Anti-money laundering and counter-terrorism financing: Key questions for boards and executives in 2017

By Peter Haig
Anti-bribery & AML Corporate Governance Financial Services International Business Obligations Risk & Compliance

In brief

Australian boards and senior executives are expected to maintain oversight of risk and compliance issues including bribery, sanctions, human rights and anti-money laundering. In-house counsel perform a central role in supporting this oversight and maintaining compliance. In the fourth of a five-part series, Partner Peter Haig and Associates Andrew Shetliffe and Glyn Ayres look at the key questions that Australian boards and senior executives should be asking about anti-money laundering and counter-terrorism financing in 2017.

What is happening in AML/CTF regulation in 2017?

In short, a lot. Against the backdrop of two years of reviews and announcements, 2017 is shaping up to be a year in which the rubber hits the road in the world of anti-money laundering and counter-terrorism financing (AML/CTF) regulation. Now is the time for businesses that are subject to the AML/CTF regime – or that may soon be covered by its seemingly inevitable expansion – to consider the key issues and any actions they need to take.

As we previously reported, 2016 saw the release of the long-awaited Report on the Statutory Review of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 and Associated Rules and Regulations. The Report recommended sweeping changes to the AML/CTF regime, including:

  • dramatically simplifying the legislative framework to make it easier for businesses to understand and comply with their obligations; and
  • extending the regime to cover a range of non-financial businesses including real estate agents, accountants, lawyers, and 'high-value dealers' such as businesses that buy and sell precious metals and stones.

The Report emphasised that the proposed reforms should be 'co-designed' by government and industry, and that the extension of the regime should be subject to a cost-benefit analysis and industry consultation. Accordingly, a draft Project Plan was released for consultation and has now been finalised. The Project Plan provides a roadmap for lengthy consultations that are taking place as part of the reform process.

In addition to the reform process, a better-resourced AUSTRAC (the AML/CTF regulator) has been stepping up its enforcement activities, including the imposition of significant fines.

Set out below are five questions that boards and senior executives should be asking about AML/CTF regulation in 2017.

Should we take part in the consultation process for proposed AML/CTF reforms?

The consultation process is already underway, having in fact commenced before the Project Plan was finalised, and a report on the extension of the regime to specified non-financial businesses is expected shortly. However, the bulk of the consultations are yet to come, with the significant 'Phase 2' reforms up for discussion between July and December this year. The Phase 2 reforms include proposals aimed at substantial rationalisation and simplification of the AML/CTF legislation to produce a more 'principles-based' regime with less complexity. This would be a welcome development.

Reporting entities and other interested parties should consider making submissions on:

  • how the AML/CTF Act and Rules can be rationalised and simplified, including in relation to customer due diligence and verification;
  • rationalising and clarifying the reporting obligations under the regime;
  • simplifying AML/CTF programs by merging their 'Part A' and 'Part B' components;
  • reducing unnecessary burdens associated with compliance reports to AUSTRAC;
  • streamlining the correspondent banking requirements; and
  • improving guidance from AUSTRAC on a range of issues, including ML/TF risk assessment, the intelligence value of AML/CTF reporting, customer due diligence, and record-keeping requirements.

Is our ML/TF risk assessment current and specific to our business?

Meanwhile, as the reform process has been unfolding, AUSTRAC has been busily performing compliance audits of reporting entities (ie businesses covered by the AML/CTF regime). AUSTRAC has recently released guidance that draws on those assessments to provide insights into what businesses are getting right and wrong across a range of industries. Reporting entities should consider this guidance carefully, as it provides some clear, practical pointers as to what AUSTRAC looks for.

As we previously reported, a key critique of Australia's AML/CTF regime made by the intergovernmental Financial Action Task Force in its 2015 Mutual Evaluation Report of Australia was that the regime may not be sufficiently calibrated to the task of identifying and mitigating ML/TF risks. Perhaps, partly in response to that feedback, AUSTRAC has now warned reporting entities that 'off-the-shelf' risk assessments that do not properly identify or engage with the specific ML/TF risks faced by a business will not pass muster with the regulator. This warning is in keeping with AUSTRAC's efforts to shift reporting entities from a 'tick the box' approach to AML/CTF compliance to one that engages substantively with the ML/TF risks reporting entities face.

What AUSTRAC wants to see is evidence, in a reporting entity's AML/CTF program, that 'the reporting entity has actually thought about its AML/CTF obligations, the specific ML/TF risks it faces [and] the systems it will use to identify, mitigate and manage those risks'. AUSTRAC has reminded reporting entities of the requirement that their ML/TF risk assessments consider the following factors in the specific context of their particular businesses:

  • the designated services the business provides;
  • the types of customers who receive those services;
  • how the services are provided; and
  • the foreign jurisdictions (if any) in which the services are provided.

In addition, a business needs to state clearly in its AML/CTF program how it will update its risk assessment to take account of changing circumstances. Such changes may include the provision of a new designated service or entry into a new market, but information from transaction monitoring and ongoing customer due diligence should also be used. For example, where patterns of suspicious behaviour are identified, they should be fed back into the risk assessment.

The prescriptive nature of some parts of the AML/CTF regime, combined with the relative lack of guidance from AUSTRAC in relation to risk assessment, can lure some businesses into a 'tick the box' mentality. That is a trap to be avoided.

Do our AML/CTF outsourcing and automation arrangements meet the expectations of the regulator?

Many businesses use agency arrangements to outsource certain parts of their AML/CTF compliance, which is perfectly legitimate and permitted under the legislation. Similarly, many businesses use automated systems to carry out processes such as transaction monitoring.

However, outsourcing and automation also carry risks, related to the point above about the need for a reporting entity to stay abreast of its specific ML/TF risk profile. To guard against a 'set and forget' attitude to outsourcing, AUSTRAC has made it clear that agency arrangements should be set out in a contract that describes in detail what the agent will do. Further, the reporting entity should have documented processes for monitoring and testing the work of the agent to ensure it meets the requirements of the contract, the reporting entity's AML/CTF program, and the legislation.

As we have previously noted, it is important to recognise that, while a reporting entity can outsource its AML/CTF processes to a certain degree, the compliance obligations – and the reputational risks – stay with the reporting entity. AUSTRAC has noted that businesses often do not realise their outsourcing arrangements have resulted in non-compliance until there is a substantial breach or an adverse compliance assessment. Particularly as the regulator has now given that warning, reporting entities should consider reviewing their agency arrangements to make sure they are working as they should.

A related problem can arise with respect to the automation of AML/CTF processes. Some reporting entities implement automated processes, but forget to check whether IT upgrades might affect their efficacy. As with outsourcing, reporting entities should review their AML/CTF policies to ensure this risk is addressed.

Are we getting the most out of our Designated Business Group?

An AML/CTF Designated Business Group, or DBG, allows a group of related companies to adopt a single joint AML/CTF program and to pool compliance functions such as customer identification checks and ongoing customer due diligence. This can be a great way of maximising efficiency and minimising risks, but DBGs can also present their own risks and challenges.

One area of risk relates to entry into a DBG, which is not automatic. To join a DBG, a reporting entity in a corporate group must elect to do so and must register its election with AUSTRAC. Further, to be covered by the joint AML/CTF program of the DBG, the reporting entity must formally adopt the program (usually at a board meeting) and the program must apply to it. In practice, this means joint AML/CTF programs must be updated to reflect the particular designated services and ML/TF risk profiles of each company in the DBG. Overlooking any of these requirements could result in a serious breach, particularly if the omission leads to an entity providing designated services without an AML/CTF program as required by the legislation.

A disorganised DBG is also unlikely to produce the efficiencies that are available. For example, a joint AML/CTF program may make different provisions with respect to different reporting entities, reducing unnecessary compliance burdens. Alternatively, a DBG member may adopt an AML/CTF program which is different from the joint AML/CTF program that applies to the DBG. For instance, a reporting entity that qualifies for a special AML/CTF program (available, broadly speaking, to a reporting entity which provides no designated services other than arranging for customers to receive another designated service) may adopt a special AML/CTF program despite being a member of a DBG which provides other designated services. While clients have reported that the AUSTRAC online interface does not clearly reflect this flexibility when it comes to compliance reporting, it is nevertheless available and may be worth considering.

Another area of difficulty relates to circumstances in which a reporting entity can no longer be a member of a DBG. For example, if a corporate reorganisation results in a reporting entity no longer being sufficiently related to each other company in the DBG, that entity can no longer be a member of the DBG and AUSTRAC must be notified of its withdrawal from the DBG. It must then fend for itself as far as AML/CTF obligations are concerned. Further, when a reporting entity leaves a DBG, complicated questions arise about the extent to which it can continue to rely on customer due diligence procedures undertaken, or records kept, by another member of the DBG while it was in the DBG. Vendors and purchasers of interests in reporting entities should think carefully about the compliance risks and burdens that might arise in this situation.

Are any of our offshore entities or activities potentially captured by the AML/CTF regime?

It might be reasonable to assume that the Australian AML/CTF regime only captures designated services provided in Australia. However, that assumption would be wrong.

In fact, the AML/CTF legislation provides for various circumstances in which the regime will apply extraterritorially. It applies to companies incorporated in Australia that provide a designated service at or through a permanent establishment in a foreign country. It also applies to companies incorporated overseas that:

  • provide a designated service at or through a permanent establishment in Australia; or
  • are 'controlled' by an individual who is resident in Australia in a relevant sense; or
  • are subsidiaries of a company that is incorporated, or relevantly 'controlled' by an individual who is resident, in Australia.

The last two points apply even if the overseas company provides its designated services wholly outside Australia. Further, the legislative thresholds for 'control' and 'residency' are surprisingly low and could easily be triggered inadvertently.

The legislation does provide for exceptions to many of its requirements for entities operating in a foreign jurisdiction with comparable AML/CTF laws, but these exceptions reduce rather than eliminate the applicable obligations. For this reason, Australian businesses with foreign subsidiaries, and foreign businesses dealing in Australia, should consider whether the AML/CTF regime might unexpectedly apply to them.