Written by Simone Jones on Wednesday January 29, 2020
Ensuring your employees are adequately trained in anti money laundering (AML) is a crucial component of managing financial crime risk. Not only is it vital to protect your firm, but it's often required by regulations. In the UK for instance, the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR2017) have clear requirements on training and the Financial Conduct Authority (FCA) see it as a key system and control. Whilst the obligation to train employees is clear, there are many ways training can be delivered.
With that in mind, we will take a closer look at four key questions to consider when developing your AML training and strategy, examining FCA guidance and seeing what lessons we can learn from historic FCA enforcement action, alongside our experience at ICA.
First and foremost, in whatever jurisdiction you operate, your regulations should be the first point of call when determining AML training obligations.
In the UK, the MLR2017 outlines two key requirements for employee training. First, it requires employees to be ‘made aware of the laws relating to money laundering and terrorist financing’.
This awareness-level training can be carried out by any number of means. A popular choice is mandatory online learning, which can be an effective way to deliver knowledge to a large or disparate group of employees.
Second, the regulation requires that employees and agents are ‘regularly given training in how to recognise and deal with transactions and other activities which may be related to money laundering or terrorist financing’.
This second part is where it gets really interesting and there are a broad range of training solutions that can be acquired or designed to meet those needs. Whilst the regulations should be the starting point for understanding obligations, there are a number of other significant considerations for AML training.
Below are some important questions to consider for your own AML training programme.
When determining your own training needs, consider the following:
Typically, high-risk roles are categorised as such due to the activity undertaken in those roles. Relationship managers or employees in a payment processing team, for instance, are at the forefront of identifying potentially suspicious activity.
When determining the activities and roles that are high risk, consider what impact the roles have on the AML framework; not all of the roles will be customer facing and therefore the risks they deal with will be different. Employees that need to assess risks when designing products, for example, should have training that enables them to appreciate AML risks and the control framework. This may lead to role-based training being the most appropriate solution, allowing it to be tailored to the specific activities unique to that role and the risks faced. This acknowledges that the training needs of the AML teams will be very different to those in the first line of defence as well as those of your senior managers.
It’s important to note that training isn’t the one-stop solution for all of life’s problems – there can be other, systemic issues that training struggles to cover. If a team is under-resourced or there are technology issues, training alone won’t solve the problems. No matter how well employees are trained, if they have insufficient resources, they will not be able to carry out their functions appropriately.
Training is still, of course, a key component of the risk management framework. Procedures and job aides can often struggle to account for every instance and by providing training that gives employees an understanding of the risks, they can apply those principles to different issues.
Once training has been determined as the right solution, the fun can begin with the design process, establishing the method for the training, the learning outcomes and how they will be achieved through the content and activities. Establish the risks and subjects that need to be covered (remember, don’t overlook terrorist financing) and keep in mind how the effectiveness of the training will be measured.
The frequency of training must take into consideration the risks faced by the business, whilst also being aware of practical considerations. Typically, a firm may choose to provide all learners with annual refresher training and then implement a cycle for more targeted training for high-risk roles led by a risk-based assessment. The FCA’s enforcement action against Canara Bank noted that absence of training between 2012 and their visit in 2015 as a key issue.
Part of this means thinking about the time needed by employees to complete the training. The FCA noted in a decision notice on Deutsche Bank that insufficient headcount led to AML personal having less time for devote to oversight, supervision, training and professional development.
There must be a culture and environment to support training, which will provide learners with the appropriate time to complete the training, whether it be time away from the office to attend training courses/conferences or uninterrupted time at the employee’s desk to study or complete training.
A record of the training employees have completed should be kept, as well as regular analysis to ensure training is kept up to date.
Despite best efforts, there can be times when shortcomings are addressed after the fact. This is linked to the first question, determining training needs. Training can often form part of a remediation plan, ensuring that employees have the appropriate skills and expertise to carry out their role to the required standard.
It may be that you have identified an issue with the fail rate of account openings during the customer due diligence (CDD) process, despite having procedures in place. Whilst there can be wider, underlying issues – such as technology and culture – it could suggest staff carrying out the role do not have an understanding of what is required of them i.e. the practical application of the procedures. The FCA identified ‘shortcomings in the application of…due diligence policies and procedures’ in their Final Notice of Standard Chartered Bank in 2019. The FCA noted that it appeared that Standard Chartered Bank hadn’t ensured that employees involved in the process received adequate training. Inadequate training for employees to effectively carry out their role was also identified in enforcement action against Canara Bank and Deustche Bank.
Investing in training can demonstrate that AML high on the agenda and the appropriate steps are being taken to prevent a recurrence.
In its 2018 Final Notice for Canara Bank, the FCA noted improvements to AML systems and controls, which included ‘increasing the training for new senior managers’. Standard Chartered Bank’s remedial steps were also noted by the FCA, specifically the bank’s launch of a ‘Financial Crime Compliance Correspondent Banking Academy’ offering AML and Sanctions training to its respondent bank customers.
An additional lesson can be learnt from this Final Notice. Training should not only be directed at employees, but to anyone that has an impact on the risk framework, including third parties. This is echoed by the FCA in their enforcement action against Canara Bank, where they noted that Canara placed reliance on third party firms for their third line of defence, but the internal auditor received only standard AML training in their own firm – and no specific training on Canara’s business.
There are a multitude of factors that need to be established when determining training requirements. What is clear is that a one-size-fits-all approach doesn’t work. Employees should be given the skills and expertise to understand money laundering risks and the control framework, but also opportunities to enhance their ability to practically apply their knowledge. Depending on the risk profile of your firm, tailored training may be required to help your learners to better understand how it works in practice and an environment to safely practice their skills.
If you are interested in this topic, keep an eye out on ICA Insight as we will be exploring good practices for role-based training in the next few weeks.
FCA, ‘Final Notice to Canara Bank’, 6 June 2018: – accessed January 2020
FCA, ‘Final Notice to Deutsche Bank’, 30 January 2017: – accessed January 2020
FCA, ‘Decision Notice to Standard Chartered Bank’, 5 February 2019: – accessed January 2020
Legislation.gov.uk, ‘The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017’: – accessed January 2020
This article forms part of the #BigCompConvo - Join us as we explore and debate the latest challenges and issues facing you and regulatory and financial crime compliance professionals all over the world. If you’d like to contribute an article as part of the Big Compliance Conversation get in touch with us at firstname.lastname@example.org
Thank you. Your comment is awaiting moderation and should appear on the site shortly.
Required fields are not completed, please ensure all required fields (*) have been filled in properly.
You can leave the name empty should you wish to remain Anonymous.