The Crucial Role of the Third Line of Defence in Countering ML/TF


RapidAML Team

2024-06-18


In the UAE, Designated Non-Financial Businesses and Professions (DNFBPs) and Virtual Asset Service Providers (VASPs) are required to have in place an adequate and suitable Anti-Money Laundering and Counter-Financing of Terrorism (AML/CFT) program that consists of appropriately qualified and trained personnel and defined workflows dedicated to identifying, assessing, and mitigating the risks of Money Laundering (ML), Financing of Terrorism (FT), and Proliferation Financing (PF) of weapons of mass destruction. In this article, we will learn about the crucial role of the third line of defence in AML compliance.

What is the Third Line of Defence in AML/CFT?

The Third Line of Defence is the independent audit function. It is in charge of examining the effectiveness of the DNFBPs' and VASPs' AML/CFT compliance program. Its objective is to identify the AML/CFT program's weaknesses and gaps and to recommend corrective strategies that increase its effectiveness.

Importance of the Third Line of Defence in Countering ML/FT

The independent audit team, which is commonly known as the Third Line of Defence, is an important component in countering ML/FT because of its ability to help with the following:

  • Gauging how effective the existing AML/CFT measures are in preventing or mitigating the threats.
  • Testing and reviewing the efficacy of AML compliance measures taken up by:
    • The First Line of Defence: It consists of client-facing employees carrying out Customer Due Diligence (CDD) activities and tasks.
    • The Second Line of Defence: It consists of a Compliance Officer (CO)/Money Laundering Reporting Officer (MLRO) who is responsible for overseeing the implementation of AML/CFT and Counter-Proliferation Financing (CPF) policies, procedures, controls, and systems within the business.
  • Assessing the sufficiency, comprehensiveness, and learning outcomes achieved from AML/CFT training imparted to the employees in the business, as well as the quality and precision of the training material.
  • Assessing the procedural aspects covering the case management workflow and regulatory reporting to the Financial Intelligence Unit (FIU) through the goAML portal. This includes reviewing the AML policies, procedures, systems, and controls that set out the governance and process for regulatory reporting.

Understanding the Three Lines of Defence (3LoD) in AML/CFT Compliance

The guidelines for DNFBPs and VASPs broadly categorise the elements of an effective AML/CFT Program into three categories, namely:

1. First Line of Defence: Consisting of client-facing employees who directly interact with customers and are responsible for obtaining identification documents from customers, conducting CDD activities and Name/Sanctions Screening exercises, and reporting or escalating cases as required to the compliance function for further steps.

2. Second Line of Defence: Consisting of the CO or the MLRO and the ML/FT and PF risk management teams responsible for guiding and overseeing the work of the first line. The Second Line of Defence serves as a point of contact for all AML-related issues arising within the DNFBPs or VASPs. It broadly remains responsible for overseeing the implementation of AML/CFT and CPF policies, procedures, controls, and systems within the DNFBPs and VASPs.

3. Third Line of Defence: Consisting of the audit function, which is responsible for testing the efficacy of the AML/CFT and CPF responsibilities carried out by the First and Second Lines of Defence.

The Three Lines of Defence (3LoD) model sets out the individual roles and responsibilities across different AML compliance functions within an organisation. This model encourages teamwork and coordination in combating ML/FT and PF. Under this model, each line of defence is aware of its responsibilities, and they work together to make sure risks are mitigated appropriately.

The Third Line of Defence enables DNFBPs and VASPs to:

  • Minimise risks
  • Comply with AML/CFT regulations
  • Achieve business goals

Key Activities of the Independent AML Auditor


Before delving into the key activities carried out by an independent AML auditor, it is important to understand why an AML audit function must remain independent.

Why is the independent functioning of an AML Auditor important?

The AML audit function must remain independent to ensure that the audit report serves multiple purposes and audiences beyond the business for which it is carried out. It is of utmost importance that the AML auditor exercises their functions independently, free from bias or ulterior financial motives, to ensure the quality and sanctity of the AML audit report, which impacts not only the business but also society at large.

The independent AML auditor must have the necessary skills and experience to conduct such audits. The audit team must define the goals and scope of the audit exercise before executing it.

The key activities to be undertaken by the independent AML auditor are as follows:

Review of Enterprise-Wide Risk Assessment (EWRA)

The AML/CFT framework is based on the EWRA. DNFBPs and VASPs are required to implement AML/CFT policies, procedures, systems, and controls on the tenets of the risk-based approach, meaning that the business needs to consider the ML/FT and PF threats its business is exposed to and devise AML/CFT measures to counter those risks appropriately.

The independent AML auditor is responsible for reviewing the EWRA from time to time. The review allows DNFBPs and VASPs to check for changes in risks, alignment with AML regulations, and variations in their profiles. These adjustments can lead to changes in ML/FT and PF risks, making a review of EWRA essential.

The independent AML auditor must review the EWRA to account for the changes in the following:

  • Customer risks (nature of activities, nature of clients, and ownership structures)
  • Product or service risks (size, value, and volume of transactions, products/services, and payment modes)
  • Jurisdiction risks (presence in different geographies and customers’ jurisdictions)
  • Delivery channels (delivery of products/services, intermediary involvement, and mode of customer onboarding)

Any changes in the above factors affect the ML/FT and PF risks of DNFBPs and VASPs.

Review of AML/CFT Policies and Procedures

An assessment of AML/CFT policies and procedures is necessary for an independent AML audit function. Such assessment helps DNFBPs and VASPs to identify the flaws and correct them in a timely manner. Such a review of AML/CFT policies and procedures helps DNFBPs and VASPs to:

  • Update them as required based on changes in external and internal variables.
  • Make them sufficient to achieve AML compliance objectives.
  • Improve their effectiveness to make the business compliant with the AML regulations.
  • Perform Know Your Customer (KYC), CDD, Know Your Business (KYB), Know Your Transaction (KYT), and customer screening per the procedures stated.
  • Identify anomalies in AML procedures and improve them for successful execution.
  • Manage the reporting and recording of necessary tasks as stated in UAE’s AML regulations.

Independent Testing of Controls

An independent AML auditor is also responsible for testing the internal AML controls. These are the systems managing the AML compliance processes. DNFBPs and VASPs must test if they are working properly. The independent AML auditor checks the following:

  • Customer due diligence controls so that DNFBPs and VASPs have well-defined risk profiles for their customers.
  • Controls on screening customers against several watchlists to detect any connections with illegal activities.
  • Controls on risk assessment to identify, categorise, prioritise, manage, and mitigate risks.
  • Transaction monitoring controls to identify whether the rules to detect unusual activities, trends, or transactions are adequate.
  • Recordkeeping and reporting controls to ensure compliance with UAE’s AML regulations.
  • Employee training controls to ensure employees are aware of the AML procedures and perform them diligently.

Identifying Gaps in AML Processes

DNFBPs and VASPs need to perform several processes to comply with AML regulations. These processes help them identify the risks from customers and their transactions. Based on these processes, DNFBPs and VASPs can decide whether to transact with a customer. If any of these processes have weaknesses, DNFBPs and VASPs will be unable to complete them on time with accurate results. The independent AML auditor is responsible for identifying gaps in the following AML processes:

  • Know your customers, employees, and vendors
  • Customer due diligence
  • Sanctions screening
  • Transaction monitoring
  • Risk assessments
  • Suspicious transaction reporting
  • Internal reporting process
  • Staff training
  • Record-keeping
  • Whistleblowing to report suspicious transactions or customers to senior management or authorities

Gap identification enables DNFBPs and VASPs to take timely action to fill those gaps. DNFBPs and VASPs must identify the reasons for these gaps and take corrective action to fill them. With the right strategies, DNFBPs and VASPs can convert these inefficiencies into efficiencies.

Assessing the Effectiveness of the AML/CFT Training Program

Employee training is a critical part of any AML/CFT framework. It helps train employees for the AML procedures they have to perform. Without such training, AML/CFT policies and procedures might be followed in an inaccurate or incomplete manner. The independent AML auditor must examine the presence and quality of such a training program.

The independent AML audit of training programs will identify the following:

  • If employees are aware of UAE’s AML rules and guidelines
  • If employees know the procedures for CDD, KYC, transaction monitoring, sanction screening, and risk assessment
  • If employees can decide what to do with high-risk customers, Politically Exposed Persons (PEPs), sanctioned countries, and other illegal transactions
  • If employees are conscious of the red flags in transactions
  • If employees realise the importance of recordkeeping and know how to create and maintain records
  • If employees are aware of the procedures to report relevant information to senior management
  • If employees are mindful of the importance of AML/CFT compliance in the UAE

DNFBPs and VASPs must check whether employees know and can efficiently perform AML/CFT procedures.

Assessing the Effectiveness of the Record-Keeping Function

An independent AML audit program must also include an assessment of the recordkeeping function. Recordkeeping is essential to maintain records of AML/CFT procedures. It helps during audits and investigations.

By examining the record-keeping function, an independent AML/CFT auditor can check:

  • If the records are properly created
  • If the records have all the necessary information and data
  • If the records are up-to-date with necessary changes
  • If the records are accurate and complete
  • If the records enable auditors to learn about DNFBPs' and VASPs' procedures and ensure their adherence

Issuance of an Independent AML Audit Report

One critical responsibility of an independent AML auditor is producing a detailed report on the DNFBPs' and VASPs' AML/CFT program. This report must be a summary of the findings of this audit procedure. It must include the following:

  • A summarised opinion on the DNFBPs' and VASPs' AML/CFT program
  • List of the identified inefficiencies or flaws in the program
  • Recommendations of corrective steps for the weaknesses
  • A detailed review of each AML procedure
  • A comment on the status of the DNFBPs' and VASPs' compliance with AML/CFT regulations

Conclusion

An independent AML audit helps identify gaps in AML/CFT compliance and make necessary changes. It tests the adequacy of controls and recommends areas of improvement. The Third Line of Defence plays a crucial role in countering the threats of money laundering and terrorist financing. It also helps regulators understand the kind of risks an entity is exposed to and whether it is following its legal obligations in relation to countering ML/FT.

Dipali Vora

Dipali is an Associate member of ICSI and has a Bachelor’s in Commerce and a General Law degree.

She currently assists clients by advising and helping them navigate the legal and regulatory challenges of Anti-Money Laundering Law. She also helps companies develop, implement, and maintain effective AML/CFT and sanctions programs.

She knows the Anti-Money Laundering rules and regulations prevailing in GCC countries and specializes in Enterprise-Wide Risk Assessment, Customer Due Diligence, and Risk Assessment.

CAMS, ACS
