Over the years we’ve seen some good AML/CTF Programs but, sadly, most have been substandard. That’s somewhat understandable considering the competing priorities of many compliance managers and how little experience most have in this environment. There are many complexities involved and everyone has their own opinions, but we’ve distilled things down to our top 5 tips, based on our experience, for your consideration. No doubt you could add a couple more…
1. THINK LIKE A CRIMINAL.
Understand AML and CTF risks and consider them separately, each through its own specific lens. Too many people believe that because they understand business risks generally, and maybe fraud risks, they understand AML/CTF risks. All too often, this has proven wrong or insufficient. Organise a group, don’t do this by yourself, and take the time to think like a criminal and then think like a terrorist. You know the vulnerabilities in your organisation, of course you do! Now, how would a criminal take advantage of them?
2. MAKE YOUR EFFORT WORTH IT.
Make the Program meaningful and relevant to the actual operations of the business. Too often we see templates used with little or no modification to show that they are relevant to the actual business. Some small businesses have Programs so huge they would suit a multi-national company – ridiculous. The best Programs are often written by operational staff who do the work – not lawyers who know the law. You’re going to the effort of writing the thing, so you might as well make it worthwhile.
3. DON’T BE VAGUE.
Explain what you mean, and don’t be vague. You might think you are being clever by allowing yourself some ‘wriggle room’ for when the Regulator comes for a visit, but what it really does is create confusion. Part of this is about maintaining corporate knowledge, so if you leave, go on vacation or train someone to assist in your role, they have a clear understanding of what must occur. We have performed reviews where the compliance manager looks at a paragraph and says “Hmmmm what was I trying to say there?” Vague language leaves things open to interpretation and therefore gaps. Gaps lead to breaches. Not so clever now, huh…
4. POLICY VS PROCEDURE.
Understand that there is a difference. The legislation bundles these words together, so it’s easy to read over the top of the actual requirements. Policies are the “what and why we do” components, while Procedures are the “how we do” components. Policies set the organisational expectations, while Procedures inform people of the steps required to complete the function. If you have procedures already created in other business units (e.g. staff vetting and training), simply reference that document rather than duplicating effort.
5. FRESH EYES.
This is where internal and external review processes become valuable. Make sure you do an internal review and give the person “permission” to constructively criticise. Before submitting the Program to the CEO or Board for approval, have a peer review process in place. If someone else cannot accurately interpret the document, it’s a good sign that it needs some amending. An external review, not one by the regulator, should be performed in the spirit of continuous improvement, not judgement and blame allocation. This will best prepare you for the regulator’s visit.
We hope you found some use in these tips. Of course, the devil is in the detail!!