01 Nov Not that Super – ML/TF Risks & AML/CTF Controls within the Superannuation Industry
On the 31st of October 2016 AUSTRAC published its money laundering and terrorist financing risk assessment on the Australian Superannuation (Retirement & Pension Fund) sector.
The risk assessment provides sector-specific information on ML/TF risks, and can be found at http://www.austrac.gov.au/australias-superannuation-sector
The risk assessment counters the widely-held position that Superannuation is low ML/TF risk, establishing that:
- AUSTRAC assesses the overall money laundering and terrorism financing (ML/TF) risk for the superannuation sector as MEDIUM.
- This rating is based on an assessment of the criminal threat environment, the vulnerabilities within the sector, and the consequences or harms associated with the criminal threat.
- The superannuation sector in Australia is faced with a serious and multifaceted criminal threat environment.
- The volume and value of money moving through the sector, and the number of member accounts at the national level, make it an attractive and lucrative target for both opportunistic criminals and well-resourced organised crime groups.
- Terrorism financing activity presents a challenge for the industry and government given the significant consequences that can occur with small amounts of funds.
- AUSTRAC believes that significant opportunity exists for superannuation funds to leverage this assessment and to expand their suspicious matter reporting and strengthen internal controls against financial crime.
The information in this risk assessment relates to corporate funds, industry funds, public sector funds and retail funds. It does not specifically assess the risks posed by self-managed superannuation funds (SMSFs), although there is some reference to SMSFs in the assessment.
AUSTRAC has the expectation that the risk assessment will assist reporting entities to evaluate and improve the systems and controls necessary to mitigate these risks.
AUSTRAC also makes it clear that future AUSTRAC compliance activities of this sector will include assessing how reporting entities in the sector have responded to the information in the risk assessment.
By any measure the superannuation industry is a significant player in financial services.
The risk assessment establishes that the superannuation industry comprises of 242 funds with total assets under management of more than $1.25 trillion, held on behalf of 28 million accounts, which receive contributions of over $100 billion and make over $60 billion in payments annually.
However, in AML/CTF terms the industry seems to be punching below its weight, reporting only 294 suspicious matters in the last two years.
To put that in perspective the AUSTRAC Annual Report published in mid-October identified that over a 12-month period AUSTRAC received a total of more than 78,000 suspicious matter reports.
The risk assessment further documents that only five funds submitted over 50% of the 294 suspicious matter reports, and only 49 funds (out of the 242) submitted any suspicious matter report.
The net result is that nearly 200 funds have not made a suspicious matter report to AUSTRAC in the last 24 months.
The risk assessment goes on to identify that approximately 30 per cent of SMRs submitted by the sector over a two-year period were referred to, or requested by, partner agencies for further analysis and investigation.
The AUSTRAC Annual Report states that around 7.5% of all suspicious matter reports were made available to partner agencies for further investigation, indicating that suspicious matter reports from the superannuation industry are of significant investigation value.
As a result, AUSTRAC rightly raises the question whether poor reporting is indicative of weak AML/CTF controls within the sector.
Before tackling the controls, let’s look at the nature of the ML/TF risks that the industry is facing and should be mitigating through their AML/CTF program and controls.
AUSTRAC splits its risk assessment into three areas:
- criminal threat environment
- vulnerability to ML/TF and predicate crimes
- the consequences of ML/TF risk
AUSTRAC identifies that the criminal threat environment is varied and multifaceted, ranging from opportunistic offences conducted by individual members, to complex and sophisticated attacks executed by organised crime groups, including from entities based overseas.
The size of the superannuation sector makes it an attractive target for money laundering and associated predicate crimes.
Fraud is by far the most prevalent predicate crime, with many reported cases of falsified documents and attempted illegal early release of superannuation savings.
Many cases of fraud are enabled by cybercrime, with funds observing regular and sophisticated hacking attempts.
Terrorism financing is a limited but emerging threat. Foreign terrorist fighters (FTFs), who are generally self-funded, have accessed superannuation accounts to finance their activities.
The specific characteristics of the superannuation sector that contribute to its vulnerability to ML/TF and predicate crimes include:
- the extremely large number of member accounts and volume of transactions
- low levels of member engagement, which hampers timely detection of fraud
- post-preservation accounts which have few restrictions on making transactions to and from the accounts
- voluntary contributions to accumulation accounts by members, where the source of money is difficult to verify
- payments to members and outgoing rollovers that are vulnerable to fraud and illegal early release
- the growing reliance on online delivery of products and services, resulting in less face-to-face interaction with customers and increasing online data storage.
The risk assessment identifies customer ML/TF risk factors that limit the overall vulnerability of the sector include:
- the relatively simple customer type (mostly individual members)
- the relatively low level of customer anonymity
- the very limited use of cash
- the non-transferability of superannuation accounts between people.
- the lack of foreign politically exposed persons (PEPs) and
- the low number of overseas customers and transactions indicate a low foreign jurisdiction risk for the sector.
Additionally, source of funds and wealth was identified as a general mitigant to ML/TF vulnerability.
Fund contribution payments received from an employer were identified by AUSTRAC as carrying a low level of risk as the source can be readily established.
However, AUSTRAC identified that payments direct from a member present a higher risk because of the potential difficulties in determining their source.
The risk assessment identified that assessing a member’s source of funds or wealth was reported by the industry as a challenge.
The risk assessment identifies product and service ML/TF risk factors that present various levels of vulnerability:
- lower risk products include eligible rollover funds and defined benefits funds where they do not allow members to make contributions.
- higher risk products include accumulation funds and post-preservation accounts, which allow relatively easier movement of funds.
There are several factors that limit the vulnerability of most superannuation fund products for money laundering. These include:
- conditions and restrictions on when money can be moved to and from superannuation accounts
- taxes levied on excess/voluntary contributions
- the high level of visibility of transactions by the ATO
- the relatively low level of customer anonymity; and the non-transferability of superannuation accounts between people.
These factors do not, however, reduce the vulnerability of these products to fraud.
Regarding channel ML/TF risk, AUSTRAC identifies that the growing reliance on online delivery of superannuation products and services makes the sector vulnerable in several ways.
Superannuation funds have very limited face-to-face contact with their members.
A clear trend in many funds is an increased emphasis developing new and novel capabilities that empower members to make changes online to their profiles, contact details, payment frequency and payment amount.
AUSTRAC identifies that without robust safeguards in place, these types of changes could unintentionally create new and significant vulnerabilities.
In the risk assessment AUSTRAC also identified that superannuation funds tend to have minimal exposure to jurisdiction risk, as most have only a very small number of overseas-based members; for example, when an Australian citizen is working overseas for an Australian organisation. However, jurisdiction risk can be an issue in relation to departing Australia superannuation payments.
When it comes to business ML/TF risk AUSTRAC identified some common internal and operational vulnerabilities.
Data security was identified as a critical vulnerability, as funds continue to move towards digitising their internal operations, such as through cloud services and offshore service providers.
AUSTRAC stated that funds should also consider risks posed from employees, fund administrators, financial planners and other outsourced providers who can access sensitive information.
It was identified that fund employees may be in positions where they could facilitate or execute money laundering, or a predicate crime such as fraud.
One scenario quoted was where post-preservation accounts are most vulnerable to internal fraud because of the ability to withdraw a lump sum payment.
AUSTRAC identifies, when it comes to the consequences of ML/TF risk, that:
- predicate crimes are generally borne at the individual fund level, particularly for funds with poor internal controls or a weak compliance culture.
- terrorism financing, though to date only involving a few cases, may have significant consequences, including financing the activities of individuals seeking to engage in foreign conflicts and potentially enabling terrorist acts in Australia and overseas.
Now turning to AML/CTF systems and controls, AUSTRAC states that:
- it is highly likely there is significant under-reporting and non-reporting of suspicious matters across the superannuation industry.
- There is considerable scope for superannuation funds to expand their suspicious matter reporting and strengthen internal controls against financial crime.
AUSTRAC further states that this view is strongly supported by various superannuation funds and industry experts that provided input to this report.
- Some funds reported that their boards were highly accessible, engaged and aware of the risks associated with ML/TF and the various predicate offences.
However, both funds and industry experts were concerned that this level of accessibility and board engagement may not be consistent across the sector.
The risk assessment appears to be a comprehensive and well researched document containing some stark facts about the superannuation industry’s ML/TF risks and the effectiveness of the AML/CTF systems controls deployed within the sector.
The superannuation firms should take note of the information within the risk assessment as a matter of urgency and review their own AML/CTF arrangements considering AUSTRAC’s findings.
The superannuation firms should consider whether their ML/TF risk assessment considers the threat environment the ML/TF vulnerability and the consequences of the ML/TF risks, set out by AUSTRAC, and it is equally important that they can demonstrate that they have done so.
Firms should further consider, based on their own and AUSTRAC risk assessment, whether they have appropriate controls to mitigate their Ml/TF risk, as required by the AML/CTF Act 2006.