- Conducting a ML/TF risk assessment
- Approval and oversight by boards and senior management
- Appointing an AML/CTF compliance officer
- Regular independent review of Part A
- Employee due diligence program
- AML/CTF risk awareness training program
- AUSTRAC feedback
- Reporting obligations
- Ongoing customer due diligence
The primary purpose of Part A of an AML/CTF program is to identify, mitigate and manage the ML/TF risk arising from the provision of a designated service by a reporting entity. Elements of Part A also inform the risk-based approach that is applied in Part B (customer identification).
The following sections outline the requirements for each of the elements of Part A of an AML/CTF program.
Risk management is the process of identifying risk and developing policies and procedures to minimise and manage that risk. This requires the development of a framework to identify, prioritise, treat (deal with), control and monitor risk exposures. The risk management process involves assessing risks against the likelihood (or chance) of them occurring and the severity or amount of loss or damage (or impact) which may result if they do occur.
ML/TF risk is the risk that the reporting entity or its products and services may be used to facilitate money laundering or terrorism financing. In particular, a reporting entity must consider the risk posed by the following:
- customer types, including any customers who are politically exposed persons (PEPs) and their associates
- the types of designated services it provides
- how the entity provides its designated services (for example, over-the-counter or online)
- the foreign jurisdictions with which it operates or conducts business.
What must be included in the ML/TF risk assessment?
The ML/TF risk assessment must measure the level of risk (for example high, medium or low risk) associated with providing each designated service. This risk level determines the risk-based customer identification procedures to be included in Part B of the AML/CTF program.
The reporting entity's risk assessment framework must be flexible because the entity's risk profile may change. The reporting entity must also be able to identify and monitor significant changes in its ML/TF risks and amend its procedures accordingly. This must include assessing the ML/TF risk posed by all:
- new designated services, before the entity introduces them to the market
- new methods of delivering a designated service, before the entity adopts them
- new or developing technologies used to provide designated services, before adopting them
- changes in the nature of the business relationship, control structure or beneficial ownership of its customers.
A reporting entity's ML/TF risk assessment should be in writing and be updated and reviewed at regular intervals.
Part A of the AML/CTF program must be:
- approved by the governing board and senior management of the reporting entity, or each reporting entity of a DBG (where appropriate)
- subject to ongoing oversight by the governing board and senior management.
Oversight by boards and senior management may include:
- ongoing reporting to the board and senior management on the performance and effectiveness of the AML/CTF procedures, including the results of an independent review, instances of non-compliance with the AML/CTF Act and any feedback received after an assessment by AUSTRAC of an AML/CTF program
- periodic review of the ML/TF risk faced by the reporting entity to ensure the reporting entity's risk-based procedures and controls are appropriate and proportionate to the ML/TF risk it faces.
A reporting entity must appoint a person as the 'AML/CTF compliance officer'.
A reporting entity's AML/CTF compliance officer must be at management level, and may undertake other duties within the reporting entity. Differences in the nature, size and complexity of businesses means 'management' may be interpreted broadly to mean a person who handles, directs and controls AML/CTF compliance within the reporting entity. This is particularly relevant where the reporting entity is a small business.
The AML/CTF Rules do not specify whether the compliance officer must be an employee of the reporting entity or an independent contractor engaged by the reporting entity. AUSTRAC considers it preferable for the compliance officer to have a direct connection to the reporting entity that allows them:
- the authority and resources to perform their responsibilities, including access to all relevant areas of the reporting entity's operations and all relevant staff members (at any level)
- the power to address problems relating to AML/CTF compliance and reporting obligations.
Reporting entities that are members of a designated business group (DBG) and which have elected to adopt a joint AML/CTF program must appoint a compliance officer, at management level, from one of the members to represent the entire group. The compliance officer may also act as the nominated contact officer for the DBG. If a DBG elects not to adopt a joint AML/CTF program, each reporting entity within the DBG must develop their own AML/CTF program and appoint a separate compliance officer.
Duties of an AML/CTF compliance officer
The AML/CTF Rules do not specify the duties of the compliance officer. As a guide, examples of duties include:
- ensuring continued compliance with the requirements of the AML/CTF Act and AML/CTF Rules (subject to the ongoing oversight of the reporting entity's board and senior management)
- day-to-day oversight of the AML/CTF program
- regular reporting, including reporting of non-compliance, to the board and senior management
- addressing any AUSTRAC feedback about the reporting entity's risk management performance or AML/CTF program
- acting as the AUSTRAC contact officer for matters such as reporting suspicious matters, international funds transfer instructions and threshold transactions, urgent reporting, compliance audits, or requests for information or documents
- contributing to designing, implementing and maintaining internal AML/CTF compliance manuals, policies, procedures and systems.
Delegation of responsibilities
The compliance officer may delegate certain duties to other employees of the reporting entity. For example, the compliance officer may delegate certain duties and functions that are specific to a local office or branch to ensure compliance procedures are implemented consistently at the particular branch. However, in these circumstances, the compliance officer is expected to retain responsibility for implementing and assessing the ongoing operation of the AML/CTF program.
Part A of the AML/CTF program must be independently reviewed at regular intervals and the reporting entity must ensure the independence of the reviewer.
A reporting entity must determine how often it will arrange for the conduct of an independent review of Part A. The timing should account for the nature, size and complexity of the business, and the type and level of ML/TF risk it might face.
The review may be conducted by an internal or external person; for example:
- an employee of the reporting entity not involved in or subject to the requirements of the AML/CTF program (such as the internal audit or legal department)
- external auditors or other compliance specialists.
The review should be conducted in accordance with the risk-based approach and must assess and test the following four areas:
- Part A's effectiveness in addressing the ML/TF risk of the reporting entity or each reporting entity in a DBG
- whether Part A complies with the requirements outlined in the AML/CTF Rules
- whether Part A has been effectively implemented
- whether the reporting entity, or each reporting entity in a DBG, complied with the procedures outlined in Part A.
The review should assess actual examples of the entity's day-to-day operations. For example, the review may test:
- the assumptions underlying the entity's ML/TF risk assessment
- the effectiveness of the controls put in place to mitigate the ML/TF risks
- whether employees of the reporting entity are complying with the requirements outlined in the AML/CTF program.
The results of an independent review, including any report prepared, must be provided to the senior management of the reporting entity (which may include the board of directors or a sub-committee of the board of directors and relevant senior executives).
An employee due diligence program refers to the documented procedures for screening staff members to minimise any exposure to risk. An employee due diligence program must set out appropriate risk-based systems and controls for the reporting entity to determine whether to undertake the following activities, and how to undertake them:
- screen a prospective employee who, if employed, may be in a position to facilitate the commission of a money laundering or financing of terrorism offence
- rescreen an employee, where the employee is transferred or promoted and may be in a position to facilitate the commission of a money laundering or financing of terrorism offence.
A reporting entity should establish procedures to identify and verify the identity of prospective or existing employees, confirm their employment history (for example, through references or referee reports) and determine if they are suitable to be employed in a particular position in the business. The procedures should take into account the role of the employee and the nature, size and complexity of the business, and the type of risk it might reasonably face.
A reporting entity may determine that certain positions pose a higher risk than others because they may be, for example, vulnerable to collusion with, or coercion by, third parties. In such cases, the AML/CTF program may set out more rigorous screening processes for higher risk positions.
Where an employee is engaged in a role that poses a high risk, the reporting entity may consider additional processes such as determining whether the person has:
- a criminal record, by requiring the applicant to provide evidence of a National Criminal History Check undertaken through a state, territory or federal police force or accredited service provider
- been subject to disciplinary action by a regulator or legal action or has any matters to be considered before a court of law
- taken advantage of the laws relating to bankruptcy
- lived in high-risk countries (for example, countries that are subject to sanctions by Australia.
Some reporting entities are also regulated by another Commonwealth, state or territory agency which requires employees to hold a licence (for example, people employed in the gambling and betting sectors or those that are required to hold an AFSL). The reporting entity may consider whether those licensing obligations also satisfy the risk-based systems and controls outlined in its employee due diligence program.
An employee due diligence program must also outline a system to manage an employee who fails, without reasonable excuse, to comply with any system, control or procedure under the AML/CTF program. A reporting entity may consider establishing policies outlining the consequences of employee non-compliance with AML/CTF requirements; for example:
- disciplinary action ranging from issuing formal warnings through to dismissal, depending on the scale and seriousness of the breach
- mandatory refresher training.
Part A of the AML/CTF program must include an AML/CTF risk awareness training program for employees. The reporting entity may also extend such training to include boards of directors, senior managers, agents and consultants who carry out functions connected with providing designated services on behalf of the reporting entity.
A risk awareness training program is central to a reporting entity's effort to protect its business from being used to facilitate money laundering or terrorism financing. The AML/CTF risk awareness training should ensure that employees are aware of the ML/TF risks faced by the business and their role in mitigating this risk by contributing to the reporting entity's overall compliance with its AML/CTF obligations.
The AML/CTF risk awareness training program should be documented (similar to a business training plan) and detail how the reporting entity will ensure employees are aware of:
- the sources of ML/TF risk to the reporting entity
- the reporting entity's commitment to AML/CTF compliance
- the reporting entity's AML/CTF policies and procedures
- the reporting entity's obligations under the AML/CTF Act and Rules and the consequences of non-compliance
- the nature and consequences of the ML/TF risks they may reasonably face.
The training program may specify:
- who needs to be trained (for example, existing employees, new employees, employees transferring to different positions, senior managers, new directors and consultants)
- what the training intends to achieve
- the duration and frequency of training, including refresher training.
The training program may also describe how the training will be conducted: for example, through:
- on-the-job training, especially for training relevant to a specific role
- induction training, incorporating AML/CTF awareness for new employees and employees transferring into new positions
- instructor-led training, whether through in-house training units or external training providers
- online e-learning courses
- ongoing communication of changes and updates to systems, controls and procedures.
The training program should apply, at a minimum, to all employees who:
- are in a position which has been assessed as posing a high ML/TF risk
- have contact with customers
- authorise and approve customer transactions
- handle cash or funds
- facilitate transaction reporting to AUSTRAC
- oversee or implement the AML/CTF program.
A reporting entity's training program should be reviewed and maintained to accommodate changes to the ML/TF risk faced by the reporting entity and the operating environment.
Part A of the AML/CTF program must include appropriate procedures for the reporting entity to apply AUSTRAC feedback on the reporting entity's performance in managing ML/TF risk. This includes procedures for addressing recommendations contained in any reports AUSTRAC prepares on the reporting entity's compliance with the AML/CTF Act and Rules. AUSTRAC may also, from time to time, provide industry specific compliance feedback and guidance that reporting entities should use to maintain their AML/CTF program and keep it up to date.
Part A of the AML/CTF program must include details about:
- the reporting entity's AML/CTF reporting obligations; and
- appropriate systems and controls designed to ensure compliance with the reporting obligations.
A reporting entity's reporting obligations may include:
- threshold transaction reports (TTRs)
- suspicious matter reports (SMRs)
- international funds transfer instruction (IFTI) reports
- AML/CTF compliance reports
- changes to the reporting entity's enrolment details
- material changes to the reporting entity's registration details on the Remittance Sector Register (if they are a remittance dealer)
- material changes to the reporting entity’s registration details on the Digital Currency Exchange Service Provider Register (if they are a digital currency exchange).
This element of Part A helps reporting entities ensure that procedures are in place to submit all compulsory reports to AUSTRAC in an accurate and timely manner.
Reporting entities should notify AUSTRAC as soon as possible of any serious non-compliance with its reporting obligations.
Reporting entities are required to have in place appropriate systems and controls to determine whether additional customer information (including beneficial owner information) should be collected and/or verified on an ongoing basis to ensure that the reporting entity holds up-to-date information about its customers. This process is known as 'ongoing customer due diligence' (OCDD). The decision to apply the OCDD process to a particular customer depends on the customer's level of assessed ML/TF risk.
OCDD must be included in Part A of an AML/CTF program. OCDD ensures customers are monitored on an ongoing basis to identify, mitigate and manage any ML/TF risk posed by providing designated services. OCDD obligations apply to all ongoing customers receiving designated services.
Ongoing customer due diligence also includes:
- implementing a transaction monitoring program; and
- developing an 'enhanced customer due diligence' program.
Transaction monitoring program
Part A of the AML/CTF program must include a risk-based transaction monitoring program. A transaction monitoring program:
- must include appropriate risk-based systems and controls to monitor the transactions of customers
- must identify transactions that are considered to be suspicious
- should be capable of identifying complex, unusually large transactions and unusual patterns of transactions which have no apparent economic or visible lawful purpose.
A risk-based transaction monitoring program may include the following elements:
- risk-based processes for recognising money laundering typologies and transaction patterns indicating suspicious behaviour (for example, customers making large, structured cash deposits, and then subsequently transferring the funds electronically to unrelated accounts)
- processes to establish customer transaction profiles that include the customer's transaction history (for example, to identify instances where a customer has conducted activity inconsistent with their profile)
- processes to compare established customer transaction profiles against risk-based typologies and transaction patterns
- processes to assign alerts to customers identified as high risk or those conducting transactions indicating suspicious behaviour.
Depending on the nature, size and complexity of the business, a reporting entity's transaction monitoring program may be conducted manually or using an automated transaction monitoring system.
Types of transactions which may be monitored under a transaction monitoring program
What constitutes complex, unusual or large transactions or unusual patterns of transactions differs for each reporting entity. It depends on the reporting entity's size, types of customers, products and delivery channels and risk profile.
Generally, complex and unusual transactions might include:
- transactions of an unusually large size or volume relative to the customer profile (or usual customer behaviour)
- transactions that exceed the reporting entity's internal thresholds or reporting triggers
- transactions to or from a high-risk country including a 'prescribed foreign country' (for example, Iran or the Democratic People's Republic of Korea/North Korea)
- payments to or from a person on a sanctions list
- changes in account balances or levels of financial activity that are inconsistent with the size of past account balances
- irregular patterns of account activity that are characteristic of money laundering or terrorism financing.
AUSTRAC typologies reports and indicators of ML/TF activity
AUSTRAC typologies reports contain a variety of case studies detailing various methods criminals use to conceal, launder or move illicit funds and to commit financial or other crimes. The case studies detail the suspicious financial activities undertaken by the suspects in each case.
AUSTRAC's typologies reports also list 'indicators' (customer behaviour 'red flags') that may assist reporting entities to identify potential money laundering and terrorism financing activity (see appendix A of the AUSTRAC typologies reports).
Enhanced customer due diligence program
Part A of the AML/CTF program must include an enhanced customer due diligence (ECDD) program. ECDD is the process of undertaking additional customer identification and verification measures in certain circumstances deemed to be high risk.
The ECDD program details the procedures the reporting entity must undertake:
- if it determines under its risk-based systems and controls (for example, through its transaction monitoring program) the ML/TF risk associated with dealing with a certain customer is high
- a designated service is being provided to a customer who is, or has a beneficial owner who is, a foreign PEP
- when an SMR obligation arises
- if it is entering into or proposing to enter into a transaction, and one party to the transaction is physically present in, or is a corporation incorporated in, a prescribed foreign country.
See Table 1 below for a detailed description of the enhanced customer due diligence requirements (also see chapter 15 of the AML/CTF Rules).
Enhanced customer due diligence procedures
A reporting entity is required to implement a range of ECDD measures outlined below in the following circumstances:
- Identified high ML/TF risk
- Designated service is provided to a customer who is, or who has a beneficial owner who is, a foreign PEP (Note: in addition to any other appropriate measures, reporting entities must undertake measures 4 and 6 below)
- When an SMR obligation arises
- Actual/proposed transaction with a party who is physically present in, or is a corporation incorporated in, a prescribed foreign country.
Table 1: Enhanced customer due diligence procedures
|Measure 1: Seek further information||
Seek further information from the customer or from third party sources to undertake one or more of the following:
|Measure 2: More detailed analysis||Undertake more detailed analysis of the customer's information and beneficial owner information, including, where appropriate, taking reasonable measures to identify the source of wealth and source of funds for the customer and each beneficial owner.|
|Measure 3: Verify or re-verify customer information||Verify or re-verify customer information in accordance with the reporting entity's customer identification procedures.|
|Measure 4: Verify or re-verify beneficial owner information||Verify or re-verify beneficial owner information in accordance with the identification requirements specified in Chapter 4 of the AML/CTF Rules.|
|Measure 5: Analysis and monitoring of transactions||
Undertake more detailed analysis and monitoring of the customer's transactions - both past and future. This may include:
|Measure 6: Senior management approval||
Seek senior management approval for: