Additional external resources
Australian Standards
AS/NZS 4360:2004 Risk Management
AS 4811:2006 Employment Screening
U.K. - Joint Money Laundering Steering Group
"Prevention of money laundering/combating the financing of terrorism", Parts I and II.
Australian sanctions lists
Chapter last updated 11 December 2007
Introduction
This chapter covers Part A of an AML/CTF program, required under Part 7 of the AML/CTF Act.
This chapter should be read in conjunction with chapter 4 of this Guide, which covers requirements for Part B of an AML/CTF program, which also relates to Part 2 of the AML/CTF Act (identification procedures).
When do the provisions commence?
The provisions of the AML/CTF Act relating to Part A of an AML/CTF program commenced on 12 December 2007.
What is the relevant FATF recommendation?
The provisions in Part 7 of the AML/CTF Act implement FATF Recommendation 15. (15)
Appendix H contains the relevant FATF recommendations and associated interpretative notes.
What is Part A of an AML/CTF program?
AML/CTF programs are a new requirement introduced under the AML/CTF Act. The primary purpose of Part A of an AML/CTF program is to identify, mitigate and manage the risk that a reporting entity might knowingly, inadvertently or otherwise, facilitate money laundering or terrorism financing in the provision of designated services.
Identification is the assessment and recognition of ML/TF risks associated with a designated service a reporting entity provides.
Mitigation involves analysis of the identified ML/TF risks, prioritisation of the risks according to the likelihood of their occurrence and the consequences if they did occur, developing a strategy to prevent the risk occurring and implementing that strategy.
Management is monitoring and reviewing mitigation strategies.
The requirements for Part A of an AML/CTF program under the AML/CTF Act are:
- to identify, mitigate and manage the risk of money laundering or terrorism financing that a reporting entity may reasonably face in providing designated services at or through a permanent establishment in Australia (16)
- to comply with requirements set out in the AML/CTF Rules
- if a reporting entity provides designated services at or through a permanent establishment in a foreign country, it must also ensure that it takes such action as specified in the AML/CTF Rules.
What are the requirements for Part A of an AML/CTF program?
Important: The requirements for Part A of an AML/CTF program do not apply to AFSL holders that are only providing designated services under item 54 of table 1 in section 6 of the AML/CTF Act.
Part A of an AML/CTF program must enable the reporting entity to:
- identify significant changes in the risk associated with money laundering or terrorism financing it faces
- recognise such changes in the risk associated with money laundering or terrorism financing for the purposes of the requirements of Part A and Part B of its AML/CTF program
- assess the risk associated with money laundering or terrorism financing posed by:
  - all new designated services before introducing them to the market
  - all new methods of designated service delivery before adopting them
  - all new or developing technologies used to provide a designated service before adopting them.
What are the requirements for Part A of a standard AML/CTF program?
Reporting entities must include the following in Part A of an AML/CTF program:
ML/TF risk awareness training program. Such a program should cover:
- the obligations a reporting entity may have under the AML/CTF Act, as well as the consequences of non-compliance
- the risk of money laundering or terrorism financing the reporting entity may face (and potential consequences of that risk)
- the processes and procedures in the AML/CTF program that are relevant to the work carried out by employees.
Employee due diligence program. Reporting entities must screen their employees for money laundering and terrorism financing risk. A reporting entity should consider the potential for risk associated with money laundering or terrorism financing in relation to individual positions in an organisation and apply the appropriate employee due diligence, or screening, in each case. For example, a reporting entity may determine that frontline staff present a different potential for such risk than staff in a capital markets area or private banking unit. Similarly, cashier staff in a casino may present a different risk from bar staff.
Oversight by boards and senior management. This is a critical governance issue and a reporting entity should ensure that processes are developed and implemented for regular reporting to and monitoring by senior management, as well as receiving feedback from them. Board and senior management oversight should also include a review, at set intervals, of the continuing adequacy of the AML/CTF program.
AML/CTF Compliance Officer. A reporting entity should consider a number of factors in relation to this position, including independence, seniority, accountability, reporting lines, access to executive/board and relevance of the competencies of the incumbent.
Independent review of the AML/CTF program. A reporting entity will need to assess the pros and cons of having the review undertaken by an internal area such as internal audit (or another 'independent' area) or having an external review. In either case, it is important to be able to demonstrate the independence and quality of the review process.
AUSTRAC feedback. Feedback from AUSTRAC on the reporting entity's own program and in relation to industry-wide matters will be a key driver in enhancing and maintaining the currency of a reporting entity's AML/CTF program.
Permanent establishments in a foreign country. A reporting entity will need to consider whether its standard AML/CTF program is relevant to its offshore operations, or whether the program needs to be customised to comply with local obligations. Certain requirements of Part A do not apply to overseas permanent establishments, as specified in the AML/CTF Rules.
The requirements for standard AML/CTF programs are contained in chapter 8 of Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1).
What are the requirements for Part A of a joint AML/CTF program?
The factors relevant to a standard AML/CTF program are also relevant to a joint AML/CTF program.
As mentioned in chapter 2 of this Guide, a joint AML/CTF program applies to reporting entities that elect to become part of a designated business group and choose to adopt a joint program. However, the joint program may need to be modified so that it is relevant to the needs of individual reporting entities within the designated business group.
It may be necessary to undertake a detailed analysis of the business activities of each reporting entity to identify which components of the joint AML/CTF program may need to be modified to meet the needs of individual members.
Requirements for joint AML/CTF programs are contained in chapter 9 of Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1).
Requesting information from customers
Where a reporting entity has a standard or joint AML/CTF program and has reasonable grounds to believe that a customer of a designated service has information that is likely to help the reporting entity comply with Part A of its AML/CTF program, section 92 of the AML/CTF Act allows the reporting entity, by written notice, to request the customer to provide the information within the period specified in the notice.
The AML/CTF Act gives reporting entities powers relating to discontinuing, restricting or limiting the provision of designated services to a customer until the customer provides the information covered by the written notice.
Protection from liability may be available under subsection 92(5) of the AML/CTF Act in relation to suits or proceedings taken against the reporting entity regarding actions it has taken in good faith in the (purported) exercise of this power.
Exceptions and exemptions
Subsections 82(3) to (5) of the AML/CTF Act provide that where a reporting entity has included something in its AML/CTF program which is not required by the AML/CTF Rules, then the reporting entity need not comply with that part of its AML/CTF program.
These provisions ensure that where an AML/CTF program exceeds the minimum legal requirements, reporting entities cannot be prosecuted for non-compliance with the non-legally required parts of their program.
Subsections 93(1) and (2) of the AML/CTF Act provide for designated services of a kind, or provided in circumstances, specified in the AML/CTF Rules to be exempted from specified AML/CTF program obligations.
Exemptions in relation to AML/CTF programs may be available under section 247 (general exemptions) and/or section 248 (exemptions and modifications by way of written instrument by the AUSTRAC CEO). Refer to the AUSTRAC Exemption Policy and AUSTRAC guidance note Exemptions and modifications under the AML/CTF Act for information on AUSTRAC's approach to exemptions which can be located at www.austrac.gov.au. A summary of the AUSTRAC Exemption Policy is in Appendix F.
What are the risk indicators of an inadequate AML/CTF program - Part A?
There are a number of risks associated with developing, implementing and managing Part A of an AML/CTF program. Examples of these risks include, but are not limited to:
- failure to include all the mandatory components
- failure to conduct a proper ML/TF risk assessment
- failure to gain board or executive approval for the program
- insufficient or inappropriate employee due diligence (for example employee screening is not commensurate with the money laundering or terrorism financing risk associated with the employee's position)
- frequency and level of risk awareness training not being aligned with the potential risk of exposure to money laundering or terrorism financing
- changes in business functions not reflected in the AML/CTF program (for example, the introduction of a new product or distribution channel)
- feedback from AUSTRAC not acted on (for example, advice about an emerging risk related to money laundering or terrorism financing)
- failure to independently review the content and application of the AML/CTF program.
What resources are available to assist reporting entities?
Conducting an ML/TF risk assessment
The following three resources may assist reporting entities in conducting a proper ML/TF risk assessment.
1. AUSTRAC guidance note: Risk management and AML/CTF programs
The purpose of this guidance note is to:
- provide general information about risk management frameworks and relevant legislative requirements under the AML/CTF Act and AML/CTF Rules relating to AML/CTF programs
- assist reporting entities in implementing an AML/CTF program appropriate to their business having regard to the business size, nature and complexity.
Reporting entities may find this document particularly useful where it discusses the application of the AS/NZS 4360:2004 Risk Management framework to the AML/CTF context and in conjunction with the legislative obligations for an AML/CTF program.
This guidance note is available from the AUSTRAC website: www.austrac.gov.au/files/risk_man_and_amlctf_programs.pdf.
2. AS/NZS 4360:2004 Risk Management
This internationally-respected standard was updated and re-released by Standards Australia in 2004. Widely used, the standard provides a generic guide for managing risk. It may be applied to a wide range of activities, decisions or operations of any organisation and it specifies the elements of the risk management process.
This standard is available from the Standards Australia website: www.standards.org.au
3. ML/TF Risk Principles Framework
The ML/TF Risk Principles Framework was developed and agreed to in March 2006 by a joint government-industry working group in Sydney during the consultation period of the AML/CTF Bill. This framework is based upon and consistent with the Australian Risk Management Standard (AS/NZS 4360:2004) described above, but like the risk management guidance note is tailored to the ML/TF context.
This framework is available in Appendix B.
Creating a culture of compliance
AUSTRAC, like other regulators, encourages a culture of compliance within business. In doing so, AUSTRAC recognises the diverse nature of businesses that fall within the AML/CTF Act and the impact this legislation has on the operation of a business.
What is a culture of compliance?
While the AML/CTF Act requires reporting entities to have an AML/CTF program, the implementation of compliance systems alone may not necessarily lead to positive risk management or compliance outcomes. To ensure that the programs and systems established within a business are successful, compliance should become part of an organisation's culture. A culture of compliance is one where commitment to achieving risk management and regulatory objectives is embedded at all levels of the organisation (and in particular, senior management) and compliance is an inherent and expected behaviour that is considered to value add, rather than be viewed or practiced as a separate activity and considered an unwelcome business cost.
To successfully manage ML/TF risks and comply with regulatory obligations, management needs to recognise that establishing the 'right' culture will be a major responsibility for them, in parallel with monitoring and controlling responsibilities.
How can business benefit from a culture of compliance?
A strong culture of compliance will benefit businesses by improving the management and mitigation of both business and regulatory risks. The positive outcomes of a culture of compliance will result from improved employee performance in identifying and dealing with any unlawful conduct channelled through the organisation. Regulatory risk may be reduced, for example, in the event that AUSTRAC instigates legal proceedings, if the demonstrable existence of a culture of compliance were considered a mitigating factor by the court.
As well as reducing the financial and reputational risks associated with regulatory non-compliance, benefits can extend to such aspects of the business as customer service, employee and customer loyalty and ultimately competitive advantage. (17)
How can a culture of compliance be achieved?
AUSTRAC recognises that reporting entities have numerous regulatory obligations and expects that AML/CTF requirements will become part of a business's broader compliance programs and culture.
The values, attitudes and beliefs exhibited by management represent the single greatest influence on the successful implementation of a culture of compliance. If the board and management are not seen to be committed to compliance, it may send the message that compliance is discretionary.
Several of the factors that organisations need to consider to successfully integrate compliance into their culture are also required elements of AML/CTF programs; for example, an ML/TF risk awareness training program and oversight of AML/CTF programs by boards and senior management. However, to ensure that implementation of the AML/CTF program is successful, the following elements (18) of a culture of compliance should be considered in conjunction with the required elements of AML/CTF programs:
- Compliance framework: compliance policies, processes, resources, training, monitoring and reporting are the foundation of a culture of compliance.
- Behavioural factors: for the compliance framework to be effective it needs to be embedded in the culture, which will require training and demonstration and encouragement of the appropriate behaviours by management.
- Structural issues: compliance should be integrated into all operational areas of the business, rather than being a separate compliance function.
- Business planning: a formal business plan will assist management throughout the organisation to incorporate compliance activities into units.
- Inter-business unit management: some compliance functions will extend across several business units which will require careful planning and management.
- Resourcing: senior management needs to demonstrate its commitment to compliance by allowing adequate time and resources for compliance activities.
The Australian Competition and Consumer Commission (ACCC) has observed (19) that organisations that effectively institutionalise a culture of compliance typically travel through three phases. While the observations were made in relation to the Trade Practices Act 1974, they are equally applicable to reporting entities seeking to achieve compliance with their obligations under the AML/CTF Act. The three phases are:
- Commitment to comply. Management develops a willingness or commitment to address compliance issues and allocate the resources to achieve it.
- Compliance know-how. Specialist personnel are appointed and made accountable for compliance program development and internal and external expertise is sought and assimilated. Corporate strategy takes account of compliance. Policies and procedures are developed to address compliance issues.
- Compliance as business practice. Compliance becomes the way business is done and is no longer external to it. Compliance policies are considered integral to company objectives. Operational procedures take account of compliance; the performance of work duties in compliance with the law is the company norm.
29-OCT-2009