The Financial Services Commission of Mauritius (FSC) issued an Anti-Money Laundering and Combatting the Financing of Terrorism (AML/CFT) Handbook on 13 January 2020, which provides guidelines to its licensees on how to combat money laundering and terrorist financing as set out in local legislation, namely the Financial Intelligence and Anti-Money Laundering Act 2002 (FIAMLA) and the Financial Intelligence and Anti-Money Laundering Regulations 2018 (FIAML Regulations 2018). The Handbook aims to shed light on the FSC’s expectations and further helps licensees assess the adequacy of their internal systems and controls and remedy any deficiencies. As the Handbook provides in its clause 1.4, the guidance therein is not enforceable per se, but to the extent that a licensee follows it, it would tend to indicate compliance with the AML/CFT legislative provisions.
On 31 March 2021, the FSC amended the AML/CFT Handbook to include a new chapter 13 entitled “Independent Audit” and additional provisions in chapter 4 (Risk Based Approach) on implementing an adequate business risk assessment. In a communiqué, the FSC considers the independent audit and the business risk assessment as being two important components of the AML/CFT compliance programme that its licensees are required to comply with.
In chapter 4, clause 4.3 entitled “Business Risk Assessment” has been amended to provide that the ultimate responsibility for business risk assessment and an effective internal compliance culture lies with the board of directors. It goes on to provide that management, compliance and risk management should all work together in performing business risk assessment. Primarily, responsibility for the quality and execution of the risk analysis lies with the first line of defence, as the risks would first manifest themselves there. It further provides that since risk management requires a systematic approach, it is a cyclical process; it involves identification, analysis and testing of the effectiveness of controls at regular intervals. Neither risk nor the internal and external environment within which the business operates is static. It is therefore imperative to identify the vulnerabilities, maintain an up-to-date understanding of these risks, and develop and implement appropriate strategies to mitigate and control those identified risks. Where not all risk elements have been considered in conducting the business risk assessment, the licensee will have to demonstrate how effective and robust its risk assessment is in line with its inherent risks and vulnerabilities, and the FSC will assess the extent to which the business risk assessment reflects the residual risks faced by such a licensee.
The new chapter 13 entitled “Independent Audit” is designed to assist licensees in meeting their regulatory and legal requirements through an independent compliance audit. It is apposite to note that Regulation 22(1)(d) of the FIAML Regulations 2018 requires financial institutions to put in place an audit function to review and verify compliance and effectiveness of the measures taken in accordance with FIAMLA and FIAML Regulations 2018. There is therefore a statutory obligation to have in place an audit function which will allow the licensee to evaluate its AML/CFT programme and ascertain whether the established policies, procedures, systems and controls are adapted to the risks identified. Chapter 13 provides that an AML/CFT independent audit is a vital element of any effective compliance programme. Such an audit, which should be risk-based, in line with international best practices, allows a view to be formed on the overall integrity and effectiveness of the AML/CFT programme in place. It further helps to recognize deficiencies in regulatory compliance systems and develop ways to remedy such shortcomings. The audit will inter alia involve obtaining a good understanding of the licensee’s business, reviewing relevant core documents, file testing, testing the live application of policies and procedures, and interviewing a cross-section of players. The audit process must have sufficient depth and breadth to support its findings. Clause 13.5 sets out the key components of the AML/CFT programme which the independent audit should cover.
The frequency and extent of the independent audit should be commensurate with the licensee’s size, nature, context, complexity and internal risk assessment. Such an audit should be carried out at least once annually or whenever there are material changes either to the licensee or to the legal and regulatory framework. The audit should result in a written report with potential failings and a recommended course of action. The findings of such a report, highlighting the recommendations and deficiencies, should be reported to senior management and to the board of directors. The board has the responsibility to take appropriate corrective actions.