Two-thirds of Reporting Entities have completed an internal review of their Risk Assessment and AML/CFT Programme
Nearly two-thirds of reporting entities told us they have completed an internal review of their risk assessment and AML/CFT programme in the two years leading up to the end of June 2015. This is great progress. Remember that a reporting entity must review its risk assessment and AML/CFT programme to ensure the risk assessment and AML/CFT programme remain current; and identify any deficiencies in the effectiveness of the risk assessment and the AML/CFT programme; and make any changes to the risk assessment or AML/CFT programme identified as being necessary from the internal review. If you have not completed an internal review of your risk assessment and AML/CFT programme you should make this a priority as compliance with this requirement is assessed by the Department during a programme review or on-site inspection.
When there are changes to a reporting entity’s business, such as a new type of customer, product or service, or method of delivery, the risk assessment must be revisited and any potential ML/FT risk identified and analysed. From there, a reporting entity’s AML/CFT programme must be reviewed and updated to reflect any additional or amended procedures, policies or controls that are being introduced or required.
Likewise, any deficiencies in the effectiveness of a risk assessment or AML/CFT programme must be identified and changed. This may be something that is picked up in an independent audit. Or it may be something triggered by account monitoring, for example, if a ML/FT risk is identified relating to a particular customer, or a type of customer and/or their transaction behaviour. It could also be something that is identified because there has been a change in ML/FT methods or trends, whether domestically or internationally.
The non-compliance we have encountered includes reporting entities:
that have not updated their risk assessment or AML/CFT programmes since the Act took effect, and for whom there was no evidence that it had ever been reviewed
with AML/CFT procedures in practice that were significantly different from those stated in their programme
that cannot tell us the version of their risk assessment and AML/CFT programme that applied at what point in time.
Good record-keeping practices and version control are the key to ensuring that a risk assessment and AML/CFT programme remain current and compliant. Every time a risk assessment and AML/CFT programme are reviewed or updated, there should be a record kept, with the reasons for it and any changes clearly documented for future reference.