AUSTRAC released a report titled Insights from Compliance Assessments (Report) in March 2017 which included insights from the compliance assessments it conducted in 2016.
The Report outlines the areas where reporting entities are performing well and the areas for improvement. Particularly, AUSTRAC has identified four key areas where reporting entities can improve on their Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) outcomes:
- ML/TF Risk Assessments;
- Applying the risk-based approach to AML/CTF;
- Outsourced and Automated Processes; and
- Governance Issues.
ML/TF Risk Assessments
The Report emphasises the importance of risk assessment in the framework of a compliant AML/CTF Program and calls for reporting entities to undertake a ML/TF risk assessment before introducing any of the following:
- new products – e.g. when a remittance provider starts providing remittance services for a different currency pair;
- services – e.g. when a financial service provider starts providing dealing services in addition to advisory services; and
- delivery channels – e.g. when there is a change of method used in the delivery of financial services, such as the recent development of digital advice in addition to face to face.
AUSTRAC indicates that as customers, products, delivery channels and technologies continue to change over time, it is crucial that reporting entities have systems in place to monitor these changes and update their policies and procedures accordingly.
In relation to the ML/TF Risk Assessments, AUSTRAC has identified the following insufficiencies:
- Generic Risk Assessments – risk assessment which is of a generic nature and not tailored to the business to which it relates;
- Changes in Risk Profile – AUSTRAC indicated that many reporting entities did not consider changes in their overall ML/TF risk profile on an ongoing basis. AUSTRAC observed that most reporting entities only considered the risks posed by their business at a single point of time, typically when they first developed their AML/CTF program;
- insufficient focus on terrorism financing risk – AUSTRAC indicated there has been insufficient focus on terrorism financing risk, which may lead to reporting entities not considering certain indicators of suspicious activities.
Applying the Risk-based Approach
The AML/CTF regulation in Australia is risk-based, meaning reporting entities are given flexibility in determining how to fulfil many AML/CTF obligations.
However, reporting entities should clearly indicate in their AML/CTF Program how they fulfil their AML/CTF obligations.
The Report has identified the following areas of insufficiencies in this regard:
- Documenting Systems and Controls – AUSTRAC indicated that some AML/CTF Programs contain large sections that were copied from the AML/CTF Rules and/or AUSTRAC compliance guides, which do not reflect the systems and control that the reporting entity has initiated as its own approach;
- Template Programs – AUSTRAC does not discourage the use of external consultants in the preparation of AML/CTF Programs but emphasises the importance of having these template programs tailored to suit your specific business;
- Use of Non-Specific Language – AUSTRAC observed the use of vague or non-committal language in many AML/CTF programs and expects reporting entities to use clear and straightforward language to ensure that employees can easily understand what they are required to do.
Outsourced and Automated Processes
How often do you ask yourself questions such as the following?
In the case of transaction monitoring programs, have all business rules been configured correctly?
- Will the rules trigger enhanced customer due diligence processes or further investigation if unusual or suspicious transactions occur?
- How often do you consider the impact of IT changes, such as system upgrades or new automated processes, on automated AML/CTF functions?
- Where an automated function is designed to produce reports or alerts, are they being communicated effectively and promptly to someone who is adequately trained and authorised to deal with these changes appropriately?
- Are automated reports to AUSTRAC reconciled against source transaction data?
Reporting entities are reminded that even when AML/CTF activities have been outsourced and/or automated, they remain responsible for the proper function of an AML/CTF program.
The Report identified insufficient oversight of outsourced functions and automated functions by reporting entities. AUSTRAC noted that a service provider’s failure to follow compliant procedures can result in a breach of the reporting entity’s obligations and as a result places the reporting entity at risk of incurring financial penalties and reputational damage.
AUSTRAC observed instances where reporting entities engaged the same entities which prepared their AML/CTF Programs to conduct independent compliance reviews. AUSTRAC cautions reporting entities about this and suggests they consider whether they are satisfied that the reviewer is truly undertaking an independent review of the AML/CTF Program and does not have a vested interest in the outcome of the review.
When engaging an entity to conduct an independent review of your AML/CTF Program, you must ensure that the following aspects are covered in the review:
- the effectiveness of Part A of the program in addressing the ML/TF risk of the reporting entity or each reporting entity in a designated business group;
- Whether Part A complies with the requirements outlined in the AML/CTF Rules;
- Whether Part A has been effectively implemented; and
- Whether the reporting entity has complied with Part A of its program.
Part A of the AML/CTF Program requires regular oversight of the Board. As such, we encourage you to document procedures to ensure Board oversight and approval of Part A of your AML/CTF Program.
It is important to consider your obligation to update your enrolment details with AUSTRAC via the AUSTRAC Business Profile Form. This is a legal obligation and is used by AUSTRAC to calculate levy amounts, prompt reviews and update of your enrolment details will avoid reporting entities being incorrectly invoiced by AUSTRAC.
If you are an existing client of ours, please consider and contact us if you wish to:
- review and update your AML/CTF Program;
- discuss the new products, customers, delivery channels and your existing Risk Assessment;
- update your enrolment details with AUSTRAC; or
- have Sophie Grace assist you with compliance training for your entity.
If you are a new client, we are here to assist with:
- a tailored AML/CTF Program;
- registration application with AUSTRAC;
- an independent compliance review.
Sophie Grace has extensive experience in assisting various types of clients with their AML/CTF Programs and all relevant questions. We offer tailored compliance services in this respect and can assist clients in preparing and finalising a compliant AML/CTF program as well as conducting an independent review of your existing program. We will work with you to address any insufficiencies and ensure compliance across all areas.
Please feel free to contact us for further information on how we can assist you with your AML/CTF obligations.