Roadmap to AML/CTF/CPF Audit Readiness

An independent Anti-Money Laundering / Counter-Terrorist Financing / Countering Proliferation Financing (AML/CTF/CPF) audit helps businesses evaluate the effectiveness of their AML/CTF/CPF Program and ensure compliance with AML/CTF/CPF laws and regulations of India.

It identifies potential vulnerabilities in the AML/CTF/CPF program of the business and offers suggestions to overcome these gaps. Here is your roadmap to AML/CTF/CPF audit readiness, guiding your way to counter financial crimes and stay compliant with legal obligations.

The Meaning and Significance of an Independent AML/CTF/CPF Audit

What is an Independent AML/CTF/CPF Audit

An independent AML/CTF/CPF audit refers to the regular assessment of the quality and effectiveness of the internal AML/CTF/CPF policies, procedures and controls adopted by entities and resultant records and regulatory compliance thereof. It involves systematically examining the different components of the AML/CTF/CPF program of the Reporting Entity, such as the Know Your Customer(KYC) process, Sanctions Screening, Customer Due Diligence (CDD), Record Keeping, etc.

Significance of an Independent AML/CTF/CPF Audit

Ensures Compliance with Indian AML/CTF/CPF Laws

India’s AML regulations mandate independent AML audits. For example, the Guidelines issued for Dealers in Precious Metals and Stones, Real Estate Agents and Virtual Digital Assets under the Prevention of Money Laundering Act 2002 (PMLA) require regular AML audits. The International Financial Services Centres Authority (Anti Money Laundering, Counter-Terrorist Financing and Know Your Customer) Guidelines, 2022 (IFSCA Guidelines) also mandates the same.

Assesses AML/CTF/CPF Program Efficiency

AML/CTF/CPF audit evaluates the effectiveness of the AML/CTF/CPF program and ensures that it aligns with the latest AML/CTF/CPF laws of India and the Enterprise-Wide Risk Assessment (EWRA) of the Reporting Entity.
Provides Unbiased Suggestions to Combat the Identified Vulnerabilities
AML/CTF/CPF audit recognises vulnerabilities in the AML/CTF/CPF program and includes suggestions to overcome them and mitigate money laundering (ML), terrorism financing (TF) and proliferation financing (PF) risks.

Strengthens AML/CTF/CPF Compliance Culture

Regular AML/CTF/CPF audits strengthen the AML compliance culture of the Reporting Entity by demonstrating the commitment of senior management towards AML/CTF/CPF compliance.

Builds Positive Reputation

AML/CTF/CPF audit improves the reputation of the Reporting Entity amongst its customers, investors, as well as AML/CTF/CPF regulators by demonstrating its commitment to AML/CTF/CPF compliance and combating ML, TF and PF risks.

After discussing the meaning and significance of an independent AML/CTF/CPF audit, let us understand when an independent AML/CTF/CPF audit is to be conducted.

When Should AML/CTF/CPF Audit be conducted?

To ensure that the AML/CTF/CPF program is effective against ML, TF and PF risks and up to date with the latest AML/CTF/CPF compliance requirements, AML/CTF/CPF audit should be conducted periodically. The best practice is to conduct the audits annually. Such periodic audits should assess both the individual business practices of the Reporting Entity as well as the overall entity-wide AML/CTF/CPF program.

However, the frequency of the AML/CTF/CPF audits depends on the nature and size of the Reporting Entity’s business. Its customer base, the products and services it offers, the geographies it serves, and the level of ML, TF, or PF risks it is exposed to as assessed under its Enterprise-Wide Risk Assessment (EWRA). For example, if the reporting entity provides services that are exposed to higher ML, TF, or PF risks due to their nature, the reporting entity needs to conduct the AML/CTF/CPF audit process more frequently.

Now that we know when an independent audit should be conducted, let us turn the discussion towards what an independent audit entails, and the various components of an AML/CTF/CPF program that should be examined in an independent audit.

Scope of an independent AML Audit

For an independent AML Audit to be comprehensive, it should evaluate the efficacy of the following components of the Reporting Entity’s AML program:
  • The EWRA of the Reporting Entity, taking into account its nature, size, and complexity of the business operations
  • The AML/CTF/CPF program and controls and its adequacy in countering ML, TF and PF risks
  • The robustness of the AML/CTF/CPF program against the dynamic ML, TF and PF risks evolved since the last EWRA
  • Red flags to recognise ML, TF and PF risks
  • Changes made to AML/CTF/CPF program since the last audit, including the implementation of the suggestions made in the last audit
  • Employee training on the AML/CTF/CPF program and AML/CTF/CPF regulatory requirements in India
  • KYC and CDD procedures, including Enhanced Due Diligence (EDD) procedures, Politically Exposed Persons (PEP) screening and adverse media screening
  • Sanctions screening procedures
  • Transaction monitoring systems and their adequacy considering the ML, TF and PF risk exposure of the company
  • Procedures for submitting Suspicious Transaction Reports (STR) and other required reports both internally to the AML Principal Officer and externally to the Financial Intelligence Unit of India
  • Record-keeping practices and their alignment with AML/CTF/CPF regulatory requirements, including the quality, adequacy, and comprehensiveness of the records maintained
  • AML/CTF/CPF software adopted by the Reporting Entity, including its functioning and whether it is up to date with the latest regulatory requirements
  • Customer acceptance policy, customer onboarding process and customer exit policy
  • Periodic reports related to AML/CTF/CPF measures submitted by the AML Principal Officer or Designated Director of the Reporting Entity to the senior management or Board of Directors and the action taken on these reports
  • AML Principal Officer’s implementation of the directions or feedback received from the AML/CTF/CPF supervisory authorities
  • Correspondence or outcome regarding any AML/CTF/CPF inspection or review conducted by the AML/CTF/CPF supervisory authority
  • Responses of any AML/CTF/CPF related survey submitted
  • Status of remediation measures adopted to fill the gaps identified by the AML Principal Officer, the latest AML/CTF/CPF audit or inspection conducted by the AML/CTF/CPF supervisory authorities
  • Policy related to AML/CTF/CPF data access and archival
  • Status of compliance with other regulatory requirements, such as sector-specific Guidelines for Dealers in Precious Metals and Stones, Real Estate Agents and Virtual Digital Assets
As discussed in this section, an AML/CTF/CPF audit assesses a wide range of components, so it is crucial for entities to take proactive preparatory measures to streamline the auditing process. The following section provides a comprehensive guide on preparatory measures Reporting Entities can take for a smooth independent AML/CTF/CPF auditing process.

Roadmap to AML/CTF/CPF Audit Readiness

The preparatory measures for an independent AML/CTF/CPF audit involve two essential steps. First, the Reporting Entity must finalise its list of requisites for the AML/CTF/CPF audit and an independent AML/CTF/CPF auditor. Second, it must gather and finalise all necessary information and documents to be reviewed during the auditing process. These steps have been discussed in detail.

Finalisation of Requisites for an Independent AML Auditor

Reporting Entities need to prepare and approve their own list of requisites they expect from an independent AML/CTF/CPF auditor and the auditing process to ensure that the auditing process is aligned with their needs. Deciding on these requisites makes sure that the auditing process is smooth without any hiccups. This list should take into account the following components:

Period to be included for review

Reporting Entity needs to specify the timeframe for which the auditor will review and assess the AML/CTF/CPF program.

Scope of Audit: Limited or Full Scope

Limited scope audit involves an evaluation of identified areas rather than a comprehensive examination of the entire AML/CTF/CPF program of the Reporting Entity. For example, a Reporting entity may choose to audit only its CDD process or its KYC process. On the other hand, a full scope audit involves an auditing process covering all components of the AML/CTF/CPF program.

The Expected Outcome

The reporting entity needs to decide and list the expected outcomes of the auditing process. For example, if the Reporting Entity requires so, it can specify that the auditing process should be followed by practical action plans to combat the vulnerabilities found.

The Budgeted Cost

Reporting Entity needs to outline the range of budget it aims to allocate to the auditing process. This depends on the scope of the audit that it has decided to opt for.

Time Estimation

The Reporting Entity needs to specify the time period in which it expects the auditing process to be completed.

Preparation of Information and documents

To streamline the AML/CTF/CPF audit process and avoid delays, the Reporting should prepare the following information and documents in advance:

1. Business Profile: This includes a comprehensive overview of the Reporting Entity’s nature and size of business, the products and services it offers, its customer base, the geographies it serves, its delivery channels, etc. This profile helps auditors understand the business and identify potential ML, TF and PF risks.

2. Certificate of Incorporation, Memorandum and Articles of Association: These documents provide information regarding the Reporting Entity’s establishment and its operational and ownership structure

3. Organisation Structure: This includes information about the hierarchy in the organisation to help auditors understand the management and decision-making process in the Reporting Entity

4. Annual Financial Statements: This includes financial statements of the entity for the immediately previous financial year.

5. Enterprise-Wide Risk Assessment: As a part of AML/CTF/CPF compliance, all Reporting Entities must have an EWRA in place. Assessing the EWRA helps auditors examine the ML, TF and PF risk exposure of the Reporting Entity, the actions it has taken to address these risks and the effectiveness of these actions.

6. AML/CTF/CPF Program: AML/CTF/CPF Program includes all policies, procedures and controls in place to comply with the AML/CTF/CPF regulatory obligations of the Reporting Entities and combat ML, TF and PF risks.

7. Red Flags Applicable to the Reporting Entity: Depending on factors such as the nature and size of the business, the products and services it offers, its customer base, the geographies it serves and its delivery channels, all Reporting Entities may have different red flags in place to identify any potential ML, TF and PF risks during its business operations. This list needs to be examined by the auditor.

8. AML/CTF/CPF Governance: This includes details on the oversight and management of AML/CTF/CPT activities within the Reporting Entity, and its adequacy needs to be examined by the auditor.

9. AML Principal Officer’s Profile: All Reporting Entities need to appoint an AML Principal Officer to oversee the AML/CTF/CPF compliance in the entity. Auditors need to be provided with the profile of the Principal Officer, which should include information about their qualifications, experience, responsibilities, powers, etc.

10. KYC, CDD, Customer Onboarding Procedures and Templates: This outlines the procedure of a Reporting Entity’s customer onboarding, identity verification and Customer Risk Assessment (CRA) process.

11. Procedures for Submitting Various Regulatory Reports: These reports include Cash Transaction Report (CTR), Counterfeit Currency Report (CCR), Property Transaction Report, Non-Profit Organisation Transaction Report, Cross Border Wire Transfer Report (CBWTR), and Suspicious Transaction Report (STR) to be submitted to Financial Intelligence Unit of India.

12. AML/CTF/CPF Record Keeping Policy: This policy outlines the procedure for maintaining and storing AML/CTF/CPF related records, including customer identification documents, transaction records, etc, as required under AML/CTF/CPF regulations of India.

13. AML/CTF/CPF Training Logs and Training Material: Training materials and logs should document the AML/CTF/CPF training provided to staff, including the regularity of such training, topics covered, participant details, etc.

14. Details of Targeted Financial Sanctions Program and Systems: This includes information on how the Reporting Entity implements and manages targeted financial sanctions, such as screening against various sanctions lists.

15. Customer and Supplier Registers: This includes a comprehensive list of all customers and suppliers of the Reporting Entity, including their details and ML risk profiles

16. Register for the AML/CTF/CPF Reports Filed with the Financial Intelligence Unit of India: This helps auditors examine the AML/CTF/CPF compliance function of the Reporting Entity as well as the accuracy of the reports submitted.

17. Employee Register: This includes a list of all employees and their roles and responsibilities in the AML/CTF/CPF program.

18. List of Countries Identified as High-Risk Countries: This list contains countries considered high-risk from AML/CTF/CPF perspective. Information given must also include the Reporting Entity’s association with customers from such high-risk countries.

19. The Procedures to Identify and Establish a Business Relationship with PEPs: Procedures for identifying Politically Exposed Persons (PEPs) and establishing business relationships with them should be shared with the AML/CTF/CPF auditor. This includes EDD measures in place for PEPs to mitigate any potential ML, TF and PF risks.

20. Previous Years’ Independent AML/CTF/CPF Audit Reports: These reports help auditors evaluate the effectiveness of past measures taken to improve past AML/CTF/CPF programs.

21. Information About the Inspection or Review Conducted by the Supervisory Authorities and Guidance Received from Them: This includes information regarding any inspections or reviews conducted by supervisory authorities, as well as action taken on any instructions provided by them.

22. Information About Administrative Fines and Penalties Imposed on the Reporting Entity: Under the PMLA or IFSCA Guidelines, penalties related to AML/CTF/CPF non-compliance may be imposed on Reporting Entities. This information should be given to the auditor to help the auditors assess the entity’s AML/CTF/CPF compliance culture and its response to regulatory supervision.

23. Periodic Report Submitted by the AML Principal Officer to the Senior Management: This report should summarise the AML Principal Officer’s observations and suggestions regarding the entity’s AML/CTF/CPF program.

24. Access to Staff Members and Senior Management: AML/CTF/CPF auditors should have access to relevant staff members and senior management involved in the AML/CTF/CPF program of the Reporting Entity to discuss and assess compliance practices, collect required information and address any concerns.

25. Access to Files and Various AML/CTF/CPF Compliance Records: Auditors should be given access to all relevant files and records related to AML/CTF/CPF compliance.

26. Disclosure of all Known Instances of Statutory Non-Compliance: Any known instances of non-compliance with AML/CTF/CPF statutory requirements under the PMLA, IFSCA guidelines or any other AML/CTF/CPF regulations should be disclosed to the AML auditor. This transparency helps the auditors understand the compliance issues that the Reporting Entity faces.

Conclusion

An independent AML audit is important because it helps assess and improve the effectiveness of a Reporting Entity’s AML program. For a comprehensive and smooth AML auditing process, preparing for the AML audit is indispensable. By finalising requisites for the AML auditor and auditing process and gathering all relevant information and documents, Reporting Entities can streamline the independent AML audit process.

Niyeahma – Your Trustworthy AML Compliance Consultant

  • Conducting the Enterprise-Wide Risk Assessment to assess the ML/Ft exposure to your VDA activities
  • Developing and implementing an AML program for managing the ML/FT risks
  • Appointing an AML Principal Officer and assisting in setting up an AML compliance department
  • Creating transaction monitoring rules to detect suspicious VDA transfers timely
Thus, you can find all kinds of support related to AML compliance at Niyeahma.

About the Author

Linkedin

Jyoti Maheshwari

CAMS, ACA

Jyoti has over 7+ years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.