Financial Crime Audit Roundtable

Key Takeaways

Exiger hosted another Financial Crime Audit Roundtable under Chatham House rules attended by senior internal audit practitioners from various financial services institutions covering financial crime risk across UK and EMEA. The discussion focused on the role that internal audit has played in light of recent global sanctions against Russia, and the risk areas that are in FCC internal audit plans for 2022/2023.

Exiger first provided a brief overview of regulatory fines from 2021; the year saw 80 institutions being collectively fined USD 2.7bn for AML failings globally. Exiger then looked at 2022 to date, with the outbreak of war in Ukraine and resulting sanctions imposed by governments around the world against Russia being front of mind. Exiger highlighted that the war has given rise to a convergence of sanctions and AML risk and highlighted the potential for an increase in the use of cryptocurrency as a circumvention method. Notable legislation such as UK’s Economic Crime (Transparency and Enforcement) Act, new and much anticipated powers for Companies House, and US President Biden’s new Executive Order on digital assets were covered. Covid-related fraud and corruption, the scale of which is currently emerging, was also highlighted.

Emerging trends for 2022 were presented:

• AML/CTF de-risking – European Banking Authority’s (EBA) January 2022 Opinion suggested that de-risking has a detrimental impact on the achievement of European Union’s objectives. The EBA noted that institutions should tackle unwarranted de-risking.
• Illegal Wildlife Trade and Money Laundering – RUSI assessed the UK’s handling of Illegal Wildlife Trade on behalf of the UK government; financial institutions have an important role to play in curbing illicit flows. See the report from RUSI here.
• Virtual Assets / NFTs – crypto money laundering is on the rise (Chainalysis report). The UK NCA have stated that drug dealing is a common predicate offence for cryptocurrency laundering in the UK. Non-fungible tokens, or NFTs, have increased in popularity and are at high risk of money laundering.
• Modern Slavery and AML – Ukrainian refugees are at risk of human trafficking and organised crime (UNODC Press Release). Banks should be on the look-out for related financial flows.
• Sanctions Compliance – Financial institutions across the world are managing a big wave of new sanctions.
• Trade Based Money Laundering – FATF recommendations urge members to raise awareness of TBML within public and private sectors involved in international trade. Circumvention of sanctions via trade transactions is a topical risk area.
• Covid – criminals continue to exploit the crisis via the production of counterfeit medical goods, cybercrime, and investment, charity and other types of fraud (FATF report).
• Resourcing concerns – FCA’s “Dear CEO” letter raised concerns about the high turnover of MLROs and teams left under-resourced.

Roundtable Discussion

The roundtable discussion focused on recent sanctions against Russia, internal audit’s response and the 2022/2023 audit plan of participants’ organisations.

Sanctions risk is on the audit plan for 77% of participants.

Organisations are analysing their exposure to newly sanctioned parties. Three participants noted that the evolving sanctions landscape is being monitored holistically at their organisation not only from an anti-financial crime lens but also from other perspectives such as credit, settlement and cyber risks.

Participants noted that all three lines of defence within their organisations were engaged in monitoring the fast-moving sanctions landscape. Internal audit departments have increased their engagement with the First Line business and are using existing and new monitoring channels to stay abreast of the organisation’s response to new sanctions, such as attending key First Line of Defence fora or risk committees, attending new tactical working groups or joining daily calls with the First and/or Second line.

A number of participants commented that their businesses are reassessing the strategy with regard to clients with a Russian nexus and evaluating whether these fall within the organisation’s risk appetite. One participant from an international bank with a branch in Russia noted that the local branch is under pressure to comply with global sanctions regulations as well as Russian legal requirements which are at times conflicting. The ability to settle the Ruble is a key focus for institutions that offer settlement services and correspondent banking, and one institution noted potential circumvention risk via their key markets, namely China and the UAE, that are at risk of being used as a conduit to making payments on behalf of Russia. 

Risk appetite and risk assessments are areas that are high on internal audit agendas. 69% of participants selected this as an area of focus for 2022.

Data analytics is being leveraged to understand sanctions risk exposure to Russia; for example, to quantify the population of clients with touchpoints to Russia and transactional exposure via SWIFT payments. One individual in particular noted internal audit’s use of data analytics in providing assurance within list management by comparing new sanctions lists against the lists that are being uploaded into the bank’s systems for screening to ensure internal lists are complete.

All participants agreed that the internal audit plan needs to be flexible to ensure there is sufficient focus on current sanctions risks but at the same time allow the First and Second Line to execute against that risk.

From a sanctions lens, screening controls are receiving the most focus by internal audit in 2022.  Customer screening is on the audit plan of 92% of participants, while transaction screening is on the audit plan of 77% of participants. The alert investigation process is being audited by 62% of participants.

Some takeaways:

• The majority of participants noted that they are working to identify controls and processes that are currently under stress as well as providing assurance around new controls that have been created to ensure compliance with multiple waves of new sanctions orders.
• The majority of participants also noted an increased focus on recent spikes in screening alerts, with internal audit checking whether these are being addressed timely.
• List management is another focus area; list entries have seen increased volumes and internal audit is working to ensure list entry management is effective and robust. Two participants noted the implementation of new controls to ensure that sanctions lists are being generated and updated to the banks’ systems in a timely manner, on which internal audit have been providing assurance.
• Sanctions circumvention risk is also getting attention given newly added SDNs, with one participant noting that they are looking to enhance internal audit coverage in that area. KYC, EDD and PEP processes, in particular Source of Wealth identification and measuring indirect sanctions exposure, are also receiving targeted attention to ensure that organisations are identifying all potential sanctions risk across their customer base.
• All participants noted that CDD and EDD controls are on their 2022 internal audit plan. OFAC reporting and indirect sanctions risk exposure through Trade Finance are also key areas that participants noted as receiving increased internal audit attention.

In terms of high-risk businesses, Correspondent Banking (54%) and Trade Finance (31%) are on top of audit’s agenda.

Other areas that are on internal audit’s agenda for this coming year include:

• ABC (69% of participants), with high-risk intermediaries and Gifts & Entertainment being the most common areas being audited by participants, and Fraud (62%).
• Environmental, Social and Governance (ESG) is another risk type being audited by internal audit teams this year (69%); this is an area which is increasingly being incorporated under the financial crime compliance umbrella at financial institutions. The session concluded with practical Q&A among participants.

Financial Crime Audit Roundtable Conclusions

Sanctions will remain top of the agenda for the coming months, as financial institutions respond to the recent waves of sanctions against Russia. Communication between the three Lines of Defence is paramount to ensuring comprehensive sanctions coverage in a rapidly changing environment. Internal audit continues to be a trusted advisor to the business and compliance in times of crises. By being a flexible partner, internal audit teams are identifying controls and processes under stress and providing assurance around new and existing controls in response to new sanctions, thus contributing to the overall effectiveness of the global response to Russia’s aggression in Ukraine.

How Exiger Can Help

Exiger professionals are ex-practitioners that have managed some of the largest and most complex financial crime and sanctions-related programmes in the world. Their extensive industry experience of financial crime and sanctions risk management can help clients to assess their sanctions compliance programmes against regulatory standards and industry best practice, and if weaknesses are identified, partner with client teams to enhance programme controls, design, develop and deliver sanctions training, and help clients to ensure their organisation-wide risk assessments are sufficiently focused on sanctions risk. Exiger can also work alongside internal audit teams, utilising our in-house sanctions expertise to assess sanctions systems and controls.

Exiger is changing the way banks, corporations and governmental agencies fight financial crime by combining industry expertise and artificial intelligence to root out bribery, corruption, sanctions violations, money laundering and terrorist financing. In recognition of the growing volume and complexity of data and regulations, Exiger is committed to working with clients to create a more sustainable compliance environment through its holistic and innovative approach to problem solving.

Powering its Advisory, Diligence and Government Services solutions, Exiger has developed purpose-built technology—DDIQ and Insight 3PM— trained and deployed by its subject matter experts to accelerate the auditability, efficiency, quality and cost effectiveness of clients’ compliance operations. Exiger operates in seven countries and eleven cities around the world, including London, New York City, the Washington, D.C. metro area, San Antonio, Toronto, Bucharest, Singapore and Sydney. In recognition of the growing volume and complexity of data and regulations, Exiger is committed to working with clients to create a more sustainable compliance environment through its holistic and innovative approach to problem solving.

Contact Exiger to learn more about services.