In its efforts to remain in full compliance with the European framework for tackling money laundering and terrorist financing, the Republic of Cyprus is constantly implementing changes to its local laws, in order to ensure alignment with EU Directives and Regulations.
One of the fundamental pillars of the Cypriot economy is the financial services and international business sector, which consistently follows a set of rigorous compliance requirements. This has led to generally positive ratings by the Committee of Experts on the Evaluation of Anti-Money Laundering Measures and the Financing of Terrorism (Moneyval).
Cyprus has been rated 5 times by Moneyval and is one of 25 countries assessed that has not recorded low evaluation grades in any of the 11 pillars of the effectiveness assessment, receiving substantially effective and moderately effective ratings across the board.
In a follow-up to our recent article on the importance of bringing AML talent on board, we now take a look at best practices for fostering a culture of AML Compliance within your organization. This entails that every stakeholder and entity adheres to a set of obligations and duties, and also undergoes a series of annual training requirements.
It is important to note that business priorities and profit-making activities should not take precedence over this culture of AML compliance.
What are the elements of a strong compliance environment?
The basic elements for establishing a strong compliance environment within an organization are as follows:
- Implementing a system of internal policies, controls, and procedures based on a risk-based approach
- Designating a Compliance Officer who will oversee the compliance function on a daily basis
- Designing an ongoing employee training program
- Assigning an independent audit function to monitor and evaluate the effectiveness of the aforementioned policies and procedures on an ongoing basis.
How can we help?
C.X. Financia offers guidance for the creation of a strong AML compliance culture within an organization, as well as a wide range of support services and training that will help your organization design and execute an effective approach to AML.
See below our top tips for:
- Boards of Directors,
- Internal Audit Department, and
- Compliance Department.
Boards of Directors
Money laundering is a top priority for Boards of Directors, as regulators have increasingly been issuing fines for failure to maintain adequate AML controls. It is therefore important for an organization’s Board of Directors to establish and actively support a culture of compliance throughout their entire company. These are our Top Tips for board members looking to effectively lead their organization into a culture of compliance.
When designing an organization’s Governance Structure, make sure you tick off the checklist below:
- Does it ensure AML Compliance?
- Are the Compliance Department and Compliance Officer independent enough to appropriately manage the organization’s AML Risk?
- Can the Compliance Department exert appropriate influence over operations to ensure the quality of execution of AML procedures?
- Do you have enough resources (sufficient personnel, technology, and expertise) to implement the program?
The 5 Pillars of a written, board-approved AML program should incorporate the below elements:
- A system of internal controls
- A designated Compliance Officer
- Training for appropriate staff
- Independent testing of the Customer Due Diligence Process.
An effective AML Program and Annual Report should contain, at minimum, the following elements:
- Which material changes were made to the AML Program in the last year and why, specifically signalling which were due to regulatory updates and which were due to process failure
- Material AML Weaknesses, Deficiencies or findings identified by Regulators, Internal Audit or an Independence Test Monitoring Program. An Action Plan must subsequently be considered, as well as regular updates on the status of the corrective actions
- Possible Violations: whether these were Isolated or Systemic and whether they are likely to be the subject of an enforcement action or criminal prosecution
- Summary of all Suspicious Activities Reports, including details on fraud.
Internal Audit Department
With concerns over compliance and protection for investors constantly increasing, Internal Auditors are now faced with new responsibilities in the development and review of an organization’s AML policies, practices and measures. These are our top tips for Internal Audit Teams looking to effectively audit their organization’s compliance operations.
When evaluating the effectiveness of an organization’s AML governance culture, the Internal Audit Department should take into account the following challenges and opportunities:
- Updating and adapting to changes in Regulatory Standards: the evolving demand for transaction monitoring and sanctions screenings has increased the need for transparency in an organization’s processes and controls. Specific focus areas include data quality, back-up and recovery, privacy considerations, and validation of system effectiveness.
- Knowledge of AML technologies: familiarize yourself with your organization’s technology and ensure that all AML systems are working properly and are fine-tuned and validated on a regular basis.
- Skills Integration: Internal Audit Departments need to build an integrated team of personnel with a variety of skills, from compliance and business to technology, in order to effectively assess, deploy and maintain AML processes and technology systems.
When assessing an organization’s AML systems, the Internal Audit Department should answer the following questions:
- Operations & IT:
  - Do the systems include Transaction Monitoring (TM), KYC, Sanctions and PEP Screening?
  - Do the systems and data processes undergo regular maintenance and support?
- Compliance, Risk Management, IT:
  - Does the Organization utilize AML Systems (TM, KYC, Sanctions Screening) to identify and report suspicious activity and/or transactions?
  - Does the Organization ensure appropriate technology controls in the areas of security, on-going data integrity, back-up and recovery?
  - Does the Organization utilize Model Validation of AML Technology to fine-tune and ensure compliance with regulatory requirements and standards?
- Internal Audit Review Processes:
  - Are IT processes (ongoing data integrity, reconciliation checks, security, back-up procedures, etc.) and configurable controls (system overrides, workflows, etc.) regularly reviewed and monitored?
  - Are processes reviewed, validated, and fine-tuned regularly to ensure appropriate methodology in accordance with the relevant requirements and regulations?
When designing and performing an AML Technology Audit, the Internal Audit Department must take note of the following key audit areas:
- Data Integrity
- Security & Privacy Requirements
- Change Management
- Back-up and Recovery
Compliance Department
One of the basic elements for establishing a strong compliance culture within an organization is the designation of a skilled and knowledgeable Compliance Department that will oversee the compliance function on a daily basis, and meet challenges head-on. These are our top tips to help Compliance Departments navigate the demanding requirements of the AML and CFT Law and implement an efficient and effective AML Compliance Program.
An effective Transaction Reporting and/or Suspicious Activity Reporting procedure should provide the AML Compliance Officer with the following key information:
- The unique identifier for the Client(s) involved
- The unique identifier for the transaction(s) involved
- A short description justifying the suspicion
- The reporting officer.
An AML Compliance Program should include the following basic components:
- A system of internal controls
- A designated Compliance Officer
- Training sessions for appropriate staff
- Independent testing of the program
The Compliance Department should ensure that the below elements are fully understood and adopted by all staff members in order to create a successful culture of compliance throughout the Organization:
- Efficient and effective customer due diligence and enhanced due diligence programs are to be put in place and utilized regularly
- Manuals and guidelines are to be established for the automated AML systems and these are to be communicated to all relevant parties and updated on a systematic basis
- Compliance factors are to be embedded into staff performance evaluations and compensation decisions
- Training, procedures, and clear communication are to take place in order to emphasize that compliance is the responsibility of the entire organization, not just a specific department.
When it comes to managing AML Risk, the Compliance Department must undertake the following responsibilities:
- Establish clear roles and responsibilities for reporting risks, which are to be communicated to all departments
- Each operating line of business (first and second lines of defence) should be made aware of their specific role in the ownership and management of risk through regular training and continuous education
- Keep proper records for procedures and measures when addressing risk management and deficiencies.
The 4 important factors of a correct Know Your Client (KYC) procedure:
- Proper client identification
- Assessment of overall risk
- Adoption and verification of information
- Efficient monitoring of client’s transactions or related actions.
When it comes to assessing Suspicious Transactions/Activities, the Compliance Department should be aware that:
- An employee may be personally liable for failure to report information regarding money laundering or terrorist financing
- Should the above occur, employees are expected to cooperate and must immediately report anything that comes to mind in relation to transactions for which there is a slight suspicion of money laundering or terrorist financing
- According to Article 27 of the AML Law, any person who knows or reasonably suspects that another person is engaged in money laundering or financing of terrorism offences must report this information to MOKAS as soon as it comes to their attention. Failure to do so is considered to be a criminal offence.
- Failure to report these circumstances is punishable with a maximum of five years’ imprisonment or a fine of €5,000 or both of these penalties simultaneously.
An effective Client Acceptance Policy (CAP) should include the following factors:
- A description of the types of client that are likely to pose a higher than average risk to the organization
- Clear guidelines and descriptions for clients that are not accepted and/or require enhanced, normal or simplified due diligence
- Categorization of clients into at least 3 risk categories of Low, Medium and High
- An outline of the client’s nature of business activities, type of client, and the origin and destination of funds.
The Compliance Department must immediately reject any client who displays the following characteristics:
- Holds prior convictions regarding Money Laundering or Terrorist Financing
- Has been placed on an EU or UN Sanctions List
- Practices activities of unknown or doubtful legal status
- Fails or refuses to provide the relevant information required for assessment
When putting together a proper Client Profile, the Compliance Department must include:
- Identification details (KYC)
- Financial/Economic Profile
- Anticipated Activity/Transaction Profile
- Purpose of using your products or services
For further insights on addressing modern challenges in today’s regulatory climate, as well as information on our package training solutions, contact us today.