AML policy update: three most frequently made mistakes
AML policy is a dynamic part of your firm. Within AML, things change from time to time. These changes may affect your policy. I notice that firms find it a challenge to actively deal with this. In this blog, I outline the three most common mistakes and give some practical advice.
In accordance with current law
It is important that your policy corresponds to the law in force at the time. Take the UBO register as an example. Since its introduction, organisations have been obliged to carry out a UBO check. If the data from the register does not match the data given by that client, you have to make a feedback to the UBO register. Matters like this, which are reflected in the legislation, should also be included in your policy.
In your policy, you don't describe who should do what. A policy is a general description of:
- the firm's risk appetite;
- the AML process;
- the associated risk profiles.
You can find more on the content of the policy in an earlier blog on the essential parts of a risk policy.
The starting point of your AML policy is whether or not you have to deal with AML legislation. If you do not feel you are in the AML sphere, an ordinary file may still change during the course of time. Then you do end up in the AML sphere and it matters that you can take your policy into account.
How often should you update your policies?
What is important with an up-to-date policy is that all components are updated periodically. Now I hear you thinking, 'How often should I do that?' My opinion is that the policy should be a living document. Every month might be a bit excessive, but make sure you schedule a time for this at least once a couple of years. Go through the policy and check whether it is still in line with current AML legislation.
Three most common mistakes
Which mistakes do I encounter most often in practice?
- In the drawer
What I see happening most often is that a policy is written but then not seen. Yet it is becoming increasingly important to have these policies available. AML is taking a more prominent role and the supervisor is going to monitor more extensively. For instance, crucial elements may be missing, such as the screening of risk and sanction lists. For instance, what do you do if a PEP is involved? Want to know what a PEP is and how to check them? Then read this article.
- Not a policy but a roadmap
Sometimes I see that a policy is not a policy, but a roadmap. A plan of action that broadly defines how to proceed. A policy comes before that. The entire work process should be detailed from A to Z. It should also include your firm's risk analysis and risk appetite. I often don't see these two parts reflected, even though they are mandatory. Here, you describe what type of clients you have, what sectors they come from and what type of matters they bring. Say: as a firm, you specialise in crypto. In that case, it is not necessary to mark every client with a high risk profile. After all, it is your specialisation, but you need to properly include and explain this in your policy. A firm doing sporadic crypto matters will assign this type of clients a high risk profile, though. In short, it is important to carefully consider and record your risk analysis.
- The exception becomes the standard
In practice, I see that firms want to include exceptions. For example, they want to do simplified research on specific files. These firms want to include this as an exception in the policy. My advice is always: don't do it. I have seen so many times that the exception then becomes the standard. Not doing any investigation at all is a no-go anyway. If you want to do simplified research, it's human nature that it quickly becomes the new normal. Of course, there will always be exceptions, but don't let that become the standard. That can no longer be explained to the supervisor.
Speaking of the supervisor. One thing is certain, during a supervisor's visit, the policy is an important part and very likely the starting point of the conversation. He or she will certainly ask the question: 'Does your firm have a written risk policy and, if so, may I see it?' Be prepared for this.
Write a policy and update it at least once a year in line with AML legislation. Are you looking for help writing or updating your AML policy? Then take a look at our AML compliance as a service. With this service, we offer support and guidance on your AML policy.
About the author: Demi Eliens
Demi is Compliance Manager at RegLab. On a daily basis, she helps firms shape and implement AML policies. From her experience and broad perspective, she provides strategic and practical compliance advice. She is also not afraid to work hard and do AML at firms herself. An all-rounder with a clear view on AML.