Review and assurance

The board: The Board of Directors is ultimately responsible for risk management and internal control, including determining the nature and extent of the risks it is willing to accept in pursuit of its strategic objectives, while ensuring that an appropriate risk culture, based on regulatory compliance and internal risk management principles, is embedded throughout the organisation. Some regulatory regimes place clear accountability on Board members and senior managers to manage risks (including conduct and financial crime risks) responsibly and with good judgement, and penalties (including dismissal) can be imposed for clear disregard or incompetent management of such risks.

Senior management: Owing to the reputational, legal and regulatory risks posed by FIs being used for money laundering or terrorist financing, senior management has a responsibility to ensure that the firm’s controls, policies and procedures are appropriately designed and implemented to reduce the risk of the firm being used for money laundering or terrorist financing.

Senior management should approve all policies, controls and procedures for mitigating and managing the financial crime risks identified in the firm’s risk assessment. Senior management must be aware of the level of financial crime risk the institution is exposed to and consider whether the firm is equipped to mitigate those risks effectively. The firm’s assessment of risks should be comprehensive and its selection of risk mitigation measures appropriate. All relevant decisions should be properly recorded, and the firm’s policies, controls and procedures should be followed and applied effectively. Risk management is a dynamic process, and ensuring that controls are effectively designed and improved over time limits the risk of censure by the regulator.

Money Laundering Reporting Officer: The Board of Directors should approve the appointment by senior management of an appropriately qualified Money Laundering Reporting Officer (“MLRO”), Compliance Officer (CO) or equivalent to take responsibility for FCC matters.

Appointing a suitably senior MLRO or CO to oversee an FI’s AML/CFT systems and its management of money laundering risk is key to establishing a robust FCC framework. The duties of the officer are likely to include:

  • Establishing and maintaining AML/CFT policies and procedures.
  • Overseeing compliance with the AML/CFT Policy, including reviewing audit/assurance reports (including KYC/CDD) and suspicious transaction reports (STRs), and reporting regularly to senior management or a board committee on AML/CFT management information.
  • Reporting to the Regulator: The MLRO / CO should report annually (or at whatever frequency is stipulated) to the Regulator detailing compliance with AML/CFT rules, and report relevant suspicious activity/STRs to law enforcement.
  • Staff training: The Officer should train or arrange training to ensure all staff understand the FI’s AML/CFT system, how it works and their responsibilities.

Record keeping: The Officer should be responsible for ensuring records are updated and maintained for the periods stipulated by the regulator and by other internal requirements. These records should include, but are not limited to, KYC files, regulatory and board reports, filings of STRs/SARs and law enforcement enquiries (e.g. Production/Investigation Orders).

Specialist Financial Crime Support: Where necessary, specialist roles should also be appointed to manage other financial crime risks, including sanctions, bribery & corruption (especially risks associated with third parties), fraud (internal and external), tax evasion, and conduct and operational risks (market abuse/insider trading and information/cyber security). Such roles should be assigned to appropriately trained and experienced staff. See the BI section for further information on these risks.