An independent AML/CFT audit refers to an independent review or assessment of a reporting person’s risk-based AML/CFT framework. It assesses whether the provisions of the FIAMLA and FIAMLR are being complied with by the reporting person and allows the reporting person to ascertain and assess the proper functioning of its risk-based AML/CFT framework over a specified period and make any required changes.

Yes, it is mandatory for reporting persons to conduct an independent AML/CFT audit.

Pursuant to Regulation 22(1)(d) of the Financial Intelligence and Anti-Money Laundering Regulations 2018 (‘FIAMLR’), a reporting person should carry out an independent audit to review and verify compliance with and effectiveness of the measures taken in accordance with the Financial Intelligence and Anti-Money Laundering Act (‘FIAMLA’) and regulations.

The independent AML/CFT audit enables the reporting person to evaluate the practical efficiency of its risk-based AML/CFT programme and determine whether the risk-based policies, controls and procedures in place are based on the money laundering and financing terrorism & proliferation risks identified by the reporting person and whether they are adequate and effective in mitigating the risks.

A person who is suitably qualified, understands the sector of the reporting person and has audit experience can conduct the AML/CFT audit. This does not necessarily mean the person has to be a chartered accountant or qualified to undertake financial audits. However, he/she must be independent, and not involved in the development of the risk assessment, or the establishment, implementation, or maintenance of the AML/CFT programme of the reporting person.

No. Currently, there is no list of recommended auditors for independent AML/CFT audits. It is for the reporting person to determine who is considered independent and has the appropriate qualifications and experience to conduct the AML/CFT audit.

It is for the reporting person to apply a risk-based approach to determine the frequency of the independent AML/CFT audit. In some instances, there will be regulatory bodies which might prescribe the minimum frequency of the independent AML/CFT audit and this can vary from every 1-3 years. Nevertheless, the scope of the independent audit needs to be risk based and agreed between the reporting person and the auditor.

No, the Financial audit is not the same as independent AML/CFT audit.

A Financial audit is an independent review and evaluation of completeness and accuracy of an organisation’s financial accounts while an AML/CFT audit is a review and evaluation of the adequacy and effectiveness of an organisation’s AML/CFT framework.

A documented detailed report from the auditor to the reporting person as to whether the reporting person meets the minimum requirements for its risk assessment and AML/CFT programme, whether the AML/CFT programme was adequate and effective throughout the specified period and whether any changes are required.

No, the auditor must be independent, and not involved in the development of the risk assessment, or the establishment, implementation, or maintenance of the AML/CFT programme of the reporting person.

A reporting person’s own (internal) review is a process that he/she/the compliance team (MLRO & Compliance Officer) carries out to ensure that the risk assessment and AML/CFT programme are up to date and to help the organisation identify and remedy any areas of deficiency.

The independent AML/CFT audit is a systematic check, by the internal auditor or an external auditor, of reporting person’s risk assessment and AML/CFT programme, and the application of said programme.

A desk-based or onsite inspections by the regulatory body is to check that the reporting person has adopted a risk-based AML/CFT programme that meet the requirements of the AML/CFT laws and regulations of the country and are being effectively implemented within the business’ operations. To note that a desk-based review or onsite inspections by the regulatory body is not considered a substitute for conducting an independent AML/CFT audit or internal review.