Where to Start the Year in Crypto Compliance: A Compliance Officer’s New Year To-Do List
A Compliance Officer’s job never really stops, not on weekends, not on holidays. As long as your company is providing a service there is a reason to lose at least a small amount of sleep. Compliance Officers do take holidays and with the long Christmas and New Year’s breaks in the rearview, they come back to the office rested and looking forward to the next twelve months with a nearly new priorities list.
The question therefore arises, where do I start with so many things to accomplish? The easy answer is: set your priorities, roadmaps and timeframes, account for the unexpected, then just dive in.
A Crypto-Compliance Checklist for Long-Term Success
The top of the year is a good time to have a few long-term projects in mind, plan for them, and start gathering the necessary data and or resources to get them accomplished. For crypto-compliance teams, start to think about these things:
-
- AML risk assessment;
-
- Independent test;
-
- Evaluating KPIs and KRIs;
-
- Drafting an annual money laundering report (now that you have a full 12 months of data);
-
- Exam preparations;
-
- Vendor renewals; and
-
- Team and company training.
Setting the Standard: Conducting a Comprehensive AML Risk Assessment
Your AML risk assessment should set the standard for the other items I have mentioned, as by its completion you should fully understand whether your operational controls mitigate your money laundering and other financial crimes risk sufficiently, or if changes need to be made. The risk assessment can be conducted from scratch, or you can simply update the assessment based on changes to products, services, customers, delivery channels, or the jurisdictions your company services as they change. Your entire compliance program should be as complex as the entity it is associated with so the way you carry out your risk assessment should be equally as complex, i.e., if an update is appropriate then update it, if a new assessment is appropriate then conduct a full assessment.
The Importance of Scheduling an Independent Test for Your Compliance Program
If you have not already scheduled an independent test of your program, January would be a great time to start reaching out to independent consultants, auditors, or deciding if you have an internal person or team sufficiently qualified to independently test your program. Independence is key and should be especially considered if you decide to do this using internal personnel.
The obvious purpose of independence is objectivity. The goal of the independent test is to give an objective analysis of your compliance program and whether it is or is not aligned with regulatory requirements.
So, start now, and have these considerations in mind as you decide on who and when you’ll carry this out. Typically, it is best to conduct your risk assessment first and attempt to remediate issues you have found as a result of the assessment.
Tracking Progress and Demonstrating Value: Key Performance and Risk Indicators
With these two tasks in consideration, January is also a great time to review your prior year’s key performance indicators (KPIs) and set your key risk indicators (KRIs) for the coming year. These metrics are important to keep yourself informed on the ongoing effectiveness, needs, and shortcomings of your compliance program. The risk assessment, and independent test, are point-in-time retrospective metrics. KPIs and KRIs are live, easy to update, and especially the result of data – as opposed to the more rule-based analysis received from the more formal assessment and test.
Further, your board and executive team will not (should not) be involved in day-to-day compliance activities. KPIs and KRIs allow you to concisely explain to them what’s happening in compliance and provide context for your needs as they arise. One of the top concerns for Compliance Officers is managing costs and adequate resourcing. KPIs and KRIs help compliance demonstrate itself as a cost-savings operation rather than a cost center. So, when it comes time for a request to increase a budget, add additional staff, or utilize a new vendor service, the metrics that demonstrate this most effectively will be KPIs and KRIs.
Exam-Ready Checklist
In completing, or initiating, the prior three tasks, you should be in a good position for exam preparations. While exam prep may be seen as something to be left until a regulator reaches out, having an ongoing exam prep checklist ready and completed will allow you to continue to evaluate your program, and to reduce the workload when the exam eventually comes. The checklist should be adjusted for your specific context but should include:
-
- Anti-Money Laundering and Sanctions Policy
-
- Is it current within 12 months
-
- Is there a separate sanctions policy from the AML policy
-
- Has it been approved by the Board of Directors and documented in Board minutes
-
- Does the AML policy designate (i.e. name) a qualified AML Officer
-
- Does the AML policy address a culture of compliance
-
- Anti-Money Laundering and Sanctions Policy
-
- Procedures
-
- Are written procedures up to date and accessible to staff
-
- Are they in line with the AML and sanctions policy
-
- Are there resulting processes and practices based on these procedures
-
- Procedures
-
- Evaluate past independent test results
-
- Has a recent independent test been conducted (in the prior year)
-
- Were any findings remediated and documented
-
- Evaluate past independent test results
-
- Staffing
-
- Have you completed a staffing assessment
-
- Is staff appropriately qualified and trained
-
- Is head count sufficient to ensure that all compliance program requirements are satisfactorily met
-
- Staffing
-
- AML Software
-
- Has the software been optimized on a risk-based approach
-
- Has testing been completed on alert parameters
-
- Are you detecting issues with false or true positives
-
- Has testing been completed on alert parameters
-
- AML Software
-
- Data Validation
-
- Have your models been independently validated
-
- Is all relevant data available for accurate transaction monitoring
-
- Data Validation
These and other areas of your program should be considered on an ongoing basis as regulatory examiners will review this information.
Evaluating Your Compliance Vendors
Your AML software and the relevant data are crucial to the effectiveness of your compliance program. And the effectiveness of your vendor should be evaluated at least annually. Depending on what services you rely on a vendor to provide, e.g., transaction monitoring, ID verification, negative news screening, sanctions screening, or similar, it is best to understand how effective your existing vendor is as well as what is the industry standard – as industry standard will align more closely with regulatory expectations.
Conduct vendor evaluations and understand the quality of the service they’re providing, the ease of communicating your needs with the vendor, regulatory and security risks associated with sharing data and how those are addressed, and the viability of the vendor’s business (if the vendor goes out of business you could lose a key component of your compliance program).
Develop a list of red flags that may arise and have evaluations of their competitors to ensure you have options if you need to make a change, that you are getting the best service for what your budget allows, and that the service you do chose is adequate to the complexity of your institution. If you find red flags present in their service, be conscious of the renewal period and have these addressed prior to the end of the contract or be ready to make a change without disruption to your compliance processes.
The Importance of Continuing Education and Company-Wide Compliance Training
Finally, for January, ensure you have your compliance teams continuing professional education (CPE) in mind and possibly planned out as well as company-wide compliance training. A great way to arrange CPE for your team is to use trusted third parties such as your vendors, professional associations, and educational institutions. Search for, or have a go-to list of, webinars, certificates, and certification courses. Outside of your compliance team, your company and board of directors will need anti-money laundering training. January is a good time to decide who needs what level of training, how you will provide this, and how they will attest to the training.
The beginning of the year does not have to be a simple continuation from December. Use January to plan and be prepared to complete the annual tasks discussed above and you will set your compliance program up for a productive and effective year ahead.
A great place to find CPE for your crypto compliance team is with the Blockchain Intelligence Group. Get crypto anti-financial crime certified in a matter of days with our on-demand training.