Capital Management Companies: AML Factors in the Annual Audit

On May 13, Ivo Schmiedt, founder of the investor onboarding platform Vestlane, and Kerberos hosted a webinar on "AML Factors in the Annual Audit" for capital management companies (CMCs). Speakers Ivo Schmiedt and Florian Peters (Kerberos) shared their experiences with auditors, BaFin, and other supervisory authorities, highlighting potential content-related and logistical issues that may arise during or after an annual audit, such as documentation and archiving of KYC documents.

Key Requirements for a Successful Audit

To achieve an audit without significant deficiencies, CMC employees must understand and comply with the central requirements of the German GwG. This includes maintaining an effective risk management system and rigorously implementing the audit of contractual partners. Technical and logistical requirements may need to be fulfilled with the help of external experts and service providers.

Why Are Capital Management Companies Subject to Mandatory Audits?

The audit obligation originates from Section 45a (3) KAGB, which states: "The auditor must also examine whether the capital management company has fulfilled its obligations under the Money Laundering Act and has complied with the provisions of this Act. The auditor must report the results of this audit separately in the audit report."

To audit compliance with anti-money laundering obligations, various forms of evidence, such as proof of training, KYC processes, and risk analyses, must be provided. Failure to provide sufficient evidence often leads to findings.

The Audit Process: What to Expect

The audit process typically follows these steps:

  1. Kick-off Meeting: Auditors gain an initial insight into AML structures and may ask initial questions.
  2. Request for Documents and Documentation: "If it's not documented, it didn't happen." All measures taken should be documented and presented to the auditors.
  3. Review of the Documents: Auditors thoroughly review risk analyses, guidelines, and other documents for completeness and comprehensibility.
  4. Sending the Draft Audit Report
  5. Coordination / Comments on the Findings
  6. Final Report & Submission to the Supervisory Authority

Common Findings: Practical Examples

Findings can arise for various reasons:

  1. Training Courses: Discrepancies in opinions about the frequency and timing of training. The Money Laundering Act only refers to "ongoing information." Kerberos recommends annual training.
  2. Certification of Money Laundering Reporting Officers: Findings occur if officers lack or have expired certifications. Kerberos offers (re-)certification courses with DEKRA.
  3. Outsourcing Notification: Delays in reporting outsourced compliance roles, such as money laundering reporting officers, to the supervisory authority can result in findings.
  4. Risk Analysis Updates: Non-adherence to the annual update frequency.
  5. KYC Documents: Incomplete or incorrect customer identification can lead to findings.
  6. Absence of the Money Laundering Reporting Officer: Deputies and officers must not be on holiday simultaneously to ensure continuous compliance management.

Post-Audit Consequences

The severity of internal and external reactions depends on the assessment of the effectiveness of your AML measures.

Internal Reactions:

  • Remediation
  • Review of compliance culture and governance structure
  • Personnel changes or increases
  • Reporting to BaFin on measures taken

External Reactions:

  • Special audit
  • Dismissal of the money laundering reporting officer and/or management
  • Reputational damage via "BaFin pillory"
  • Fines or license revocations, though less common, are possible

Helpful Takeaways

  • Always maintain and readily provide risk analysis and money laundering prevention guidelines.
  • Employee training certificates are crucial.
  • Ensure due diligence obligations are met; some audits may sample 100% of cases.
  • Promptly notify the supervisory authority when the money laundering reporting officer role is outsourced.
  • The intensity of the audit varies by auditor as BaFin requirements are not yet standardized.

About Kerberos

Kerberos Compliance helps you to achieve compliance with the Anti Money Laundering Act in a cost-effective manner. Our digital solutions minimize your effort and compliance costs and can be easily integrated into your normal day-to-day business.

With over 112,000 suspicious activity reports per year, the financial sector submits the most reports to the FIU. It is mainly credit institutions that report. Capital management companies, financial services institutions, insurance companies and others account for only a fraction. The developments of recent years, the planned expansion of BaFin and the call for stricter monitoring are now increasing the pressure on everyone.

Author: Florian Peters

Senior Manager Compliance at Kerberos