Amid intense focus on financial institutions and the apparent regularity with which poor governance practices are being disclosed, an article in The Australian last week revealed interesting insights into the Australian Transaction Reports and Analysis Centre's (AUSTRAC) investigative approach.

The article refers to the newspaper's Freedom of Information (FOI) request to AUSTRAC relating to the documents the regulator sought from the Commonwealth Bank of Australia (CBA) well before it filed proceedings in the Federal Court alleging anti-money laundering (AML) breaches by CBA.

We are not commenting on the merits of that case, although it has attracted significant publicity. The case is continuing and the parties are due to report to the court on mediation efforts before the end of this month.

Of interest, as reported from the FOI responses, AUSTRAC sought a suite of documents including the bank’s recent internal and external audit reports on AML compliance; minutes of meetings of the board, audit committee and risk committee at which AML compliance was considered; iterations of the bank’s AML program; documentation of money laundering and terrorism financing risk assessment and risk management controls; and internal correspondence regarding regulatory reporting.

The nature of these requests and the scope of the documents, especially board minutes and records of when regulatory action was considered or taken, show the level of detail and focus the regulator applies in establishing whether and how an obligation has been performed, and consequently whether a breach may have occurred.

This is a timely reminder to all industry participants that good governance does not start and end with putting procedures in place.

It requires the active involvement of senior management to ensure those procedures are appropriate and, most importantly, that they are followed. A lack of adequate procedures, as well as a failure to follow procedures, could form the basis for a prosecution. The regulator's immense information-gathering powers enable it to gauge the extent to which compliance or non-compliance has occurred.

Regular review and assessment of what is being done, and importantly what is not being done, are essential to ensuring a business demonstrates proper governance and mitigates regulatory risk.