AML/CTF outsourcing and automating

Prepared by Julia Winzar

AUSTRAC has identified a number of short-falls in its recent review of reporting entities and their compliance with AML/CTF obligations.

The key areas for improvement that were identified by AUSTRAC were:

  • ML/TF risk assessments.
  • Application of the risk-based approach to AML/CTF compliance.
  • Outsourcing and automation of activities.
  • Governance issues.

We will look at these areas for improvement in further detail over a four part series.

If a reporting entity outsources or automates any of the activities it is required to undertake to comply with its AML/CTF obligations, it is important for the reporting entity to remember that it still has the ultimate responsibility to ensure that these activities are carried out, and carried out correctly.

In the case of outsourcing, reporting entities should ensure that:

  • the roles and responsibilities of the service provider are clearly documented and contractually binding; and
  • it undertakes monitoring and/or testing of the services provided by the service provider.

In the case of processes that are automated, reporting entities should ensure that:

  • it undertakes regular monitoring and/or testing of the systems to ensure that they are functioning correctly;
  • it considers the impact of any IT changes (systems upgrades etc.) on the systems;
  • where an automated system produces reports or alerts, these are communicated promptly and to the appropriate person; and
  • any automated reports are reconciled against the source data.

Reporting entities need to have adequate oversight of any third party service providers or automated systems to ensure they remain compliant with their AML/CTF obligations.