Thethird line of defense (internal audit)providesindependent oversightof an institution’sAML/CFT compliance framework.
Option B (Correct):The internal audit function should report to the board’s audit committeeto maintainindependence and objectivity.
Option A (Incorrect):While frequent audits are essential, AML audits should be risk-based rather than mandated at a strict 12-month interval.
Option C (Incorrect):Internal audit must assess remediation plansto ensure they adequatelyaddress AML deficiencies.
Option D (Incorrect):The third line of defense should not be involved in daily AML operationstoavoid conflicts of interest.
Three Lines of Defense in AML Risk Management:
A screenshot of a computer Description automatically generated
Best Practices for AML Audit Function:
Ensure complete independence from AML operations.
Conduct risk-based audits tailored to emerging threats.
Report audit findings to the board for effective oversight.
[Reference:, Basel Committee’s "Sound Management of ML/TF Risks", FATF Recommendation 18 (AML Internal Controls & Oversight), Wolfsberg Group AML Audit Guidelines, , , , ]
