In the current financial climate, how can internal auditors calculate and manage the risk of fraud and money laundering?
The story seems incredible. Police at the scene of an explosion in a fireworks factory in 2006 smelled cannabis coming from a neighbouring property. After investigation they discovered a ‘sophisticated and extensive’ drugs operation but were unable to prosecute the property owner because he was living in Venezuela and refused to return to the UK to answer charges. Instead, the police pursued his father, who was tried and convicted of drugs-related offences. As a final twist, the property owner had £250,000 on deposit with the UK’s largest bank in an offshore account in Jersey!
This story is not made up or taken from the pages of a John Grisham thriller. Rather, it is one in a series of revelations in the media in 2012 surrounding HSBC. The most notable, which followed a report by the US Senate, accuse the bank of putting commercial interests before the prevention of money laundering by Mexican drugs cartels and Al-Qaeda terrorists. The consistent theme is that failure of controls at HSBC has allowed criminals and terrorists to access the bank and make use of its account facilities for money laundering purposes around the world.
This article follows on from a piece in the September edition of Internal Audit giving 10 practical tips for internal auditors in the conduct of their anti-money laundering (‘AML’) work.
Here, the focus switches to how internal auditors should respond to the changed approach of authorities in the US and the UK to AML systems and controls, an approach which now involves increasingly retrospective and aggressive measures. Firms need to demonstrate a robust controls framework that is capable of identifying problems and of acting on them promptly. Internal auditors have an important role to play in this and should step up by adopting a twin-track strategy based around traditional assurance and a modern risk-based approach.
Regular independent reviews of systems and controls remain necessary and they must be extensive in scope. But they are no longer sufficient. Rather, internal auditors need to add an extra dimension to their AML work through an informed risk-based approach drawing on research, collaborative working with AML professionals and an assessment of culture. Before looking at this, it is important to understand the new regulatory approach.
A new regulatory approach
Regulators on both sides of the Atlantic were heavily criticised for the failings of supervision in the lead-up to the financial crisis. They have responded. The old concepts of ‘regulatory forbearance’ (US) and ‘light-touch regulation’ (UK) are things of the past. All firms need to be aware of a very different supervisory approach by the authorities, one that is increasingly rigorous and intrusive, where decisions made will be looked at retrospectively with the benefit of hindsight.
The huge fines levied on banks in 2012 for AML failings demonstrate well the new regulatory philosophy of credible deterrence. As examples, Coutts was fined £8.75m by the FSA in the UK, its highest ever AML-related fine, while in the US the Dutch bank ING was fined $619m. Standard Chartered agreed to pay $340m to settle allegations that it was involved in money laundering for Iranian clients. More striking still are the indications that HSBC will have to pay fines of $1.5bn following the controls failings highlighted in the Senate report.
The sheer size of these fines, together with the extremely negative publicity that accompanies them, means that the possibility of AML systems failure can no longer be seen as a ‘necessary cost of doing business’. Every firm must have a strong controls framework in place in order to mitigate the risk of financial loss and reputational damage. Internal audit has a key part to play in this framework.
Necessary assurance – auditing the AML process
It remains necessary (indeed essential) during a time of increased regulatory scrutiny that internal audit provides independent monitoring of the effectiveness of AML policies, procedures, systems and controls. To provide effective assurance, internal auditors must regularly test samples of client files for accuracy and consistency in terms of complying with customer identification and due diligence procedures.
They must do much more than this, however. The key areas of an AML audit programme are extensive:
- look at the adequacy of governance arrangements and policies
- ensure the regular screening of customer names against official proscribed lists
- review whether a proportionate, risk-based approach is applied in practice, both at the strategic level in terms of a threat matrix and at the individual business-relationship level
- check whether the transaction monitoring system is appropriate to the business and capable of flagging up suspicious-looking transactions
- verify the working of both internal and external suspicion reporting mechanisms
- assess the quality of staff training programmes
- consider the adequacy of the record keeping and retrieval systems from third parties.
Two further components are necessary for an effective assurance process. First, internal auditors should carry out periodic quality self-assessment reviews to make sure they themselves are properly trained and prepared before each AML assignment. Second, the results of the internal audit work must be reported formally to senior management and the board via the audit committee.
Understanding risk – how internal auditors add value to the AML process
Internal audit work as described above is necessary to provide senior management with assurance but it will not in itself be sufficient to lead to real improvement in the AML process. Reviewing evidence in client files may very well reveal errors or inconsistencies. By itself, this is of limited value – what senior management really needs to know are the causes of the errors and the underlying risks to the business.
There are always a number of possible contributory factors: staff attrition rates; little or no infrastructure in place prior to ‘opening for business’ in new locations or with new products; lack of training and/or too low a level of staff involved in the due diligence process; or rapid growth in customer numbers. Providing senior managers with an informed analysis of the root causes of any errors found must now be a critical component of AML-related internal audit work.
There are three essential extra ingredients to an AML audit programme to enable this informed analysis to take place:
- Professional pre-audit planning and research: the FSA’s thematic reviews of good and bad practice are essential reading, notably the two reports Financial crime: a guide for firms (December 2011) and Banks’ management of high money-laundering risk situations (June 2011). They highlight the types of controls weaknesses seen in the Coutts case. An understanding of the issues behind the regulatory fines in the US and the investigation into controls failings at HSBC is another part of being adequately prepared. Keeping up to date with the findings of the Financial Action Task Force is also required. It is vital that internal auditors are both current and credible around AML issues if they are to add value in this area
- Work collaboratively with the Money Laundering Reporting Officer (MLRO) and other practitioners to agree the areas that require focus during the audit: this is a key part of risk-based internal auditing. Remember that AML risk is no longer customer-centric: what is sold (the products), how the firm is introduced to its customers (the delivery channels) and where in the world the customer and the related business are located (country risk) are crucial too. Good AML practitioners recognise that internal audit is an essential component of a strong controls framework and is needed for effective risk management. They also view the internal audit report as a useful way of flagging up key issues to senior management
- Review the culture and controls-consciousness of the firm: this is a vital area of risk at the present time and begins with governance. The tone is always set at the top and it is essential that directors and senior managers take AML risk seriously if regulators’ expectations are to be satisfied. The following two questions provide a useful indicator of the level of senior management engagement: when was the last time the CEO and other board members received AML training; and what was the size of the MLRO’s pay increase when he/she was appointed to that office?
If the answers are ‘never’ and ‘none’ then there might well be a problem! Internal auditors should not be afraid to flag up these issues. Another area of concern is where there is a strong and dominant sales culture in the business. It is instructive to observe that the ‘systematic, widespread and unacceptable’ failures in the Coutts case largely concerned poor controls over high net worth individuals where it seems that the risk scores were unduly influenced by the potential profitability of the business relationships concerned.
Here is another story covered by the media in 2012: a couple living in a small house in Teignmouth, Devon, who were found in possession of over 300 firearms (including Uzi submachine guns and pump-action shotguns) leading to the conviction of the husband, had £85,000 deposited in an offshore bank account in Jersey with HSBC.
Such sensational-sounding stories will always attract media attention. So, although the ultimate objective of AML activities is to disrupt financial crime and to assist the authorities in prosecuting criminals, the key requirement for all firms is the management of reputational risk in an era of intrusive regulation. Internal auditors are crucial to this, first by providing assurance on AML systems and controls and secondly by adding value through an informed insight into risk.
Steve Giles is a partner in Highview Consultants and has recently published a book entitled Managing Fraud Risk – A Practical Guide for Directors and Managers. Each chapter of the book covers a vital aspect of fraud including corporate governance, detection controls, risk and business ethics.