Not following your outlined AML/CFT programme will lead you straight to a negative audit finding, as you are required by law to abide by it.
Effective AML/CFT programmes are built upon the legal requirements and your specific AML/CFT risk assessment. If the programme doesn’t reflect what you actually do, then change it (provided you remain compliant with the law) so it reflects both what you do, and when you do it.
Common examples of unnecessarily onerous programmes we see include:
- Specification of quarterly or six-monthly reviews of the AML risk assessment and programme: It’s fine to review more frequently than annually if your business is rapidly changing. But, if your business is fairly static, then don’t burden yourself with unnecessarily frequent reviews that you constantly fail to undertake.
- A training programme that is too ambitious and over-the-top: The company specifies specific training modules but never undertakes them. You need to ensure all relevant staff are appropriately trained, but you don’t need to build a massive programme in the hope it will impress the AML supervisors.
- Overly complex vetting: Some vetting programmes are extremely complex – including saying they will personally meet the clients, will undertake loads of checks such as police and politically exposed person checks – and then don’t do them. Build a vetting programme that meets the law and is relevant to your business. Once again, electronic verification is the way to go.
- Overly complex account monitoring and CDD for small companies: Again, if it’s too complex, compliance with the processes will fall by the wayside.