Governance Committees: Map out which governing bodies will be responsible for oversight and challenge of your IWT policy, as well as which body is responsible for the more detailed monitoring and testing of your IWT effectiveness.
Management Information (MI): Senior Management can only make the right decisions if they have the right level of data flowing into them on a regular basis. Your MI plan should include what level of information and data you are providing, to whom and how frequently. Regulators will often want to see what MI is being fed into Senior Management and other levels of the organisation.
We would recommend that your Governance & MI is formally documented to include the following:
Roles & Responsibilities: it is critical to map out who is responsible for protecting your business from IWT risk. In reality this would usually be all of your staff, so it is important to clearly communicate roles and responsibilities for all teams and business groupings. In this you will also want to draw out a couple of specific roles, including:
Who takes overall responsibility for the firm.
Who is responsible for compliance with local laws and regulations.
Who is responsible for filing Suspicious Activity Reports (SARs) (internally and externally).