Complying with your AML/CTF obligations
AUSTRAC Action: The Westpac Case
AML/CTF obligations – A case study:
The Australian Transaction Reports and Analysis Centre (AUSTRAC) made national and international headlines on 20 November 2019, when it applied to the Federal Court for civil penalty orders against Westpac, alleging systemic non-compliance with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act).
AUSTRAC has alleged that Westpac has contravened the AML/CTF Act on over 23 million occasions, including the failure to:
- Appropriately assess and monitor the ongoing money laundering and terrorism financing risks associated with the movement of money into and out of Australia through correspondent banking relationships.
- Report over 19.5 million International Funds Transfer Instructions (IFTIs) to AUSTRAC over nearly five years for transfers both into and out of Australia.
- Pass on information about the source of funds to other banks in the transfer chain.
- Keep records relating to the origin of some of the international funds transfers.
- Carry out appropriate customer due diligence on funds transferred to the Philippines and South East Asia, where there is an increased risk of potential child exploitation.
How Australia’s AML/CTF regime works
Australia’s AML/CTF regime was implemented to address the threats that money laundering and terrorism financing (ML/TF) pose to national security and the integrity of key sectors of the economy, and to bring Australia into compliance with international AML/CTF standards developed by the Financial Action Task Force (FATF).
Organisations which provide “designated services” come within the ambit of the AML/CTF regime (such as banks, financial services providers, the gambling industry and money service providers) and are described as “reporting entities”.
In order to comply with their AML/CTF obligations, reporting entities must implement systems and controls which manage the risk that their businesses could be used for money laundering or terrorism financing (ML/TF). The AML/CTF Act requires a reporting entity’s systems and controls to be documented in an AML/CTF Program, and sets out the policies and procedures which must be implemented by the entity, and documented in the AML/CTF Program.
AUSTRAC is Australia’s AML/CTF regulator and specialist financial intelligence unit. Since 2017, AUSTRAC has “upped” the level of regulatory action taken against reporting entities who fail to comply with their obligations under the AML/CTF Act. A notable example is the agreement reached between AUSTRAC and the CBA in June 2018, when CBA agreed to pay a $700 million penalty for its serious breaches of the AML/CTF laws.
Given AUSTRAC’s more robust attitude to compliance by reporting entities, it is increasingly important for reporting entities to ensure that they comply with the AML/CTF laws.
Often, companies assume that banks and other major financial institutions will take responsibility for identifying the proceeds of crime or thwarting potential money laundering schemes. However, AUSTRAC takes the view that compliance with AML/CTF laws is the responsibility of each reporting entity, and companies need to ensure that their AML/CTF compliance is both comprehensive and effective.
At Holley Nethercote Lawyers, we provide a range of clients with detailed and practical advice as to how to comply with their AML/CTF obligations. We also regularly conduct independent reviews of a reporting entity’s AML/CTF Program (which are required under the AML/CTF laws under Part 8.6 for reporting entities and Part 9.6 for Designated Business Groups). Our independent review reports identify any deficiencies in a reporting entity’s policies or procedures, or in the implementation of those procedures.
Common recommendations which flow from our independent AML/CTF reviews include:
1. Management oversight and compliance with the AML/CTF regime:
As well as nominating a designated AML/CTF compliance officer, a reporting entity must demonstrate that it has implemented governance procedures which ensure that it complies with its AML/CTF obligations.
The reporting entity must demonstrate its management and oversight of how the business deals with any AML/CTF issues which may arise, as well as ongoing compliance with its AML/CTF obligations. For example, a reporting entity must ensure that its Board receives regular updates in relation to potential AML/CTF issues, and conducts regular reviews of its ML/TF risk and transaction monitoring systems. It is also important to ensure that the reporting entity maintains appropriate oversight over any of its AML/CTF functions which are outsourced to a third party.
2. Assessment of customer risk:
The AML/CTF laws require an AML/CTF Program to include risk-based systems and controls to identify and verify the identity of customers. This means that as part of its Know Your Customer (KYC) procedures, each reporting entity should determine the ML/TF risk level of each customer, and record that assessment on the customer’s account.
The level of ML/TF risk assessment allocated to a customer then determines the nature and extent of the customer identification information to be collected and verified. Each customer’s ML/TF risk assessment determination should be recorded on the customer’s account or file.
Companies should avoid assuming that all customers represent either a low or medium risk of ML/TF activity. A comprehensive ML/TF risk assessment process should include considerations of the customer type and the jurisdiction in which the customer is based, as well as whether an individual customer or a beneficial owner [1] of the customer is a Politically Exposed Person (PEP) [2].
The risk assessment process should also include consideration of the following factors:
- the customers’ source of wealth and funds;
- the nature and purpose of the company’s business relationship with each customer type; and
- the control structure of non-individual customers (including beneficial owners).
Companies also need to create and implement a process for ensuring that a customer’s ML/TF risk assessment is re-evaluated if there are changes to the customer’s details (in relation to its control structure or beneficial ownership details), or changes in the nature of the company’s relationship with its customer. The process should also set out how changes are identified.
In order to comply with this obligation, some reporting entities have implemented a procedure whereby the entity repeats the KYC checks on all customers at regular intervals, and the time period between KYC checks is determined in accordance with the customer’s ML/TF risk rating. For example, customers posing a high ML/TF risk are re-screened more regularly than customers with a low or medium ML/TF risk rating.
3. Ongoing customer due diligence:
Following from the initial KYC procedures, reporting entities are required to monitor all of their customers and their transactions on an ongoing basis.
The three (3) mandatory requirements of ongoing customer due diligence are:
- implementing trigger points for collecting additional KYC information (not just for high ML/TF risk clients);
- implementing a transaction monitoring program, which flags any unusual transactions, and notifies the AML/CTF compliance officer (or other senior manager) to either investigate or suspend the customer’s account; and
- implementing an enhanced customer due diligence program.
Reporting entities should create their own unique “trigger points” or “red flags” which, when activated, prompt the company to undertake additional compliance checks and other monitoring actions to manage the ML/TF risk. For some companies, a trigger point is a monetary limit, whilst for others, it could be a request that funds are transferred to a third party beneficiary in another jurisdiction.
4. Reporting to AUSTRAC:
Reporting entities are required to lodge a range of reports with AUSTRAC, to enable it to carry out its regulatory functions and also to gather data as part of its role as a specialist financial intelligence unit.
The reports include:
- International funds transfer instruction (IFTI) reports – to be submitted when a reporting entity sends or receives an instruction to or from a foreign country, to transfer money or property, to that entity. Many of the allegations against Westpac and CBA related to their inadequate IFTI reporting procedures, which resulted in a huge number of IFTI reports which were not submitted to AUSTRAC.
- Suspicious matter reports (SMRs) – to be submitted if, at any time while dealing with a customer or potential customer, the reporting entity forms a reasonable suspicion that the matter may be related to money laundering or terrorism financing, an offence under a law of the Commonwealth, tax evasion, or the proceeds of crime. CBA admitted to failing to report multiple suspicious matter reports, as a result of its internal policy not to report a suspicious matter if the bank had already lodged an SMR with AUSTRAC for the same customer, demonstrating the same suspicious behaviour, within the past 3 months. We emphasise that every instance of suspicious behaviour must be reported to AUSTRAC.
- Threshold transaction reports (TTRs) – to be submitted when a reporting entity provides a service covered by the Act to a customer involving the transfer of physical currency of AUD10,000 or more (or the foreign equivalent).
- AML/CTF Compliance Reports – to be submitted annually to AUSTRAC, which summarise the company’s AML/CTF activities for the previous year.
Companies must make sure that their AML/CTF Program includes appropriate systems and controls to ensure their compliance with these reporting obligations. Appropriate systems can include tailored training for employees, and oversight by the reporting entity’s Board or compliance committee.
Reporting entities must ensure that employees who are involved in AML-related duties (such as identifying customers, monitoring transactions, or processing funds transfer instructions) receive regular risk awareness training in relation to the company’s obligations under the AML/CTF laws. Further, the content of the training should be tailored to reflect the unique ML/TF risks faced by the company. If any of your AML/CTF obligations are outsourced to third parties, the employees of the third parties that conduct the AML/CTF services should also receive AML/CTF training.
Ideally, the training should be followed up with a written test for participants so that the AML/CTF compliance officer can assess the effectiveness of the training session and the knowledge levels of the employees.
Reporting entities have other obligations, including assessing the overall ML/TF risk faced by their businesses, as well as conducting risk-based due diligence checks on employees.
AML/CTF Legal Assistance
At Holley Nethercote Lawyers, we can provide you with comprehensive and practical advice on compliance with your AML/CTF obligations, and can also provide you with bespoke AML/CTF training for your organisation, which is tailored to the services you provide and the ML/TF risks which are relevant for your business. We are also experienced at conducting an independent review of your AML/CTF Program and its implementation.
Author: Naomi Fink (Special Counsel)
[1] Beneficial owner means an individual who ultimately owns or controls an entity.
Owns means ownership of 25% or more of an entity.
Control means control by means of an arrangement or agreement which results in the person exercising control of an entity through the capacity to determine decisions about financial and operating policies.
[2] PEP or politically exposed person means an individual entrusted with a prominent public function (for example, Heads of State, government, senior politicians or senior executives of state owned companies but not usually a middle rank or junior official), and includes:
– a person who is an immediate family member of that person, including spouse, de facto partner, child, child’s spouse or partner or parent; and
– a close associate of that person.
close associate means a person who has joint beneficial ownership of a legal entity (or legal arrangement) with that person, or sole beneficial ownership of an entity (or legal arrangement) that exists for the benefit of that person.
domestic PEP means a politically exposed person of an Australian government body.
foreign PEP means a politically exposed person of a government body of a foreign country.
international organisation PEP means a politically exposed person of an international organisation.
international organisation means an organisation established by formal political agreement by two or more countries with the status of an international treaty, and recognised in the laws of the countries which are members of the organisation.