An auditor who performs an AML investigation should adhere to the principle that AML and Data Protection Privacy laws should not be mutually exclusive. This means that the auditor should respect and protect the personal data of the individuals involved in the investigation, while also complying with the AML obligations and requirements. The auditor should balance the legitimate interests of preventing and detecting money laundering and terrorist financing with the fundamental rights and freedoms of the data subjects, and apply the data protection principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and confidentiality.
The auditor should also take into account the relevant legal frameworks and guidance on data protection and AML, such as the EU General Data Protection Regulation (GDPR), the EU Anti-Money Laundering Directive (AMLD), the Council of Europe Convention 108+ on data protection, and the Guidelines on data protection for the processing of personal data for AML/CFT purposes issued by the Consultative Committee of the Convention 108+. The auditor should also cooperate and consult with the data protection authorities and the AML authorities, as appropriate, to ensure compliance and consistency.
References:
Data protection and the EU's anti-money laundering regulation
The EU's anti-money laundering regulation and data protection: Part II
For Banks, Data Privacy and Anti-Money Laundering Don't Have to Be Incompatible Guidelines on data protection for the processing of personal data for AML/CFT purposes Data Protection requirements must go hand in hand with the prevention of money laundering and terrorism financing ACAMS CAMS Certification Study Guide 6th Edition

During an internal investigation, employees should be instructed to do the following actions:
Inform counsel of all request for documentation: This is to ensure that the legal rights and obligations of the organization and the employees are protected and respected. Counsel can also advise on the scope, relevance, and confidentiality of the requested documents1.
Make copies of all documents provided to law enforcement: This is to maintain a record of the information that has been disclosed and to prevent any loss or alteration of the original documents. Copies should be made before the documents are handed over to law enforcement2.
Keep a log of the documents requested: This is to track the progress and status of the investigation and to avoid any duplication or omission of the requested documents. The log should include the date, time, description, and location of the documents, as well as the name and contact details of the person who requested and received them3.
Providing corporate documents directly to law enforcement, on the other hand, is not an action that employees should be instructed to do during an internal investigation. This is because law enforcement may not have the legal authority or the proper warrant to access the documents, and doing so may violate the privacy or confidentiality of the organization or the employees. Employees should consult with counsel before providing any documents to law enforcement4.
1: Internal money laundering reporting | The Law Society5 2: How to Conduct Effective AML Investigations
- Blog | Unit212 3: What Is The Importance Of An Internal Investigation?4 4: Anti-Money Laundering: 5 Steps to Conduct an Audit3

One of the common methods used by money launderers to hide the origin and destination of illicit funds is to create complex corporate structures that obscure the identity of the real owners or controllers of the assets.
Lawyers can facilitate this process by providing legal services such as setting up shell companies, trusts, foundations, or other entities in jurisdictions with weak AML regulations or high secrecy. By doing so, lawyers can help their clients evade taxes, avoid sanctions, conceal criminal activities, or launder money. This is why lawyers are considered high-risk professionals for AML purposes and are subject to due diligence and reporting obligations.
= Some of the references that support this answer are:
ACAMS Study Guide for the CAMS Certification Examination, Chapter 3, Section 3.2.2, page 77: "Lawyers are often used to create complex corporate structures that can be used to hide the beneficial ownership of assets." Money Laundering Reporting Officer: The Role Of MLRO, Section "Money Laundering Risks For Lawyers":
"Lawyers are at risk of being used by criminals to launder money through various means, such as creating corporate entities, conducting transactions, or providing advice." New York Lawyer Pleads Guilty to Ponzi Scheme, Money Laundering, Section "Lawyer agrees to forfeit $19 million from investment scheme": "A New York lawyer admitted Monday to money laundering and orchestrating an $18.8 million Ponzi scheme using his Forest Hills-based law firms, Wisnicki & Associates LLP and Wisnicki Neuhauser LLP."

An anti-money laundering officer should coordinate with the human resources department when implementing a new hire screening program. A new hire screening program is a process of conducting background checks and verifying the identity, qualifications, and suitability of prospective employees, especially those who will be involved in the bank's anti-money laundering (AML) compliance program. The human resources department is responsible for managing the recruitment, hiring, and training of employees, and ensuring that they comply with the bank's policies and procedures. Therefore, the human resources department is the most appropriate partner for the anti-money laundering officer in developing and executing a new hire screening program that meets the bank's AML standards and regulatory requirements.
The other options are not relevant or necessary for the implementation of a new hire screening program. The internal auditor is responsible for evaluating the effectiveness and adequacy of the bank's internal controls, including the AML compliance program, but not for screening new hires. The local financial intelligence unit is a government agency that collects, analyzes, and disseminates financial information related to money laundering and terrorist financing, but not for screening new hires. The institution's regulator is the authority that supervises and examines the bank's compliance with the applicable laws and regulations, including the AML requirements, but not for screening new hires.
ACAMS Study Guide for the CAMS Certification Examination (6th Edition), Chapter 4: Developing an AML
/CFT Program 1
FFIEC BSA/AML Manual, Assessing the BSA/AML Compliance Program, BSA/AML Training 2 AUSTRAC, Employee due diligence 3

Verified Answer: = A. Collect further customer reference data and determine what must be screened and at which frequency. and C. Deploy an independent risk-based test to ensure the screening on this customer is effective.
Comprehensive Detailed Explanation: = When an existing customer changes its business scope and jurisdictions, banks need to manage sanctions compliance risk effectively. Here are the steps they should take:
1. Collect Further Customer Reference Data: Obtain updated information about the customer's new business activities, locations, and counterparties. Understand the nature of their transactions and assess the associated risks. Determine what specific data elements need to be screened (e.g., names, addresses, beneficial owners) and establish the appropriate screening frequency.
2. Deploy an Independent Risk-Based Test: Conduct a comprehensive risk assessment tailored to the customer's changes. This assessment should consider factors such as the customer's industry, geographic exposure, and transaction volume. The risk assessment helps identify high-risk areas that require enhanced scrutiny.
3. Screen Directors and Ultimate Beneficial Owners: Perform sanctions screening not only on the customer but also on their directors and ultimate beneficial owners. This ensures that any potential risks associated with these individuals are identified and mitigated.
4. Perform Politically Exposed Person (PEP) and Negative Media Screenings: Continue to screen the customer and related parties against PEP lists and negative media sources. This helps detect any adverse information related to politically exposed individuals or entities.
By following these steps, banks can proactively manage sanctions compliance risk and safeguard their institution's reputation while adhering to regulatory requirements12.
References:
1. Protiviti: Sanctions Risk Assessment: A Key Risk Management Tool
2. Moody's: What Businesses Need to Know About Sanctions Compliance