Developing an AML independent testing plan
One of the most important things an organization can do is to plan ahead by considering its complete AML independent testing needs for the year and determining how to reduce duplicated efforts. Areas that can be explored include:
- Is the organization operating globally?
- If operating globally, should the organization’s AML program be assessed by a single vendor with knowledge of global AML requirements?
- What other key stakeholders need to be considered?
- Do the organization’s banking partners have specific testing areas or key risk indicators that should be taken into account?
As organizations assess their AML independent testing needs for the year, they should consider two key questions:
- Do we operate under a global shared services model?
With the amount of competition in the financial services industry, customers’ expectations are high. Having access to global financial services and payment systems through a single platform or application has become an expectation. To meet these expectations, fintechs and other financial services companies have established global operations.
The number of regulations that need to be considered when doing business in multiple jurisdictions can seem complex and overwhelming, and the number of regulations continues to trend upward, as will the regulatory scrutiny and focus on fintechs. However, using centralized transaction monitoring and Office of Foreign Assets Control and sanctions screening processes and systems that incorporate specific country reporting requirements, typologies, and global lists is an effective way to help the organization adhere to compliance standards and regulatory requirements.
Given that processes are commonly centralized, having a vendor assess these programs while simultaneously considering specific country requirements can provide for a more comprehensive and efficient independent testing engagement. Any unique areas or products and services that are jurisdiction-specific should be discussed and considered during scoping with a potential vendor so that they are incorporated into the assessment in addition to the review of global processes.
- Are we involving our local compliance personnel and stakeholders?
Although an organization’s processes and systems might be centralized, local compliance personnel and stakeholders might be responsible for in-country filings and reporting to demonstrate commitment to compliance and to support the overall compliance function. Organizations should include these resources in the independent testing scoping and assessment process, as they are most familiar with the local requirements and regulations.
Any localized policies and procedures that have been developed in addition to global policies and procedures should also be shared with the vendor, discussed, and considered during the execution of the assessment.
The benefits of engaging a single vendor
Engaging a single vendor to meet global AML independent testing needs and requirements can streamline the review process and improve consistency and standardization. Central points of contact and consistent resources already familiar with policies, procedures, and processes will enhance the quality of the testing and limit the amount of time employees spend in walkthroughs with the vendor. Volume pricing might also decrease the overall cost of an organization’s independent testing.
Discussions should be held with the vendor during the planning and scoping process to determine capabilities, experience, and familiarity with local regulations, regulatory agencies, and in-country requirements.
Additional AML independent testing considerations
Other key items can make or break an engagement. They include:
- In-country expertise. If a regulator has recommended that an organization use an in-country provider or if the organization simply prefers a local subject-matter expert execute the work, it should discuss such details with the vendor. It is possible that the vendor might have a global network or partner firms that can accommodate the request.
- Technology and system access. Often, organizations find that providing company-owned technology or some form of system access to their vendors expedites the assessment and decreases the amount of time employees spend gathering documentation and testing evidence on behalf of the vendor. Identifying which systems would be beneficial to provide access to and discerning who the owners of those systems are can be a time-consuming process, so organizations should allow plenty of lead time to line up these details.
If organizations are not willing to provide system access or personally identifiable information to their vendor, they should be sure to discuss this exception with key stakeholders ahead of time and budget sufficient time for employees to share their screens to allow the vendor to execute testing.
- Managing documentation requests. The documentation request list provided by the vendor at the beginning of an AML independent testing engagement can prove overwhelming. Assigning a single point of contact who is responsible for the management and collection of the requested documentation is necessary to facilitate the assessment.
Typically, this point of contact is responsible for not only liaising with the vendor, but also for coordinating internally and ensuring information required to be collected from various teams and business lines is provided to the vendor in a timely fashion. For example, it’s not uncommon for data requests to be provided by an organization’s IT or engineering team. However, teams outside of compliance might be unaware of the regulatory requirements associated with such requests. Reviewing documentation provided by internal teams prior to sharing the documentation with the vendor can help minimize the amount of follow-up required and allow for a more seamless engagement.
- Banking partnerships. Organizations often rely on banking partnerships to access the banking system and transmit funds. If this is the case, organizations should discuss any requirements or scoping specifications in advance to verify that such requirements or specifications are considered during the AML independent testing.
With careful planning and these considerations in mind, organizations can confidently head into their next AML independent testing engagement.