2017.