When anti-money laundering (AML) is discussed, the focus logically seems to be on compliance teams, reporting obligations and regulatory requirements. However, board accountability should never be forgotten. Executives are expected to provide oversight, understand the risks facing their organisations and ensure that appropriate controls are in place.
The publication of the Generally Accepted Compliance Practice (GACP) by the Compliance Institute of South Africa (CISA) gives board members a fresh look at how financial crime risk is understood and managed across their organisations.
Brad Elliott, CEO of RelyComply, a global anti-financial crime platform for enterprise financial services, highlights five questions executives should be asking as financial crime becomes more sophisticated, accountability increases and organisations face growing pressure to demonstrate that the controls they have in place are working.
1. Can we see risk across the organisation?
A financial institution may use different systems for customer onboarding, transaction monitoring, sanctions screening, investigations and reporting. That means information is often spread across business units, jurisdictions and technology platforms.
According to Elliott, the question for executives is whether they have a clear view of how all those risks connect across the organisation.
“The issue isn’t whether information exists,” he adds. “It’s whether leaders can see how different risks connect and what those connections mean for the organisation as a whole.”
2. How do we know our controls are working?
A control that exists on paper but fails to flag a suspicious transaction, escalate a risk or trigger an investigation is a liability. Elliott is direct on this point: “Organisations need confidence that controls are identifying risks, escalating concerns and performing as intended.”
“Executives should be asking how controls are tested, what they’ve caught recently, and what the last failure looked like. If no one can answer the last question, that’s your answer.”
3. Are we prepared for AI-enabled financial crime?
Artificial intelligence is creating opportunities for both businesses and criminals. Convincing fake identities can be created in minutes. Fraud attempts can be automated and social engineering attacks can be tailored to specific individuals at scale.
Elliott says, “Executives should understand how these developments affect their organisations and whether existing controls are fit for purpose. With technology rapidly evolving, this is an ‘always on’ requirement, which can be streamlined with a unified platform to help businesses detect and prevent financial crime.”
“Executives should be asking whether their current controls were designed for the threat environment of today or the one that existed three years ago. For most organisations, the honest answer is uncomfortable.”
4. Are the right issues reaching the right decision-makers?
Reporting delays, fragmented processes and organisational silos can prevent emerging risks from receiving the attention they require.
Says Elliott, “Executives must understand how risks are escalated, how incidents are reported and whether decision-makers receive the information they need to act. Reporting alone doesn’t create oversight.
“Executives should interrogate their escalation paths, considering how long it will take for a material risk to travel from identification to board awareness. If the answer is measured in weeks, that’s not oversight; it’s a paper trail.”
5. Could we confidently demonstrate our approach to regulators and stakeholders?
Secure organisations operate in an environment built on trust. Regulators, investors, customers and business partners expect these organisations to understand their risks and demonstrate how those risks are being managed.
Elliott comments, “Organisations need to understand their risks, manage them effectively and be able to demonstrate that they are doing so. Regulators, investors and customers increasingly expect that level of accountability. That requires an active commitment and internal accountability.”
The new industry standard
The publication of the GACP provides a common benchmark for compliance and risk practitioners across South Africa’s financial sector, from major banking and insurance groups to asset managers, payment providers, legal firms, crypto asset service providers and other accountable institutions.
Elliott concludes, “No single organisation can address financial crime risk in isolation. Strong standards, effective governance and collaboration across the industry all have a role to play. Raising standards across the industry benefits everyone.”


