This is a series on common issues identified during the completion of external AML/CTF independent reviews. In this series, James Cozens, Director, Commercial, and Brooke Benson, Senior Consultant at CompliSpace, will build upon the key issues typically identified during the completion of external independent reviews and commentary on common issues identified by AUSTRAC.
As part of our role in the independent review process we see a variety of common trends and issues. As expected, these are often issues that are also picked up by the regulator, AUSTRAC. A summary of the top 10 most common issues identified will be highlighted across two blogs, starting with issues 10-6 (in no particular order of priority).
10. Identifying your Money Laundering/Terrorism Financing (ML/TF) Risk
Risk management underpins many of the AML/CTF requirements within Australia. Following the Customer Due Diligence (CDD) updates which came into effect on 1 January 2016, the core risk factors to be taken into account by a reporting entity were expanded upon and are now covered in Parts 8.1.4 and 4.1.3 of the AML/CTF Rules.
The Rules state that in identifying its ML/TF risk, a reporting entity must now consider the risk posed by:
- its customer types, including any beneficial owners and Politically Exposed Persons (PEPs);
- its customers' source of funds and wealth;
- the nature and purpose of the business relationship with its customers, including, as appropriate, the collection of information relevant to that consideration;
- the control structure of its non-individual customers;
- the types of Designated Services it provides;
- the methods by which it delivers Designated Services; and
- the Foreign Jurisdictions with which it deals.
How each reporting entity addresses the additional risk factors varies across AML/CTF Programs, with some reporting entities either failing to incorporate any of these additional CDD risk factors into their risk assessments or simply struggling with their application.
In addition, AUSTRAC expects a reporting entity’s risk management framework to deal with both regulatory risk, being the risks associated with the breaches of relevant provisions of the AML/CTF Act and Rules, and business risk, namely the risk that designated services may be used to facilitate ML/TF.
Reporting entities often fail to distinguish between and clearly document their:
- business risks, such as the ML/TF risks associated with the Designated Services they provide or the Foreign Jurisdictions with which they deal; and
- regulatory risks, such as the failure to undertake the applicable identification and verification on each client type, provide staff with appropriate risk awareness training, or screen any staff that may be in a position to facilitate the commission of an ML/TF offence.
9. Risk Awareness Training
When was the last time your employees undertook AML/CTF Training? If it was during induction, now is the time to organise a training session. If it was in the last year or two, did it cover topics like: suspicious matters and prohibition on tipping off, beneficial owners, PEPs, who your AML/CTF Compliance officer is, what designated services you provide, and your KYC onboarding processes?
The AML/CTF risk awareness training program must be designed so that employees are given appropriate training at appropriate intervals, having regard to ML/TF risk that may reasonably be faced. Training content should enable employees to understand:
- the obligations of the reporting entity under the legislation and consequences of non‑compliance;
- the type of ML/TF risk that the reporting entity might face; and
- the processes and procedures provided for by the reporting entity’s AML/CTF program that are relevant to the work carried out by the employee.
Although the frequency of training is largely determined by the ML/TF risk each reporting entity may reasonably face, we often see instances of AML/CTF training on induction followed by very little training thereafter. Training is also often generic, high level and rolled out to all staff, regardless of their role and without application to the work carried out by the employee.
8. Boards and Senior Management Oversight
When did you last update your Part A Program? Reporting entities providing Designated Services prior to June 2014 will have at least two Program versions, but do you have governing board/senior management approval of each version?
This is a common issue picked up by AUSTRAC. Not only is the approval process needed, but failure to obtain approval also indicates that the Part A Program may not be subject to the ongoing oversight of the reporting entity’s board and senior management team. Further, if asked to demonstrate this, can you produce evidence of ongoing oversight of your Part A Program by your governing board/senior managers?
7. (Over) Reliance on Outsourced Service Providers
Whilst s 37 of the AML/CTF Act provides that applicable customer identification procedures may be carried out by an agent, the legal obligations with respect to customer identification remain with the reporting entity.
A review of certain parts of each Part B Program now forms part of each typical independent review. This is largely because of the way that the AML/CTF Rules are now drafted, as well as the way in which most AML/CTF Programs are designed.
Reporting entities often fail to update their Part B Programs, particularly as there is often the impression that it is the responsibility of the third party service provider.
Part B Programs must be updated to take into account the new CDD requirements, particularly in relation to beneficial owner identification and verification procedures, PEPs and the revised ML/TF risk requirements, including the source of wealth and the nature of the business relationship. Where there is reliance on a third party, these procedures should be reflected in periodic reviews of your service provider, updated service agreements, as well as in the reporting entity's AML/CTF Program.
6. Beneficial Owner Procedures
As highlighted in previous blogs, one of the key changes in the June 2014 CDD requirements focused on the risks associated with beneficial owners, particularly where complex ownership or control structures exist.
Step 1 was to ensure that the new beneficial owner definition was incorporated into each reporting entity’s AML/CTF Program. While it seems straightforward enough, sometimes this is overlooked, in particular, as it relates to Ongoing Customer Due Diligence (OCDD).
Step 2 required reporting entities, amongst other things, to ensure that Part A is designed to enable the reporting entity to understand the control structure of non-individual customers (Rule 8.1.5(2)) as well as to identify significant changes in ML/TF risk for the purposes of its Part A and B Programs (Rule 8.1.5(3)), including risks arising from changes in the nature of the business relationship, control structure or beneficial ownership of any of its customers.
Further, under AML/CTF Rule 4.1.3, in identifying its ML/TF risk, a reporting entity must now consider the risks posed by its customer types, including beneficial owners of customers, customers’ sources of funds and wealth, the nature and purpose of the business relationship with its customers including, as appropriate, the collection of information relevant to that consideration, and the control structures of its non-individual customers.
The updated CDD requirements impact both Part A and Part B of most AML/CTF Programs, requiring reporting entities to address, amongst other things:
- additional risk indicators associated with beneficial owners (such as complex control structures or sources of funds/wealth not typically seen across other client types);
- documenting beneficial owner procedures – when do the procedures apply, what are the exceptions, what information must be collected etc.; and
- changes to the initial and ongoing customer due diligence processes.
So, in short, simply asking customers whether they are the beneficial owner on an application form is not going to be enough to meet these revised beneficial owner requirements.