On 27 March 2024, the Wolfsberg Group (Group) published Principles for Auditing Financial Crime Risk Management (FCRM) using the Wolfsberg Factors (Factors) which were published in 2019.

The Group notes that internal audit (IA), an independent function within a financial institution (FI), constitutes the third line of defence and plays an important role in assessing the comprehensiveness and effectiveness of the FCRM programme, validating that the programme is dynamic and covers all regulatory requirements in a thoroughly documented manner. Furthermore, IA should adopt a risk-based approach that includes internal and external requirements (e.g., local regulations may have defined requirements).

The Group believes that IA can assist their FIs in their fight against financial crime by measuring FCRM outcomes using the Factors and has developed principles and measures for auditing an FCRM programme. These are:

Factor: Complying with financial crime laws and regulations.

Principle: As a baseline matter, IA should assess whether the FI can demonstrate that its governance documents address the requirements of all relevant local laws and regulations and assess that the financial institution has an effective set of controls to ensure adherence to these requirements.

Measures:

  • The FI can evidence that local financial crime laws and regulations have been addressed in the FI’s governance documents.
  • The FI can evidence that controls mapped to these elements of the governance documents are designed and operating effectively.
  • The FI can evidence a sufficiently governed process to assess the adequacy of the FCRM programme in addressing regulatory requirements.

Factor: Establishing a reasonable and risk-based set of controls to mitigate the risks of a financial institution being used to facilitate illicit activity.

Principle: IA should evaluate whether the FI has a well-designed, reasonable and risk-based set of controls, and then assess the effectiveness of the controls.

Measures:

  • The FI can evidence that its set of controls is designed to provide reasonable coverage that is proportionate to the risks identified in its risk assessment documentation.
  • The FI can evidence that the set of controls is effective.
  • The FI can evidence a sufficiently governed process for changes to its set of controls and that such governance gives appropriate consideration to financial crime risk.

Factor: Providing highly useful information to relevant government agencies in defined priority areas.

Principle: An FI may choose to establish quantitative and/or qualitative indicators relating to the sharing of highly useful information to relevant government agencies.

Measures:

  • The FI may consider developing a credible and reasonable set of indicators upon which to assess its performance in providing highly useful information to relevant government agencies in defined priority areas
  • The FI can evidence that it is collecting the indicators it has set for itself.
  • The FI can evidence oversight through formal governance of its self-assessment on its provision of highly useful information to relevant government agencies.