AUSTRAC has published its observations arising from recent AML/CTF compliance assessments of reporting entities and breach notifications received from reporting entities.
AUSTRAC has identified four key areas where reporting entities can improve their AML/CTF outcomes:
- ML/TF risk assessments;
- applying the risk-based approach to AML/CTF;
- outsourced and automated processes;
- governance issues.
ML/TF risk assessments
AUSTRAC says that reporting entities with appropriate ML/TF risk assessments demonstrated that they understood:
- how their products and services could be misused by criminals to launder money or fund terrorism;
- how likely it is that each product or service could be misused.
It says that it is essential that reporting entities undertake an ML/TF risk assessment before introducing any new products, services or delivery channels. This will allow reporting entities to implement compliant AML/CTF processes before providing the product or service to customers.
Reporting entities must also have systems in place to monitor changes in their ML/TF risk over time, and update their policies and procedures accordingly. This is because customers, products, delivery channels and technologies change over time.
AUSTRAC compliance officers' assessments have found that many reporting entities only considered the risks posed by their business at a single point in time, typically when they first developed their AML/CTF program.
However, many did not have systems in place that prompted them to update their risk assessments when aspects of their business changed, or when patterns emerged of the misuse of designated services by criminals.
AUSTRAC says that reporting entities must ensure they review patterns of suspected criminal activity emerging from their ongoing customer due diligence, and the suspicious matter reports they lodge with AUSTRAC, and update their risk assessment accordingly.
AUSTRAC also observes that some reporting entities’ risk assessments focused almost exclusively on money laundering risks and failed to consider terrorism financing.
While money laundering and terrorism financing can have similar methodologies, AUSTRAC says it is important that reporting entities consider the different objectives or motivations behind money laundering and terrorism financing. These differences can result in very different indicators of suspicious activity. Knowing the different indicators is important for reporting entities to monitor customer behaviour and detect and report suspicious behaviour to AUSTRAC.
Applying the risk-based approach to AML/CTF programs
AUSTRAC comments that some of the AML/CTF programs it reviewed included large sections that were copied from the AML/CTF Rules or the AUSTRAC compliance guide. Those AML/CTF programs did not set out the actual systems and controls that a reporting entity had in place.
AUSTRAC says that compliant AML/CTF programs contain policies, processes and procedures that are practical and fit-for-purpose in addition to being tailored to the specific ML/TF risks the reporting entity faces. They use clear language that allows reporting entity staff to know what they need to do and when.
A reporting entity stating that it has the systems and controls required by the AML/CTF Rules is not fulfilling its obligation to document those systems and controls in its AML/CTF program.
If a template is used as a basis for an AML/CTF program, AUSTRAC expects that it is customised for the reporting entity so that it addresses the specific ML/TF risks faced by the reporting entity.
AUSTRAC concludes that clear, straightforward language helps employees of the reporting entity to understand:
- what they need to do;
- circumstances that trigger additional action;
- the nature of risk in the business, such as the types of transactions that the reporting entity has identified as posing ML/TF risks.
Outsourced and automated processes
When the reporting entity outsources its AML/CTF obligations, AUSTRAC says the business needs to consider the impact this would have on its ability to meet its AML/CTF obligations. This includes:
- ensuring that the roles and responsibilities of the reporting entity and its service providers, including the AML/CTF activities each party would undertake, were clearly documented in a contract;
- proactive monitoring and testing of AML/CTF systems and processes provided by others through those contracts.
When automated systems are used to undertake AML/CTF processes, AUSTRAC recommends that reporting entities place importance on regularly monitoring those systems to ensure they are functioning as intended and mitigate the risk of non-compliance.
Reporting entities should ask themselves these types of questions when assessing their automated functions:
- in the case of transaction monitoring programs, have all business rules been configured correctly? For example, will the rules trigger enhanced customer due diligence processes or further investigation if unusual or suspicious transactions occur? Are the rules and triggers up-to-date with the changing ML/TF environment?
- have you considered the impact of IT changes, such as systems upgrades or new automated processes, on automated AML/CTF functions?
- where an automated function is designed to produce reports or alerts, are they being communicated effectively and promptly to someone who is adequately trained and authorised to deal with them appropriately, such as the AML/CTF compliance officer? Is the AML/CTF compliance officer appropriately resourced to consider automated alerts in a timely and thorough manner?
- are automated reports to AUSTRAC (such as threshold transaction reports and international funds transfer instruction reports) reconciled against the source transactional data?
AUSTRAC has observed that some reporting entities assume that the processes they, or their service providers, have implemented are working correctly and are compliant. Often, discovery of non-compliance occurs after a substantial breach or adverse assessment from AUSTRAC.
A service provider’s failure to follow compliant procedures places the reporting entity in breach and, at times, at risk of incurring financial penalty and reputational damage. Most importantly, it also increases the risk that ML/TF events will occur undetected.
Governance issues
AUSTRAC has observed instances where the entity conducting an independent review of a reporting entity’s AML/CTF program was closely associated with, or the same as, the entity that drafted the reporting entity’s program.
AUSTRAC says that while this does not necessarily mean the review is not independent, reporting entities must satisfy themselves that the reviewer is truly undertaking an independent review of the AML/CTF program and does not have a vested interest in the outcome of the review.
Additionally, many of the independent review reports that AUSTRAC has examined did not cover all the matters required by Part 8.6 of the AML/CTF Rules. Of concern is that some reporting entities had not independently identified this omission.
AUSTRAC has confirmed that Part A of an AML/CTF program must be subject to ongoing oversight by a reporting entity’s Board of Directors or equivalent.