To all MLROs: Hand on heart – when was the last time you read, not just skimmed through – your firm’s AML Policy?
Have you ever asked one of your AML Team members or First Line relationship managers or – if confidentiality permits – your SO (Significant Other) or DD (Dear Daughter)/DS (Dear Son) to read your AML Policy? How far did they get before they gave up because the document was “too long”, “too boring”, or “too complicated” due to its jargon or structure?
The FCA recently published feedback on good and poor quality applications received under the cryptoasset AML/CTF regimes.[1] While specifically targeted at cryptoasset firms, the FCA’s comments on policies and procedures are applicable to all regulated firms: “Applicants should not submit generic/off-the-shelf policies and procedures that do not align with their business model or that contain obsolete documents not designed for or adapted to the proposed […] activities.”
Senior management is responsible for ensuring that their firm’s policies, controls and procedures are appropriately designed and implemented, and are effectively operated to manage the firm’s risks.[2] AML policies and procedures (“AML P&P”) are at the core of a firm’s AML control framework – they set out the structure of the AML Programme, its key elements, and the roles and responsibilities of parties across the Three Lines. Further, they set the minimum standards to meet regulatory requirements and key strategic risk decisions for the application of a risk-based approach.[3]
Firms are assessed against their AML P&P during supervisory visits: Are employees doing what they are supposed to be doing based on the AML P&P? Without “good” AML P&P (and we’ll come to what that means) well-meaning employees who are prepared and willing “to do the right thing” will struggle to determine what “the right thing” is.
Staying out of the FCA’s Crosshairs
Despite clear requirements, we (and the FCA) regularly see AML P&P that fail to meet the required standard. Some severe (but unfortunately common) failings include:
- Use of generic templates that are not tailored to the size and risk profile of the organisation;
- AML P&P that appear to be copied from (one or more) other organisations, referring to products the firm does not offer, customer segments that the firm does not cater to, and/or functions and roles that do not exist at the firm. This is often compounded with inconsistent terminology throughout the document;
- AML P&P that are still in draft format, without version history/control, sometimes with missing sections and open questions and comments; and
- AML P&P that solely regurgitate the regulations without applying them to the firm’s operating model.
What may be even more concerning is that these documents have been approved by the Board of Directors/Senior Management.
While these are examples of material failings, even AML P&P prepared with more care and diligence may fail to be effective. Here’s why:
- Excessive document length (who reads an AML Policy that has more than 80 pages?);
- Inappropriate style, terminology and structure, such as the use of complex sentence structures and terminology that non-AML professionals struggle to understand;
- Lack of a clear and user-friendly table of contents that allows users to quickly understand the overall document structure and find what they are looking for; or
- References and hyperlinks to (internal and external) sources that no longer exist or are outdated.
We are sympathetic and understand that MLROs at smaller firms are often stretched for resources. They know that their AML P&P need to be improved, but this task is often deprioritised in favour of other tasks that are perceived as more urgent, such as overdue CDD reviews or a backlog of transaction monitoring alerts. This may lie in the fact that some MLROs do not consider AML P&P as controls in themselves, but rather as documentation of other controls (“We will fix the actual controls (CDD, TM, etc.) and then we can fix the ‘paperwork’.”).
This approach is short-sighted. Firstly, there are clear regulatory expectations and guidance as to what AML P&P need to cover and achieve, i.e. shortcomings will almost certainly lead to a supervisory finding in an inspection. Secondly, there are practical risks that go beyond AML P&P not being designed appropriately: “bad” AML P&P are unlikely to be used by employees in their day-to-day work. Employees will instead follow their colleagues’ examples and guidance, exacerbating any misunderstandings and shortcuts. Over time, the AML processes actually executed and those documented in the AML P&P will deviate further until this is detected through an internal or external review. Costly and time-consuming remediation exercises are often the consequence.
How MLROs can do More with Less
The following practical steps will help to make AML P&P “user-friendly”, and thus help to increase operational effectiveness.
- Ensure the content is tailored to your firm in terms of customers, transactions, products and services, geographic locations, delivery channels, overall risk and risk appetite and organisational set-up;
- Keep it short and to the point. Use short and clear sentence structures and “plain English”. Consider whether additional details and legal references are required and, if so, whether they can be moved to an appendix or a footnote;
- Create clear and meaningful headings and sub-headings – these should also form the basis for the table of contents;
- Structure all AML P&P in a similar order and format – this helps users to find relevant information more quickly;
- Use graphics and tables to structure detailed information in a format that makes it more accessible and digestible;[4] and
- Update AML P&P in a timely manner to reflect internal and external changes, such as new products or customer segments, or new regulations.
Everyone will agree that clearly written words are more accurate and longer-lasting at the end of the day, eliminating the confusion that a game of Broken Telephone / Pass the Message creates after the information has been passed on for a few rounds.
********************
[1] FCA “Cryptoasset AML/CTF regime: feedback on good and poor quality applications”. Available at: https://www.fca.org.uk/firms/cryptoassets-aml-ctf-regime/cryptoasset-aml-ctf-regime-feedback-good-and-poor-quality-applications
[2] SYSC 3.1.1.R, Regulation 16 (2) MLRs 2017
[3] See JMLSG Part I, 1.58
[4] Examples are the inclusion of a graphic displaying the overall AML P&P framework providing employees with an overview of all relevant documentation and their relationship to each other, or a table setting out the minimum CDD requirements for CDD/EDD for Low/Medium/High risk rated clients.