In addition to setting up the AML/CTF processes to manage the inherent ML/TF risks, you also need processes to respond to actual attempts to use a designated service for criminal purposes. An incident management process may help your business plan for and deal with such attempts. Typically incident management will include the following steps.

The first step is the recognition that an incident has taken place. Examples of what could qualify as an incident may include:

• a customer's behaviour is deemed suspicious and a SUSTR/SMR is lodged
• an employee is involved in ML/TF activities
• a computer system is 'hacked' into and personal information of your customers is stolen
• a breach that would constitute failure to remain compliant
• recording the time, duration and location of the incident
• identifying which designated services were related to the incident and considering if the risks to your business of continuing to provide the service while the incident is being analysed
• identifying what records or logs exist for the incident and performing general fact-finding, with any evidence kept if it is available, such as interviews with the relevant staff member, CCTV footage, any identification records, a record of conversation, a description of the customer, and human resources records (there may be more evidence available to you depending on the circumstances)
• determining who should be notified internally and externally and defining the processes for escalation
• assessing the severity of the incident in order to develop immediate responses and longer-term options.

The second step is taking an immediate response. Immediate responses include, but are not limited to:

• informing AUSTRAC as per statutory obligations for suspect transation reporting and suspicious matter reporting
• reviewing your current policies
• determining any human resource and contractual issues
• reviewing staff training to address the incident
• managing any public relations issues.

The third step is analysis and assessment of the incident. Analysis and assessment of the incident may lead to a range of options for your business to improve its ML/TF risk management, including:

• disclosing the information to relevant statutory bodies
• modifying the AML/CTF program
• addressing any shortfalls in staff behaviour or performance
• considering if legal proceedings are required
• determining why the incident happened despite any precautions and controls that were in place
• using information as feedback to further develop and update training and the monitoring regime of the AML/CTF program
• including the incident in the next AML/CTF compliance report to AUSTRAC.