A report released by AUSTRAC on 8 March 2017 identifies four areas for improvement in the compliance reporting required by the Anti-Money Laundering and Counter-Terrorism Financing Act 2006.
The four key areas for improvement relate to risk assessments, adoption of a risk-based approach to AML/CTF, outsourced and automated processes, and governance issues.
Under section 47 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Act), reporting entities are required to give the Australian Transaction Reports and Analysis Centre (AUSTRAC) a report regarding their compliance with the Act. Reports are due annually by 31 March each year.
On 8 March 2017, AUSTRAC released a report setting out its conclusions from reports lodged by reporting entities under the Act. The report detailed some improvement considerations in four key areas:
- Money-Laundering/Terrorism Financing (ML/TF) risk assessments;
- Applying a risk-based approach to Anti-Money Laundering/Counter-Terrorism Financing (AML/CTF);
- Outsourced and automated processes; and
- Governance issues.
ML/TF risk assessments
Many reporting entities engaged AML/CTF service providers to help them complete their risk assessments. In some cases, this resulted in generic risk assessments that could apply equally to any entity in that industry sector. Such an assessment is not tailored to protect that specific business.
Many reporting entities limited their reporting to risks faced by their business at a single point in time. Risk assessment should be an ongoing process, particularly as customers, products, delivery channels and technologies change over time. Reporting entities should have systems in place to ensure their risk assessments and methodologies evolve as needed.
Some reporting entities’ risk assessments focused almost exclusively on money laundering risks and failed to consider terrorism financing.
Applying a risk-based approach to AML/CTF
Some of the AML/CTF programs included large sections copied from the AML/CTF Rules or the AUSTRAC compliance guide. Those programs did not set out the actual systems and controls that a reporting entity had in place.
Many AML/CTF programs are templates obtained from external AML/CTF service providers that have not been tailored to suit the reporting entity’s business.
Use of vague or noncommittal language in programs significantly weakens their effectiveness. Clear, straightforward language helps employees understand what they need to do, the circumstances that trigger action and the nature of risk, such as the types of transactions that the reporting entity has identified as posing ML/TF risks.
Outsourced and automated processes
Some reporting entities assumed that the processes they, or their service providers, have implemented are working correctly and are compliant. In these cases, discovery of non-compliance only occurs after a substantial breach or adverse assessment from AUSTRAC.
Some entities assumed their automated processes are functioning in a compliant manner when this was not always the case.
A reporting entity may have engaged the same consultancy firm to design, and then later review, its AML/CTF program. While this does not necessarily mean the review is not independent, reporting entities must satisfy themselves that the reviewer:
- is truly undertaking an independent review of the program, and
- does not have a vested interest in the review outcome.
Part A of an AML/CTF program must be subject to ongoing oversight by a reporting entity’s Board of Directors or equivalent. Best practice for a reporting entity is to document procedures to ensure Board oversight. Where programs did not include procedures to ensure Board oversight, further investigation often found that the Board had not overseen the functioning of the reporting entity’s AML/CTF program as required.
A copy of the AUSTRAC report can be downloaded at www.austrac.gov.au/businesses/obligations-and-compliance/insights-compliance-assessments.
Posted by Jack Guthrie and John Kell