Financial Services Internal Audit Planning Priorities 2022

Below we highlight areas that are new to Internal Audit, as well as those we believe will receive greater focus in 2022. We hope this informs your 2022 planning and assurance approach.

1.1. Exchange of Information Compliance

Tax authorities are now receiving large amounts of taxpayer information, including information about interest earned or credited to accounts of residents, both from domestic Financial Institutions and from counterparty tax authorities (for instance via the Foreign Account Tax Compliance Act (FATCA) and Common Reporting Standard (CRS) regimes).

Tax authorities are analysing this data and using the results to launch enquiries, populate domestic tax returns, and even help collect domestic tax debt using overseas assets. This puts pressure on Financial Institutions to ensure that they have robust policies and procedures in place in relation to the customer data that is being reported. If institutions are not able to evidence this, they run the risk of suffering penalties and incurring reputational damage, both with tax authorities and their own customers.

Pressure from the Organisation for Economic Co-operation and Development (OECD) is driving tax authorities worldwide to increase their scrutiny of information exchange in their jurisdictions. This is particularly the case in jurisdictions where such audits have not occurred historically. Financial groups can expect review projects to be group-wide.

Area of Focus

FATCA and CRS audits

Tax authorities are now focusing on the quality of FATCA and CRS compliance. Approaches vary, but all are expecting to see proper policies and procedures documentation and a robust audit trail supporting the filing position taken and reports submitted to date. Internal Audit should assess the processes in place that help organisations meet these requirements and where they do not, understand the approach in place to bridge the gap.

New challenges for Financial Institutions

In many cases, Financial Institutions will already have an embedded process for handling and sharing client data when it has been legally requested. Considering these new challenges, Internal Audit should obtain comfort that these processes will be reassessed, the relevant teams trained, and senior Management oversight reinforced.

No safe havens

Customer awareness of data shared with tax authorities is likely to increase. Internal Audit should assess the robustness of processes, procedures, and audit trails in relation to customer data that is reported.

1.2. Fraud Risk Management

High profile fraud perpetrated by senior Management and staff is becoming more commonplace, leading to many organisations suffering both financially and reputationally. With the COVID-19 pandemic driving a potential widescale move to remote working, there has also been a surge in external fraud and scams, ranging from identity theft and cyber fraud to the manipulation of COVID-19 Government support schemes. Against this backdrop, Government and Regulators are placing increased focus on strengthening the responsibility and accountability of those charged with governance for the prevention and detection of fraud.

COVID-19 pandemic implications: In the current environment, firms may be more susceptible to fraud risk both internally and externally as they seek to “improve” financial results, and as fraudsters become more sophisticated in scamming unsuspecting consumers. There has also been an increased fraud risk due to the change in working conditions and the remote working required as a result of the COVID-19 pandemic. In addition, there has been significant concern over potential large-scale fraud arising from pandemic related Government support schemes. Firms have been working to evolve their fraud risk mitigation strategies to account for these implications.

The fraud strategy covers several aspects, including how the authorities will work with other agencies and how recommendations from independent reviews relating to proactive surveillance, triage and intervention will be addressed. Online platforms such as social media and search engines are particular areas that can put consumers at risk of fraud.

Area of Focus

Consider the risk assessment

Ongoing risk assessment that is sufficient to identify risks that can lead to material fraud is a key step in a firm’s approach to mitigating fraud risk. Internal Audit should consider challenging the process by which relevant fraud risks and controls are identified, how the risk assessment is performed consistently across all business areas and locations, how the current and future business environment may give rise to new fraud risks, any third-party fraud risks, and the governance process applied to ensure the risk assessments stay up to date. Given the ongoing pandemic, Internal Audit should also challenge Management on how they have adapted their risk assessment to take into account new risks that may have emerged.

Assess the design of the framework

As well as the risk assessment, robust fraud risk frameworks require several key foundations in order to be successful. This includes using the risk assessment to determine appropriate policies, processes and controls in order to mitigate the identified risks within risk appetite. This may involve the use of specialists in certain areas, implementing automated controls and embedding a robust process to investigate and resolve any identified fraud. Internal Audit may consider challenging the design and operating effectiveness of the controls in place, including how these have operated when fraud has been attempted or detected. Internal Audit should also consider how the design of the framework has been adapted to changes in the environment, for example, the pandemic.

Challenge governance and sustainability

Fraud tactics continually change; they become more sophisticated and find new methods to commit fraud. Therefore, organisations should not become complacent after they have made the necessary improvements to their fraud risk framework. As fraud methods evolve, businesses should frequently assess where they have vulnerabilities and address them, using First Line internal control functions and external specialist teams to continuously monitor performance of the framework and identify gaps or ineffective processes. Internal Audit should consider challenging the processes by which this exercise is performed, and the governance applied. Keeping the framework up to date is likely to be a key area of focus going forward.

1.3. Tax Governance and Control Framework

In addition to ensuring that tax risks across the business are being appropriately mitigated, a robust tax control framework supports a host of regulatory requirements as well as any narrative or numerical disclosures which are published outside of the group.

Meanwhile, the volume of voluntary tax transparency disclosure is increasing and it is critical that this is supported by an appropriate control framework and governance over the collection, analysis and publication of data. Failure to put in place, maintain and demonstrate an effective tax control framework can lead to financial uncertainty and penalties for the business and/or group, reputational damage, personal financial (and in some cases criminal) exposure for senior individuals and wasted Management time.

The following recent and upcoming regulatory changes mean that tax should remain a focus area for Internal Audit.

  • Directive on Administrative Cooperation (DAC6)—Following the implementation of DAC6 across the EU from 1 January 2021, companies should now have appropriate processes and controls in place to capture, analyse and, where necessary, report certain cross-border arrangements within the 30-day deadline.
  • Public Country by Country Reporting (CBCR)—The Global Reporting Initiative’s (GRI) new reporting standard on tax (GRI-207) came into effect for publications from 1 January 2021. Groups for whom this applies are required to publish narrative on a range of tax management topics and also publicly disclose their CBCR information. Although not yet in force, the EU have also agreed in principle that groups who report their CBCR to tax authorities should also publicly disclose their CBCR information for both EU countries and those countries which are on the EU’s ‘Black’ and ‘Grey’ lists.
  • Other Tax Transparency Initiatives—As part of the move towards wider transparency and accountability on Environmental, Social and Governance (ESG) matters, there are a wide range of tax transparency (and broader) initiatives which groups/businesses may opt to sign up to. One such initiative comes from the World Economic Forum (WEF) whose tax metric requires groups to publish their global taxes borne figure, broken down by type of tax. Further expanded metrics also suggest including taxes collected and showing these figures by country.

Area of Focus

Compliance with changing legislation

Understand the approach taken by tax functions to determine the way in which new rules (e.g. DAC6) will impact the group and/or business.

Use this understanding to prioritise Internal Audit activity around approach to tax compliance and the control environment in place.

Governance framework

Review the governance framework around policies, risk registers and solutions to monitor changes in tax rules and those that are planned to be implemented in readiness for new rules coming into force (e.g. DAC6).

Ensure that the governance framework supports any narrative or numerical disclosures which are being made externally.

Rolling programme of testing​

Develop a risk-based audit plan covering the different areas of tax and the firm’s monitoring and testing processes over the operation of its tax control framework, including rotation/coverage by tax territory.

Leverage subject matter expertise

Subject matter specialists with the necessary expertise should be engaged to support audit planning and/or to carry out testing and reporting.

1.4. Ethical and Responsible Artificial Intelligence

Post COVID-19, the use of Artificial Intelligence (AI) in financial services (FS) is set to increase, driven by customers’ demand for digital services, cost pressures, and the need to boost operational efficiencies. But the pandemic also highlighted that as the adoption of AI in FS grows, so will the risks. For example, COVID-19 highlighted model drift (i.e. degradation) as one of the key challenges firms should address as part of their model risk management frameworks. In addition, where AI applications directly affect customer outcomes and/or use personal data, they can give rise to data protection, conduct, and ethical risks. As a result, EU regulators and supervisors continue to focus on ensuring that the deployment of AI is trustworthy: i.e. robust, compliant, and ethical.

At the end of April 2021, the EU published the proposed AI Act, which sets out a comprehensive legislative framework for trustworthy AI. Providers and users of high-risk AI systems will have to comply with stringent rules before and after the marketing or use of those systems. They will also be subject to conformity assessments, registration requirements, and potentially significant fines for non-compliance. Some AI systems used in FS will be in scope and treated as high-risk—e.g., those used to evaluate a person's creditworthiness, and to monitor and evaluate work performance and behaviour. The AI Act will also apply to organisations providing or using AI systems located outside the EU if their AI systems affect individuals in the EU. We expect the EU to finalise the rules by 2023/2024.

In June 2021, the European Insurance and Occupational Pensions Authority’s (EIOPA’s) Consultative Expert Group published a report on AI governance principles to support ethical and trustworthy AI in the European insurance sector. The principles are proportionality, fairness and non-discrimination, transparency and explainability, human oversight, data governance and record-keeping, and robustness and performance.

Area of Focus

AI governance, risk management and ethical frameworks

Internal Audit should:

  • Assess whether the firm has a clear definition of AI and maintains an up-to-date inventory of all its AI systems on an ongoing basis;
  • Verify that the firm has an effective AI ethical framework to identify, assess and choose the right course of action in relation to risks, opportunities and moral issues raised by AI (e.g. trade-offs between individuals’ privacy and the breadth of data required for enhanced AI accuracy);
  • Verify that the firm’s risk appetite, governance and risk management frameworks and practices consider the particular context and risk associated with each individual AI use case (i.e. a defined approach to implementing AI within the business); and
  • Assess whether the skills, knowledge and diversity of Boards, Compliance and AI Design teams are sufficient to review and establish compliance with regulatory requirements, apply ethical judgements, and understand customer outcomes.

Comprehensive and integrated approach to conduct, data protection and ethics

Internal Audit should:

  • Verify that the firm’s roles and responsibilities and model risk management practices support a comprehensive approach to, and compliance with, both conduct and data protection requirements across the AI system’s lifecycle;
  • Verify that conduct, data protection, and AI ethics requirements are considered as part of each AI system’s design phase; and
  • Assess whether AI technical and business requirements are compatible with relevant regulatory obligations and the firm’s ethical principles and risk appetite.

1.5. Electronic and Algorithmic Trading

Trading algorithms continue to play a large and important role within Capital Markets globally. However, alongside their benefits, they have the potential to initiate or escalate market disruption. The risk of algorithms malfunctioning has wide-ranging consequences for all stakeholders involved, which could include the possibility of financial loss, damage to firms’ reputations and severe disruption to financial markets. Regulators are placing greater scrutiny on firms to ensure that the use of algorithms supports appropriate compliance with regulations, with some notable developments over the past year as noted below.

European Securities and Markets Authority: In December 2020, the European Securities & Markets Authority (ESMA) launched a consultation on proposed changes to Markets in Financial Instruments Directive (MiFID) II—Regulatory Technical Standard (RTS) 6, which describes the governance and control requirements on firms conducting Algorithmic Trading. ESMA has made several recommendations, which include defining the term ‘disorderly trading’ in the context of capital markets, changing the nature and format of the annual self-assessment and making it biennial, and potentially including Systematic Internalisers (SIs) under the scope of RTS 6. The testing and validation of algorithms has also been under review, as ESMA has a stated aim of improving how firms test their algorithms, in particular through ‘behavioural testing’. The consultation has closed for submissions, with final changes due in H2 2021.

Global FX Code: The Global FX Committee is expected to share the results of its three-year review of the FX Global Code (FXGC). It is expected that the changes will cover the following areas: anonymous trading, algorithmic trading and transaction cost analysis, disclosures and settlement risk. Changes are proposed to 10 out of the 55 principles of the FXGC, and additional guidance will be provided around each of those scope areas.

Area of Focus

Governance and control framework

Assess the governance structure to ensure key roles and responsibilities in respect of electronic and algorithmic trading are clearly defined at each level, including Audit and Risk Committees, Algorithm Steering Committee and business-level Management.

Assess how the organisation has interpreted regulations relating to algorithms and evaluate whether there are appropriate policies and procedures in place to meet current and emerging regulatory requirements.

Challenge Management on their ability to understand and assess algorithm risks and to map algorithm risks and controls to regulatory requirements.

Review the risk and control framework and assess the adequacy of policies and procedures relative to testing and deployment, controls, monitoring and training across the business.

Review the control framework in light of new developments from ESMA and the FXGC.

Risk management and regulatory developments

  • Evaluate algorithm risk assessments in the light of recent market volatility.
  • Assess the design of algorithm controls and re-evaluate their effectiveness in stressed market conditions.
  • Evaluate the appropriateness of control settings in different market conditions and the parameters that the control can be set to without requiring authorisation.
  • Evaluate who should have authority to change the setting of the control.
  • Review the escalation process for changing control settings.
  • Understand what your organisation is doing to maintain its awareness of regulatory developments that may impact your use of algorithms.

Testing and validation

  • Evaluate the appropriateness of assumptions and parameters used in previous testing.
  • Focus reviews on scenarios that are likely to occur in volatile markets.
  • Consider the potential impact of your organisation’s algorithms functioning improperly and revise definitions of ‘worst case’ scenarios.
  • Ensure that all control gaps identified have remedial actions in place, that the actions are appropriate to remediate the issue, and that the timelines for remediation are reasonable.

1.6. Operational Resilience

Businesses’ ability to react to crises and changes in working conditions continues to grow in importance, and the successful enaction of operational resilience plans played a key part in enabling the financial services industry to adjust to a remote working environment, in which many have remained over the course of 2021. The COVID-19 pandemic is a timely reminder of the changing world in which we live, and of the need for organisations to be able to manage challenging circumstances and events successfully and effectively. The previous 18 months have tested firms’ resilience to the limit, and this experience can be leveraged to enable a stronger and more successful response to the next potentially disruptive event. Operational Resilience remains a key regulatory hot topic now and into the future, and all enhanced supervision firms need to demonstrate that a full assessment of their operational resilience has been completed and that vulnerabilities have been identified with a view to rectifying them as a high priority. Even organisations which are not directly captured by the regulation should consider compliance before the Regulators increase the scope of coverage, and recognise that adoption represents resilience good practice regardless of regulatory obligations.

Businesses are expected to have designed and implemented their framework, followed by a three-year timeline during which firms are expected to carry out the necessary remediations to their systems and processes, to ensure that there are no instances where they are likely to fall outside of impact tolerance when stress testing their important business services under severe but plausible scenarios. Firms are likely to be running their operational resilience programmes over this entire period, to ensure they have sound, effective and comprehensive strategies, processes and systems in place to address the risk of operational disruptions.

Per the Regulator, firms should, as soon as reasonably practicable after 31 March 2022 and no later than 31 March 2025, have:

  • Performed mapping and testing to enable them to remain within impact tolerances for each important business service; and
  • Made the necessary investments to remediate where required and ensure they are operating consistently within impact tolerances.

Internal Audit needs to support firms both in the short term and over the longer term, to support the build out and maturity of the Operational Resilience Framework.

Short term: readiness assessments: Internal Audit’s primary focus should be to assess the firm’s operational readiness to meet the operational resilience requirements set out by the Regulators. This may include a gap analysis against the policy statements and should consider the documentation and evidence supervisory authorities expect to be in place by this date, for example, as follows:

  • Review how the firm has interpreted the regulation and taken actions in response to this;
  • Assess the adequacy of the firm’s operational resilience project and programme governance;
  • Review the roles and responsibilities which relate to operational resilience, including the Board’s understanding of its own responsibilities and where their sign-off is required;
  • Challenge Management’s selection of important business services and associated rationale;
  • Assess the robustness of Management’s process mapping, including documentation of the people, processes, technology, facilities, information and third parties;
  • Ensure that Management has set appropriate impact tolerances; and
  • Review the severe but plausible scenarios and stress-testing approach adopted.

Longer term: building maturity: the role of Internal Audit should move to more holistic, thematic-based formats, challenging stakeholders over the validity and accuracy of outputs in line with changes in the external environment and the maturing of the Operational Resilience Framework. Ultimately, operating within an acceptable tolerance (i.e. within a tolerable level of impact) will be the focus for firms—whether that is achieved through effective recovery, substitution of service, alternative procedures or a combination of all three.

1.7. IBOR Reform

Since the London Interbank Offered Rate (LIBOR) transition was first announced in 2017, there has been a significant market challenge given the widespread use of LIBOR across products and functions within financial services firms and corporates. As we fast approach the transition deadline at the end of 2021 for most currencies and tenors of LIBOR, the pressure on firms to be ready is increasing. Many firms will be well-progressed in their transition planning, but as we approach the deadline, global regulatory scrutiny is ever increasing. Given the short time period remaining until the transition date, firms should be well progressed in areas such as offering new products to clients, amending existing controls to support alternative Risk-Free Rates (RFRs) and updating systems and processes to enable non-LIBOR business. We also expect firms to be paying close attention to regulatory milestones set out by the Alternative Reference Rates Committee (ARRC) and other relevant regulatory and industry bodies.

Timing of LIBOR cessation: The publication of overnight and 1, 3, 6 and 12-month USD LIBOR will continue until 30 June 2023, whereas all other tenors and currencies will cease at the end of 2021. For some institutions and their clients, this will delay the urgency of transition. However, supervisory guidance is clear that this extended end date is intended to allow legacy contracts to mature and should not be used as a basis to continue writing new USD LIBOR contracts after 2021.

Milestones for ceasing issue of new LIBOR business: Across the LIBOR currencies, milestones to cease the issuance of new LIBOR contracts have been set with limited exemptions permitted (e.g., for risk management purposes). For GBP, no new loans, bonds, securitisations or linear derivatives should have been entered into after the end of Q1 2021. By the end of Q2 2021 no new business loans, securitisations (excluding collateralised loan obligations) or derivatives that increase LIBOR risk should be entered into referencing USD LIBOR. Regulatory guidance for USD LIBOR has emphasised that new business should cease as soon as practically possible, but no later than the end of 2021. For JPY LIBOR, loans and bonds should cease by the end of Q2 2021 and derivatives by the end of Q3 2021. Market participants should be ready for new business referencing RFRs as liquidity may shift rapidly as the end of 2021 approaches, noting that this has already moved for certain products and currencies.

Forward-looking term RFRs: Progress has been made on the publication of forward-looking term rates for use in contracts. In May 2021 the ARRC announced that it planned to select the CME Group as the administrator for the forward-looking Secured Overnight Financing Rate (SOFR) term rate, once various market indicators (such as a sufficient increase in the offering of SOFR cash products) are met. Term Sterling Overnight Index Average (SONIA) has been available for use since January 2021 and Term Tokyo Overnight Average Rate (TONAR) for JPY since April 2021. For USD, Term SOFR is the first step in the ARRC-recommended hard-wired fallback ‘waterfall’ for cash products, so this is likely to aid transition of legacy contracts.

Increased regulatory scrutiny: As the end of 2021 approaches, supervisory bodies are focusing on the execution of LIBOR transition and are increasing expectations of updates and demonstrable evidence of progress being made. As firms move into transitioning existing LIBOR referencing business, they will need to be able to demonstrate on a more frequent basis that exposures to LIBOR are being reduced, that there is a clear path to migration away from LIBOR and that plans are in place to deal with contracts that are difficult to transition (i.e., due to tough legacy issues).

Programme flexibility: The impact of the current environment has led to a shift in target milestones set by regulatory convened working groups. Furthermore, as LIBOR transition has developed, the transition of other IBORs has also gathered pace (e.g. transition of the SOR and HIBOR (Hong Kong Interbank Offered Rate) benchmarks). With moving milestones for LIBOR transition and a gathering of pace in the reform of other similar benchmarks, transition programmes will not only need to keep abreast of changes, but will also need to be flexible enough to respond and adapt to scope and remit changes accordingly. Internal Audit should be able to assess the extent to which a programme keeps track of changes to milestones and regulatory expectations, and how the impact of the reform of other benchmarks is being considered.

Conduct risk and mitigation efforts: Managing conduct risks over the transition is also a topic which has been previously raised as a significant area of focus and will continue to be as RFR market liquidity develops further, and contracts start to transition away from LIBOR. Institutions will need to be able to demonstrate that conduct concerns have been adequately assessed and mitigation measures taken – failure to do so could lead to reputational, legal and financial costs – especially as due warning has been provided. Internal Audit should be able to validate and assess risk management measures taken by their firm in respect of conduct risk management.

Legacy transition: The contractual transition of legacy contracts away from LIBOR and on to RFRs may prove to be a significant undertaking. Aside from conduct concerns noted above, contracts may need to be bilaterally agreed with counterparties. Internal Audit should plan their assurance work in a manner which adapts to Management’s transition style.

1.8. Financial Crime

Serious and organised crime (including drugs, fraud, modern day slavery and child sexual exploitation, amongst others) is estimated to have a social and economic cost. Organised criminals and terrorists are also increasing their illicit activity in wildlife and other environmental crimes. As anti-financial crime regimes aim to reduce the harm to society, financial services providers are continuing to increase their already significant investments in compliance and their evolving role in the financial system, including public-private partnerships to mitigate financial crime risks.

The COVID-19 pandemic has given rise to a number of challenges for firms and legislators, and criminals have evolved their approach to committing financial crime in response. As a result, there has been a significant increase in fraud activity as many firms have had to shift quickly to digital channels, with face-to-face interactions reducing considerably due to Government restrictions and guidelines. Recent financial crime scandals have shown that, despite investment in new technologies and in building and growing specialist teams, firms are still making the same mistakes, ranging from inadequate governance and record keeping to not fully understanding their risk exposure to high-risk customers. Furthermore, crypto assets have increasingly emerged over the past few years and are now more accessible, with many crypto platforms becoming mainstream on the iOS and Android app stores. With these recent changes, criminals have shifted to other methodologies for money laundering, including the use of crypto assets and trade-based money laundering. As such, combatting financial crime and providing guidance on regulatory requirements around crypto assets continue to be key priorities for the European Regulators.

While firms are responding to significant changes in business conditions and continuing to adapt to the COVID-19 pandemic, regulatory expectations of firms’ efforts to mitigate financial crime risk have remained in line with previous years. Further, emerging risks (such as the increase of fraud and financial crime during the pandemic, increased risk associated with crypto assets, and changes in the sanctions regime post-Brexit and more recently in relation to China and Russia) have required greater attention.

Fraud and tax offences continue to be the largest known source of criminal proceeds in the EU. Criminals have adapted their approach and techniques to further exploit the COVID-19 pandemic resulting in a significant amount of COVID-19 related fraud reports.

The transposition of the 5th EU Money Laundering Directive (5MLD) through the Law of 25 March 2020 in Luxembourg has introduced new regulatory requirements to curb illicit activity and includes guidance on Customer Due Diligence (CDD) requirements for additional in-scope areas such as cryptocurrency, cryptocurrency exchange platforms and wallets (among others). Cryptocurrencies have expanded considerably in the last few years, leading to an increased money laundering risk recognised by many financial services Regulators worldwide. The 5MLD also clarifies when it is acceptable to forego CDD for e-money clients, thus offering increased regulatory coverage and guidance to the broader financial sector.

The art market is now subject to the Money Laundering Regulations since the introduction of the 5MLD. There is a lack of understanding regarding the risks and vulnerabilities in the art market which can be exploited by criminals to circumvent traditional controls encountered within the financial services channels. The risks posed by this sector have increased over recent years due to the vulnerabilities created by anonymity of transactions, portability across borders, exposures to high-risk jurisdictions and level of cash used in the sector, which make high value dealers attractive for criminals. Financial services institutions are expected to update their controls to fully understand and verify their customers’ Source of Wealth and any associated risk posed where the customer’s wealth is generated by trading in this sector.

Area of Focus

Risk assessments

Internal Audit should evaluate whether there is effective integration, to the extent possible, of all financial crime risk domains including fraud and tax evasion, and whether the financial crime risk management framework has been suitably tailored to the firm and its industry. Risk assessments continue to be an area of weakness at many firms, for example:

  • The enterprise risk assessment (ERA) is often overlooked and undervalued. Consequently, it tends to be underdeveloped and is not used to drive the firm’s financial crime systems and controls framework;
  • Where a firm is a branch or subsidiary of a parent based overseas, the parent’s ERA often drives the EU policies and may not include all relevant considerations required by the EU regulations;
  • Transaction monitoring (TM) risk assessments are often limited to generic scenarios and are not always tailored to the industry when compared with peers;
  • Customer risk assessments (CRA) are being performed in silos and do not always drive the ongoing due diligence requirements and monitoring for the customer as required by the regulations; and
  • A lack of experience in performing ERAs within the First and Second Line can result in confusion over applying mandatory risk guidelines and hinder the implementation of a robust ERA methodology.

Governance and oversight

Internal Audit can support effective financial crime risk management by considering governance and oversight arrangements. This can include assessing:

  • Where key tasks such as CDD and screening are being conducted by outsourced service providers, whether the following measures are in place or have been taken:
    • Due diligence prior to the commencement of the outsourcing arrangement, to assess the outsourcer’s process standards for the task being outsourced;
    • The provision of regular management information from the outsourcer detailing how the outsourced tasks are being conducted; and
    • Monitoring and quality review activity on the performance of the outsourced tasks.
  • Whether clear escalation processes are in place for matters that require review by senior Management or the Financial Crime team, e.g. CDD exceptions and high-risk customers requiring senior Management approval for on-boarding. These processes should include clearly defined criteria for escalating issues and the requirement to maintain an audit trail of escalations made and subsequent decisions.

Implementation of 5MLD

Internal Audit should continue to challenge the design and operational effectiveness of changes made by First and Second Line in response to the 5MLD. This includes, but is not limited to:

  • Reviewing the completeness of lists used during the onboarding process for 1) high-risk countries; and 2) screening against politically exposed persons (PEPs);
  • Reviewing the updated policies and procedures for carrying out due diligence for a relationship against beneficial ownership registers; and
  • Assessing the adequacy and effectiveness of using new technology and data solutions for performing electronic identification and verification.

Lack of skilled resources across all three lines of defence

Firms are having to roll out new, alternative anti-financial crime controls at pace while rapidly adapting to major ongoing changes in business conditions. Given the nature of these changes, an uplift in knowledge is required as new technologies and delivery channels are adopted in response, especially as these may not be fully tested or calibrated. Internal Audit should confirm that the audit approach is framed according to the firm’s risk appetite or risk capacity applicable during the audit period. Internal Audit recommendations should consider whether the ‘root causes’ of the issues are due to:

  • Shortage of resources due to cost reduction and/or a dilution of resources due to new requirements, which may reduce the knowledge base across the First and Second Line of Defence;
  • Systematic or temporary business conditions;
  • Breach of risk capacity or appetite of the firm; and
  • Re-prioritisation not being risk sensitive and/or weakening the compliance framework.

Cost reduction / sustainability

Internal Audit should review the governance arrangements for cost reduction strategies that impact financial crime compliance. Internal Audit should challenge and review whether cost reduction strategies are effective in achieving the desired, consistent compliance results and whether this is sustainable. Where compliance activity is outsourced, Internal Audit should understand whether appropriate governance, record keeping, management information and oversight are in place.

FinTech firms

Internal Audit should continue to challenge the maturing financial crime compliance framework against industry good practice, to ensure that the governance model, the ERA and the policies and procedures in place are tailored to the EU regulations.

Where the firm offers crypto assets, Internal Audit should understand how the business achieves compliance with the guidance on cryptocurrency included in the 5MLD.

Internal Audit should challenge the ongoing monitoring controls in place to ensure that, for all customers, the customer risk rating is driving the ongoing monitoring approach.