Your AML compliance program is only as good as a third party says it is.
Thus, annual AML audits (or independent AML reviews as they are referred to by FinCEN) are required of all financial institutions, including businesses in the cryptocurrency space and crypto MSBs.
The four pillars of BSA/AML compliance established by the Bank Secrecy Act (BSA) provide the foundation for cryptocurrency businesses to build robust compliance programs. The pillars include an audit requirement for all AML programs.
Based on the four pillars, every financial institution (including cryptocurrency businesses) must develop a compliance program that features:
- Internal policies, procedures, and controls
- A designated compliance officer
- Ongoing employee training
- An independent audit function to test the program
Failure to comply with the Bank Secrecy Act and other anti-money laundering (AML) regulations carries serious consequences, so it’s important not to shrug this one off.
Any way you look at it, understanding how AML compliance audits work is essential to building a stronger business for the long haul. We’ll make sure you know everything you need to know about independent audits and reviews so there’s no guessing.
We’re continuing our series of cryptocompliance 101 posts to help cryptocurrency business owners understand the regulatory landscape, its nuances, and what steps need to be taken to strengthen their compliance.
Today, we’re focusing on annual AML program audits, or independent AML reviews – what they are, who should prepare them, and what to do when the audit is complete.
What is an annual AML compliance audit or review and why is it important?
When you hear the word “audit,” do you start to sweat?
Most people do because we usually hear about the negative aspects of the audit process. It conjures mental images of regulators knocking at your door, rummaging through your records, trying to find something to “bust” you on.
But what’s the real story?
AML program audits are conducted to ensure your cryptocurrency compliance policies and processes are working the way they should and keeping your crypto business out of trouble. That’s not a bad thing.
The reality is laws change, and financial criminals devise new ways to infiltrate legitimate financial companies all the time. For that reason, it’s critical that financial institutions constantly test the strength of their compliance policies and protocols and update them as needed.
In cryptocurrency, where regulatory oversight is more reactionary and guidance is more limited and ambiguous, the importance of annual independent reviews cannot be overstated.
An annual AML compliance review is conducted by an independent, qualified third party with the goal of testing the program, identifying weaknesses, and recommending corrective actions to ensure the program stays in compliance with the Bank Secrecy Act.
The independent reviewer will check your compliance program from top to bottom to identify any areas where your crypto business is weak. They’ll search deep and make sure they have sufficient evidence before they draw any conclusions or make any recommendations in a final report.
An AML program review typically includes:
- Evaluation of overall adequacy and effectiveness of the AML compliance program, including policies, procedures, and processes
- Risk-based transaction testing to evaluate the MSB’s adherence to recordkeeping and reporting requirements. This includes things like Suspicious Activity Reports (SARs) and Currency Transaction Reports (CTRs)
- Evaluation of management’s efforts to resolve compliance violations or deficiencies that were identified in previous audits or regulatory examinations
- Review of employee compliance training for accuracy and thoroughness
- Review and assessment of suspicious activity monitoring to ensure its adequacy
- Review of Know Your Customer/Customer Due Diligence processes
- Evaluation of automated systems and information technology
- Review of recordkeeping
- Adherence of personnel to compliance policies and procedures
- Delivery of a final report and recommendations for improvement as appropriate
What should businesses do when a review is completed?
When the review is complete, the reviewer will provide a report that documents the procedures performed, testing done, and findings. This report will identify any compliance violations, weaknesses identified, and problems discovered during the review.
The report should be provided to the Board of Directors, which is responsible for tracking identified weaknesses and documenting corrective actions. In addition, the BSA Compliance Officer is responsible for ensuring the problems and weaknesses described in the report are documented, tracked, and corrected.
Ultimately, it’s the BSA Compliance Officer who will determine what corrective actions are needed and create an action plan to address them.
Who should prepare an AML review?
An annual review should always be performed by a highly qualified independent company with demonstrated expertise in compliance for bitcoin and cryptocurrency companies, and a deep understanding of relevant regulations, both federal and state.
Like we said up top: Your AML compliance is only as good as a third party says it is.
In other words, you need to work with a reputable and thorough independent AML reviewer that understands how to test your AML program, poke holes in it, and improve it.
Working with a reviewer can (and should) be a positive experience. You benefit significantly from the knowledge transfer that occurs during the review process and after the report is delivered.
However, you have to be working with an experienced and credible AML consultant to derive maximum benefits. Otherwise, deficiencies in your cryptocurrency compliance program could be missed.
A poorly conducted audit can give you false peace of mind, so do your due diligence and choose a reputable independent reviewer to conduct a checkup of your AML program each year.
Remember, AML program audits (or independent AML reviews) are conducted to ensure the policies and processes you have in place to maintain compliance with regulators are adequate and functioning properly to protect your business. Reviews also confirm that everyone on your team is following a robust compliance program and actually doing what they say they’re doing.
The law requires that MSBs conduct independent audits, and it’s recommended that you have a complete AML program review done every 12 months, or more often depending on your BSA/AML risk profile.
When you hire an independent consultancy firm to complete your review, make sure they have access to the information they need so the final report is as comprehensive and accurate as possible. This is the best way to have true peace of mind that your compliance program is as strong as it can be.
Finally, always work with an experienced and qualified independent reviewer to ensure your audit results are reliable and actionable.
If it’s time for your annual review, you can schedule a free consultation with BitAML to get started.