I don’t write too many newsletters. If you’re like me, you probably get too many to read already. BUT, I did think it was an opportune time to get one out this month. Two reasons, primarily:
1. Between now and 31 August 2022 you should all be putting in your annual report to your supervisors. Why? Well, it’s a mandatory requirement to do an annual report, so you have to, but it can also be seen as a perfect time to review your risk assessment and compliance programme, check everything is up to date, and maybe as a trigger to check you’ve remediated everything from your last audit.
2. Most of you receiving this newsletter are non-financial institutions (DNFBPs). This means that you would have all had your first audit around 2020ish. The audit time period has been extended to three years, which means there are going to be over 6000 DNFBPs wanting to get a second audit over the next year or so. Which brings me to the second reason I thought it appropriate to write this newsletter. Don’t leave it too late to book in your next audit.
There is a shortage of AML auditors in New Zealand. If you don’t book in early you may struggle to get the auditor of your choice, at the time of your choosing.
So, what do you need to do to prepare for your next audit?
Firstly, it’s important that you have remediated or done your best to remediate the findings of the last audit. You don’t want the same findings coming up again in the next audit. It doesn’t look good, from an auditor’s perspective or from the supervisor’s perspective. So go over your reports and if you need support to get things done, do it now.
Secondly, the next audit probably won’t be the same as the first audit. The first audit would have been substantial, a good look around all aspects of your risk management programme and you possibly had a lot of findings.
Let’s face it. It was new to all DNFBPs. There were a lot of questions around what a risk assessment looked like, what it was, how it tied into the compliance programme, how detailed the compliance programme should be, what needed to be in it: lots of questions. It was new to the Supervisor overseeing DNFBPs too; the legislation was written for financial institutions, the interpretations were hard to come by and the guidelines unclear. The Supervisors took an educational approach to help reporting entities comply. BUT, it’s coming up 4 years plus now and the tide is turning. The Supervisors have a higher expectation now that reporting entities are maturing into the world of AML compliance. Their approach is going to be more targeted, looking at the areas of greatest non-compliance within the different sectors, and their educational approach is morphing into a harder line seeking compliance. Watch out for more written warnings and court action as we move forward.
So, expect the second audit to also be more focused. It will be guided by the findings of the last audit. It will be checking how any findings have been remediated and how sustainable the remediation has been.
If there were a lot of findings in the last audit, then the second audit may still be a large and wide scope undertaking. The scope of the audit will also be directed by you, the reporting entity. Are there areas of uncertainty, have you found issues since the last audit you want independently checked or verified? You should discuss these with your auditor during the planning stage of the next audit to ensure it covers all that you require.
The audit will also check how well your risk assessment and compliance programme have been kept up to date. There have been changes within AML land such as guideline updates and audit time periods. We would expect these to be reflected in your documents. We need evidence that your documents have been reviewed as per your own documented timings, and proof of regular and ongoing training for all appropriate staff, at the level required for their duties. There should be 2 – 3 years’ worth of reporting available to review: internal reporting to Senior Managers/Directors and within teams, and external annual reporting to the supervisors or FIU. Ongoing monitoring will also be looked at more closely this time round. This should have picked up and remediated any CDD issues from the last audit.
Moving from two-yearly audits to three-yearly may have been seen by some as a wonderful move. However, from an audit perspective it’s now three years’ worth of data, reporting, updating, training and vetting fieldwork and evidence to look at, and if it’s been non-compliant for that period of time as well, that’s a lot of remediation to go back and redo.