This article is based on a Jade ThirdEye Spotlight on AML podcast, which featured AML/CFT auditing specialist Martin Dilly, who spoke on AML Programme Audits, Independent Reviews, and Assurance.
AML programmes have many repeatable processes, which means automation can be used to create operational efficiencies. While people do make mistakes, each added element of automation removes an aspect of human error. For instance, it means your people aren't trying to reconcile spreadsheets to work out whether the alerts dropped off, or cases need to be followed up with because someone forgot to close it off as it wasn't automated.
What do auditors look for in automated transaction monitoring systems?
When it comes to automated transaction monitoring systems' auditing requirements, the benefit is usually that all the records are in one place - rules, parameters, alerts, investigations, dispositions, and suspicious activity reports. Essentially, the whole process in one place.
Audit logs for rules and parameters also greatly benefit from automation. Removing the human dependency for specific tasks means, for example, you're not relying on someone's knowledge of when they changed their rules or parameters, as it's all documented in the system. You can review the logs and see what they were doing each time, which is very helpful for auditors.
What should reporting entities who have automation tools in place know or be prepared to think about when being audited or reviewed?
- Rules and parameters set up. One key example for me would be if you're using a transaction monitoring system, you've got your rules and parameters set up. You should have clear reasoning behind why you have these rules and parameters. This needs to have supporting information to show the risks you're addressing and why you think these particular rules and parameters are adequate for your business.
- Demonstrating assurance. The bit that many entities forget about is things like assurance around the data going into their systems. Reporting entities need to show the reasons or steps behind the confidence they have that the right business data is flowing into their transaction monitoring programme. This extends to how they know the rule sets are working as expected. Having confidence in your programme is one thing, but demonstrating it to an auditor is crucial.
- Data integrity. Data integrity is not necessarily something that an AML auditor will dive deeply into. Still, they will be looking to say how you can demonstrate to me that your data is accurate. A foundational aspect of this integrity is mapping your key systems.
- Mapping information flow. If you start seeing some errors that the rules aren't working quite the way they should, auditors will ask questions like “Which data field it is pulling from in the system?” and “Does the system even have this information?”. In order to make a recommendation around amending that rule, the auditor needs to understand your data, the fields, and so forth. Ideally, you will have a simple map of your key systems to visualise the flow of information in your business.
- Relevant access. One other beneficial thing you can do for your auditor is to set them up with view-only access to your automated system. Auditors need to spend time getting familiar with and going through your systems. Any delay in providing access to it can result in losing half a day while waiting for setting this up. So, talk to your provider ahead of time and let them know if there is an auditor setting so you can let them have view-only access and let them see what they need to see. It's vital to get view-only access as it means the auditor won't be able to do any damage behind the scenes by accident, which would still ultimately be your responsibility as a reporting entity.
In essence, make sure you understand how your systems work and make sure you're able to demonstrate it.
Martin Dilly is an AML auditor advisor, who has consulted full time as an AML/CFT specialist since 2012. Martin has assisted hundreds of entities across every sector through the provision of audit consulting and training services in New Zealand, Australia, Samoa, and Vanuatu.