Now that the dust has settled on the highest ever civil penalty in corporate Australian history, a deep dive into the unrestricted court documents reveals AUSTRAC's high expectations for money laundering and terrorism financing risk assessments.
If you're a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act), you should carefully consider whether your risk assessment and AML/CTF program meet regulatory expectations.
Tabcorp's settlement with AUSTRAC
- The Federal Court made orders effecting the resolution of proceedings between gaming giant Tabcorp and regulator AUSTRAC under which Tabcorp agreed to pay a A$45 million civil penalty, plus AUSTRAC's legal costs.
- It was reported that Tabcorp's key breaches were failing to register with AUSTRAC as a reporting entity by the statutory deadline, failing to report a significant number of suspicious matters to AUSTRAC on time (or at all), and failing to carry out due diligence on a customer before paying out $100,000 in winnings.
- However, the unrestricted Statement of Agreed Facts and Admissions filed in the Federal Court (the Statement) reveals that AUSTRAC's biggest concern may have been Tabcorp's failure to have a comprehensive money laundering and terrorism financing (ML/TF) risk assessment.
AUSTRAC's regulatory expectations
Risk assessments must consider specific factors and be used to develop a tailored AML/CTF program
The Tabcorp resolution indicates that AUSTRAC expects you to undertake, and regularly review and update, an appropriate risk assessment that comprehensively identifies and evaluates the ML/TF risk posed to your business, having regard to:
- the nature, size and complexity of your business;
- customer types;
- the types of designated services provided;
- the methods of delivering the services; and
- the foreign jurisdictions with which you deal.
Further, AUSTRAC expects you to use the risk assessment to develop an AML/CTF program that sets out risk-based systems and controls which are commensurate and proportionate to the level of risk identified. In other words, AUSTRAC expects the AML/CTF program to be "based upon" and "aligned with" an appropriate risk assessment.
The Statement describes Tabcorp's failure to meet this requirement as "serious" because: "The requirement to adopt and maintain a compliant AML/CTF program is an important aspect of the AML/CTF regulatory regime. An AML/CTF program is central to the risk-based scheme established by the [AML/CTF] Act and represents the primary means by which a reporting entity identifies, mitigates and manages the risks posed by money laundering and terrorism financing."
Failing to have a comprehensive ML/TF risk assessment may breach section 81 of the AML/CTF Act
AUSTRAC was able to argue that Tabcorp's failure to have a comprehensive ML/TF risk assessment was a breach of the AML/CTF Act, even though there is no express requirement in the AML/CTF Act or Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (Cth) (AML/CTF Rules) to have a ML/TF risk assessment.
It is true that many of the obligations under the AML/CTF Rules require consideration of ML/TF risk to determine the appropriate process to follow. For example, ML/TF risk is relevant to Know Your Customer (KYC) because a safe harbour verification method can only be applied to a customer if the relationship with that customer is of medium or lower ML/TF risk.
However, AUSTRAC took the position, and the Court accepted, that the failure to have a comprehensive ML/TF risk assessment breached section 81 of the AML/CTF Act, which provides that a reporting entity must not commence to provide a designated service to a customer if the reporting entity has not adopted and does not maintain an AML/CTF program that fully meets the requirements of the AML/CTF Act. Section 81 is a civil penalty provision, breach of which is punishable by a maximum penalty of A$18 million per contravention (increasing to A$21 million on 1 July 2017).
The link in the AML/CTF Act between the risk assessment and AML/CTF program is not immediately apparent:
- "AML/CTF program" is defined in the AML/CTF Act as a written program that is divided into Part A and Part B.
- "Part A" and "Part B" are also defined in the AML/CTF Act and those definitions include a requirement that the parts comply with "such requirements (if any) as are specified in the AML/CTF Rules".
- The AML/CTF Rules set out the content that must be covered in Parts A and B, such as training and customer identification procedures.
- The AML/CTF Rules also prescribe the factors that a reporting entity must consider in identifying its ML/TF risk (ie the factors listed above).
- A "ML/TF risk assessment" is defined in the AML/CTF Act as an assessment by a reporting entity of the risks it may reasonably face in providing its designated services and ways to identify, manage and mitigate those risks.
The combined force of these provisions is that if your AML/CTF program does not meet the requirements of the AML/CTF Rules (including the requirement to have regard to the ML/TF risk faced by the business), you may not meet the requirements of section 81 to adopt and maintain an AML/CTF program.
To reinforce its expectations for risk assessments and AML/CTF programs, AUSTRAC released a report in March 2017 on how reporting entities can improve their compliance. The report identifies ML/TF risk assessments as one of four key areas for improvement by reporting entities, noting that "the ML/TF risk assessment is the cornerstone of a compliant AML/CTF program" and that "compliant risk-based AML/CTF programs are developed and informed by an appropriate ML/TF risk assessment".
Compliance testing and adequate resourcing may emerge as AUSTRAC's new focus areas
The resolution of the Tabcorp proceedings also suggests that AUSTRAC may expect reporting entities to regularly test their AML/CTF compliance, and to have adequate resources to perform AML/CTF compliance functions.
The Statement provides that Tabcorp's AML/CTF program "did not specifically set out the need for quality assurance checking of [suspicious matter report] templates for completeness and accuracy". It also notes that since AUSTRAC raised its concerns, Tabcorp's AML/CTF Compliance Officer has periodically reviewed records of suspicious matter reports to monitor compliance with AUSTRAC reporting requirements.
There is no express requirement in the AML/CTF Act or Rules to conduct compliance testing. There is a requirement for Part A of the AML/CTF Program to be subject to regular independent review, but this is more of an independent audit (ie at the third line of defence) than testing by the compliance function (at the second line of defence).
Further, the Statement provides that Tabcorp's AML/CTF function "was not sufficiently resourced" and "there were insufficient processes for consistent management oversight, assurance and operational execution of the Former Program". Unlike Australian financial services licensees, reporting entities under the AML/CTF Act are not expressly required to maintain adequate resources to comply with their obligations. The resolution of the proceedings makes clear, however, that under-resourcing can influence the view of a reporting entity's AML/CTF program and its ability to rely on the "reasonable precautions and due diligence" defence to liability for both criminal offences and civil penalties under the AML/CTF Act.
Our team has experience conducting independent reviews of reporting entities' risk assessments and AML/CTF compliance frameworks. We would be happy to talk with you about how an independent review can improve your business practices and reduce your regulatory risk exposure.