A company with a robust AML framework should have nothing to fear from an AML regulatory visit
Over the past years, regulators have considerably stepped up their enforcement role, and this is evident from the hefty fines being imposed, the publication of such fines, and the subject persons in question. This reality poses not only compliance and financial risks on subject persons but also reputational risks, which might have an even greater adverse effect on the company. Thus, it is natural that the notification of a regulatory visit is met with apprehension by those involved.
Subject persons are informed of a visit from the FIAU, and either the MFSA or the MGA, through a notification letter generally sent three weeks in advance. The FIAU will also request a list of documentation that would need to be provided within one week from the receipt of the notification letter.
Visits may take various forms, with the most common being:
- On-site or off-site compliance examinations
- Full-scope, targeted or thematic reviews
- Supervisory meetings, and
- Ad hoc visits.
“By failing to prepare, you are preparing to fail”, Benjamin Franklin’s wise words perfectly describe the approach which companies should take vis-à-vis regulatory visits.
Managing regulatory visits effectively requires careful planning and commitment from senior management. The amount of time and effort required to prepare for such a visit cannot be underestimated.
The following are some tips that should help in the preparatory phase of the review:
- The review process should be managed by the Money Laundering Reporting Officer (MLRO), who should allocate the time and identify the resources required to prepare the documentation related to the review, as well as to assist the regulators during the course of the visit. Moreover, since the Board as a whole is responsible for compliance, they need to be kept updated with the status of the review. Depending on the nature of the visit, it would perhaps also be beneficial for a member of the Board to be directly responsible for overseeing the process. This will also facilitate communication with the Board.
- It is essential to identify objectives, assign responsibilities, and set deadlines. The notification letter relating to the visit will indicate the type of review taking place, and the areas which will fall within its scope. This information should be used to define an action plan and to allocate responsibilities across the team to ensure that deadlines set by the FIAU are met.
- An independent third-party review and assistance can add value during the preparatory and the review process. This will allow the company to have the required technical expertise on board within a short period of time, without removing resources from the first and second line of defence and thereby limiting disruptions to operations.
- One should allocate sufficient time to collate and carry out a detailed review of the information requested. Reviewing the documentation prior to submission is critical to uncover issues, gaps, and inconsistencies. This would give the opportunity for certain issues to be rectified before the documentation is submitted. Subsequently, all requested information should be provided in a clear and structured manner to facilitate the review. This process should be subjected to the 'four eyes’ review principle.
- Issues may be uncovered during the preparatory phase or as a result of ongoing compliance monitoring - breaches or errors which cannot be addressed prior to the review. Be transparent and report them upfront, together with a detailed action plan of how the company plans to rectify such issues. This will give comfort to the regulator that the company has the systems in place to identify issues, and that it is also committed to acting on them. The plan, however, must be realistic, since it will certainly be followed up by the regulators. Failure to implement an action plan will have negative effects on the company’s reputation with the regulators and may also trigger further reviews and possible sanctions.
- Finally, it is vital that the MLRO be on top of their game at all times, especially when it comes to dealing with an official review by the authorities. The person assigned to this role must have a thorough understanding of the risk and control framework of the company with respect to AML. This essentially means understanding the risks the company is exposed to and the drivers resulting in the overall risk. Furthermore, the MLRO should also understand the underlying processes, systems, and tools in place to mitigate those risks, including the methodology used in the business and customer risk assessments.
Theoretically, a company with a robust AML framework should have nothing to fear from a regulatory visit. However, it will generally still present a challenge for companies, particularly due to the resources required and the potential disruption to the operations of the company. On the other hand, a successful outcome of such a visit will add value to the company by providing assurance to the regulators, shareholders, directors, and employees, of the internal standards maintained and the quality of the AML framework. It will also be a learning experience for the AML compliance team, who will get an insight into the regulator’s point of view.
Article written by Alicia Vella, senior manager in our advisory department, specialising in internal audit, AML, and regulatory compliance
This article first appeared in the Sunday Times of Malta on 07/02/2021