Regulated Entities under the Anti-Money Laundering (AML) regime strive to achieve AML Compliance excellence by putting in place an adequate AML Compliance framework. However, Entities must carefully navigate AML Compliance requirements to avoid common mistakes. This infographic helps Regulated Entities become aware of common AML compliance pitfalls and the tried and tested strategies that help avoid these common AML compliance lapses.
Let us understand each AML Compliance pitfall and its mitigation strategy in detail:
Strategies for Avoiding Common AML Compliance Pitfalls
Sr. No. | Common AML Compliance Pitfalls | Strategies for Avoiding Common AML Compliance Pitfalls |
1 | Issues in Identifying ML/TF Risks:
Regulated Entities might make the mistake of incorrectly identifying the Money Laundering (ML) and Terrorism Financing (TF) risks to their business from external factors such as:
|
Regulated Entities can mitigate the risk of incorrectly identifying ML/TF risks by deploying ML/TF risk identification measures:
Further, Regulated Entities can ensure that they formulate measures to mitigate ML/TF risks posed by their customers by including the following measures in their AML framework:
These measures help weed out troublesome customers who could be potentially involved in illicit activities by ensuring timely regulatory reporting and deploying additional or Enhanced Due Diligence measures on customers who pose more than usual ML/TF risks but are not sanctioned or found to be explicitly involved in illegal activities.
|
2 | Issues in Assessing ML/TF Risks:
Another pitfall that Regulated Entities encounter is using incorrect measures and parameters to identify ML/TF risks. This is a by-product of a wrongly or inaccurately conducted EWRA, which exposes the Regulated Entity to ML/TF risks from factors not known to it due to wrong identification, leading to inaccurate and ineffective mitigation of such risks. Also, inaccurate or incomplete CDD/KYC leads to an inaccurate Customer Risk Assessment (CRA), again leading to the deployment of insufficient ML/TF risk mitigation measures.
|
Deploying Tailored Customer Risk Assessment (CRA) Tools:
The safest thing a Regulated Entity can do is deploy well-calibrated and tailored CRA software that understands its sector and business-specific AML compliance obligations. Selecting an appropriate CRA tool is a strategy that helps a Regulated Entity avoid common pitfalls arising from issues in the accurate assessment of ML/TF risks. When a CRA tool is tailored to the Regulated Entity’s specific ML/TF risks and is in tune with its risk appetite, it helps the Regulated Entity with an overall Risk-Based Approach (RBA). |
3 | Using a Templated AML/CFT Program:
The most common of all AML compliance pitfalls is placing reliance on readily available templates for the AML and Counter Financing of Terrorism (CFT) framework. Templates are merely crafted on the basis of the common ingredients of a standard AML/CFT program. Such a program does have all the ingredients but lacks the fine-tuning, balancing, negating and emphasising of the compliance measures contained within it to suit the specific needs of a Regulated Entity. For instance, a certain Regulated Entity may need to devise exceptions for conducting CDD measures because the subject matter of its trade or business is a non-covered activity under AML laws, but a templated AML/CFT program may completely fail to consider the existence of such a distinction between covered and non-covered activities. The result is CDD being conducted on every single customer, at a huge cost to the company that was never required in the first place. Thus, the major pitfall of a templated AML/CFT program is under- or over-compliance, completely contradicting RBA. |
Developing Customised and Risk-Based AML/CFT Policy:
The strategy to mitigate misuse of a Regulated Entity’s resources and under- or over-compliance is relying on a customised and risk-based AML/CFT Policy. While developing a customised AML/CFT policy, Regulated Entities need to be mindful of the fact that the EWRA would differ from business to business, even within the same sector and with similar business size or turnover, as no two businesses are the same. Tailored AML/CFT policies and procedures are developed by taking into consideration the business-specific risks such as:
This helps Regulated Entities devise their CDD and KYC measures and adjust their CRA parameters in accordance with the ML/TF risks posed to their business, thus ensuring compliance with the principles of RBA. |
4 | Inadequate Training:
When the personnel of the Regulated Entity are unaware, untrained and unprepared with regard to their individual roles and responsibilities in combating ML/TF risks, it is a major compliance pitfall. Employee unpreparedness is directly linked with non-compliance, leading to regulatory fines and penalties and even cancellation or revocation of the Regulated Entity's license to do business due to poor AML compliance. Regulated Entities must be mindful that they are liable for the acts of their employees and must train them to identify, assess, and mitigate ML/TF risks appropriately, as AML training is a mandatory requirement in most jurisdictions. |
Defining Role-Specific AML Training:
Regulated Entities can ensure that their employees are well trained with regard to:
Regulated Entities must ensure that their employee training timing, frequency, subjects covered, trainers engaged, and training material relied upon are well documented for compliance purposes. |
5 | Over-Reliance on Technology:
Simply investing in automated AML solutions or commonly used AML compliance software does more harm than good. Relying on technology without adequate testing and validation of the tools, and without analysing the viability of the tool against the risks specific to the Regulated Entity, is a major AML compliance pitfall that should be avoided. |
Ensuring Balanced Approach Through AML Software Testing & Validation:
Regulated Entities must strike a balance by deploying technology only where needed and only to the extent of the need to automate. This helps with risk-based deployment of AML compliance tools after taking into consideration the outcomes of AML software testing and validation, leading to fine-tuning of the software deployed in alignment with the RBA. |
6 | Ineffective Oversight
Not considering the implications of the AML compliance measures deployed on a larger, forward-looking scale is an AML compliance pitfall. This ineffective oversight can lead to non-uniform implementation and results of the AML compliance measures relied upon throughout the Regulated Entity's subsidiaries and branches (local or overseas), leaving room for illicit actors to misuse loopholes in the ML/TF control measures deployed by the Regulated Entity, leading to fines and penalties. |
Developing Group-Wide Oversight
Regulated Entities need to develop an AML framework with group-wide oversight that takes into consideration the international AML compliance standards as described by the Financial Action Task Force (FATF) and the local as well as international laws of the jurisdictions they operate within. Regulated Entities must consider whether the country they are operating in is in alignment with FATF recommendations and whether the countries in which their branches, subsidiaries, third parties, and sister concerns operate are aligned with FATF standards or not. Regulated Entities must devise an AML framework that sets out what actions and measures to take in the cases of weaker or stronger AML regimes of their branches, subsidiaries, third parties, and sister concerns to ensure regulatory compliance. |
7 | Neglecting Third-Party Risks
Many Regulated Entities rely on third parties to fulfill their AML compliance obligations such as CDD, KYC, screening, etc. However, they fail to consider that the ultimate responsibility for AML compliance for their entity lies with them. Thus, ML/TF risks posed by third parties must be carefully identified and mitigated.
For instance, a Regulated Entity that outsources its CDD obligations to an offshore entity without considering data privacy and data protection concerns ends up violating its customers' privacy. Further, if the offshore third party’s regulatory regime prohibits it from sharing information, then the entire exercise of delegating CDD to the third party goes to waste, leaving the Regulated Entity stuck when an inspection arrives at its doorstep demanding records of its CDD measures, which the offshore entity cannot share due to the laws in its country. |
Mitigating Third-Party Risks
Third-party risks can be adequately mitigated by taking into consideration the regulatory differences, if any, and deploying adequate ML/TF risk identification protocols to assess and mitigate third-party risks. |
Conclusion
Regulated Entities need to be mindful of the common AML compliance lapses that businesses usually commit unknowingly. However, these risks can be effectively mitigated through the adoption of ML/TF risk mitigation strategies based on RBA.