The Financial Services Commission (‘FSC‘) has updated the Anti-Money Laundering and Combatting the Financing of Terrorism Handbook 2020 (the ‘AML/CFT Handbook‘) previously issued on 13 January 2020.
The Handbook provides guidelines to assist financial institutions in complying with the Financial Intelligence and Anti-Money Laundering Act 2002 and the Financial Intelligence and Anti-Money Laundering Regulations 2018 (‘FIAML Regulations‘).
Following the first AML/CFT supervisory cycle 2020/2021, the Handbook has been updated and includes additional provisions in Chapter 4 (Risk Based Approach) to assist financial institutions in implementing an adequate business risk assessment and a new Chapter 13 on conducting independent audits.
In short, the additional provisions in Chapter 4 of the Handbook provides that:
– Management, compliance and risk management departments should all work together on performing the business risk assessment. The role of the compliance department is process monitoring, facilitation and testing; whereas other functions or departments (such as audit) can also provide the necessary input.
– The board of directors has the ultimate responsibility for the business risk assessment and ensuring that an effective internal compliance culture is duly implemented.
– Risk management requires a systematic approach as it is a cyclical process, risks are not static and money-laundering/terrorist financing risks vary according to business activities. A financial institution is therefore expected to (a) perform the whole cycle of identification, analysis and testing of the effectiveness of controls at regular intervals, (b) maintain an up-to-date understanding of vulnerabilities and risks faced, (c) development and implement appropriate strategies to mitigate and control such risks, and (d) document mitigating factors and controls put in place to provide an audit trail.
Chapter 13 on independent audits sets out a non-exhaustive list of considerations to be tested by the independent audit (such as the existing AML/CFT policies and procedures, internal risk assessments, any outsourcing of such risk assessments, the function and effectiveness of the compliance team, AML/CFT training, record-keeping, CDD measures and controls, and suspicious transaction monitoring and reporting). It is recommended that audits should be carried out at least annually or when there are material changes to the financial institution or regulatory framework.
Guidelines are also provided when choosing an independent audit professional and on the contents of the independent audit report.
The FSC may request a financial institution to file its independent audit report for a specified period, and to make available work plans, audit scope, transaction testing and other independent audit documentation and information.
For more details, please see the following link: