Five more quick wins for financial crime compliance
In January, we published seven quick wins for financial crime compliance which outlined common areas of non-compliance that should be relatively easy to address. Below, we have identified five new quick wins, as well as highlighting some areas of non-compliance that we continue to see.
By reviewing and addressing these areas, you can enhance the effectiveness of your systems and controls to prevent money laundering, terrorist financing, and proliferation financing.
Risk appetite
Area of non-compliance
We see vague risk appetite statements without clearly defined parameters. We also see examples of unrealistic risk appetite statements, for example a zero or low-risk appetite where there is a high proportion of high-risk customers.
Solution
Check your risk appetite statement is sufficiently clear so the board can articulate it, and employees can understand it when deciding whether to accept new business. Ensure your book of business accurately reflects your risk appetite. If it doesn’t, this indicates your risk appetite requires review.
Proliferation financing
Area of non-compliance
We often see business risk assessments without any assessment of proliferation financing risks and mitigants.
Solution
Ensure that your business risk assessment identifies proliferation financing risks and the systems and controls implemented to manage those risks. Confirm that the cumulative effect of these risks has been considered alongside other risks identified.
Customer risk assessments
Area of non-compliance
We see instances of customer risk ratings being downgraded in the absence of a documented process, independent approval or well-articulated rationale.
Solution
Ensure you have a clear procedure setting out the circumstances in which a risk rating can be amended and who is authorised to do so. Document why it is appropriate in each case.
Policies and procedures
Area of non-compliance
We often see policies and procedures which have not been reviewed at appropriate intervals or kept up to date.
Solution
Establish a review cycle for all policies and procedures so that you can demonstrate they are being maintained. Check you have a process for updating these policies and procedures when trigger events occur. You should also document the date of any review, even if no changes are made.
Certification
Area of non-compliance
In our reviews of customer files, we frequently find that documents have not been certified in accordance with policies and procedures.
Solution
Ensure that your employees understand and follow your requirements for suitable certification, including what information should be captured, as well as when and how to verify a certifier’s details.
Other issues highlighted in our previous quick wins that we still identify in our exams in 2025:
Suspicious activity reports – date information
For internal suspicious activity reports (SARs), many entities record the date of suspicion, but the AML/CFT/CPF Codes of Practice require a record of the date the information or matter came to the employee’s attention, which might be different. Ensure this date is captured in your SAR forms. This allows the board and senior management to assess the timeliness of internal suspicious activity reports.
SAR registers – reporter information
We also see SAR registers which do not record the role of the individual making an external SAR, such as whether the person is the MLRO or Deputy MLRO, as required by the AML/CFT/CPF Codes of Practice. Check your SAR register records this information.
Screening
Maintain clear policies and procedures for conducting adverse media and open-source searches, including sanctions searches.
Screening records
Ensure search results are documented, including the rationale for discounting hits.
Exemptions from customer due diligence requirements
Ensure exemptions are only used in appropriate circumstances and document the rationale for application.
These essential components for full compliance with the AML/CFT/CPF regulatory requirements are sometimes all that is missing from otherwise comprehensive and robust systems and controls. You should check these areas to enhance the effectiveness of your financial crime prevention framework.