In accordance with current law
It is important that your policy corresponds to the law in force at the time. Take the UBO register as an example. Since its introduction, firms have been obliged to carry out a UBO check. If the data from the register does not match the data given by the client, you have to mention this to either the UBO register or the client. Issues like this, which are reflected in the legislation, should also be included in your policy.
A policy is a general description of:
- the firm's risk appetite;
- the AML process;
- the associated risk profiles.
You can find more on the content of the policy in an earlier blog post on the essential parts of a risk policy.
The starting point of your AML policy is to define when you have to deal with AML legislation and when you do not. Keep in mind that a non-AML file may still change during the course of time into an AML file. Then you do have to do AML checks and it then helps that you can take your policy into account.
How often should you update your policies?
What is important is that all components of the AML policy are updated periodically. The policy should be a living document. Every month might be a bit excessive, but make sure you schedule a time for this at least once a couple of years. Go through the policy and check whether it is still in line with current AML legislation.
Three most common mistakes
Which mistakes do we encounter most often in practice?
- No comprehensive policy
What we see happening most often is that a policy is written but not specified enough. For instance, crucial elements may be missing, such as the screening of risk and sanction lists or what to do if a PEP is involved. However, it is becoming increasingly important to have these policies available. AML is taking a more prominent role and the supervisor is going to monitor more extensively.
- Not a policy but a roadmap
Sometimes we notice that a policy is not a policy, but a roadmap. A plan of action that broadly defines how to proceed. A policy is something that comes before that. The entire work process should be detailed from A to Z. It should also include your firm's risk analysis and risk appetite. We often don't see these two parts reflected, even though they are mandatory. You should describe what type of clients you assist, what sectors they work in and what type of matters they bring. Say: as a firm, you specialise in crypto. In that case, it is not necessary to mark every client with a high risk profile. After all, it is your specialisation, but you need to properly include and explain this in your policy. A firm doing sporadic crypto matters will assign this type of clients a high risk profile, though. In short, it is important to carefully consider and record your risk analysis.
- The exception becomes the standard
In practice, we see that firms want to include exceptions in their policy. For example, they want to allow simplified research on specific files. These firms want to include this as an exception in their AML policy. Our advice is always: don't do it. We have seen so many times that the exception then becomes the benchmark. Of course, there will always be exceptions, but don't let that become the standard. That can no longer be explained to the supervisor.
Speaking of the supervisor: one thing is sure, during a supervisor's visit the policy is an important part and very likely the start of the conversation. He or she will certainly ask the question: 'Does your firm have a written risk policy and, if so, may I see it?' Be prepared for this.
In conclusion
Write a policy and update it at least once a year in line with AML legislation. Are you looking for help writing or updating your AML policy? Take a look at our AML compliance as a service. With this service, we offer support and guidance on your AML policy.
Discover the key steps to comply with AML, especially for everyone who must meet AML requirements
