Independent AML/CFT Audit obligations- Have you completed yours?


The Financial Services Commission (“FSC”) has recently published an updated Anti Money Laundering and Counter Financing Terrorism (“AML/CFT”) handbook for financial institutions comprising of a new chapter namely “Independent AML/CFT audit”. This new chapter has been brought at an important time where the financial services sector is currently facing major challenges with the classification of Mauritius on the grey list of FATF, Blacklist of the European Union and High-Risk Third countries of the UK. Moreover, this new chapter is a guidance to Section 22 (1) (d) of The Financial Intelligence and Anti-Money Laundering Regulations 2018 “FIAMLR 2018” which requires every financial institution to conduct an independent AML/CFT audit of their existing compliance framework.

By Hishaam Mohammoodally
Legal & Compliance Executive
HLB Risk & Compliance Consultancy Ltd


An independent AML/CFT audit is an audit conducted by an external professional AML/CFT auditor or firm using best practice. It a special assessment of whether the provisions of the applicable laws, rules & regulations and various orders, instructions issued by the competent authority are being complied with. It is an evaluation of the existing Risk Assessment and AML/CFT framework of your company through file testing, transaction testing and the testing of live application of policies and procedures.  It also helps to identify the money laundering and terrorist financing risks (ML/TF) faced by an organization, that it is keeping the assessment up to date, and effectively determining the levels of risk faced by its business. In essence, the independent audit of the Risk Assessment and AML/CFT Program is also geared towards assessing the adequacy and effectiveness of its implementation. It is an opportunity for an organization to obtain another view of how well the AML/CFT program is designed and functioning.



An independent AML/CFT audit may be conducted by either an internal team or an external audit professional or firm. However, the audit process should be carried out independently as stipulated by the FIAMLR 2018. This indicates that the internal auditor should be independent and must not have been involved in the development of risk assessment, or the establishment, implementation, or maintenance of the organisation’s AML / CFT framework. Thus, the audit function should be separate from operational and executive team dealing with the AML/CFT processes of the company.

In cases where an external audit professional has been appointed to conduct AML/CFT audit, the financial institution will have to demonstrate that the external auditor is adequately independent from its business and that there is no conflict of interest.

Where a reporting entity has retained the services of an auditor to perform AML/CFT audit, the company must conduct due diligence on the person or firm to ascertain that the selected auditor has the necessary skills, experience and qualifications. This will ensure that the AML/CFT audit is properly conducted, and the Auditor provides quality recommendations, so that the reporting entity can use the findings and recommendations to improve upon deficient areas. The criteria considered by the financial institution when assessing the independence and relevant experience of the external auditor to perform the audit, should be properly documented and shall be made available to the FSC upon request.



The independent AML/CFT audit covers a review of your Risk Assessment and AML/CFT Programme to ascertain that it meets the requirements of the FIAMLA, FIAMLR and relevant rules & regulations.

Typically, an AML/CFT audit should adopt the following methodology which is in line with best practice:

  1. A full review of your company’s AML existing compliance program manual
  2. Whether the program has been effectively implemented and whether the entity is complying with the policies and procedures in place
  3. Adequacy of AML risk-assessment procedures of the AML program
  4. Whether the organization is addressing the risk faced by its business in an effective manner
  5. Review of past audit reports to assess the efficacy of recommended implemented changes
  6. Compliance Officer functions and effectiveness
  7. Money Laundering Reporting Officer functions and effectiveness
  8. Customer Due Diligence and Enhanced Due Diligence
  9. Transaction Monitoring and evaluation of automated monitoring systems
  10. Suspicious transaction reporting process
  11. Targeted Financial Sanctions policies
  12. Record keeping processes
  13. Employee screening
  14. AML/CFT Training



The frequency and extent of the review should be proportionate with the licensee’s size, nature, context, complexity and internal risk assessment. Company applying a risk-based approach will need to determine the frequency and scope of the independent AML/CFT audit review but is encouraged that it is conducted on an annual basis. The frequency and the scope may also depend on the business risk assessment of a company. If the business risk assessment changes, then it is advisable to conduct more frequent audit review. High risk organizations should conduct their independent audit more frequently.



An independent AML/CFT audit report usually includes helpful recommendations. The more thoroughly an auditor understands your business and processes, the more helpful they can be. It is to be noted that the report should be duly signed and dated by the audit professional or firm. The report must cover all components of a compliance program. It should clearly outline other different components such as audit scope, audit objectives, audit methodology, audit observations, gap analysis and relevant recommendations to allow the reader to reach an informed conclusion on the adequacy of the AML/CFT program. Compliance audit reports must be issued in a timely manner to the Board of Directors of a company to allow them to take appropriate actions to address deficiencies and areas of non-compliance.

After a compliance audit has been completed, the reporting entity must seek to implement the necessary changes recommended in the report, share the findings with the relevant employees who are directly involved in the deficiencies that need to be corrected, solicit the advice of these employees, especially Front-Line staff on how they feel the Program could work better. Additionally, the risk or AML/CFT committee must set deadlines and timeframes for the changes and list those who are responsible for getting the tasks completed. Finally, detailed records of the Audit must be kept. These may be requested by FSC.



HLB Risk & Compliance Consultancy Ltd has a dedicated team to help companies and Designated Non-financial Business Professionals (“DNFBPs”) to conduct independent AML/CFT audit. We have proven expertise to assist your company in complying with the different legislations/guidelines and to provide you with valuable recommendation for the improvement of your AML/CFT program. We use best practices and innovative methodologies which ensure quality, completeness and reliability.

Do you require a quote for an independent Audit?
Please contact us on or on +(230) 203 3900.

Get in touch

Whatever your question our global team will point you in the right direction

Start the conversation

An overview of Trade based Money Laundering and Terrorist Financing and the risk indicators


April 2, 2021

The term trade-based money laundering and terrorist financing (“TBML/FT”) refers to the process of disguising the proceeds of crime and moving value through the use of trade transactions in an attempt to legitimise their illegal origins or the underlying financing of such activities. Criminal organisations and terrorist financiers use this process to move money for the purpose of disguising its illicit origins and integrate such funds into the formal economic system.

The Process

TBML/FT is an old medium used by money-launderers to launder illicit funds and they use various methods to operate which include the following, inter alias:

  • misrepresentation of the price, quantity or quality of imports or exports.
  • fictitious trade activities which have never happened physically .
  • involvement of front companies which are actually in existence in order to blur ‘occult’ transactions.
  • over- and under-invoicing of goods and services.
  • multiple invoicing for the same goods or services.
  • over- and under-shipments of goods and services.

More complicated schemes integrate the above fraudulent practices into more complex web of transactions and movements of goods across the globe.

The risk factors

The ‘Financial Actions Task Force’ (“FATF”) Typologies Report on Trade-based Money Laundering dated 23 June 2006 principally highlights the ways in which criminals exploit the vulnerabilities of the international trade route system for their own advantage and move value for money, rather than goods. The Report includes recommendations to address the risk associated with TBML.

The FATF and the Egmont Group have identified some potential risk indicators of TBML, from numerous samples of data and case studies. The risk indicators have been designed to enhance public & private sectors to identify suspicious activity associated with TBML so that they can collaboratively work towards mitigating them.

It is strongly recommended that TBML can be combatted: firstly by raising the awareness and the standard of risk assessment of public & private sectors involved in international trade and secondly by the promotion of public private partnership, allowing enhanced cooperation between private & public sector and information sharing of financial and trade data amongst the two sectors.

The massive, interconnected supply chains systems, lack of technical understanding and poor tracking and supervision of the whole end to end process makes detection of money laundering  difficult. Inherent vulnerabilities in the international trade system, including the enormous volume of trade flows, obscures individual transactions and therefore provide abundant opportunity for criminal organisations and terrorist groups to transfer value across borders.

The risk indicators have been broadly regrouped under the following 4 main categories:

i. Structural risk indicators
ii. Trade activity risk indicators
iii. Trade documents & commodity risk indicators
iv. Account and transaction activity risk indicators

The risk indicators under each category are analyzed below

Structural risk indicator

  • The corporate structure of a trade entity appears unusually complex and illogical, such as the involvement of shell companies or companies registered in high-risk jurisdictions.
  • A trade entity is registered or has offices in a jurisdiction with weak AML/CFT compliance.
  • A trade entity is registered at an address that is likely to be a mass registration address, e.g., high-density residential buildings, post-box addresses, commercial buildings or industrial complexes, especially when there is no reference to a specific unit.
  • The business activity of a trade entity does not appear to be appropriate for the stated address, e.g., a trade entity appears to use residential properties, without having a commercial or industrial space, with no reasonable explanation.
  •  A trade entity lacks an online presence, or the online presence suggests business activity inconsistent with the stated line of business, e.g., the website of a trade entity contains mainly boilerplate material taken from other websites or the website indicates a lack of knowledge regarding the particular product or industry in which the entity is trading.
  • A trade entity displays a notable lack of typical business activities, e.g., it lacks regular payroll transactions in line with the number of stated employees, transactions relating to operating costs, tax remittances.
  • Owners or senior managers of a trade entity appear to be nominees acting to conceal the actual beneficial owners, e.g., they lack experience in business management or lack knowledge of transaction details, or they manage multiple companies.
  • A trade entity, or its owners or senior managers, appear in negative news, e.g., past money laundering schemes, fraud, tax evasion, other criminal activities, or ongoing or past investigations or convictions.
  • A trade entity maintains a minimal number of working staff, inconsistent with its volume of traded commodities.
  • The name of a trade entity appears to be a copy of the name of a well-known corporation or is very similar to it, potentially in an effort to appear as part of the corporation, even though it is not actually connected to it.
  • A trade entity has unexplained periods of dormancy.
  • An entity is not compliant with regular business obligations, such as filing VAT returns.

Trade activity risk indicators

  • Trade activity is inconsistent with the stated line of business of the entities involved, e.g., a car dealer is exporting clothing, or a precious metals dealer is importing seafood.
  • A trade entity engages in complex trade deals involving numerous third-party intermediaries in incongruent lines of business.
  • A trade entity engages in transactions and shipping routes or methods that are inconsistent with standard business practices.
  • A trade entity makes unconventional or overly complex use of financial products, e.g. use of letters of credit for unusually long or frequently extended periods without any apparent reason, intermingling of different types of trade finance products for different segments of trade transactions.
  • A trade entity consistently displays unreasonably low profit margins.5 in its trade transactions, e.g., importing wholesale commodities at or above retail value, or re-selling commodities at the same or below purchase price.
  •  A trade entity purchases commodities, allegedly on its own account, but the purchases clearly exceed the economic capabilities of the entity, e.g., the transactions are financed through sudden influxes of cash deposits or third-party transfers to the entity’s accounts.
  • A newly formed or recently re-activated trade entity engages in high-volume and high-value trade activity, e.g., an unknown entity suddenly appears and engages in trade activities in sectors with high barriers to market entry.

Trade document and commodity risk indicators

  • Inconsistencies across contracts, invoices or other trade documents, e.g., contradictions between the name of the exporting entity and the name of the recipient of the payment; differing prices on invoices and underlying contracts; or discrepancies between the quantity, quality, volume, or value of the actual commodities and their descriptions.
  • Contracts, invoices, or other trade documents display fees or prices that do not seem to be in line with commercial considerations, are inconsistent with market value, or significantly fluctuate from previous comparable transactions.
  • Contracts, invoices, or other trade documents have vague descriptions of the traded commodities, e.g., the subject of the contract is only described generically or non-specifically.
  • Trade or customs documents supporting the transaction are missing, appear to be counterfeits, include false or misleading information, are a resubmission of previously rejected documents, or are frequently modified or amended.
  • Contracts supporting complex or regular trade transactions appear to be unusually simple, e.g., they follow a “sample contract” structure available on the Internet.
  • The value of registered imports of an entity displays significant mismatches to the entity’s volume of foreign bank transfers for imports. Conversely, the value of registered exports shows a significant mismatch with incoming foreign bank transfers.
  • Commodities imported into a country within the framework of temporary importation and inward processing regime are subsequently exported with falsified documents.
  • Shipments of commodities are routed through a number of jurisdictions without economic or commercial justification.

Account and transaction activity risk indicators

  • A trade entity makes very late changes to payment arrangements for the transaction, e.g., the entity redirects payment to a previously unknown entity at the very last moment, or the entity requests changes to the scheduled payment date or payment amount.
  • An account displays an unexpectedly high number or value of transactions that are inconsistent with the stated business activity of the client.
  • An account of a trade entity appears to be a “pay-through” or “transit” account with a rapid movement of high-volume transactions and a small end-of-day balance without clear business reasons, including:

An account displays frequent deposits in cash which are subsequently transferred to persons or entities in free trade zones or offshore jurisdictions without a business relationship to the account holder.

‒ Incoming wire transfers to a trade-related account are split and forwarded to non-related multiple accounts that have little or no connection to commercial activity.

  • Payment for imported commodities is made by an entity other than the consignee of the commodities with no clear economic reasons, e.g., by a shell or front company not involved in the trade transaction.
  • Cash deposits or other transactions of a trade entity are consistently just below relevant reporting thresholds.
  • Transaction activity associated with a trade entity increases in volume quickly and significantly, and then goes dormant after a short period of time.
  • Payments are sent or received in large round amounts for trade in sectors where this is deemed as unusual.
  • Payments are routed in a circle – funds are sent out from one country and received back in the same country, after passing through another country or countries.

The above risk indicators are potential signs of the likelihood of the occurrence of unusual or suspicious activity. Nevertheless, they do not automatically warrant the occurrence of suspicious activity, but they rather prompt for an in-depth assessment and monitoring of the whole trade chain.

Although the above risk indicators should remain the triggering events for an enhanced monitoring, the basic fundamental principles of customer due diligence should never be undermined.

Kaminee Busawah

Managing Director- Risk & Compliance


Get in touch

Share to:

Copy link:

Copied to clipboard Copy