
Oversight of AML: Time to take notice

The last two years have seen significant changes across the globe, not only in relation to anti-financial crime regulation but also in terms of increased public interest and support for the disruption and prevention of financial crime.

Whether it’s bribery and corruption, economic sanction circumvention, money laundering or tax evasion, the world is seeing one of the most significant periods of change in the area of anti-financial crime. And this is accompanied by an increasing focus by regulators, the press and NGOs on boards (and equivalent bodies) and the oversight of their organisation’s anti-money laundering (AML) compliance frameworks.[1]

Boards and AML frameworks

I previously headed the financial crime team for a financial services regulator, where our activities included onsite examinations and enforcement of the local AML regulations. As part of those activities, we made it a point to interview both executive and non-executive directors about the organisation’s AML compliance framework.

In a handful of cases, where enforcement action was taken for non-compliance with those regulations, one of the more striking aspects was the perceived abdication of responsibility by some board members from actually understanding their business’s AML risks and how these were being mitigated. Despite colourful pie charts and spreadsheets of comparative data, some board members could not explain whether the information in the compliance reports they received told them that things were ‘good’ or ‘bad’. In other words, they were not able to discern from these reports whether the AML compliance framework was operating as it should or whether concerns were identified that required immediate attention.

Regulatory expectations

Some regulators have attempted to increase board engagement around financial crime by issuing guidance or best practice examples. Earlier this year, the Department of Justice in the US issued further detailed guidance on the types of questions the regulator will examine where suspected non-compliance has taken place. Although most regulated firms will be familiar with many of the questions listed, they illustrate the regulator’s clear expectations of the board. The list illustrates that in order for a board to effectively oversee a compliance framework, it requires a significant degree of transparency about the ‘nuts and bolts’ of that framework, how it is resourced, the expertise of personnel and the overall environment and attitude of senior management to applying the framework and dealing with non-compliance.

Regulators are increasingly prepared to take board members to task for failing in their oversight duties, whether it’s in relation to AML-specific or compliance frameworks more generally. Although their decisions are not always published or issued as public statements, there have been a number of unreported instances where individual board members have been required to resign or have been prohibited from holding board positions for a period of time due to their failure to effectively oversee their organisation’s compliance framework. Boards should, therefore, be under no illusions that regulators are not prepared to take board members to task where compliance frameworks have been found wanting.

How boards can misunderstand AML risks

In order to oversee and form a view about the effectiveness of an AML compliance framework, board members must first be confident in their understanding about the factors that make up an effective framework.

I often hear individuals talk about the lack of demonstrable knowledge that their boards show about AML requirements and how their compliance framework incorporates them. At times, there also appears to be a limited understanding by some board members of what the ‘risk appetite’ of the business is (i.e. how much business with high-risk AML traits the organisation is prepared to take on, given the compliance costs and risks involved) and how this is incorporated into the compliance framework.


I think there have been a number of reasons for these perceptions. One reason is the ‘bad news gets no views’ approach to AML compliance board reporting.

This is where considerable time is spent by those who write, review and sign off on AML compliance board reports to remove, downplay or re-characterise deficiencies, regulatory breaches and other problems. In some cases, a high degree of sensitivity over potential regulatory scrutiny of these reports (i.e. during an onsite examination) has resulted in more effort being thrown into avoiding mentioning bad news rather than in providing the board with the full picture. This, in some cases, has led to board members and, in particular, non-executive directors, being given a false sense of assurance that the AML compliance framework is working as it should.

Another reason for this is a perceived lack of board ownership over AML compliance reports. In these situations, the AML compliance function appears to be deciding what information the board needs to receive. The problem here is that what the AML compliance function thinks the board needs to know may not necessarily align with what the board members themselves actually need to know in order to fulfil their oversight role effectively.

Empowering the board to provide effective oversight

Clearly, board members do not want to be left in the dark when it comes to AML risks and how they are being mitigated by the organisations they oversee. Equally, boards do not want to be lulled into a false sense of confidence because they are not receiving the right information. So, what might be a starting point?

The first is one that has been mentioned many times in the past – the tone at the top. Board members should take pause and consider whether past dialogue with the AML compliance function has encouraged a complete and transparent dialogue around framework deficiencies. While regulators expect the heads of AML compliance functions to have direct access to the board, board members should consider how often those interactions have taken place and whether they have included the canvassing of potential AML risks or concerns.


But in order to have a meaningful dialogue, an up-to-date level of AML knowledge is essential. So, the next step might be for board members to request a practical briefing from the AML compliance function on the AML regulations that apply to the organisation and, in particular, the specific obligations identified in those regulations attributable to the board. Next comes a level of awareness about the AML compliance framework adopted by the organisation and who across the various lines of business is accountable for ensuring that the framework is applied.

And finally, board members might consider the reports they receive and the information in them. Look at the most recent AML compliance report and ask: Why is this information being provided to the board? How does this help the board to understand whether the AML compliance framework is effective? How does this help the board to identify new or evolving AML risks? What additional/different information might assist the board to better understand these matters?

Possible questions to ask in the future

With the many regulatory initiatives underway, such as the transposition of the 4AMLD here in Europe, now may be the time for boards to refresh the way in which they fulfil their AML oversight obligations. By having a firmer grasp on the practical aspects of AML requirements, board members can start to learn how to ask the right questions. Because, without understanding the basics, boards are at risk of being drowned with unhelpful bar charts and data in reports that fail to clearly indicate underlying AML risks, both regulatory and operational, for their organisation.

The following are some high-level examples of the types of questions and information that board members might consider requesting about activities that form a part of their organisation’s AML compliance framework:

Introduction of new AML regulatory requirements: What are the key requirements that have been introduced? What are the options to incorporate these changes into the existing AML compliance framework? What impact might those options have on day-to-day operations? Can existing controls or measures be capitalised upon to incorporate these changes? What is the roll-out plan and estimated time of completion?

AML compliance framework: Has an AML risk assessment of the business been undertaken? How are the results incorporated into the organisation’s AML framework? What methodology is used to classify activities as ‘high’ versus ‘low’ risk? What are the operational consequences of classifying activities or customers as high risk? Based on the assessment’s results, what is the risk appetite of the business (i.e. at what point are we prepared to say ‘no’ to taking on a customer/new business relationship)?

Customer risk profiles: What sector of the organisation’s customer base is classified ‘high-risk’? Are they concentrated in one or two particular lines of business or spread evenly across the organisation? How often are these classifications reviewed to ensure they remain accurate? Has the proportion of high-risk customers changed over time due to the introduction of new products, services, geographic sales targets?

Know your customer (KYC) remediation projects: What problem is the project designed to resolve? Is this the most effective way to resolve the problem? Who ‘owns’ the project? What controls are in place to ensure that activities associated with higher risk customers are reviewed where KYC about them might be deficient or inaccurate? What additional regulatory concerns have been identified while the project was underway and how are these being managed?

Assurance activities: How is the effectiveness of the AML compliance framework assured? Which function in the organisation performs these activities? How are the results reported? How are recommended follow-up actions assessed for appropriateness? How are follow-up actions tracked to ensure their timely completion?


The next few years will see a significant amount of regulatory change that will most certainly impact upon organisations’ AML compliance frameworks. The role of the board will prove to be an integral part of ensuring that these changes not only receive strong support from the top, but that they are appropriate for the business and effective in achieving regulatory compliance and mitigation of financial crime risks.

Enhancing the board members’ knowledge of AML requirements will bolster their ability to ensure that the board receives the information needed to make informed decisions about the organisation’s AML compliance framework. Taking greater ownership around the reporting it receives also sends a strong message to the organisation as a whole that the board truly takes its oversight role in this area seriously.


1. For the purposes of this article, the term ‘AML compliance framework’ includes the organisation’s anti-financial crime-related policies, procedures and controls.


Ethical Boardroom is a premier website dedicated to providing the latest news, insights, and analyses on corporate governance, sustainability, and boardroom practices.
