Earlier this year, Bank Negara Malaysia issued its revised policy document on anti-money laundering/counter financing of terrorism (AML/CFT) and targeted financial sanctions. The new guidelines aim to encourage institutions to take greater ownership of their AML/CFT controls.
One of the areas in the guidelines that has piqued our interest is the heightened board accountability on oversight, which places more responsibility on the board to ensure that the reporting institution has an effective AML/CFT framework. For example, the guidelines place the onus on the board to “ensure regular independent audits of the internal AML/CFT measures to determine their effectiveness and compliance” and “set and ensure the effective implementation of appropriate policies and procedures to address any specific ML/TF risks associated with the implementation of non-FTF business relationships.”
In this post, we want to provide insight into how to give your board the tools it needs to make effective decisions and how to demonstrate robust oversight whatever your organization and wherever you are based.
When selecting board members, compliance expertise can be overlooked. Your organization should have at least one fixed board member who has extensive AML/CFT experience, ideally from within a similar organization. They will be best placed to ask the right questions and focus attention on material areas.
You may be surprised to learn that your board requires frequent and tailored AML/CFT training just as much as your front-line team does. BNM guidelines state, “Board members must understand the AML/CFT measures required by the relevant laws, instruments issued under the AMLA, as well as industry’s standards and best practices in implementing AML/CFT measures.” This is important because without an understanding of AML/CFT, your board will be unable to understand or assess the information being presented to them. However, you should go beyond simple annual training that highlights regulatory requirements. Instead, provide your board with a nuanced view of the specific AML threats that exist and are emerging in the industry in which your organization operates. This includes typologies associated with serving specific client segments through certain delivery channels. Provide annual training as standard, and then quarterly/bi-annual sessions as a refresher and to detail any changes in the AML/CFT landscape. You could even go one step further and consider offering board members the chance to sit with a member of your financial crime team for a day as a shadowing opportunity. This could be a great experience for both parties and an opportunity to learn firsthand. Keep a record of all training delivered and attendance in a secure repository.
The AML/CFT portion of a board meeting can sometimes be given the least amount of time and attention. This is something that can quickly and easily be resolved. Re-shuffle your agenda so compliance is near the start and allocate sufficient time to focus on this.
This is usually the area that most organizations struggle to get right. There is a fine balance to be struck between giving your board enough information to allow them to make meaningful and impactful decisions and providing so much information that it is difficult to navigate. The BNM guidelines provide a list of items that may be considered for board reporting, including “results of AML/CFT monitoring activities.” Avoid lengthy reports and data points. Focus on your risk appetite thresholds and material deviations (i.e., risk exposure to the organization). Be clear at the outset on what decisions you are seeking from your board and provide the necessary information concisely. Items for notification only would be better placed in an appendix; this includes non-material status updates on remediation projects. The sorts of items that may require board consideration include things like sanctions breaches. In this scenario, clearly articulate when the breach happened, what immediate steps were taken and what the longer-term plan of action is (if any), including any regulatory/client impact. The board should then be asked to confirm their agreement with the outlined approach.
Perhaps the only way to demonstrate what has been discussed at your board meeting and the decisions taken is via detailed minutes. The lighter the notes, the harder it will be to evidence a detailed discussion and how outcomes were reached. As such, document everything discussed, share with attendees and obtain electronic sign-off to confirm accuracy as soon as possible following the meeting.