This article launches a series based on a Jade ThirdEye Spotlight on AML podcast, which featured AML/CFT auditing specialist Martin Dilly, who spoke on AML Programme Audits, Independent Reviews, and Assurance.
New Zealand and Australia both require reporting entities that operate in their respective jurisdictions to undergo regular anti-money laundering audits. While there are similarities, AML/CFT audits differ between the countries in two key ways – auditing time frames and the audit details they are obliged to report.
How often does a reporting entity need to be audited?
From a New Zealand perspective, reporting entities (except for high-value dealers) require an audit every two years, although that is expected to move to a three-year requirement from mid-2021. This two (soon to be three) year window is a maximum period since supervisors can require you to undertake an audit at any point. Because of this impending increased time frame, I suspect we'll see more on-request audits in more high-risk industries like money remittance. Banks may be forced to get audits on a more regular basis too.
Independent audits have to be precisely that: done by someone who is removed from your organisation. These audits also need to be carried out by someone who can demonstrate they have the skillset and knowledge to undertake the audit. This is an obligation that sits with the reporting entity.
From an Australian perspective, there is no such time limit; the timeframe is based on the reporting entity's self-determined level of risk.
What does an AML audit need to cover in New Zealand and Australia?
As mentioned above, the audits will generally cover the same content as a whole, but Australia does split its programme.
In New Zealand, an audit covers all significant compliance obligations that pertain to your risk profile – from customer due diligence to transaction monitoring, rule effectiveness to information flow.
Australian AML/CTF programmes are split into two parts. Part A is generally focused on the procedures a reporting entity uses to identify, manage, and mitigate its potential exposure to activities surrounding money laundering or terrorism financing. Part B is essentially your customer due diligence (CDD) or know your customer (KYC) obligations. Strictly speaking, Part B independent reviews don't have to cover customer due diligence, which always seemed very odd given it's probably one of the two most significant areas that reporting entities need to get right. In saying this, while it's not required, many entities choose to have the independent review cover both parts.
Australia also has an independent audit requirement, but that's one where AUSTRAC, as the AML supervisor, can request you to get an audit. In such an instance, they will approve and appoint that person. While this requirement is rarely invoked, most reporting entities will generally undertake one of the independent reviews mentioned above.
What is the difference between AML audits and independent AML reviews?
There is some discussion and argument about whether there is a difference in level of assurance between audits and reviews. I think a lot of people would prefer to say they're having a review rather than an audit, but I don't necessarily believe that is the case. Certainly, in New Zealand, as part of your audit, you can choose to get either a limited or reasonable assurance audit, which essentially provides you differing levels of assurance. For further details, I write on this at length in my CAMS Audit white paper. Ultimately, it boils down to how much assurance you want regarding your level of compliance.
Martin Dilly is an AML auditor advisor, who has consulted full time as an AML/CFT specialist since 2012. Martin has assisted hundreds of entities across every sector through the provision of audit consulting and training services in New Zealand, Australia, Samoa, and Vanuatu.