The timeframe for independent testing has shortened. Here’s what you can do to prepare for your next review.
As we’ve said numerous times, your AML compliance program is only as good as a third party says it is.
Cryptocurrency businesses that take their AML obligations seriously routinely schedule outside independent testing of their compliance policies and procedures. This process is also sometimes called an “independent audit” or “AML audit,” but we prefer “review.”
Whatever you call it, independent testing is one of the four pillars of AML compliance for a reason: without an unbiased party around to poke and prod your program, it can be hard to tell what’s working and what isn’t.
The importance of recurring reviews can’t be overstated enough. While 12-18 months used to be prescribed as an adequate period between reviews, recent best practices in AML compliance suggest a 12-month timeframe, or a true annual audit or review.
The point is this: things change fast in crypto. Therefore, an independent review every 12 months is a must.
As we enter the new year, it might be time to look back at your last review and see if you’re at (or past) the 12-month mark for a checkup.
Though it is a requirement of BSA/AML compliance, think of the independent review as an annual physical with your doctor. It’s a friendly face there to kick the tires and give you constructive advice.
Remember too that it’s much preferable to learn about deficiencies in your AML compliance from an independent reviewer rather than an examiner (at which point it’s generally too late).
We’ve offered tips on getting the most out of independent reviews before, and are here to do so again. As you look to schedule your next review, here are six things you can do proactively to get the most out of the process.
If you want to ask BitAML about an independent review, you can reach out to us here.
1. Make sure that all of your filings are up to date
One of the best, most proactive things you can do is to make sure that your state and federal filings are up to date, and to renew if needed.
Keeping track of state money transmitter licensure can be complicated, especially if you operate in multiple states, each with its own unique renewal periods and requirements. Checking in on your MTL filings and updating as necessary is a very important proactive step you can take.
Additionally, you will want to check your FinCEN registration and make sure that it is up to date. After a money services business (MSB) completes its initial registration, the form to review must be filed by December 31 of the second calendar year preceding the 24-month renewal period. Renewal is accomplished by filing the Registration of Money Services Business Form, FinCEN Form 107.
2. Update your website
This is something we see very often in the reviews we conduct for cryptocurrency businesses.
A lot of MSBs, particularly kiosk operators, don’t often keep up with their websites. There are many understandable reasons for this. Websites may not attract much traffic, and there is little need to proactively monitor them when business is primarily conducted through the kiosks.
This means that websites can easily fall out of date. The problem is, this can inadvertently hurt your business.
Imagine a customer visits your website to make sure your business is legitimate, looks up your FinCEN number, and finds that there’s no listing because the number has since changed.
The point is, you don’t want customers getting the wrong idea about your business.
Making some simple updates to your website — updating your FinCEN number, locations of kiosks, accurate messaging, etc. — is an easy update that sends a positive message about consumer protection.
Don’t let your marketing fall behind, or put your reviewer in a tough position where they need to fact-check your public-facing branding.
3. When was the last time you did employee training?
Formal AML training of your personnel is another AML compliance pillar.
You and your employees should go through AML training every year to keep up to date on changing laws and regulations, among other compliance topics.
Any new employee needs to have been trained within 30 days of employment (this is an industry best practice timeframe — we recommend making it part of HR onboarding), and annually thereafter.
Even if you are a sole proprietor, you will need to be able to demonstrate documentation that shows a record of annual AML training.
Training is fairly straightforward, and can usually be completed in a matter of hours (this is something BitAML can help with as well).
Bottom line: make sure you and your employees have gone through an AML training within the last 12 months, and if you haven’t, get one done and documented before your review.
4. Are you and your team prepared for questions?
The competency of the AML staff (or yourself as sole proprietor) will be commented on during the course of an independent review.
As such, take some time to brush up on your AML program and policies if need be, and prepared to answer questions about your processes and the application of AML compliance to your institution in the course of your duties.
Every employee is responsible for compliance in some way, so review your institutional compliance and how it affects your role if need be.
5. Does your team meet regularly about compliance matters?
A company’s board should discuss compliance matters frequently, and such discussions, including specifics about topics covered, should be documented for examiner review.
Additionally, any compliance-related communications or meetings with your employees should also be documented.
An institution’s culture of compliance is important to reviewers, so make sure any compliance discussions with the board or otherwise are well-documented. If not, take some time to go back and do so before your review.
6. Work with your reviewers
Remember that an independent third-party reviewer is there to help you by simulating examiner review from a regulatory body. In other words, they are there to help you improve your compliance program and processes so that review from a regulatory examiner goes more smoothly.
As such, any difficulty in this cooperative relationship will only hurt you during a review with a regulator, who will not be as patient and can and will issue fines and take administrative action for failure to produce documentation for timely review.
An independent review is an opportunity to get your ducks in a row in the event of a hypothetical regulatory examination. And believe us, they’re coming.