Testing the Operational Effectiveness of the AML/CFT Framework

The Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR) and the Implementing Procedures (IPs) emphasize the importance of monitoring the AML/CFT control framework on an ongoing basis, either through an independent audit function, or by engaging an independent consultant or an internal party who is independent from the operations. This article discusses how such reviews should not only focus on the fulfilment of compliance requirements, but also on identifying control failures.

In the post-greylist environment, money laundering remains a key strategic risk. The competent authorities have upped their supervisory and enforcement game, with a total of €11.8m in administrative fines issued by the FIAU in 2021 to subject persons across all sectors. A closer look at the most common failures identified by the FIAU highlights deficiencies in customer risk assessments (CRA) and business risk assessments (BRA), as well as the inadequacy of measures pertaining to customer verification, transaction scrutiny, purpose and intended nature, and treatment of high-risk customers. In essence, while these components may have been put in place by the subject persons, significant issues were identified when it comes to their operational effectiveness.

Indeed, operational effectiveness is fast becoming a key priority area for MLROs, senior management, audit committees and board members. While due importance should still be given to the compliance requirements that every subject person must meet, MLROs must seek to identify weaknesses within their products, processes and tools which may be used by criminals to their advantage. Criminals are continuously seeking to develop new ways of laundering their funds, and these could render existing control frameworks obsolete. Furthermore, AML incidents put subject persons’ reputation on the line, with potentially significant impacts on the entity concerned.

The review of the AML framework may be conducted by the third line of defence. The objective here is to assess the design and operating effectiveness of the internal control framework, to provide an independent opinion thereon, and to propose recommendations on how identified weaknesses can be addressed by management. The independence of the function conducting such a review is crucial in ensuring that any opinions expressed are free from any internal and external interference, or undue pressure. Whilst preserving independence, the function undertaking the review should work with, and not against, management, and the relationship should be built on mutual trust. This can be ensured by discussing findings (rated by priority) and remediation plans during the course of the review. The report is first presented to management, who are also requested to provide their input in relation to the findings, before it is presented to the Board or Audit Committee.

The effectiveness review needs to have a well-defined scope. Scoping can include focusing on the areas which pose the highest risk, such as onboarding, the application of the risk-based approach, and transaction monitoring. Such an approach would ensure value for money, since resources will be focused on priority areas. Another approach to the review would be to undertake a health check of the holistic control framework. The latter would be designed to provide an insight into the company’s compliance with its AML/CFT obligations, as well as a high-level overview of potential control failures.

Typically, an effectiveness review can have two facets, namely the Technical Compliance & Design and the Operational Effectiveness of the control framework:

  • Technical Compliance & Design: The assessment of the design of policies, procedures, controls and systems, to ensure that they meet the regulatory requirements and are in line with best practices and with the risk appetite of the company;
  • Operational Effectiveness: A review of the implementation of the company’s policies and procedures by the first line of defence, to guarantee that the controls designed by management are implemented in practice, and that the controls are effective in mitigating the risk. This may also cover the oversight and checks carried out by the second line of defence, these being Compliance and the MLRO. This phase will identify control failures emanating from the various components of the control framework. Various methodologies may be used during this phase, such as data analysis to provide greater coverage, which could eliminate or reduce the need for laborious substantive sampling. File testing on a sample basis could also be an option.

The following table identifies some risk-based areas that such a review can look into:

Component | Technical Compliance & Design (examples of review points) | Operational Effectiveness (examples of review points)
CDD and Onboarding

  • Are the relevant policies aligned with the minimum regulatory requirements?
  • Are the measures therein designed in a risk-based manner?
  • Are the tools used efficient?
  • Is risk-based CDD being applied on the basis of the results of the CRA?
  • Does the company hold documentation showing how corporate customers’ ownership structures are verified?
  • Does the information collected provide sufficient information for the company to build a customer risk profile?

Customer Risk Assessment (CRA)

  • Does the CRA factor in the customers’ reputation, nature and behaviour?
  • What is the methodology of conducting the CRA (manual / automated)?
  • Is the appropriate weighting being given to individual risk factors?
  • Is the CRA being carried out prior to the establishment of the business relationship, therefore allowing for the company to build the customer’s risk profile?
  • Is the CRA correctly gauging the risks attributed to complex structures and to other red flags?

Transaction Monitoring

  • Is the transaction monitoring system (automated/manual) in place adequate to the nature of the business operations?
  • Is the set of risk-based detection rules adequately calibrated to the risks posed by the company’s customers?
  • Are the transaction monitoring controls capable of holistically monitoring customers’ activities across their various accounts?

In conclusion, every subject person’s control framework goes through a process of evolution. In some cases this process may be more accelerated, particularly following supervisory visits or independent assessments. In spite of this, legacy issues pertaining to long-standing customers and controls may still persist and compromise the overall framework. The cross-border exposure of subject persons in Malta, albeit to different extents, also poses an additional layer of risk. An effectiveness review provides an accurate snapshot of the adequacy of the company’s control framework and ensures it is commensurate with the ML/FT risk exposure that the subject person faces.