4.1. Oversight, Management Reporting, and Auditing

Effective from 8/9/2021

The LFI’s board of directors and senior management should exercise active oversight of the institution’s key financial crimes risks and the controls in place to mitigate those risks. The board (or a board-designated committee) and senior management should receive regular reports on the institution’s key risks and trends and the overall performance of AML/CFT and sanctions controls, and should review the institution’s financial crimes risk assessment, any AML/CFT and sanctions audit and regulatory reports, and the institution’s written AML/CFT and sanctions program. The AML/CFT and sanctions program should be subject to senior management approval, and the board and senior management should ensure that clear, current, and appropriate policies and procedures are put in place and that there are effective TM and sanctions screening systems supported by adequate internal expertise and resources.

TM and sanctions screening functions should be given clear and distinct responsibilities for their respective tasks in the TM and sanctions screening process chain (e.g., for alert handling and the filing of STRs/SARs). Additionally, as detailed above, LFIs are expected to implement effective reporting systems, to include quantitative MIS reports as well as qualitative analysis of key risks and trends as appropriate, to ensure that their board and senior management are updated on key financial crimes risks in a timely manner. Any data quality or system functionality or output issues should be documented and tracked, and the status of remedial actions should be reported regularly to senior management.

TM and sanctions screening programs should be subject to independent testing by internal or external auditors with sufficient technological expertise and understanding of ML/TF/PF and sanctions risks and requirements. The LFI’s independent testing function (whether internal or external) should ensure adequate TM and sanctions screening coverage of the LFI’s customers, products, services, delivery channels, and geographies and may perform model testing and validation, as detailed above, as part of its AML/CFT and sanctions independent testing plan and methodology; otherwise, model testing and validation should be performed at periodic, risk-based intervals by a qualified and independent third party.