Independent Reviews – The Lessons Learnt

aml risk assessment

Independent Reviews – The Lessons Learnt

AUSTRAC’s increased focus on particular industry sectors and on compliance with the June 2014 CDD changes (after expiry of the assisted compliance period on 1st January 2016), coupled with increasing awareness by reporting entities that non-compliance with AML/CTF obligations, can create reputational damage and adversely impact a business, has meant the demand for independent reviews is increasing.

Over the last 12 months we have undertaken   independent reviews for many reporting entities from industry sectors including Remittance Providers, Investment Banks, Investment Management and Foreign Exchange.

This allows us to provide insight on areas where we find reporting entities commonly need to take action, which you may find useful when thinking about commissioning an independent review.

 What is an Independent Review?

The Australian AML/CTF regime requires that reporting entities have their AML/CTF programs periodically reviewed.

The AML/CTF Rules require an independent review to:

  • Assess the effectiveness of a business’ program having regard to its risks;
  • Assess whether the program complies with legal and regulatory obligations;
  • Assess whether the program has been effectively implemented; and
  • Assess whether the business is complying with its program.

There is no set time period for conducting an independent review.  The choice of review frequency should be a combination of the ML/TF risk faced by the business, the maturity of the AML/CTF program, and the rate of regulatory change.

 Preparation Preparation Preparation

We sometimes find reporting entities are unable to easily provide a complete and up to date set of documents to support the review.

By definition the documents required will include the AML/CTF program documents and material, but they should be stored in a way that supports your ability to demonstrate the evolution of the program over time.  This involves putting in place practices where version control is appropriately maintained.

Equally important is the ability to provide documents that explain about the business, the market it serves, and the products and services offered to customers.  This will help the reviewer to understand your business and frame the review in the context of your business. After all, there are unique things about your business and the AML/CTF controls you deploy within your business – one size does not fit all.

The availability of business records and other material which demonstrates compliance with the AML/CTF program requirements will also be necessary.  These records can include staff training, CDD material on customers, suspicious matter reports, and other transaction records covering reporting obligations such as IFTIs.

Governance is a common failing.  Whilst the AML/CTF program may have been maintained and may have kept pace with the changing regulatory requirements, some smaller firms forget to get the new versions of the program approved by management.  Adoption of the program is a key implementation requirement within the AML/CTF Rules.

An experienced reviewer should be able to provide you with a checklist of the documents you will need to provide as part of the review, and provide guidance on what state they should be in before considering commencing a review.

Understanding the Risks  

Frequently we identify issues that relate to the risk assessment.  Undertaking an appropriate money laundering (ML) and terrorist financing (TF) risk assessment is the foundation to your AML/CTF program.

It is no coincidence that assessing the effectiveness of a business’ program having regard to its risks is the first requirement of the independent review.

Most reporting entities we work with have a good grasp of their risks, but some fail to adequately document that understanding. Unfortunately, all too often we see the risk assessment fall short, whether that’s because it does not adequately cover the risks, has not assessed the risks it has identified, or does not fully document that assessment.

In extreme cases the risk assessment only takes the form of a narrative in the actual program document.  The recent court action by AUSTRAC in relation to Tabcorp has highlighted the requirement to have a separate risk assessment document.

The risk assessment should be updated at least annually (or when there is a material change to your business or when new products are introduced).  The risk assessment, your business and therefore your risks do not remain static.

 Previous Independent Reviews

As the current AML/CTF regime has been in place for a number of years, a reporting entity should have commissioned at least one independent review by now.

In our experience, it is rare that an independent review will result in no recommendations or actions for the reporting entity to consider.  It is also a requirement that the management of the reporting entity formally responds to the findings of an independent review.

It is also common practice for independent reviewers to check the action taken as a result of a previous independent review.

We sometimes find reporting entities have not fully documented their response to a previous review and experience difficulty in demonstrating that they have taken appropriate action.

It is important that a reporting entity has a structured and robust process for managing the actions resulting from an independent review, and is able to make sufficient information available about what they did in response to the findings of an independent review.

 Customer Due Diligence

With the June 2104 changes, CDD has recently become a specific review topic for AUSTRAC.  CDD is also one of the fundamental AML/CTF controls as it supports many other controls, including transaction monitoring and suspicious matter reporting.

Reviewing CDD files is therefore a core pillar of an independent review and is also a key measure of the business’ level of compliance with the AML/CTF program.

We often experience varying degrees of completeness and coherence when reviewing CDD files as part of an independent review.

Whilst it’s common that different functions of a business are involved in the processes required to complete customer due diligence, it is important that a reporting entity is able to bring this data together and produce well-structured CDD files that contain all the necessary documents to prove that the requirements set out within the AML/CTF program have been met.

In Conclusion

An independent review should provide insight into your compliance and risk management activities, whether your business has adopted the compliance and risk management controls, and how your business is operating within the boundaries of the AML/CTF program.

In choosing an independent reviewer for your business, there is no substitute for experience.

An effective independent review should deliver pragmatic, proportionate, and business-focused outcomes that support your business in achieving regulatory compliance and managing risk in a way that works for the business.