AML/CTF governance issues

Prepared by Julia Winzar

AUSTRAC has identified a number of short-falls in its recent review of reporting entities and their compliance with AML/CTF obligations.

The key areas for improvement that were identified by AUSTRAC were:

  • ML/TF risk assessments.
  • Application of the risk-based approach to AML/CTF  compliance.
  • Outsourcing and automation of activities.
  • Governance issues.

We will look at these areas for improvement in further detail over a four part series.

Reporting entities are required to conduct a regular independent review of Part A of their AML/CTF program. Part A of a reporting entity’s program is required to cover the following:

  • how the reporting entity identifies, manages and reduces the ML/TF risks it faces;
  • an ML/TF risk assessment of the business;
  • procedures for approval and ongoing oversight by the board and senior management;
  • appointment of a compliance officer;
  • processes for a regular independent review;
  • an employee due diligence program;
  • an AML/CTF risk awareness training program for employees;
  • policies and procedures for the reporting entity to respond to and apply AUSTRAC feedback and to notify AUSTRAC if any of their enrolment details change;
  • systems and controls to ensure the reporting entity complies with its reporting obligations (suspicious matter reports and threshold transaction reports); and
  • procedures for undertaking ongoing customer due diligence.

The independent review should assess:

  • the effectiveness of Part A of the program in addressing the reporting entity’s ML/TF risk;
  • whether Part A complies with legislative requirements;
  • whether Part A has been effectively implemented by the reporting entity; and
  • whether the reporting entity has complied with Part A of its program.

The independent review may be carried out by an internal or external party. However, if the reporting entity engages an external party to undertake this review, and the external party was also the entity that drafted the AML/CTF program, the reporting entity must be satisfied that the review will be undertaken on an independent basis and there is no vested interest in the outcome of the review.

Reporting entities need to be aware that the approach to an AML/CTF program is not “set and forget”. Entities must continually assess their compliance with the program and update their program when processes or legislation change.