The TIC Company
AML remediation may not be the way anybody wants to start their working week but the truth is, if done right, it can not only uncover bad processes and procedures but can be the beginning of a journey to compliance success.
Over the years we have seen a number of companies – many of them financial institutions – receiving large fines for incorrect or missing processes. Using remediation as a preventative measure as well as a cure could help keep you on track and avoid the pain of formal warnings, or worse fines.
What is remediation?
Remediation most often occurs when an entity has been found non-compliant and has been given a formal warning and/or is required to carry out ‘enforceable undertakings’.
Remediation will include:
Reviewing and assessing what you’re doing and seeing where faults have occurred
Taking action so the faults do not occur again
Retrospectively fixing the mistakes which occurred
Reviewing and assessing your current situation is a critical part of the process and is why ongoing monitoring and quality assurance should always form part of your compliance programme.
Take the recent case of BNZ who reported themselves to the regulators for failures in prescribed transaction reporting (PTRs). While it took some time to discover their PTR systems weren’t providing the correct information, they would never have made the discovery if they were not reviewing and testing. Now, BNZ have the opportunity to work with the Reserve Bank of New Zealand to remediate the issue. A costly error, but one which could have been worse if it remained unfound for any longer.
Get the basics right
Regulators will review all your AML activity but above all else you can guarantee your customer due diligence (CDD) process will be rigorously tested. Indeed, one of the main reasons many companies are failing audits, facing remediation and large fines is centred around CDD and know your customer (KYC).
To get it right you need to be applying a risk-based approach to due diligence and taking measures to ensure you remove anonymity from transactions and that you truly know your customer.
To help avoid retrospective remediation on CDD ensure:
You are reviewing your due diligence processes, and gathering the correct identifying information on your customer, the beneficial owner(s), and any person acting on behalf of your customer.
You determine the risk level of every customer, verify information, and understand the nature and purpose of the proposed business relationship.
You keep comprehensive records, maintain these records, regularly review and respond to changes in your customers circumstances.
This by no means covers everything which should be included in due diligence, but make sure you get it right as you can be sure regulators will justifiably be expecting this to be near perfect.
Dealing with AML remediation
So, you, your auditor, or the regulators have found a reason for remediation, what next? Sometimes you can see the issue clearly yourself and take steps to correct it, other times you might need the expertise of an AML provider. Whichever option you choose the key is to ensure you bring the non-compliant activities, and/or missing activities identified into a compliant state.
While the aforementioned BNZ remediated their PTR reporting, this will have cost them considerable time and money. A huge task which no doubt required intensive resourcing to complete.
Other businesses facing fines have had the arduous job of going back through customer files and checking that the right information was collected during onboarding and ongoing due diligence, such as whether IDs had been collected and whether trustees were on file.
Again, another huge task.
It certainly pays to get it right first time but if you don’t, take a step back and start to plan your remediation strategy:
Ensure that senior management and key stakeholders in the organisation are aware of the issues, and that they work with you to fix those things. Without that buy-in, remediation will be virtually impossible.
Next, establish a roadmap for remediation. You may be on a deadline from your regulator, or your auditor may be recommending remediation to occur in a certain timeframe. Bear these in mind as you prioritise the actions for remediation.
If you are requested to remediate by your regulator, make sure you continually update them on your progress. This will maintain a good relationship, and potentially avert further action from them.
In some cases, you may realise that you don’t have time to fix things. This is where a third-party company can be very useful - they work with you to undertake remediation, and provide advice on how to improve processes so it doesn’t happen again.
Remediation prevention with uplift
You’ve dealt with fixing all the remediation issues found by regulators but it doesn’t stop there. You also need to demonstrate what you will do to avoid the same thing happening again, and start to take action on this.
This positive change or ‘uplift’ is likely to include a number of aspects depending on your situation:
Reviewing and/or re-creating your compliance programme.
Conducting quality assurance on client information and recording what is missing or incorrectly captured.
Retraining of staff and/or redirecting training in such a way that staff understand the correct process or new emphasis on concepts.
Ensuring those responsible for the compliance programme have the right level of knowledge so there are no gaps in compliance education at all levels of the organisation.
At tic company, we’re experts in both remediation and uplift, and have supported multiple entities in the financial services, property, and the cryptocurrency industries to manage remediation and the improvement of compliance procedures to make positive change.
In some instances, you may be surprised to be in remediation if you felt your compliance procedures were up to scratch, but it can happen. The Russia sanction list requirements saw some entities caught out as they were re-using previously obtained information in relation to Politically Exposed Persons (PEPs) and sanction screening. They thought they were doing the right thing, as in theory you can reuse information models, but it can, and did expose some companies to bad actors – something we are helping a business to remediate right now.
To outsource or not?
Outsourcing remediation and uplift has some key benefits, but ultimately you should weigh up a few things when considering your options:
do you have the right expertise to carry out enforceable undertakings, or resolve formal warnings correctly, in a timely manner, on your own;
do you have the necessary skills to update your procedures so compliance is done correctly in the future; and
does taking staff away from their day job to make corrections add value to your business.
If the answer is no to any of these, you may want to outsource to a trusted AML provider.
There’s no doubt remediation can be a stressful time, but the learnings and discoveries made along the way can help lead towards future compliance success. And, if you need some assistance to get there, get in touch and see how we can help with expert advice and support.