Increase of the importance of internal audits in AML and CTF Efforts

The Fight Against Money Laundering and Terrorist Financing Requires a Digital Revolution in Internal Audit Work.

The globalization of banking activity and financial crimes requires regulatory changes and a fresh look at the role of the internal audit and how it is carried out.

Israeli and international regulations define the duties of the internal audit in the fight against money laundering, terrorist financing and corruption and impose upon it extensive responsibility for maintaining more effective systems of internal controls.

The obligations that apply to the internal audit of financial entities in the fight against money laundering and terrorist financing are enshrined in Israeli regulations, inter alia, within the framework of the Bank of Israel’s “Proper Conduct of Banking Business 308”, which deals with compliance, and the compliance function in a banking corporation, in the Stock Exchange regulations, and the Circular of the Capital Market, Insurance and Savings Authority regarding the management of money laundering risks and terrorist financing in institutional bodies. In recent years, international regulations have expanded the responsibility of internal audit in this struggle within the framework of the USA PATRIOT Act, the Bank Secrecy Act, and The Office of Foreign Assets Control of the US Department of the Treasury. The entities to which such regulations refer are banks, brokerage firms, financial service providers, insurance companies, and investment companies.

This article reviews the increasing role of the internal audit function in the fight against money laundering and terrorist financing in global financial activities.

It is clear from Israeli and international regulations, that the Internal Audit is expected to play a crucial role in the fight against money laundering.


What is Money Laundering?

Money laundering is defined as the process by which illegally got money is presented to the system as a legitimate source. The illegal activity to which the law refers is an activity defined in the context of “original offenses” (inter alia, bribery, corruption, trafficking of human beings, trafficking of drugs, illegal gambling, trafficking of illegal arms, activities aimed at tax evasion and more). Unlike money laundering, terrorist financing activities can also be funded from a source of legal money but to be used for support terrorist activity.

Later in this article, both money laundering and terrorist financing activities will be termed “money laundering.” Money laundering can be identified in three phases:


Placement phase:

The phase at which money is injected into the financial system.


Layering phase

The phase at which steps are taken to disguise the source of the money.


Integration phase

The phase at which the money is withdrawn in its new form, the “cleaned” stage, by the offender.

Money laundering is an increasingly international phenomenon that has devastating effects on the global economy, especially on developing and vulnerable economies. The prevalence of money laundering has troubled regulators, banks, and financial entities around the world.

According to publications of the Israel Money and Terror Financing Prohibition Authority and worldwide financial intelligence units, money laundering, organized crime, corruption, tax fraud, and other major crimes have not decreased in recent years but have become more prevalent. The basic goals of money laundering are not different today than in the past, but today, money laundering lives in a global environment of technological developments that facilitate the concealment and camouflage of illegal funds.


Use of Technological Tools and Artificial Intelligence by the Internal Auditing Function

The volume of activity and the number of records in financial organizations world-wide is growing year by year.

Financial institutions typically have statutory monitoring systems to identify suspicious activity that deviates from the law or the defined range.

This range usually refers to amounts defined by law as amounts to be reported vis-à-vis the nature of the activity, activity with certain countries, comparison of a client’s financial activity to previous periods, or activity compared to other clients operating in the same business sector. However, notwithstanding the investment of significant financial resources in improving information and reports, over 95% of all alerts flagged by the system are closed as “false-positive results” and do not lead to the reporting of suspicious transactions (a false-positive result is a result flagged by the monitoring system that identifies anomalies that suggest the possibility of money laundering activity, but after a more detailed examination, said are solely routine transactions.

To allow for the accuracy of audit results and a comprehensive and accurate analysis that would support increasing the ability to identify and address risks across the organization, the reality must change. Innovative approaches and systems such as artificial intelligence must replace sample-based auditing, manual processes, and outdated monitoring systems.

Thus, it will be possible to increase efficiency, cover more information and data and do so in less time and with fewer resources.

Artificial intelligence systems can detect anomalies in customer’s behavior, by identifying and analyzing all entities involved in customer activity, analyzing complex transactions with countless criteria, and identifying potential money laundering patterns at all stages of the money laundering process.

However, in embedding anti-money laundering technology in an organization based on artificial intelligence, minimal customization of system settings is insufficient, especially in the era characterized by increased regulatory oversight, a rapidly changing legislative environment, and criminals finding new ways of money laundering.

In order to ensure that the activity monitoring systems function properly and as expected, the internal audit must assess the organization’s readiness, inter alia, for the following challenges:

  1. Rapid adaptation of systems to new and more stringent regulatory standards.
  2. Providing a solution for identifying breakdowns in data integrity, quality and in loading data by verifying mapping and identifying information integrity required from different systems and relevant processes.
  3. Incomplete or inaccurate information will undermine the ability of a transaction monitoring system to operate optimally. Ongoing verification that the definitions and criteria defined in the system comply with the requirements and expectations of the regulator, as well as topological analysis insights within the organization itself and financial organizations in Israel and abroad.
  1. The processes and controls that support technologies must address the transparency requirements. Specific areas of focus include, inter alia, testing the effectiveness of the system, defining the requirements for recovery and backup, as well as addressing information security requirements and privacy protection considerations.


The Rapid Development and Technological Complexity in the Fight Against Money Laundering, Create a Knowledge Gap for the Internal Auditor

The rapid development and technological complexity in the fight against money laundering create a knowledge gap for the internal auditor. In today’s business environment, the internal auditor should be intimately familiar with the operation of such systems. Accordingly, a shift to a wider use of information technologies for monitoring transactions and sanctions and the identification of money laundering and terrorist financing topologies requires an integrated team of regulatory experts, business activity experts, and analysts, and no less important – information systems experts.

If an organization is embedding any new anti-money laundering technology, the role of the internal auditor is to take on additional and expanded dimensions to oversee organizational change in management testing strategies.

During the embedding phase, the internal audit must ensure that the system’s embedding meets the requirements, including all areas affected by the technology on the organization’s activity vis-à-vis customers, reporting settings, and more.

Inter alia, the internal audit will consider whether sufficient comprehensive tests have been made in the organization to ensure that the system operates as planned; whether the data is accurate and complete; and have all interfaces required from the organization’s information systems been defined to enable effective monitoring. The internal audit should assess the potential limitations of the system and evaluate the operation of the system across a variety of input values, by accepting user tests to identify and reduce the possibility of obtaining “false negative” results when movement and/or sequence of movements will not flag the warnings required to identify exceptional activities in the system. On the other hand, the possibility of “false positives” should be reduced – in order to avoid receiving multiple alerts that do not indicate an abnormal activity.


Proactive and Initiated Audit review

One of the roles of the internal audit is to support the process of enforcing regulations, inter alia, because of the internal auditor’s expressed proficiency in the organization’s activities. However, it is rare that the internal audit identifies and reports allegedly money laundering activities.

It is difficult to determine with certainty whether the internal audit considers itself as having a preventive role in the fight against money laundering. However, there seems to be a somewhat contradictory approach from the regulators’ expectations in the world to identify money laundering incidents during audits.

Institute of Internal Auditors Standard 2100 states that “the internal audit must evaluate and contribute to the improvement of corporate governance processes, risk management and control processes of the organization, through the use of a systematic, institutionalized, and risk-based approach. The credibility and value of the internal audit increase when the auditors are proactive, and their assessments offer new insights and address future impacts.”


In Summary

As with most offenses, offenders will look for new methods when one money laundering method becomes more challenging to commit. As legislation becomes more stringent and financial institutions have strengthened their monitoring processes, respectively, the methods of operation of offenders have changed. Accordingly, in the oft-changing reality, the internal audit cannot afford the case of its efforts being slow and reactive, and that it will generate lessons for weeks and sometimes even months after the findings have been identified.

Reality requires the internal audit to act quickly, adjust the audit plan promptly and frequently, identify the past, and understand what important tomorrow will be. All this will be possible thanks to an integrated team of experts in the fields of regulation, business, analysts, and information systems experts, all the while working with intelligent information and artificial intelligence Systems.


By Diana Glantz, CPA (Isr)| AML @ Financial Compliance Expert

Recent Posts