- Conducting a ML/TF risk assessment
- Approval and oversight by boards and senior management
- Appointing an AML/CTF compliance officer
- Regular independent review of Part A
- Employee due diligence program
- AML/CTF risk awareness training program
- AUSTRAC feedback
- Reporting obligations
- Ongoing customer due diligence
The primary purpose of Part A of an AML/CTF program is to identify, mitigate and manage the ML/TF risk arising from the provision of a designated service by a reporting entity. Elements of Part A also inform the risk-based approach that is applied in Part B (customer identification).
The following sections outline the requirements for each of the elements of Part A of an AML/CTF program.
Risk management is the process of identifying risk and developing policies and procedures to minimise and manage that risk. This requires the development of a framework to identify, prioritise, treat (deal with), control and monitor risk exposures. The risk management process involves assessing risks against the likelihood (or chance) of them occurring and the severity or amount of loss or damage (or impact) which may result if they do occur.
ML/TF risk is the risk that the reporting entity or its products and services may be used to facilitate money laundering or terrorism financing. In particular, a reporting entity must consider the risk posed by the following:
- customer types, including any customers who are politically exposed persons (PEPs) and their associates
- the types of designated services it provides
- how the entity provides its designated services (for example, over-the-counter or online)
- the foreign jurisdictions with which it operates or conducts business.
What must be included in the ML/TF risk assessment?
The ML/TF risk assessment must measure the level of risk (for example high, medium or low risk) associated with providing each designated service. This risk level determines the risk-based customer identification procedures to be included in Part B of the AML/CTF program.
The reporting entity's risk assessment framework must be flexible because the entity's risk profile may change. The reporting entity must also be able to identify and monitor significant changes in its ML/TF risks and amend its procedures accordingly. This must include assessing the ML/TF risk posed by all:
- new designated services, before the entity introduces them to the market
- new methods of delivering a designated service, before the entity adopts them
- new or developing technologies used to provide designated services, before adopting them
- changes in the nature of the business relationship, control structure or beneficial ownership of its customers.
A reporting entity's ML/TF risk assessment should be in writing and be updated and reviewed at regular intervals.
Part A of the AML/CTF program must be:
- approved by the governing board and senior management of the reporting entity, or each reporting entity of a DBG (where appropriate)
- subject to ongoing oversight by the governing board and senior management.
Oversight by boards and senior management may include:
- ongoing reporting to the board and senior management on the performance and effectiveness of the AML/CTF procedures, including the results of an independent review, instances of non-compliance with the AML/CTF Act and any feedback received after an assessment by AUSTRAC of an AML/CTF program
- periodic review of the ML/TF risk faced by the reporting entity to ensure the reporting entity's risk-based procedures and controls are appropriate and proportionate to the ML/TF risk it faces.
A reporting entity must appoint a person as the 'AML/CTF compliance officer'.
A reporting entity's AML/CTF compliance officer must be at management level, and may undertake other duties within the reporting entity. Differences in the nature, size and complexity of businesses mean 'management' may be interpreted broadly to mean a person who handles, directs and controls AML/CTF compliance within the reporting entity. This is particularly relevant where the reporting entity is a small business.
The AML/CTF Rules do not specify whether the compliance officer must be an employee of the reporting entity or an independent contractor engaged by the reporting entity. AUSTRAC considers it preferable for the compliance officer to have a direct connection to the reporting entity that allows them:
- the authority and resources to perform their responsibilities, including access to all relevant areas of the reporting entity's operations and all relevant staff members (at any level)
- the power to address problems relating to AML/CTF compliance and reporting obligations.
Reporting entities that are members of a designated business group (DBG) and which have elected to adopt a joint AML/CTF program must appoint a compliance officer, at management level, from one of the members to represent the entire group. The compliance officer may also act as the nominated contact officer for the DBG. If a DBG elects not to adopt a joint AML/CTF program, each reporting entity within the DBG must develop its own AML/CTF program and appoint a separate compliance officer.
Duties of an AML/CTF compliance officer
The AML/CTF Rules do not specify the duties of the compliance officer. As a guide, examples of duties include:
- ensuring continued compliance with the requirements of the AML/CTF Act and AML/CTF Rules (subject to the ongoing oversight of the reporting entity's board and senior management)
- day-to-day oversight of the AML/CTF program
- regular reporting, including reporting of non-compliance, to the board and senior management
- addressing any AUSTRAC feedback about the reporting entity's risk management performance or AML/CTF program
- acting as the AUSTRAC contact officer for matters such as reporting suspicious matters, international funds transfer instructions and threshold transactions, urgent reporting, compliance audits, or requests for information or documents
- contributing to designing, implementing and maintaining internal AML/CTF compliance manuals, policies, procedures and systems.
Delegation of responsibilities
The compliance officer may delegate certain duties to other employees of the reporting entity. For example, the compliance officer may delegate certain duties and functions that are specific to a local office or branch to ensure compliance procedures are implemented consistently at the particular branch. However, in these circumstances, the compliance officer is expected to retain responsibility for implementing and assessing the ongoing operation of the AML/CTF program.
Chapters 8.6 (standard programs) and 9.6 (joint programs) of the AML/CTF Rules require that Part A of the AML/CTF program be independently reviewed at regular intervals and the reporting entity must be able to demonstrate the independence of the reviewer.
What is an independent review?
The purpose of an independent review is to provide an impartial assessment of whether Part A of a reporting entity’s AML/CTF program:
- effectively addresses its ML/TF risks
- is compliant with the legislative requirement
- has been implemented effectively, and
- is being complied with by the reporting entity.
All of these requirements should be tested in the independent review. However, reporting entities can use their understanding of ML/TF risk to determine the specific actions and methodology required to complete the review, and determine the scope of the review required to be conducted of each entity that has adopted a joint program. Independent reviews also provide an opportunity to assess whether previous audit issues have been addressed.
Chapters 8.6 and 9.6 of the AML/CTF Rules require that an independent review of Part A of an AML/CTF program be completed by a person who was not involved in undertaking any of the functions or measures being reviewed, including the design, implementation or maintenance of Part A of the AML/CTF program, and who was not involved in the development of a reporting entity’s risk assessment or related internal controls. In essence, the reporting entity must be satisfied that an independent reviewer is not assessing their own work, and that there are appropriate divisions in place to avoid threats to the independence of a reviewer.
An independent review can be conducted by an internal person, or an external person. In assessing the suitability of a person to be an independent reviewer, a reporting entity may find it useful to consider matters such as:
- whether each reviewer is a member of a professional body that imposes relevant obligations on its members
- the measures taken to avoid the risk of “self-review” (see, for example, APES 110 Code of Ethics for Professional Accountants, published by the Accounting Professional & Ethics Standards Board)
- whether each reviewer is sufficiently free from influence (see, for example, Section 290 of APES 110 Code of Ethics for Professional Accountants) by persons involved in the development of Part A of the reporting entity’s AML/CTF program, or the reporting entity’s risk assessment, and
- the adequacy of the reviewer’s understanding of, and expertise in applying, the obligations of the AML/CTF Act and Rules to the reporting entity.
What matters should the independent review consider?
The engagement of an independent reviewer should be clear about the scope of the review. Reporting entities may engage an independent reviewer to examine specific issues or a variety of issues, or engage different reviewers for different issues. Issues that an independent reviewer could consider are listed below. It may not be necessary for the reviewer to consider some of these matters in each independent review, particularly if there have been no relevant changes to Part A of the AML/CTF program and its implementation, or where changes were only made recently, or are being implemented at the time of the independent review.
- the appropriateness, adequacy and currency of the reporting entity’s policies and procedures concerning the assessment and management of ML/TF risks
- the assumptions underlying the entity's ML/TF risk assessment
- changes in practices or policies
- changes in the ML/TF risk profile
- whether the personnel of the reporting entity understand and comply with Part A of the reporting entity’s AML/CTF program
- the adequacy of the response to previous recommendations
- post-implementation reviews of the effectiveness of changes to Part A of the AML/CTF program
- the cause and plan for resolution of any deficiencies or violations
- the adequacy and effectiveness of staff training
- the seniority and authority vested in the AML/CTF compliance officer role/function
- the effectiveness of transaction monitoring systems in identifying suspicious matters
- the extent to which third-party providers, to whom functions have been outsourced, have implemented and are complying with Part A of the AML/CTF program, and
- where the business has branches or subsidiaries (including in other countries), the adoption and implementation of AML/CTF measures in those locations.
What should be in the independent review report?
The report of an independent review will contain the findings and recommendations of the independent review. The utility of the report can be enhanced by providing an overview of:
- what was tested
- how the testing was conducted, and
- the sample size.
How often should the independent review be conducted?
A reporting entity must determine how often or regularly the independent review of Part A of its AML/CTF program will be conducted. The frequency should account for the nature, size and complexity of the business, and the type and level of ML/TF risk it might face. Where a reporting entity has identified the ML/TF risks it faces as high, it is recommended that the period between independent reviews not exceed two to three years. If appropriate, a reporting entity may wish to specify how often an external party should be engaged to conduct the independent review.
What factors might lead to more frequent independent review of Part A of your AML/CTF program?
Certain factors or circumstances might influence a decision to conduct more frequent independent reviews. A reporting entity can consider the following factors in determining the interval between independent reviews of Part A of its AML/CTF program. The list is not intended to be exhaustive, and the reporting entity is best placed to identify the factors and attribute weightings to them:
- organisational changes, such as mergers or acquisitions
- changes to the type and level of ML/TF risk the business faces
- whether the reporting entity implements changes to its acceptance of transactions in cash
- whether the reporting entity has made changes to the outsourcing of its obligations to another entity
- the value and volume of transaction reporting
- whether there have been significant changes to Part A of the reporting entity’s AML/CTF program since the last independent review
- whether the reporting entity has commenced servicing new customer types, or commenced providing new designated services and/or new products, or has commenced providing services through new channels
- whether the reporting entity has any compliance deficiencies
- whether any previously-identified deficiencies in Part A of the reporting entity’s AML/CTF program have been rectified, and
- the status/outcome of any enforcement actions regarding a competitor of the business.
It is a matter for a reporting entity to decide if these or other factors might prompt a reporting entity to commission an ‘out-of-cycle’ independent review, or to vary an existing audit plan.
A Pty Ltd is a small business offering designated remittance services in conjunction with other business activities as a grocer. A Pty Ltd has three full-time employees (including the two co-owners and a manager) and a number of casual and part-time employees to cover the extended opening hours. The manager of the business has developed and adopted the AML/CTF program tailored for A Pty Ltd’s business operations. The manager, as A Pty Ltd’s AML/CTF Compliance Officer, is responsible for the maintenance of the program. The size of the business is such that there are no other employees who could appropriately conduct an independent review of the AML/CTF program. Accounting firm B provides accounting and taxation services to A Pty Ltd, and has expertise in conducting reviews of AML/CTF programs. The co-owners of A Pty Ltd have engaged Accounting firm B to conduct an independent review of the AML/CTF program every two years.
C Ltd provides financial services and is part of a corporate group, comprising C Ltd, D Ltd, and E Ltd. C Ltd has separate compliance and internal audit functions. The compliance function is responsible for the development and maintenance of C Ltd’s AML/CTF program. The internal auditor is a senior manager who has previously conducted periodic reviews of the AML/CTF program, but is currently on secondment as a professional development opportunity. The acting internal auditor has previously worked in C Ltd’s Compliance team, and has been involved in implementation of the AML/CTF program. C Ltd determined that the acting internal auditor would not be able to conduct an independent review of the AML/CTF program. C Ltd considered whether any other suitably qualified and experienced personnel within the corporate group would be able to conduct the review of C Ltd’s AML/CTF program. C Ltd selected the General Counsel of D Ltd as being suitable and arranged for the General Counsel of D Ltd to conduct the independent review.
An employee due diligence program refers to the documented procedures for screening staff members to minimise any exposure to risk. An employee due diligence program must set out appropriate risk-based systems and controls for the reporting entity to determine whether to undertake the following activities, and how to undertake them:
- screen a prospective employee who, if employed, may be in a position to facilitate the commission of a money laundering or financing of terrorism offence
- rescreen an employee, where the employee is transferred or promoted and may be in a position to facilitate the commission of a money laundering or financing of terrorism offence.
A reporting entity should establish procedures to identify and verify the identity of prospective or existing employees, confirm their employment history (for example, through references or referee reports) and determine if they are suitable to be employed in a particular position in the business. The procedures should take into account the role of the employee and the nature, size and complexity of the business, and the type of risk it might reasonably face.
A reporting entity may determine that certain positions pose a higher risk than others because they may be, for example, vulnerable to collusion with, or coercion by, third parties. In such cases, the AML/CTF program may set out more rigorous screening processes for higher risk positions.
Where an employee is engaged in a role that poses a high risk, the reporting entity may consider additional processes such as determining whether the person has:
- a criminal record, by requiring the applicant to provide evidence of a National Criminal History Check undertaken through a state, territory or federal police force or accredited service provider
- been subject to disciplinary action by a regulator or legal action or has any matters to be considered before a court of law
- taken advantage of the laws relating to bankruptcy
- lived in high-risk countries (for example, countries that are subject to sanctions by Australia).
Some reporting entities are also regulated by another Commonwealth, state or territory agency which requires employees to hold a licence (for example, people employed in the gambling and betting sectors or those that are required to hold an AFSL). The reporting entity may consider whether those licensing obligations also satisfy the risk-based systems and controls outlined in its employee due diligence program.
An employee due diligence program must also outline a system to manage an employee who fails, without reasonable excuse, to comply with any system, control or procedure under the AML/CTF program. A reporting entity may consider establishing policies outlining the consequences of employee non-compliance with AML/CTF requirements; for example:
- disciplinary action ranging from issuing formal warnings through to dismissal, depending on the scale and seriousness of the breach
- mandatory refresher training.
Part A of the AML/CTF program must include an AML/CTF risk awareness training program for employees. The reporting entity may also extend such training to include boards of directors, senior managers, agents and consultants who carry out functions connected with providing designated services on behalf of the reporting entity.
A risk awareness training program is central to a reporting entity's effort to protect its business from being used to facilitate money laundering or terrorism financing. The AML/CTF risk awareness training should ensure that employees are aware of the ML/TF risks faced by the business and their role in mitigating this risk by contributing to the reporting entity's overall compliance with its AML/CTF obligations.
The AML/CTF risk awareness training program should be documented (similar to a business training plan) and detail how the reporting entity will ensure employees are aware of:
- the sources of ML/TF risk to the reporting entity
- the reporting entity's commitment to AML/CTF compliance
- the reporting entity's AML/CTF policies and procedures
- the reporting entity's obligations under the AML/CTF Act and Rules and the consequences of non-compliance
- the nature and consequences of the ML/TF risks they may reasonably face.
The training program may specify:
- who needs to be trained (for example, existing employees, new employees, employees transferring to different positions, senior managers, new directors and consultants)
- what the training intends to achieve
- the duration and frequency of training, including refresher training.
The training program may also describe how the training will be conducted: for example, through:
- on-the-job training, especially for training relevant to a specific role
- induction training, incorporating AML/CTF awareness for new employees and employees transferring into new positions
- instructor-led training, whether through in-house training units or external training providers
- online e-learning courses
- ongoing communication of changes and updates to systems, controls and procedures.
The training program should apply, at a minimum, to all employees who:
- are in a position which has been assessed as posing a high ML/TF risk
- have contact with customers
- authorise and approve customer transactions
- handle cash or funds
- facilitate transaction reporting to AUSTRAC
- oversee or implement the AML/CTF program.
A reporting entity's training program should be reviewed and maintained to accommodate changes to the ML/TF risk faced by the reporting entity and the operating environment.
Part A of the AML/CTF program must include appropriate procedures for the reporting entity to apply AUSTRAC feedback on the reporting entity's performance in managing ML/TF risk. This includes procedures for addressing recommendations contained in any reports AUSTRAC prepares on the reporting entity's compliance with the AML/CTF Act and Rules. AUSTRAC may also, from time to time, provide industry specific compliance feedback and guidance that reporting entities should use to maintain their AML/CTF program and keep it up to date.
Part A of the AML/CTF program must include details about:
- the reporting entity's AML/CTF reporting obligations; and
- appropriate systems and controls designed to ensure compliance with the reporting obligations.
A reporting entity's reporting obligations may include:
- threshold transaction reports (TTRs)
- suspicious matter reports (SMRs)
- international funds transfer instruction (IFTI) reports
- AML/CTF compliance reports
- changes to the reporting entity's enrolment details
- material changes to the reporting entity's registration details on the Remittance Sector Register (if they are a remittance dealer)
- material changes to the reporting entity’s registration details on the Digital Currency Exchange Service Provider Register (if they are a digital currency exchange).
This element of Part A helps reporting entities ensure that procedures are in place to submit all compulsory reports to AUSTRAC in an accurate and timely manner.
Reporting entities should notify AUSTRAC as soon as possible of any serious non-compliance with their reporting obligations.
Reporting entities are required to have in place appropriate systems and controls to determine whether additional customer information (including beneficial owner information) should be collected and/or verified on an ongoing basis to ensure that the reporting entity holds up-to-date information about its customers. This process is known as 'ongoing customer due diligence' (OCDD). The decision to apply the OCDD process to a particular customer depends on the customer's level of assessed ML/TF risk.
OCDD must be included in Part A of an AML/CTF program. OCDD ensures customers are monitored on an ongoing basis to identify, mitigate and manage any ML/TF risk posed by providing designated services. OCDD obligations apply to all ongoing customers receiving designated services.
Ongoing customer due diligence also includes:
- implementing a transaction monitoring program; and
- developing an 'enhanced customer due diligence' program.
Transaction monitoring program
Part A of the AML/CTF program must include a risk-based transaction monitoring program. A transaction monitoring program:
- must include appropriate risk-based systems and controls to monitor the transactions of customers
- must identify transactions that are considered to be suspicious
- should be capable of identifying complex, unusually large transactions and unusual patterns of transactions which have no apparent economic or visible lawful purpose.
A risk-based transaction monitoring program may include the following elements:
- risk-based processes for recognising money laundering typologies and transaction patterns indicating suspicious behaviour (for example, customers making large, structured cash deposits, and then subsequently transferring the funds electronically to unrelated accounts)
- processes to establish customer transaction profiles that include the customer's transaction history (for example, to identify instances where a customer has conducted activity inconsistent with their profile)
- processes to compare established customer transaction profiles against risk-based typologies and transaction patterns
- processes to assign alerts to customers identified as high risk or those conducting transactions indicating suspicious behaviour.
Depending on the nature, size and complexity of the business, a reporting entity's transaction monitoring program may be conducted manually or using an automated transaction monitoring system.
Types of transactions which may be monitored under a transaction monitoring program
What constitutes complex, unusual or large transactions or unusual patterns of transactions differs for each reporting entity. It depends on the reporting entity's size, types of customers, products and delivery channels and risk profile.
Generally, complex and unusual transactions might include:
- transactions of an unusually large size or volume relative to the customer profile (or usual customer behaviour)
- transactions that exceed the reporting entity's internal thresholds or reporting triggers
- transactions to or from a high-risk country including a 'prescribed foreign country' (for example, Iran or the Democratic People's Republic of Korea/North Korea)
- payments to or from a person on a sanctions list
- changes in account balances or levels of financial activity that are inconsistent with the size of past account balances
- irregular patterns of account activity that are characteristic of money laundering or terrorism financing.
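The monitoring elements above (customer transaction profiles, comparison against typologies such as structured cash deposits followed by transfers to unrelated accounts, internal thresholds, high-risk countries, sanctions matches, and alert assignment) can be illustrated with a small rule engine. The following is an added example, not code from AUSTRAC or this guidance: the transaction records, the customer names, the $10,000 internal cash threshold, the three-day structuring window, the "3x usual amount" profile rule, the high-risk country codes and the sanctioned-party name are all constructed assumptions that a reporting entity would replace with its own risk assessment, internal thresholds and current sanctions data.

```python
"""Risk-based transaction monitoring over constructed sample records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

# Assumed internal settings, not values taken from the AUSTRAC guidance.
INTERNAL_CASH_THRESHOLD = 10_000           # internal cash reporting trigger (assumed)
STRUCTURING_WINDOW = timedelta(days=3)     # look-back for sub-threshold cash deposits
PROFILE_MULTIPLIER = 3.0                   # "unusually large" = 3x the customer's usual amount
HIGH_RISK_COUNTRIES = {"IR", "KP"}         # constructed list; an entity maintains its own
SANCTIONED_PARTIES = {"Example Sanctioned Pty Ltd"}  # constructed placeholder name


@dataclass
class Txn:
    customer: str
    when: datetime
    amount: float
    kind: str                  # "cash_in", "eft_in" or "eft_out"
    counterparty: str = ""
    country: str = "AU"


@dataclass
class Alert:
    customer: str
    rule: str
    detail: str


def build_profiles(history):
    """Customer transaction profile: mean amount over prior activity."""
    amounts = defaultdict(list)
    for t in history:
        amounts[t.customer].append(t.amount)
    return {c: mean(a) for c, a in amounts.items()}


def monitor(history, new_txns):
    """Run the risk-based rules over new transactions and assign alerts per customer."""
    profiles = build_profiles(history)
    alerts = []
    by_cust = defaultdict(list)
    for t in sorted(new_txns, key=lambda t: t.when):
        by_cust[t.customer].append(t)

    for cust, txns in by_cust.items():
        usual = profiles.get(cust)
        for t in txns:
            # Activity inconsistent with the customer's established profile.
            if usual and t.amount > PROFILE_MULTIPLIER * usual:
                alerts.append(Alert(cust, "profile_deviation", f"{t.amount:.0f} vs usual {usual:.0f}"))
            # Internal threshold / reporting trigger.
            if t.kind == "cash_in" and t.amount >= INTERNAL_CASH_THRESHOLD:
                alerts.append(Alert(cust, "cash_threshold", f"cash {t.amount:.0f}"))
            # Counterparty in a high-risk country.
            if t.country in HIGH_RISK_COUNTRIES:
                alerts.append(Alert(cust, "high_risk_country", f"{t.kind} {t.country}"))
            # Payment to or from a listed party.
            if t.counterparty in SANCTIONED_PARTIES:
                alerts.append(Alert(cust, "sanctions_match", t.counterparty))

        # Typology: several sub-threshold cash deposits in a short window, summing over the
        # threshold, followed by an electronic transfer out to an unrelated account.
        cash = [t for t in txns if t.kind == "cash_in" and t.amount < INTERNAL_CASH_THRESHOLD]
        for i, first in enumerate(cash):
            window = [u for u in cash[i:] if u.when - first.when <= STRUCTURING_WINDOW]
            total = sum(u.amount for u in window)
            if len(window) >= 2 and total >= INTERNAL_CASH_THRESHOLD:
                later_out = [u for u in txns if u.kind == "eft_out"
                             and u.when > window[-1].when and u.counterparty != cust]
                if later_out:
                    alerts.append(Alert(cust, "structuring_then_transfer",
                                        f"{len(window)} cash deposits totalling {total:.0f}, then EFT out"))
                    break
    return alerts


def run_sample():
    """Constructed sample data: prior history and a new batch of transactions."""
    d = lambda day, hour=9: datetime(2024, 1, day, hour)     # constructed dates
    history = [Txn("Cust-A", d(1), a, "cash_in") for a in (1500, 1800, 1700, 2000)]
    history += [Txn("Cust-B", d(2), a, "eft_in", "Supplier X") for a in (50_000, 60_000)]
    new = [
        Txn("Cust-A", d(8), 4000, "cash_in"),
        Txn("Cust-A", d(9), 3500, "cash_in"),
        Txn("Cust-A", d(10), 3000, "cash_in"),
        Txn("Cust-A", d(11), 10_000, "eft_out", "Unrelated Account 77"),
        Txn("Cust-B", d(8, 10), 58_000, "eft_in", "Example Sanctioned Pty Ltd", "IR"),
        Txn("Cust-C", d(9), 12_000, "cash_in"),   # no history, so no profile rule applies
    ]
    return monitor(history, new)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.customer:8} {a.rule:28} {a.detail}")
```

The rules are deliberately simple and the thresholds are placeholders; the point is the structure: a profile built from history, per-transaction rules for thresholds, jurisdictions and listed parties, and a multi-transaction pattern rule for the structuring typology the guidance cites, each producing an alert tied to a customer for analyst review rather than an automatic determination.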
AUSTRAC typologies reports and indicators of ML/TF activity
AUSTRAC typologies reports contain a variety of case studies detailing various methods criminals use to conceal, launder or move illicit funds and to commit financial or other crimes. The case studies detail the suspicious financial activities undertaken by the suspects in each case.
AUSTRAC's typologies reports also list 'indicators' (customer behaviour 'red flags') that may assist reporting entities to identify potential money laundering and terrorism financing activity (see appendix A of the AUSTRAC typologies reports).
Enhanced customer due diligence program
Part A of the AML/CTF program must include an enhanced customer due diligence (ECDD) program. ECDD is the process of undertaking additional customer identification and verification measures in certain circumstances deemed to be high risk.
The ECDD program details the procedures the reporting entity must undertake:
- if it determines under its risk-based systems and controls (for example, through its transaction monitoring program) the ML/TF risk associated with dealing with a certain customer is high
- a designated service is being provided to a customer who is, or has a beneficial owner who is, a foreign PEP
- when an SMR obligation arises
- if it is entering into or proposing to enter into a transaction, and one party to the transaction is physically present in, or is a corporation incorporated in, a prescribed foreign country.
See Table 1 below for a detailed description of the enhanced customer due diligence requirements (also see chapter 15 of the AML/CTF Rules).
Enhanced customer due diligence procedures
A reporting entity is required to implement a range of ECDD measures outlined below in the following circumstances:
- Identified high ML/TF risk
- Designated service is provided to a customer who is, or who has a beneficial owner who is, a foreign PEP (Note: in addition to any other appropriate measures, reporting entities must undertake measures 4 and 6 below)
- When an SMR obligation arises
- Actual/proposed transaction with a party who is physically present in, or is a corporation incorporated in, a prescribed foreign country.
Table 1: Enhanced customer due diligence procedures

| Measure | Description |
|---|---|
| Measure 1: Seek further information | Seek further information from the customer or from third-party sources to undertake one or more of the following: |
| Measure 2: More detailed analysis | Undertake more detailed analysis of the customer's information and beneficial owner information, including, where appropriate, taking reasonable measures to identify the source of wealth and source of funds for the customer and each beneficial owner. |
| Measure 3: Verify or re-verify customer information | Verify or re-verify customer information in accordance with the reporting entity's customer identification procedures. |
| Measure 4: Verify or re-verify beneficial owner information | Verify or re-verify beneficial owner information in accordance with the identification requirements specified in Chapter 4 of the AML/CTF Rules. |
| Measure 5: Analysis and monitoring of transactions | Undertake more detailed analysis and monitoring of the customer's transactions, both past and future. This may include: |
| Measure 6: Senior management approval | Seek senior management approval for: |