The Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (the Act) comes into full force on 30 June 2013.
As D-day nears, the government agencies tasked with supervising reporting entities under the Act (the Supervisors) are shifting their focus from educating reporting entities about their obligations to supervising and enforcing compliance with the Act.
In this update, we consider the Supervisors' likely approach to supervision and enforcement, and the practical implications for reporting entities.
How will compliance with the Act be monitored?
In a recent presentation, the Reserve Bank stated that the primary focus of the Supervisors after 30 June 2013 will be monitoring compliance with the Act, with a lesser focus on risk assessment, investigations and enforcement. The Financial Markets Authority (FMA) has also recently issued guidance on its approach to supervision under the Act.
A risk-based approach to supervision and enforcement is a key guiding principle for the Supervisors. In accordance with this risk-based approach, reporting entities will be subject to different kinds of monitoring depending on their money laundering and terrorism financing risk.
The Supervisors have a range of methods available to monitor compliance by reporting entities. For example, the Supervisors can request information, documents and records from reporting entities and conduct onsite inspections. At a practical level, the FMA have stated that their monitoring activities may start by asking senior management "How do you know your organisation is compliant and adopting appropriate behaviours?" If reporting entities resist monitoring, enforcement officers appointed by the Supervisors can search reporting entities' premises and seize relevant information.
The key thing for reporting entities to know at this stage is that requests for information and onsite inspections are likely to begin soon after 30 June 2013. The FMA expects many entities, particularly in medium-high risk sectors, will obtain external audits well in advance of the two year window allowed by the Act, and that some audit reports will be available for the period 30 June 2013 to 31 December 2013. FMA will consider whether a firm has received an audit report when determining priorities for monitoring.
For some reporting entities, particularly small entities in low risk sectors, monitoring may be limited to analysis of annual reports submitted under the Act, thematic surveys and desk-based reviews of requested documents.
Larger entities in higher risk sectors should expect onsite inspections. The Reserve Bank has already developed a programme for onsite inspections over the next 12 months based on risk assessments. Onsite inspections may last for up to several weeks, and may cover single or multiple areas of compliance. For example, an onsite inspection of a larger reporting entity might examine the entity's process for making suspicious transaction reports.
Reporting entities can expect to be given reasonable notice in advance of onsite inspections, and the Supervisors are likely to request information and copies of relevant documents in advance of inspections. However, we caution that the Supervisors are not required under the Act to give notice. They may arrive without notice if they suspect a reporting entity is intentionally non-compliant.
The Supervisors will analyse collected information to detect potential non-compliance. Like the Australian Transaction Reports and Analysis Centre (AUSTRAC) (the entity tasked with monitoring and enforcing the equivalent Australian legislation), the Supervisors are likely to tailor their analysis to specific industry sectors based on their expectations for reporting entities in that sector. Reporting entities should therefore ensure that they keep pace with their industry peers when implementing compliance regimes, or risk being identified as non-compliant.
How will compliance with the Act be enforced?
When faced with a potential breach of the Act, the Supervisors have a range of enforcement options at their disposal.
Possible sanctions for non-compliance with the Act range from formal warnings and enforceable undertakings to criminal convictions. A criminal conviction under the Act could result in a penalty of up to two years' imprisonment for individuals or a fine of up to $5 million for a body corporate.
While the Supervisors have indicated that enforcement is a lower priority than monitoring and supervision, some level of enforcement action is necessary to discourage non-compliance. The Reserve Bank has warned that the Supervisors are likely to take a firm stance from the outset with reporting entities in sectors with high money laundering risk and high non-compliance risk.
We expect the Supervisors to concentrate on education and guidance, and to escalate to enforcement action only where reporting entities continually fail to comply or wilfully do not comply. Furthermore, the Supervisors have stated that enforcement action "will be proportionate to the nature and severity of any non-compliance on a case by case basis". The FMA has said "We may undertake further inquiry or expect a reporting entity to adjust its compliance and follow up to ensure that this is done. In some cases, notices, warnings or enforceable undertakings may be used. Further non-compliance could result in stronger action, such as civil or criminal prosecution."
Our expectations are mirrored by the Australian experience where enforcement action has been infrequent and low level. Over the past two years, AUSTRAC accepted enforceable undertakings from two entities, gave remedial directions to three entities and required one entity to appoint an external auditor. AUSTRAC did not seek any injunctions, pecuniary penalties or criminal penalties from the court for non-compliance with reporting requirements.
Examples of enforceable undertakings given by reporting entities (and accepted by AUSTRAC) include commissioning an external auditor or a review of the reporting entity's compliance and conducting revised risk management assessments.
As the Reserve Bank has noted, reporting entities should not be complacent. The expected low levels of enforcement action do not mean that reporting entities do not need to comply with the Act. Rather, once the Supervisors have identified a reporting entity as being potentially non-compliant, they are likely to more closely supervise that reporting entity.
Message for reporting entities
While it is unlikely that the Supervisors will take significant enforcement action immediately after 30 June 2013, compliance is likely to be closely monitored. To avoid the risk and additional costs associated with being subject to external monitoring or the introduction of a stricter compliance regime, businesses should ensure that they have compliance regimes in place in advance of the Act coming into full force.