Internal AML audit: how to assess client due diligence within your firm

Why conduct an internal AML audit?

The results of an external audit can sometimes be alarming. In addition, many shortcomings turn out to be easy to remedy, but by then it is already too late. Do you want to prevent a regulator or external auditor from having to point this out? Then conduct an internal audit yourself and ensure you have some “easy wins” ready for when the regulator visits.

Good to know: an external audit may be mandatory for certain firms. The internal audit is separate from this. It is an additional instrument to prepare and improve your own practice.

How do you conduct an internal AML audit? 

Step 1. Start with the policy. Read through your firm's AML policy and risk policy. Does the policy comply with current legislation? And do you understand how your firm's AML process works in practice? 

Step 2. Next, talk to colleagues who are responsible for client identification in accordance with AML and non-AML regulations. How do they approach this? Do they follow the standard process? Are they aware of the requirements and internal policy? When did they last attend AML training (AML training obligation)? 

Step 3. Then compare the outcome of the discussions with colleagues with the documentation. Does the policy correspond with what colleagues do in practice and does the process on paper match the process in practice?

Step 4. Then carry out a sample check on the matters of every colleague who identifies clients/approves matters. Ensure that both AML and non-AML matters are included. When carrying out the sample check, pay attention to the following aspects: 

1. Client identification (completeness and documentation). 
2. Classification of services that are (not) subject to AML.
3. UBO assessment. 
4. Screening and risk classification with substantiation.
5. Monitoring   
6. Reporting suspicious transactions 
7. Third-party account (if applicable).

These are the same aspects that an external auditor or supervisor would also look at.

Step 5. As a final step, compile a report and go through the areas for improvement with each colleague. Make sure you repeat the process regularly so that the subject matter and areas for improvement remain a topic within the firm.  

Typical areas for improvement

Many firms encounter the same problems, so it is quite possible that one or more of these points will be highlighted in the internal audit:

• The explanation for a non-AML matter is insufficiently substantiated. 
• The risk profile is insufficiently substantiated.
  
• The organisational chart of the ownership and control structure is not included in the matter.

By identifying and improving these issues in advance, you can prevent a regulator from raising them during an inspection. You also show the regulator that your firm is actively working to comply with AML regulations. 

How often do you conduct an internal audit?

Unlike external audits can be, internal audits are not mandatory. Therefore, there is no fixed schedule that your firm must adhere to. Nevertheless, we recommend conducting an internal audit at least once a year. This ensures that policies, processes and matters are complete and remain up to date. In the event of major changes within the firm or changes in legislation, it is advisable to conduct an additional internal audit.

An internal audit provides insight into the degree of AML compliance within the organisation and helps identify areas for improvement in order to better comply with legislation. In addition, it optimises internal processes and thus prevents sanctions by the regulator in the event of a positive audit outcome.