09 Mar AUSTRAC publishes their assessment of AML/CTF compliance
On the 8th March 2017 AUSTRAC published a report entitled “Insights from compliance assessments – good business practices and areas for improvement” which analyses the compliance reports made by reporting entities to AUSTRAC.
The report identified four areas where, in AUSTRAC’s view, reporting entities can improve AML/CTF compliance:
- ML/TF Risk Assessment
- Applying the risk based approach to AML/CTF
- Outsourced and automated processes
- Governance issues
AUSTRAC makes it clear that all reporting entities should take note of the issues raised and ensure that the issues identified are not replicated in their AML/CTF Programs.
The nature of the report is generic, across types of reporting entity. However, the report is important reading for all reporting entities in Australia, who should measure their own AML/CTF Programs against AUSTRAC findings.
ML/TF Risk Assessment
AUSTRAC identified that many reporting entities have adopted generic assessments that are not specific to the reporting entities’ business and therefore do not assess the ML/TF risk the specific reporting entity may reasonably face.
The risk assessment, and the understanding of ML/TF risks that results, are fundamental to having an AML/CTF Program that addresses the ML/TF risk a reporting entity may reasonably face.
It is therefore important that, whilst the types of risk under assessment are common across reporting entities and industries, a reporting entity has an ML/TF risk assessment that is tailored and identifies the ML/TF risk relevant to its business.
AUSTRAC also identified that many reporting entities had failed to refresh their ML/TF risk assessment, noting:
“many reporting entities had only considered the risk posed by their businesses at a single point in time, typically when they first developed their AML/CTF program”.
AUSTRAC further commented that many reporting entities may not have systems in place that prompted them to update their risk assessments when their business changed or information came to light that a designated service had been misused by criminals, whether from the operation of their AML/CTF controls or from notices provided by AUSTRAC and other government agencies.
AUSTRAC Rules 8.1.5 (4) and (5) specify that a reporting entity must keep their ML/TF risk assessment current. It is therefore important that all reporting entities should have processes to refresh, or at the very least periodically review, their ML/TF risk assessment. This includes being in a position to refresh their assessment of risk as the ML/TF environment their business operates in changes.
The report additionally identified that many reporting entities only focused on ML risk, rather than ML/TF risk, and as a result reporting entities had not adequately addressed TF risk within their business.
Given the likely extension of AUSTRAC focus to Targeted Financial Sanctions, foreshadowed in the Statutory Review Report last year, it is important that a reporting entity’s ML/TF risk assessment is inclusive of both ML and TF risks; reporting entities may also want to consider wider related financial crime risks.
It is our experience that reporting entities sometimes focus only on the four risk types in the Rules. In our opinion it is equally important for a reporting entity to understand the external and internal ML/TF environment they operate within. This includes an assessment of their business’ vulnerability to predicate offences, and their business’ vulnerability to being used for money laundering, as well as terrorist financing.
Applying the risk based approach to AML/CTF
AUSTRAC identifies that reporting entities should have AML/CTF controls commensurate to the nature, size and complexity of their business, as well as the ML/TF risks they face.
The report also identifies that compliant AML/CTF Programs:
- “contain policies, processes and procedures that are practical and fit for purpose in addition to being tailored to the specific ML/TF risks”
- “Use clear language that allows staff to know what they need to do and when”
AUSTRAC noted that some AML/CTF Programs were simply a cut and paste of large sections of AUSTRAC’s Rules setting out what systems and controls were required, but not setting out what systems and controls a reporting entity had in place.
Whilst it is important to contextualize the reason why particular controls are needed by stating their basis in law and regulation, as part of the AML/CTF Program it is also important to set out what those controls are.
AUSTRAC makes it clear that reporting entities merely repeating the Rules are not fulfilling their obligations to document those systems and controls.
Failing to document their systems and controls adequately also means that a reporting entity is unable to demonstrate it has thought about its obligations and the ML/TF risk it faces or the systems and controls it will use, which are key factors that AUSTRAC looks for when assessing compliance.
From our experience, in order to be compliant and be able to support a business in its AML/CTF activities, an AML/CTF Program should fully set out the controls, not just regurgitate the Rules.
AUSTRAC also warns against the unthinking use of “template” AML/CTF Programs, stating that whilst templates are useful to define what obligations a reporting entity has and what systems and controls need to be put in place, they should be appropriately tailored by the reporting entity.
AUSTRAC also identified the use of vague or non-committal language in AML/CTF Programs, which in their view weakens the AML/CTF Program and creates a barrier to the business and staff understanding what they need to do, under what circumstances, and how the program addresses the ML/TF risk faced.
Whilst the implementation of AML/CTF controls can be complex and it is tempting to include vague statements that it is hoped will broadly address complex legal and regulatory concepts, specificity is needed to ensure that the reporting entity’s response and application of controls is unambiguous.
Outsourced and automated processes
AUSTRAC in the report make it clear that:
“reporting entities are responsible for the proper functioning of an AML/CTF program even when AML/CTF activities have been outsourced and/or automated”
The use of third party vendors and service providers has proliferated in recent years as reporting entities seek to minimise compliance costs and realise the advantages of the ‘digital’ world.
However, the adage – “you can outsource the function but not your responsibility” still holds.
In this area, the AUSTRAC report identified that best practice is where:
- Roles and responsibilities between the reporting entity and the service provider are clearly defined, agreed and documented.
- The reporting entity undertakes proactive monitoring and testing to ensure that the service provider is fulfilling the agreed role and responsibilities.
It is also important that reporting entities ensure the service providers take action where deficiencies are identified.
AUSTRAC also points to the oversight of both outsourced and automated functions as being vital to a reporting entity being able to demonstrate compliance if it is using outsourced or automated services.
Finally AUSTRAC turns its attention to governance over the AML/CTF Program. AUSTRAC noted that:
“where AML/CTF programs did not include procedures to ensure Board oversight, further investigation often found that the Board had not overseen the functioning of the reporting entity’s AML/CTF program as required” (by the Act and Rules).
This indicates non-compliance with the AML/CTF Rules, which under Part 8.4.1 state:
A reporting entity’s Part A program must be approved by its governing board and senior management. Part A must also be subject to the ongoing oversight of the reporting entity’s board and senior management.
This would significantly expose board and/or senior management to regulatory action.
AUSTRAC also identified an issue relating to independent reviews, regarding whether there is independence of the reviewer from those parties drafting the AML/CTF Program.
AUSTRAC in the report make it very clear that the reviewer must be “truly independent” and “not have a vested interest in the outcome of the review”.
As a rule of thumb the party undertaking the development or maintenance of the AML/CTF Program, including independent external parties, should not undertake the independent review. To put it simply this would be like marking your own homework!
AUSTRAC also identified that some independent reviews failed to adequately cover the requirement set out in Rule 8.6, which requires the independent review to assess:
- The effectiveness of Part A at addressing the ML/TF risk in all parts of the business, including all entities within a DBG.
- Part A’s compliance with the AML/CTF Rules
- The effective implementation of Part A
- Compliance with Part A
Reporting entities should therefore consider whether the scope of their independent review, when agreed with the reviewer, covered all these requirements and the subsequent report and findings adequately addressed all these areas.
If a reporting entity has not had a review that addresses all four areas, serious consideration should be given to updating their independent review to ensure it addresses all requirements set out in 8.6.
AUSTRAC further noted that some AML/CTF Programs failed to set out the obligation and the controls to ensure AUSTRAC is notified of changes to a reporting entity’s enrollment details, which is a basic legal obligation, and which AUSTRAC uses to calculate the supervision levy.
Reporting entities should therefore review the information held by AUSTRAC and ensure it is and remains up to date.
AUSTRAC in publishing this report are signaling a set of expectations, which all reporting entities should consider.
AUSTRAC have clearly identified issues in a number of areas of an AML/CTF Program that all reporting entities should review against their own AML/CTF Program, addressing any failings where necessary.
AUSTRAC, in publishing this report, have put all reporting entities on notice of what is expected and if these failings are found going forward the reporting entity will have little excuse to say it did not know.
Failure to consider and take action to rectify deficiencies and/or adopt the good practices the report identifies could create regulatory exposure for reporting entities.
The recent prosecution and subsequent $45 million settlement by TabCorp indicates that AUSTRAC will enforce against failings, particularly when those issues have been previously flagged/identified and the reporting entity failed to address them.