17 Aug Increased AML/CTF Compliance Reporting – a glimpse into Australia’s possible future
A recent report by the UK FCA provides insight into the possible compliance reporting regime Australia may adopt as part of the response to the Statutory Review of the AML/CTF Act.
The Report on the Statutory Review of the Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Act 2006 was released on 26th April 2016.
The Statutory Review Report identified the current Section 47 Compliance Reporting as an area for review, with AUSTRAC stating they are considering the introduction of increased compliance reporting obligations on reporting entities.
AUSTRAC has not made any further comment on the possible shape of new or increased compliance reporting obligations. However, overseas regulators are increasing AML/CTF compliance reporting.
On the 29th July 2016, the Financial Conduct Authority (FCA) in the UK published Policy Statement PS16/19 “Financial Crime Reporting; Feedback on Chapter 6 of CP15/42 and final rules”, which put in place a Financial Crime Return. This return must be completed annually by all entities the FCA regulates that are covered by the UK’s AML/CTF law and regulation.
PS16/19 is the conclusion of a consultation with the industry that the FCA launched in December 2015.
The consultation posed six questions and drew responses from a broad number of industry participants including financial services and the legal profession.
The basis for putting in place a Financial Crime Return (FCR) is set out in the FCA business plan, which identifies financial crime as a priority for the FCA. The FCA has a statutory duty to enhance the integrity of the UK’s financial system, which includes protecting it from exploitation by criminals.
The FCA set out that when performing duties related to anti-money laundering, the supervisory standards it is expected to meet are formulated by the Financial Action Task Force (FATF).
The FCA identifies that its’ financial crime supervisory work relies on the use of ad hoc data requests to gather information about firms’ systems and controls.
PS16/19 states that because FCA does not currently routinely gather information from firms about financial crime, the risks they are exposed to, or how they manage those risks, it affects the FCA’s ability to operate a truly risk-sensitive supervisory approach in line with global standards.
Policy Statement PS16/19 identifies new FCA Rules, which it believes will address this issue and bolster its’ risk-sensitive supervisory approach. The FCR reporting requirements do not come in to force until December 2016, with a transition period of a year until December 2017.
The data and information required to be reported to the FCA covers a number of areas that are relevant to the level of Money Laundering (ML) and Terrorist Financing (TF), Financial Sanction (FS), and Fraud risk, as well as AML/CTF compliance arrangements. The reporting has been split by the FCA into the following sections:
This section requires that an entity reports on the business locations it has, and the potential ML/TF risk they represent:
- The FCR requires reporting on the jurisdictions of operation in which a reporting entity conducts business’.
- It also requires the entity to identify those jurisdictions it conducts business in that it has assessed and considers to be high-risk.
This section requires that an entity reports the number of customers they have against a number of criteria that address particular ML/TF risks and how they are addressed:
- Politically Exposed Persons (PEPs) – either individual or corporate, which are classified as being a PEP, or having PEP-connected relationships.
They are not required to report the total number of PEPs associated with a particular corporate customer.
- Correspondent banking relationship with a respondent institution from a non-EEA state (outside the EU and therefore not subject to the EU 4th Money Laundering Directive).
- Customers that are higher ML/TF risk and are therefore subject to Enhanced Customer Due Diligence measures.
- Customer relationships located in each country (country by country).
- Customers linked to those jurisdictions considered to be high-risk.
- Customer relationships refused or exited for financial crime reasons.
This section requires that an entity reports the number of SMRs made and financial crime related court orders received. This section also requires reporting on the number of staff that are dedicated to managing financial crime.
As part of the FCR entities are required to report:
- The number of suspicious activity reports (SMRs in Australia) submitted internally to the nominated officer/MLRO (AML/CTF Compliance Officer).
- The number of SARs (SMRs) disclosed to the Authorities.
- The number of disclosed SARs which sought consent. (The UK has a consent regime, where if a transaction that appears suspicious has not been executed, consent from the authorities must be sought before executing the transaction).
- The number of SARs (SMR’s) disclosed that relate to Terrorism.
- The number of investigative court orders received.
- This refers to the number of production orders, disclosure orders, account monitoring orders and customer information orders, issued by a court or the relevant authorities.
- The number of restraint orders being serviced/in effect. A ‘restraint order’ here refers to either a court issued restraint order or a property freezing order.
- The number of relationships maintained with natural or corporate persons (excluding group members) which introduce business to the firm.
- The number of relationships that introduce business relationships which have been exited for financial crime reasons.
- The total number of full time equivalent (FTE) staff with financial crime roles (AML/CTF/TFS and Fraud).
- The FTE dedicated to fraud responsibilities.
Australia’s Financial Intelligence Unit (FIU), AUSTRAC is in a different position to the FCA, as it already has sight of the SMRs filed by reporting entities so may not need as detailed reporting.
This section requires an entity to report on their Sanction (TFS) arrangements, requiring an entity to report:
- Whether they use an automated system (or systems) to conduct screening against relevant sanctions lists.
- The number of TRUE sanction matches that were detected.
- Whether repeat customer sanctions screening is undertaken.
This section aims to obtain the reporting entity’s view on the most prevalent frauds relevant to their business, which the FCA states will be used to understand whether the organisation is aware of the fraud risks identified by the broader industry.
This section only asks one question:
- Indicate the top three most prevalent frauds which the FCA should be aware of and whether they are increasing, decreasing or unchanged.
The FCR can be completed by a single entity or as a group of entities which would mean consolidating the information and data into a single report for a group.
Cost Benefit Analysis
The requirement to complete a FCR is based on the size of the entity. The FCA have limited completion of the FCR to entities, with an annual revenue of £5 million (circa AU$8.5 million).
As part of the consultation process the FCA considered the cost benefit analysis of implementing the FCR.
On the cost side of the ledger the FCA identifies that the FCR will apply to around 1,400 entities.
The FCA recognises that estimating the cost of reporting implementations is very difficult and the incurred cost varies significantly between firms.
The FCA identifies that the costs incurred are heavily dependent on firm-specific factors, including complexity and legacy IT systems.
FCA therefore expressed the cost as a range for both the cost per firm and aggregated cost to the industry:
- One-off compliance costs to introduce the requirement to collect and report the data in the FCR could range from £0 to £85,000 (circa AU$140,000) per individual firm, and could incur annual costs of anywhere between £0 and £12, 000 (circa AU$20,000) per firm. These costs did not include complex groups.
- Complex groups indicated that the implementation cost would range from £0–£100, 000 (circa AU$170,000), with complex group respondents indicating minimal ongoing costs.
The FCA concludes that the FCR would cost £10.9 million (circa AU$18.4 million) for the 1,400 entities to implement.
The FCA also estimates that annual running costs for the industry would be £700,000 (circa AU$1.2 million).
The cost to the FCA is estimated to be in the region of £1m (circa AU$1.7 million) for systems implementation, with minimal ongoing costs.
On the benefits side of the ledger, the FCA operates a risk-sensitive Financial Crime Supervision Strategy, which is dependent on accurate and consistent data for the risk-ranking of firms by financial crime risk profile.
To support their risk-sensitive Financial Crime Supervision Strategy, the FCA set out the following benefits of implementing the FCR:
- Provide regular, accurate and consistent financial crime data, collected and analysed by appropriate systems. This will allow more effective and efficient use of FCA resources
- Allow the accurate categorisation of firms, ensuring that the correct population of firms is selected for proactive AML, CTF and sanctions visits.
- The data will also be used to support the annual reclassification of firms under this system. Doing so will ensure that FCA financial crime resources are targeted in the correct areas, supporting more effective supervision of financial crime controls
- Provide data to be used to conduct proactive trend analysis and emerging risk identification.
- This data will also be used to facilitate analysis on related issues. For example, information on operating jurisdictions and customer geography can be used to inform other work including thematic reviews.
- This provides benefits by reducing the size and quantity of some ad hoc data collections, as well as ensuring that the most relevant firms are involved in FCA thematic work.
The FCA further states that the benefits of implementing the FCR cannot be calculated in financial terms, stating:
“The benefits of improved supervision derive from preventing the harms that arise from financial services being used for financial crime, both in terms of the underlying crime and the impact this has on the UK financial services sector. Given that this activity is inherently hard to quantify, we are unable to meaningfully assess the financial benefits of the reporting provision and these cannot therefore be reasonably estimated. “
In Australia there are currently over 14,000 reporting entities providing designated services under the AML/CTF Act 2006, which are regulated by AUSTRAC. However, whilst the benefits are the same the cost model might be significantly different.
The FCA does estimate that the costs would on average be £14,000 (circa AU$24,000) for implementation and £500 (circa AU$850) ongoing costs for the medium size firms, which provides a more realistic cost per reporting entity for a similar reporting requirement in Australia.
However, given that the majority of reporting entities regulated by AUSTRAC are relatively small concerns with simpler business models and technology infrastructure, the cost could be significantly less per reporting entity.
Clearly, in the FCA’s experience, relying on the use of ad hoc data requests to gather information about systems and controls and not routinely gathering information adversely impacts their financial crime supervisory work as well as the ability to operate a truly risk-sensitive supervisory approach in line with global standards. Like AUSTRAC, the supervisory standards the FCA is expected to meet are formulated by the Financial Action Task Force (FATF).
The FCA believe that introducing the systematic collection of information and data will support their supervisory work and an adequate risk-sensitive supervisory approach.
The introduction of the FCR does not replace the MLRO (AML/CTF Compliance Officer) annual compliance report to the board, which is a key regulatory tool deployed by the FCA.
The MLRO report ensures the board and senior management are aware of the effectiveness of AML/CTF compliance arrangements within an organisations and are able to demonstrate their oversight obligations, which are similar to those in place in Australia.
Whilst we still wait to see what AUSTRAC proposes in response to the commitments it made in the Report on the Statutory Review, it is clear that the collection and ultimate analysis of information and data about reporting entities’ AML/CTF programs, and how effective that program is at mitigating ML/TF risk, will be an important part of the AML/CTF compliance.
It is therefore probable that AUSTRAC may develop a similar compliance reporting regime in order to understand the level of compliance across the industry and within particular sectors of the industry.
Compliance reporting will be particularly important when, as we expect, Designated Non-Financial Businesses and Professions (DNFBPs) are brought into the Australian AML/CTF regime.
With reporting entity numbers estimated to swell to over 100,000 and finite supervisory resources, structured and comprehensive compliance reporting will be an important tool for AUSTRAC to understand the level of ML/TF risk within the industry, set supervisory priorities, measure compliance with AML/CTF obligations, and demonstrate that Australia’s AML/CTF regime is effective in practice.
The level and type of compliance reporting in Australia will increase, and reporting entities will have to make available significant data, some of which they may not have readily available currently.