AUSTRAC enforcement: The key lessons for risk and compliance teams
30 Oct
In June, the Commonwealth Bank of Australia (CBA) settled a civil claim from the Australian Transaction Reports and Analysis Centre (AUSTRAC) for breaches of the Anti-Money Laundering and Counter-Terrorism Financing Act (AML/CTF Act).
The A$700 million penalty was at the time the largest fine for AML/CTF breaches outside the United States. It remains the largest fine in Asia.
The breaches by CBA have been well-documented, and while the majority of reporting entities are not as large or complex as CBA, and do not offer the products and services that were the subject of the civil claim, there are lessons for all to consider. All reporting entities should take note of the issues that led to the CBA breaches, and ensure that they address non-compliance vulnerabilities in their own businesses.
At the time of the CBA settlement, Nicole Rose, the chief executive of AUSTRAC, said the penalty would cause industry to take note, and said AML/CTF would become a regular talking point in boardrooms across the country.
“It is the responsibility of reporting entities, their boards and senior management to ensure the organisation they oversee takes its AML/CTF obligations seriously, and that there is an organisational culture that supports this,” Rose said.
This author has many years of AML/CTF experience, including the management of similar cases for financial institutions, and was the AUSTRAC-appointed expert witness in the CBA case. As a result, he is uniquely positioned to provide commentary on how reporting entities should respond to the case. This article sets out six lessons for reporting entities, which distil the main points identified as part of the recent “expert witness” sessions in which the author participated with Nathan Lynch of Thomson Reuters in Melbourne, Sydney and Brisbane.
Lesson one: Understand and manage your ML/TF risks
Understanding, and responding to, the ML/TF risks faced by a business is a fundamental principle of AML/CTF. It ensures reporting entities are in a position to manage and mitigate their risks, so it becomes more difficult for their products and services to be used by criminals, and makes it easier to identify when criminals are using, or are attempting to use, a business to commit crime and/or launder money.
The AML/CTF Act and Rules require reporting entities to understand their ML/TF risks, and continue to understand the level and extent of their ML/TF risks over time. If a business fails to assess its risks or to maintain an adequate understanding of its ML/TF risks, the systems and controls in place to manage and mitigate the risk may become ineffective.
As part of the CBA case, it was identified that before the introduction of intelligent deposit machines (IDMs) the ML/TF risks were not properly understood, and that multiple opportunities to re-assess the ML/TF risk were missed, despite clear indicators that such risks were increasing.
Reporting entities should be aware that, as in the CBA case, their understanding of ML/TF risk and the adequacy of controls in place to mitigate those risks may be reviewed retrospectively by AUSTRAC, particularly where there is evidence of criminal activity and real ML/TF risk has arisen.
They should therefore consider whether their ML/TF risk assessment is up-to-date and accurately reflects their ML/TF risks, and whether the controls in their AML/CTF program appropriately manage and mitigate those risks.
Lesson two: Follow your AML/CTF program
One of the other requirements of the AML/CTF Act and Rules is that reporting entities should have in place an AML/CTF program, and ensure they are following that program.
CBA’s AML/CTF program clearly articulated what should be done in particular circumstances; however, on a number of occasions it was apparent that CBA failed to follow the requirements stipulated by that program.
Having set out what needs to be done within an AML/CTF program, failure to ensure the business is complying with that plan is a fundamental error.
Reporting entities should put in place mechanisms to ensure they are following the AML/CTF program. The type and extent of those mechanisms will vary depending upon the size, nature and complexity of the business. They can, however, be as simple as routinely checking operational activity against AML/CTF program requirements, or commissioning an independent review with reasonable frequency. If a business operates a lines-of-defence risk management model, each line of defence should be involved in checking that the AML/CTF program is being followed.
Lesson three: Manage change within the business
As well as maintaining an up-to-date understanding of ML/TF risk, it is important to understand the impact that changes to business systems can have on AML/CTF controls, and on the reporting entity’s ability to comply with the AML/CTF Act and Rules and with its own AML/CTF program.
The CBA case highlighted that even relatively small and apparently innocuous changes to business systems can result in disproportionate non-compliance. For example, CBA made a system change to fix an error message on customer-facing systems which meant that certain transactions meeting the threshold transaction reporting (TTR) criteria were not systematically identified, and were therefore not reported to AUSTRAC.
The impact of the fix, which CBA subsequently described as a “coding error”, on compliance with this AML/CTF obligation was not identified for a number of years, compounding the breach of the AML/CTF Act and Rules and resulting in failure to make more than 53,000 reports.
In another part of the case, CBA merged two customer data sets, and in doing so lost a system marker that flagged accounts with particular characteristics for automated transaction monitoring. The loss of the system marker on almost 800,000 accounts was not detected for almost two years, and the fix was not completed for an additional year. This reduced CBA’s ability to identify suspicious matters, which are the lifeblood of the AML/CTF regime.
These examples illustrate how relatively simple changes to systems can result in significant non-compliance.
Reporting entities should therefore consider, as part of the change process, whether there is appropriate governance and assurance regarding changes to business systems and other parts of their operations, and whether they are confident that changes which could impair compliance are effectively identified.
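As an added illustration (not code from this article, CBA or AUSTRAC), the following Python shows the kind of post-change reconciliation check that detects the two failure modes described in this lesson: a data-set merge that silently drops the monitoring marker, and a threshold transaction pipeline that stops lodging TTRs. The account records, the transactions and the A$10,000 cash threshold are constructed or assumed for the example.

```python
# Added example: reconciliation checks for the two change failure modes above.
# Not code from CBA or AUSTRAC; all records are constructed, and the A$10,000
# cash threshold is an assumed parameter of the example.
from dataclasses import dataclass

TTR_THRESHOLD_AUD = 10_000  # assumed cash reporting threshold for this example

@dataclass(frozen=True)
class Account:
    account_id: str
    monitored: bool  # the system marker that routes an account to transaction monitoring

def lost_markers(before: dict, after: dict) -> list:
    """Accounts that carried the monitoring marker before a change but not after it."""
    return sorted(
        acct_id
        for acct_id, acct in before.items()
        if acct.monitored and not after.get(acct_id, Account(acct_id, False)).monitored
    )

def unreported_threshold_transactions(transactions: list, reported_ids: set) -> list:
    """Cash transactions at or above the threshold with no matching TTR lodged."""
    return sorted(
        tx["id"]
        for tx in transactions
        if tx["type"] == "cash"
        and tx["amount_aud"] >= TTR_THRESHOLD_AUD
        and tx["id"] not in reported_ids
    )

# Constructed sample data: a data-set merge that silently cleared A3's marker,
# and a reporting pipeline that missed a transaction sitting exactly on the threshold.
BEFORE_MERGE = {a: Account(a, m) for a, m in [("A1", True), ("A2", False), ("A3", True)]}
AFTER_MERGE = {a: Account(a, m) for a, m in [("A1", True), ("A2", False), ("A3", False), ("B9", False)]}
TRANSACTIONS = [
    {"id": "T1", "type": "cash", "amount_aud": 12_000},
    {"id": "T2", "type": "cash", "amount_aud": 9_999},
    {"id": "T3", "type": "transfer", "amount_aud": 50_000},
    {"id": "T4", "type": "cash", "amount_aud": 10_000},
]
REPORTED_TTRS = {"T1"}

def run_reconciliation() -> dict:
    """Run both checks; any non-empty list means the change has broken a control."""
    return {
        "lost_markers": lost_markers(BEFORE_MERGE, AFTER_MERGE),
        "unreported_ttrs": unreported_threshold_transactions(TRANSACTIONS, REPORTED_TTRS),
    }
```

Running these checks as part of every release, rather than relying on someone noticing years later, is the assurance step the change process should include.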
Lesson four: Ensure decisions and poor information flows do not downgrade compliance
The CBA case highlighted a number of decisions that ultimately damaged the level of AML/CTF compliance within the organisation. These included failure to report suspicions where similar suspicions had been notified to AUSTRAC about a customer or account, and failure to give adequate consideration to whether a suspicious matter report (SMR) should be submitted when law enforcement had identified a customer as being of interest or under investigation. There was also ineffective management of risk once a suspicious matter had been identified and reported.
There could be many reasons why these kinds of “policy” decisions are made, and they may have a sound operational basis, but compliance should also be a consideration. It is nevertheless a challenge that must be addressed by all reporting entities, as innocuous decisions taken by one part of the organisation can have unintended consequences for the whole business if the views of all relevant stakeholders are not sought and understood.
The CBA case also highlighted what can happen when there are problems with the way information flows through an organisation. While CBA does not appear to have set out consciously to be non-compliant, its organisational structure in part created barriers to effective information flow, and in the author’s view this contributed to non-compliance. When regulators review such cases with hindsight they will often make assumptions about who knew what, when they knew it, and why actions were or were not taken.
Reporting entities should ensure that decisions are not made in isolation, whether that is by operations, compliance or even the business. In the author’s experience this is a real challenge, particularly for large or complex organisations which may have complex stakeholder models and devolved decision-making processes.
To counter this, reporting entities should map or understand the internal (and, where relevant, external) stakeholders involved in AML/CTF compliance across the organisation to ensure that any gaps that could contribute to non-compliance are identified and addressed.
Lesson five: Understand and manage the level of compliance within the organisation
Governance and assurance are important activities throughout a reporting entity, with responsibilities that flow all the way up to senior management and the board.
Governance is usually exercised by management and control functions, including the compliance function. Governance in AML/CTF terms means ensuring the risks are understood and the program is appropriate for the risks, as well as activities such as change management approval.
Assurance, in its many forms (for example, testing and oversight), involves consciously checking that the systems and controls specified as part of the governance process are implemented, and that they operate effectively.
Reporting entities should ensure they have appropriate governance to reassure themselves that the program is, and continues to be, appropriate. They should also devise assurance activities to ensure systems and controls within the AML/CTF program are adequately implemented, and work as designed.
This is becoming increasingly important as the AML/CTF regime in Australia matures, and being able to demonstrate compliance is just as crucial as being compliant.
Lesson six: Non-compliance has real-world effects
“Compliance with the AML/CTF Act is a serious matter. Money laundering, terrorism financing and serious financial crime are very real issues with very real impacts on the lives of everyday Australians,” Rose said at the time of the CBA settlement.
The breaches agreed as part of the settlement directly contributed to criminals using CBA products and services to launder money, finance terrorism and commit other criminal acts including drug trafficking. At least $177 million of criminal activity using IDMs was identified.
This should act as a wake-up call for all reporting entities. While it is easy to get lost in the complexities of the CBA case, the simple truth remains that reporting entities have obligations under the AML/CTF Act to play their part in preventing, detecting and reporting crime. Where they fail to do that, and it can be proven that the failure is due to non-compliance, the CBA case has put them on notice that AUSTRAC will take action.
Neil Jeans was the expert witness for AUSTRAC in the recent civil litigation against Commonwealth Bank.