Sophie Grace director Sophie Gerber lays out the obligations reporting entities must adhere to for compliance with AML/CTF rules in Australia.
In Australia, Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) reporting entities have until 31 March 2019 to complete their annual compliance report for 2018, which should detail how their AML/CTF obligations have been met over the past year.
Reporting entities have a variety of obligations which need to be documented and adhered to in order to ensure they are complying with Australia’s AML/CTF Act and AML/CTF Rules. These obligations now also apply to Digital Currency Exchange Providers.
What should be included in an AML/CTF Program?
AUSTRAC (the Australian Transaction Reports and Analysis Centre) has released guidance about what needs to be included in Part A and Part B of an AML/CTF Program in their Compliance Guide. AUSTRAC has also noted that the omission of the reporting obligations from Part A of a reporting entity’s AML/CTF Program translates to non-compliance.
Part A of an AML/CTF Program should include the procedures for a reporting entity to identify, manage and mitigate the money laundering or terrorism financing (ML/TF) risks which are applicable to its business.
Part A should include:
- procedures for an independent review of Part A of your Program to be conducted on a regular basis;
- various reporting obligations which are applicable to a business;
- an AML/CTF Risk Assessment including:
• new designated services, before they are introduced to the market;
• new methods of delivering a designated service, before they are adopted;
• new or developing technologies used to provide designated services, before they are adopted; and
• changes in the nature of the business relationship, control structure or beneficial ownership;
- an AML/CTF risk awareness training program for employees;
- a clear delegation of responsibilities of all employees including the appointment of an AML/CTF Compliance Officer;
- employee due diligence program;
- ongoing and enhanced customer due diligence programs and transaction monitoring program;
- a risk-based Transaction Monitoring Program; and
- procedures for Part A to be managed and approved by an AML/CTF Compliance Officer and Director.
Part B of an AML/CTF Program sets out customer identification and verification procedures. It should include all Know Your Customer (KYC) procedures in accordance with the AML/CTF Rules.
All reporting entities must have a Part B of their AML/CTF Program. An independent review of Part B of your AML/CTF Program is not required under the law, however it is recommended that reporting entities review KYC procedures regularly.
Regular review ensures the KYC procedures are applicable to the business, customer types and location, and the designated services the reporting entity provides.
What is an Independent Compliance Review?
The purpose of an independent review is to provide an impartial assessment of whether Part A of your AML/CTF Program has been implemented effectively, whether it addresses its ML/TF risks, whether it complies with legislative requirements, and whether the reporting entity has been following its AML/CTF Program effectively.
All of these requirements should be tested in the independent review, which can be conducted by an internal person or external person.
Further, the AML/CTF Rules were updated in early 2018 to define what is meant by the ‘independence’ of a reviewer. As a result, reporting entities must now be able to demonstrate the independence of a reviewer when organising an independent review of Part A of their AML/CTF Program.
In assessing the suitability of a person to be an independent reviewer, a reporting entity should consider the following factors:
- whether each reviewer is a member of a professional body that imposes relevant obligations on its members;
- the measures taken to avoid the risk of “self-review”;
- whether each reviewer is sufficiently free from influence by persons involved in the development of Part A of the reporting entity’s AML/CTF Program, or the reporting entity’s risk assessment, and
- the adequacy of the reviewer’s understanding of, and expertise in applying, the obligations of the AML/CTF Act and Rules to the reporting entity.
Reporting entities are able to use their understanding of ML/TF risk to determine the specific actions and methodology required to complete the review and can determine the scope of the review required to be conducted, in consultation with the reviewer. Independent reviews also provide an opportunity to assess whether previous audit issues have been addressed. Reporting entities should confirm that Part A of their AML/CTF Program includes procedures to ensure an independent review is conducted at regular intervals.
How often should an AML/CTF Program be Reviewed?
Any business with an AML/CTF Program must have it reviewed regularly. While it is recommended that AML/CTF Programs are reviewed at least annually, it is up to each reporting entity to determine how often its Program is reviewed, whether this is done internally or externally, and whether it is conducted independently or not.
Some things reporting entities should take into account when making their decision includes:
- the nature of the business (i.e. remittances, digital currency exchange, financial planner, etc);
- the size and complexity of the business; and
- the type of ML/TF risks the business faces.
Overall, reporting entities have a variety of obligations which need to be documented and adhered to in order to ensure they are complying with Australia’s AML/CTF Act and AML/CTF Rules including, conducting regular reviews of their AML/CTF Program and submitting a compliance report by 31 March each year.
Sophie Gerber is the Director of Sophie Grace, a Sydney based financial services consultancy firm providing legal and compliance services to the financial services and credit industries.