As a general rule and in the context of AML/CFT, the business units (eg front office, customer-facing activity) are the first line of defence in charge of identifying, assessing and controlling the risks of their business. They should know and carry out the policies and procedures and be allotted sufficient resources to do this effectively. The second line of defence includes the chief officer in charge of AML/CFT, the compliance function but also human resources or technology. The third line of defence is ensured by the internal audit function.
First Line of Defence
As part of the first line of defence, policies and procedures should be clearly specified in writing, and communicated to all personnel. They should contain a clear description for employees of their obligations and instructions as well as guidance on how to keep the activity of the bank in compliance with regulations. There should be internal procedures for detecting and reporting suspicious transactions.
A bank should have adequate policies and processes for screening prospective and existing staff to ensure high ethical and professional standards for hiring staff. All banks should implement ongoing employee training programmes so that bank staff are adequately trained to implement the bank’s AML/CFT policies and procedures. The timing and content of training for various sectors of staff will need to be adapted by the bank according to their needs and the bank’s risk profile. Training needs will vary depending on staff functions and job responsibilities and length of service with the bank. Training course organisation and materials should be tailored to an employee’s specific responsibility or function to ensure that the employee has sufficient knowledge and information to effectively implement the bank’s AML/CFT policies and procedures. New employees should be required to attend training as soon as possible after being hired, for the same reasons. Refresher training should be provided to ensure that staff are reminded of their obligations and their knowledge and expertise are up to date. The scope and frequency of such training should be tailored in light of the risk factors to which employees are exposed due to their responsibilities and the level and nature of risk present in the bank.
Second Line of Defence
As part of the second line of defence, the chief officer in charge of AML/CFT should have the responsibility for ongoing monitoring of the fulfilment of all AML/CFT duties by the bank. This implies sample testing of compliance and review of exception reports to alert senior management or the board of directors if it is believed management is failing to address AML/CFT procedures in a responsible manner. The chief AML/CFT officer should be the contact point regarding all AML/CFT issues for internal and external authorities, including supervisory authorities or financial intelligence units (FIUs).
The business interests of a bank should in no way be opposed to the effective discharge of the above-mentioned responsibilities of the chief AML/CFT officer. Regardless of the size of the bank or its management structure, potential conflicts of interest should be avoided. Therefore, to enable unbiased judgments and facilitate impartial advice to management, the chief AML/CFT officer should, for example, not have business line responsibilities and should not be entrusted with responsibilities in the context of data protection or the function of internal audit. Where any conflicts between business lines and the responsibilities of the chief AML/CFT officer arise, procedures should be in place to ensure AML/CFT concerns are objectively considered at the highest level.
The chief AML/CFT officer may also perform the function of the chief risk officer or the chief compliance officer or equivalent. He/she should have a direct reporting line to senior management or the board. In the case of a separation of duties, the relationship between the aforementioned chief officers and their respective roles must be clearly defined and understood.
The chief AML/CFT officer should also have the responsibility for reporting suspicious transactions. The chief AML/CFT officer should be provided with sufficient resources to execute all responsibilities effectively and play a central and proactive role in the bank’s AML/CFT regime. In order to do so, he/she must be fully conversant with the bank’s AML/CFT regime, its statutory and regulatory requirements and the ML/FT risks arising from the business.
Third Line of Defence
Internal audit, the third line of defence, plays an important role in independently evaluating the risk management and controls, and discharges its responsibility to the audit committee of the board of directors or a similar oversight body through periodic evaluations of the effectiveness of compliance with AML/CFT policies and procedures. A bank should establish policies for conducting audits of:
- the adequacy of the bank’s AML/CFT policies and procedures in addressing identified risks;
- the effectiveness of bank staff in implementing the bank’s policies and procedures;
- the effectiveness of compliance oversight and quality control including parameters of criteria for automatic alerts; and
- the effectiveness of the bank’s training of relevant personnel.
Senior management should ensure that audit functions are allocated staff who are knowledgeable and have the appropriate expertise to conduct such audits. Management should also ensure that the audit scope and methodology are appropriate for the bank’s risk profile and that the frequency of such audits is also based on risk. Periodically, internal auditors should conduct AML/CFT audits on a bank-wide basis. In addition, internal auditors should be proactive in following up their findings and recommendations.
As a general rule, the processes used in auditing should be consistent with internal audit’s broader audit mandate, subject to any prescribed auditing requirements applicable to AML/CFT measures.
In many countries, external auditors also have an important role to play in evaluating banks’ internal controls and procedures in the course of their financial audits, and in confirming that they are compliant with AML/CFT regulations and supervisory practice. In cases where a bank uses external auditors to evaluate the effectiveness of AML/CFT policies and procedures, it should ensure that the scope of the audit is adequate to address the bank’s risks and that the auditors assigned to the engagement have the requisite expertise and experience. A bank should also ensure that it exercises appropriate oversight of such engagements.