While most financial institutions focus their energies on managing credit, market and operational risks, globalisation and the opening of new markets have brought in new regulatory challenges that need to be managed. One such risk, which is more alarming than others, is money laundering. In spite of regulatory and governmental pressures, management of this risk has been slow, traditional and not always effective.
While the summer of 2012 revealed global banks allegedly not having robust systems and controls to mitigate the risk of money laundering (which in turn could potentially be a link to financing terrorism and other criminal activities), the summer of 2013 put the spotlight on Indian banks. There is confusion over whether banks are managing their money laundering risks effectively — more information based on Government and regulatory reviews may shed some light.
One thing is for sure — money laundering risk is often spoken about but not enough is done to create awareness. Hence, it has risen to the forefront of the Government’s, regulators’ and industry’s focus.
An opportunity to correct the inefficiencies can be gained by answering this question: Has the internal audit (IA) function matured sufficiently to assess and monitor the newer risks affecting the industry?
The reality is that IA functions have evolved over the past decade from a traditional to a more focused approach, keeping in mind the risk profile of the organisation. However, in many cases, the coverage does not sufficiently include certain key issues, such as emerging risks related to money laundering and financing terrorism, resulting in a potential “blind spot”. It is therefore imperative that IA functions, especially in the financial services industry, objectively assess the manner in which the money laundering risk is managed. In this direction, independent anti-money laundering (AML) audits or testing need to be undertaken, at least annually.
To be effective, auditors need to be fully trained to reasonably conclude that necessary compliance is adhered to. Failure to do so may leave the organisation open to regulatory criticism, leading to further testing of the programme and possibly greater effort on the part of the organisation to put the house in order.
With the risk landscape constantly changing, as perpetrators find unique money laundering techniques, internal audit programmes should consider incorporating the following elements to proactively evaluate the strength of AML measures.
Strong governance: Existence of a well-defined governance structure with adequate oversight by senior team members having defined roles and responsibilities, and an updated policy and procedures document that covers all business departments and products.
Knowledge and skills of employees: Identification of money laundering and transactions involving financing of terrorism is an art, and is significantly dependent on the quality of personnel performing this function. Accordingly, personnel entrusted with it should possess appropriate certification, knowledge and experience.
Further, an environment of continuous learning, training programmes and knowledge-sharing sessions within the organisation would enable the personnel to be updated with current practices, and keep them alert to risk indicators.
Management of alert scenarios: Comprehensive review of alerts from the perspective of coverage (covering all products and businesses) and effectiveness (generating acceptable levels of false positives) would be a good indication of the organisation’s ability to identify suspicious transactions.
Timely monitoring and closure of alerts: Generating alerts is only a part of the AML arsenal — reviewing, analysing, reporting, and finally closing the alerts in a timely manner allows a financial services organisation to contribute towards timely detection of money laundering incidents and, where possible, prevention.
Continuous controls monitoring: Early warning indicators are an effective way to stay informed on the risk of money laundering within the organisation. Indicators such as an increase in suspicious transaction reporting to the FIU, regulatory inspection findings, and media reports assist in gauging the risk of money laundering from both an external and internal environment perspective.
Cross-border data analytics (private banking, remittances and other high-risk businesses): Remittances have always concerned regulators. The purpose of the remittance, the parties to the transaction, and the jurisdictions involved are key indicators that need to be monitored, and tools used to detect money laundering should be appropriately configured.
Internet banking vulnerabilities: The proliferation of the Internet across India has had a positive impact in easing communication and transaction flows. However, it brings challenges that, if not appropriately contained, could damage reputations.
An increase in incidents such as hacking and phishing makes an organisation vulnerable to unwittingly allowing transactions to take place in an unfettered manner, which may make the organisation complicit in financing terrorism. Monitoring breaches and performing appropriate system reviews around internet banking enables the organisation to plug the risk.
Internal audit can effectively validate these through collaboration with the business units and the compliance function, and assemble a risk-based programme that is sound and comprehensive. That way, it can assess whether the institution’s AML mechanism is responsive to its particular risk profile, usually expressed in the risk assessment, and where misalignment is observed, recommend that corrective action be taken.
By collaborating as a strategic business advisor and enlisting the support of all stakeholders, internal audit can contribute towards institutional compliance with regulatory obligations, and better management of potential money laundering risks and the corresponding reputation loss.
The author is Advisory Partner, Ernst & Young
Prasad Durlabhji, senior professional with Advisory Services, Ernst & Young, contributed to this article.