As the AML/CTF regime approaches its 10th birthday, what are the key issues for the finance industry?
From 12 December 2007 reporting entities are required to have in place an AML/CTF program documenting how they:
- identify and verify customers; and
- identify, mitigate and manage the risk that the services they provide may be misused for money laundering or terrorism financing.
The regime has gone through several changes over the decade and most recently has seen more active regulatory supervision by AUSTRAC including audits of businesses.
The first annual report of AUSTRAC following the commencement of the regime noted that ‘while each individual reporting entity is best placed to determine their own level of money laundering or terrorism financing risk, a challenge for AUSTRAC has been to provide entities with as much assistance as we can.’
The whole concept of risk assessment is confusing for many. A business that only provides personal or residential mortgage finance is faced with the threshold question of whether any activity is ever high risk. How does the identity of the customer change the risk level given that payments are usually applied for specified purposes and repayments are sourced from Australian Bank Accounts? The risk of these transactions funding corrupt purposes is quite different from transactions that can be passed through a transactional account.
One thing is abundantly clear and that is that simply having an AML/CTF program (as required by law) is not sufficient. There need to be processes in place to:
- collect and verify identity information; and
- determine whether any transaction is suspicious or otherwise reportable.
Against that background, Dentons prepared the following very general and incomplete checklist.
A reporting entity must:
- identify its customers before a designated service is provided and conduct enhanced customer due diligence at other times (‘know-your-customer’ or KYC activities);
- keep records (for seven years after the last provision of a designated service) including details of transactions and copies of documents used to identify customers (regardless of whether the finance proceeds or not);
- perform due diligence on certain staff members and provide AML/CTF training to staff members;
- establish and implement a written AML/CTF program;
- provide annual compliance reports to AUSTRAC;
- report any suspicious matters to AUSTRAC;
- provide details of all physical or e-currency transactions of AU$10,000 or more; and
- undertake on-going transaction monitoring.
Action check list
- Review your risk situation at least annually to identify significant changes in risk.
- Have your AML/CTF program and its implementation independently reviewed at regular intervals.
- Undertake employee training at least annually.
- Review your employee due diligence program at least every two years.
- Ensure there is appropriate oversight by boards and senior management.
- Designate an AML/CTF Compliance Officer at management level.
- Review your transaction monitoring procedures at least annually to ensure they can reliably identify suspicious transactions, and identify complex, unusually large or unusual patterns of transactions that have no apparent economic or visible lawful purpose.
- Annually review the tools used to monitor transactions.
- Ensure you hold the appropriate consents from customers to undertake identity verification and use external tools.
We conclude this report by restating that simply having an AML/CTF program (as required by law) is not sufficient – you must have processes that work.