Last month, Tabcorp incurred a $45M civil penalty for failing to meet its obligations in relation to anti-money laundering and counter-terrorism financing. If anyone was in any doubt as to the serious consequences of failing to meet their obligations arising from the AML/CTF Act, then the Tabcorp case will have surely removed it.

In the same month, AUSTRAC issued an insights paper detailing common errors reporting entities are making. AUSTRAC has ascertained this information through its compliance monitoring and the self-reported breach notification processes[1]. In light of the Tabcorp case, all reporting entities should be reviewing their AML/CTF programs to ensure the errors and failings highlighted by AUSTRAC are not occurring in their business.

COMMON THEMES

A large proportion of the failings AUSTRAC found related to a small number of common approaches taken by reporting entities to their AML/CTF compliance programs. These deficiencies included:

  1. failing to tailor generic assessment templates;

  2. change management processes not considering AML/CTF risks;

  3. point-in-time assessments rather than continuous assessment;

  4. a failure to focus on terrorism financing risk;

  5. use of vague language in policy and procedure documents;

  6. a failure to monitor outsourcing arrangements or automated processes;

  7. a lack of independence in the review of AML/CTF programs; and

  8. a lack of board oversight stemming from the process being undefined.

As a result of these common deficiencies, AUSTRAC is looking for reporting entities to improve their AML/CTF compliance programs in the following four key areas:

  1. ML/TF risk assessments;

  2. applying a risk-based approach to AML/CTF risks;

  3. regular review of outsourced and automated functions; and

  4. governance of AML/CTF obligations.

RISK ASSESSMENTS

While using a template off-the-shelf risk assessment tool can be useful, reporting entities must tailor any such tool to their own business. In undertaking the AML/CTF risk assessment, the reporting entity needs to understand the inherent AML/CTF risks arising from:

  1. its designated AML/CTF services (including how they can be used for ML/TF purposes);

  2. its customer profiles;

  3. how its services are provided (such as in person, remotely or anonymously); and

  4. the foreign jurisdictions in which customers can access or use its designated services.

RISK-BASED APPROACH

Reporting entities are required to take a ‘risk-based approach’ in designing their AML/CTF programs. Using a ‘risk-based approach’ means that organisations must develop programs that manage the AML/CTF risks that are inherent in the designated services they provide and the environment in which they provide them. Each reporting entity therefore must tailor its AML/CTF program for its own business. The benefit of this approach is the flexibility it provides reporting entities in how they design their AML/CTF programs. However, this flexibility comes with a responsibility to ensure the AML/CTF program is adequate for the AML/CTF risks faced by the organisation.

A common failing detected by AUSTRAC was the use of vague language in describing the processes and controls put in place to manage AML/CTF risks. Often these were merely a copy of the language of the AML/CTF Act. AUSTRAC cites the example of a transaction monitoring program that consisted of “…reviewing customers’ transactions. Unusual transactions will be escalated to the compliance officer who will consider lodging a suspicious matter report, where appropriate.” This policy failed to describe how the monitoring was to be carried out or which indicators would make a transaction suspicious. Clearly, staff applying the policy would have no basis on which to comply with it consistently, relevantly or thoroughly. Policies, processes and procedures need to be practical, fit for purpose, detailed, clear and tailored to the specific ML/TF risks faced by the organisation.

OUTSOURCING AND AUTOMATED PROCESSES

A common issue with outsourcing and automation is that both are prone to point-in-time assessments with no ongoing monitoring or review to ensure the required outcomes continue to meet the relevant obligation. A point-in-time assessment also cannot ensure that subsequent changes within the business are taken into account.

Reporting entities need to make sure outsourcing and automated processes are well documented, regularly reviewed and periodically tested or reconciled against source data to ensure changes in the business (such as staff, product channels, products, customer base or systems) are taken into account.

A number of reporting entities have discovered long-running breaches of their obligations when a system change (particularly a system upgrade) has triggered a review. These organisations were then faced with reporting long-running systemic breaches. Reporting entities need to regularly ensure their controls, systems and processes are operating effectively to avoid systemic risk.

GOVERNANCE

AUSTRAC found a number of common governance issues stemming from:

  1. a lack of independence in the review process where the designers of the AML/CTF program are also engaged to review its operation;

  2. the board oversight process, including the procedure to be used, not being documented; and

  3. a failure to update the entity’s enrolment details with AUSTRAC.

Reporting entities should ensure their AML/CTF programs adequately cover these processes.

CONCLUSION

The AUSTRAC Chief Executive, Paul Jevtovic, says the Tabcorp civil penalty “serves as a stark reminder to all reporting entities that there are serious consequences for non-compliance with the AML/CTF Act.” All reporting entities should consider the areas identified by AUSTRAC in its insights paper to ensure their AML/CTF programs are meeting the organisation’s AML/CTF obligations.