The word ‘inspection’ itself means the act of examining or looking at something with particular care or criticism. In the minds of anti-money laundering and compliance officers, it is most often associated with stress, uncertainty or punishment.
And these feelings are heightened when we are talking about an inspection carried out by a local authority, a supervisor, who is of course in a position of power. It is undoubtedly much more stressful than, say, an internal audit.
On the other hand, every compliance officer understands that regulatory inspection is a natural and unavoidable process that increases market transparency and clarity.
At the end of the day, such inspections add value to the market, so the attitude towards them should be balanced. The purpose of this guide is to provide confidence and to bring more clarity about the process of regulatory inspections.
Inspection process flow
How to prepare for the visit
Half of the success of a good performance at an inspection performance lies in the right preparation. If you have already been warned about an inspection, make sure you have done all your homework. This includes:
- Ensure that you have all the necessary documents
- Documents are up to date and properly signed
- Business processes are clear for staff
- There is a clear and understandable allocation of the responsibilities during the inspection (appointing a ‘project owner’ or ‘single point of contacts’ for inspection – always a good idea)
- Plan to allocate sufficient resources during the inspection – the inspection may require significant time from your team
As a general rule, maintain an optimistic outlook while simultaneously making prudent preparations for the most adverse possible outcome during the visit of the supervisor. Review the possible worst-case scenarios and think through what explanations should be provided for the supervisor in advance. In AML/CFT area there will never be 100 % compliance, the question is – how far from perfection are you and do you have a viable explanation for the supervisor.
Quality of data
It is always a good idea to contact the regulator before an inspection, as this will give you a better understanding of the regulator’s expectations in terms of what data they will need from you and how long the inspection will take.
If possible, arrange data quality assurance. The regulator may impose sanctions if the data / information provided to it is not complete or accurate.
Main organizational issues during the inspection:
- Appoint a project manager to organize the collection/provision and communication with the regulator
- Organize training for employees to raise awareness of what to expect when a supervisor visits.
- Include inspection in your planning (inspection can be time and resource consuming)
Remember that it is not uncommon for there to be misunderstandings between company staff and the inspectors during the inspection. Therefore, it is always a good idea to have a competent central contact person for the inspection – just to make sure that all the questions asked by the inspectors are understood and that the answers given really cover all the processes in the company (leaving no room for misunderstandings or misinterpretations).
During the inspection always remember the CPR rule and try to be:
The aim of the supervisor’s during an inspection is to check if the AML risk management system is functioning properly. Put yourself in the regulator’s shoes and help them understand your risk management processes and procedures – if you don’t think the questions asked or information requested will give them a complete picture of your operations, be proactive in providing additional information or explanations.
Do not bush around – regulators will sense that something is not working or is wrong and may interpret your actions as an unwillingness to cooperate or as hiding some misbehavior.
The regulator is just doing his job, respect that.
While following the CPR rule, be cautious and ensure that the information provided to the supervisor is accurate and comprehensive. If the supervisor’s questions are unclear or ambiguous, rephrase them in your own words to gain a clear understanding of the intentions of inspectors. Provide information without delay, if any additional time is needed to provide a comprehensive response – inform the inspectors of the reasons for delays. Carry out a quality assurance review of the information provided to inspectors to ensure that it is well structured and easy to understand.
Getting the report
The outcome of the inspection – the report detailing the findings of the inspection team as well as providing you information, how the inspection team will deal with those findings (if the legal requirements have been breached). The day you receive this report from your regulator is the day you make important decisions. When you have the inspection report in your hands, here is what you should do:
- Analyze the report to ensure that it contains all the facts provided by the company and that the inspection team did not misinterpret the data provided
- If you find that not all the necessary data has been provided to the inspection team, leading to a potential misunderstanding of existing processes, initiate the process of gathering additional data to be submitted to the supervisor with additional explanations
- Prepare the remediation plan to address the findings identified in the inspection report
- Initiate necessary changes to address findings as soon as possible
- Prepare the response to the inspection report, including additional data, explanations, findings remediation plan, evidence that improvements have already been made (if any)
- Keep the regulator informed of improvements made (provide evidence)
Here are some of the mitigating circumstances that can really do miracles:
- Voluntary avoidance of the occurrence of negative consequences of the breach
- Cooperating with the regulator, actively assisting in the conduct of an inspection and determining the circumstances of the breach
- Voluntary written notification of the breach and termination of the inappropriate behavior
- Acknowledgement of the violation (it should be sincere)
- Voluntary measures to prevent the same or a similar type of violation from being committed in the future and these measures should be taken prior regulator’s instructions (on the company’s initiative)
Pick your battles
Focus on the most serious/significant findings and don’t get bogged down in lengthy discussions of minor findings.
Disagreeing just for the sake of disagreeing puts you in a negative light.
After the inspection
The period after the inspection should not be seen as the start of your tasks. If you see that the inspection team is highlighting some weaknesses in your processes during the inspection, prioritize addressing these weaknesses during the inspection. This proactive approach will be viewed favorably. The inspection report will indicate the tasks that should be undertaken immediately and prioritized to demonstrate your approach to the risk awareness and compliance. The final decisions of the regulator, unless they involve the revocation of the license, are the way forward for the company for the next 3-6 months. This will provide you with a last opportunity to demonstrate to the supervisor your commitment to compliance. Do not miss this opportunity.
Here are some ideas that you can start implementing immediately during the inspection, or after the inspection is complete and you have received the inspection report:
- Ask for the closing meeting with the regulator before the end of the inspection to understand the preliminary AML/CFT control flaws indicated by inspection team
- Prepare the findings remediation plan
- Initiate necessary changes immediately (during the inspection if possible)
- Communicate proactively with supervisor, report on progress, invite to visit the company
- Carry out an independent AML/CFT audit to assure the supervisor that improvements are actually being implemented in the internal processes, and provide them to the supervisor.
Our experience over the years has shown that there are 4 most common compliance breaches that regulators find in financial institutions. And those breaches are:
- Inadequate Know Your Customer (KYC) procedures. I.e., not enough information is collected about the customer and therefore the level of risk is not properly assessed
- Inadequate monitoring of customer relationships. For example, when monitoring customers from high-risk countries or politically exposed persons.
- Improperly conducted investigations of suspicious money transactions or mistakes when informing the FIU of such investigations
- Failure to designate senior managers to manage AML/CFT procedures and communicate with the FIU.
The supervisor will also give significant weight to the company’s approach, including its management’s response, to the breaches identified. In most cases the supervisor will not tolerate “wilful blindness”, although it is difficult to prove.
In other words, if you try to cut corners on compliance, you should be prepared to face the consequences. The history of regulatory fines tells us that non-compliance is not a cost-effective choice. So it is up to you to choose your weapons wisely, but we believe that it is always worth analyzing the flaws and focusing on solving them, rather than getting bogged down in the details of later dialogue with the supervisor.
Regulatory regimes vary from country to country. AMLYZE is based in Vilnius, Lithuania, so most of this guide complies with Lithuanian and EU laws. Therefore, the decisions based on the advice written here should be taken with the appropriate precautions and in accordance with local laws.