Employee AML/CTF risk awareness training
You must provide anti-money laundering and counter-terrorism financing (AML/CTF) risk awareness training for your employees who work in roles that you have identified pose a ML/TF risk to ensure they understand:
- your obligations under the AML/CTF Act and Rules
- the consequences of non-compliance with the AML/CTF Act and Rules
- the type of ML/TF risk the business might face and the consequences of such risk, and
- the business’s AML/CTF processes and procedures that employees must carry out.
Refer to AUSTRAC guidance on employee due diligence for more information on identifying roles that pose a risk to your business.
Part A of your AML/CTF program must include processes, systems and controls to provide tailored ML/TF risk awareness training for those identified employees and to help you identify, mitigate and manage the risks of ML/TF.
- regularly review your training program to ensure it covers changes to ML/TF risk or the level of ML/TF risk your business faces
- ensure that it reflects the current AML/CTF legal framework, and
- document any recommended changes from the review processes.
AUSTRAC provides this guidance for educational purposes only and it does not constitute legal advice. The information in this guidance should be read together with, and not as a substitute for, the AML/CTF Act and Rules.
AUSTRAC does not guarantee, and accepts no legal liability whatsoever arising from, or connected to, the use or reliance of any material contained in this guidance.
For more information, please read AUSTRAC’s website disclaimer.
Your AML/CTF risk awareness training program
It is best practice for your AML/CTF risk awareness training program to document and provide details on how your employees are trained on:
- your obligations under the AML/CTF Act and Rules
- the consequences of not complying with your obligations under the AML/CTF Act
- trends, methodologies and techniques of money laundering and terrorism financing relevant to your business and the designated services you provide
- the type of ML/TF risks your business may reasonably face and the consequences of these risks
- insights into your ML/TF risk assessment including the vulnerabilities of your products and services
- how you meet your obligations, including your processes and procedures detailed in your AML/CTF program that are relevant to the work carried out by your employees
- the roles of relevant persons in your organisation with responsibility for your AML/CTF program and risk assessment, including the AML/CTF compliance officer
- how to identify suspicious activity and transactions and prepare and submit suspicious matter reports (SMRs), and
- relevant industry guidance.
Who needs training and how often?
You should give all your relevant employees regular AML/CTF risk awareness training, including board members, directors, operational staff, contractors and consultants who are involved in providing designated services to your customers, in line with your ML/TF risk assessment.
The content and frequency of the training will depend on their roles in the organisation and the ML/TF risks your business may face.
Employees should have an understanding of the changing behaviours, techniques and practices, including relevant risk assessments and risk profiles, of money launderers and people engaged in terrorism financing. You can incorporate this information into training materials and special purpose training provided when you introduce a new product, service or technology. You should also take into account any changes to the AML/CTF regulatory framework including the AML/CTF Act and Rules and any enforcement updates from AUSTRAC that may be relevant to your business.
Certain events may trigger training requirements, such as:
- employees moving between jobs or responsibilities
- new methodologies or indicators relevant to your business emerge, including new information about ML/TF risks in your sector
- employees failure to comply with your AML/CTF program
- AUSTRAC-issued guidance or feedback on ML/TF risk in your sector, e.g. AUSTRAC financial crime guides
- AUSTRAC feedback on your business’ AML/CTF compliance.
Your AML/CTF program must detail how you will run your AML/CTF risk awareness training program for employees. It is best practice to include:
- which employees need training, such as new employees, employees being promoted or transferred, senior managers, consultants and new directors
- what the training intends to achieve
- the frequency of the training
- the delivery methods of the training
- how and where training and completion dates will be recorded, and
- whether and how employees will be assessed after completing the training.
Types of training
You can determine the types of training you provide for employees based on your ML/TF risks and the roles and responsibilities of your staff.
Options may include:
- online training courses
- in-house or external training with an instructor
- on-the-job training, especially if the risks are specific to a certain role
- induction training for new employees and existing employees who take on new roles or positions, and/or
- regular communication to employees via email, notices or bulletins about any changes or updates to your ML/TF risk systems, controls and procedures, including appropriate follow-up with employees to ensure that the information has been read and understood.
AUSTRAC provides e-learning modules and regularly produces other advice including financial crime guides, risk assessments, guidance and industry-specific resources to support you to understand and comply with your AML/CTF obligations. These products do not replace your AML/CTF risk awareness training, but can be used as a resource to contribute to fulfilling this requirement.
For a range of commercial or operational reasons, some reporting entities may outsource their AML/CTF employee risk awareness training to a third party service provider. Under an outsourcing arrangement, legal liability for any breach of compliance with these obligations remains with the reporting entity.
Before engaging a third party service provider, it is best practice to conduct appropriate due diligence to ensure that the third party service provider is suitable and has the appropriate skills, expertise, knowledge, experience and references to conduct the services in accordance with your expectations, AML/CTF program, systems and controls and your ML/TF risk assessment.
If you engage a third party service provider, it is also best practice to have appropriate systems and controls in place to monitor their performance as part of your overall governance and risk management arrangements. This may include regular reporting and conducting regular reviews (including independent reviews) to ensure that the third party service provider is meeting your agreed performance and compliance expectations.
You should document the details of your outsourcing arrangement, including your due diligence processes, performance management and governance arrangements, and decision-making, including senior management and/or board approvals of the outsourcing arrangement.
These questions are a guide only to assist you to determine whether your business is complying with its obligations.
- Do your employees have access to training on an appropriate range of ML/TF crime risks?
- How do you ensure that training is of a consistent quality and reflects current trends?
- Is the training tailored to particular roles?
- How do you assess the effectiveness of your training?
Examples of good and bad practices
|Good practices||Bad practices|
|Tailored training is in place to ensure that employees’ technical knowledge is adequate and up to date. Employees have easy access to policies and procedures.||Training materials and logs are not kept up to date and are not accessible to employees.|
|Training covers practical examples, uses case studies and provides information on how to comply with policies.||Training is provided by an external provider who has no or limited understanding or knowledge of the specific risks, systems and controls relevant to the business.|
|Training covers the consequences of not complying with processes and policies.||Training is not tailored and does not include the specific ML/TF risks identified by the reporting entity.|
|Refresher training is provided to ensure that employees remain up to date with changes to ML/TF risks, policies and procedures, and changes to the legal framework.||Training is too broad/high level or is not role-specific, so staff are unclear what ML/TF risks and AML/CTF policies and procedures relate to their role.|
|Training includes some form of testing on completion and the results are used to assess individual training needs.||Training is infrequent and refresher training provides no new information or content each time.|
|The reporting entity maintains up-to-date records including logs of training and completion dates.||The reporting entity is unable to demonstrate that employees have undertaken regular and appropriate training.|
The content on this website is general and is not legal advice. Before you make a decision or take a particular action based on the content on this website, you should check its accuracy, completeness, currency and relevance for your purposes. You may wish to seek independent professional advice.