Australian Anti-Money Laundering Rules require an Independent Review of the reporting entity’s AML/CTF Part A Program on a regular basis, which in practice is every one to three years depending on the risk profile of the business. Whether you’re new to AML Independent Reviews or it’s been a while since the last one, this article looks to provide you with insights on some of the key components of a Part A Program Independent Review so that you can anticipate and prepare for what is hopefully a quick and painless review.
Like all reviews / audits / investigations, AML Independent Reviews (Reviews) require key business resources to dedicate precious time to the Review by providing information and responding to sometimes multiple rounds of queries. And while we get excited combing through the details and finding ways to help clients improve their Programs, we recognise that a fast, insightful and efficient Review is much appreciated by compliance officers, Board and senior management.
Below are a few of the key areas the reviewer will assess, and how you can prepare.
1. Risk Assessment
The most important artefact other than the Program itself, is the reporting entity’s ML/TF risk assessment. The reviewer will look at the Program to understand how the entity assesses its ML/TF risk as this will drive their assessment of whether the Program has been designed appropriately given the ML/TF risk exposure of the reporting entity.
The Rules are relatively prescriptive on which factors the entity needs to consider when assessing risk – this includes customer types, types of designated services, foreign jurisdictions, etc. And most-often, these factors are considered and rated individually to inform the overall risk position. AUSTRAC expects that the reporting entity includes all available data in the assessing risk (e.g. trends in usage of a product or channel, transaction monitoring results, suspicious matter raised, relevant AUSTRAC industry assessments).
The reviewer will be verifying that all the factors have been considered and assess the appropriateness of the rating methodology and outcomes.
The reviewer will also consider how the assessment is documented and how often it is updated. Given that the risk assessment is intended to be a living document, the expectation is that it is contained in an easily updatable format (i.e. not solely in the Program documentation) and that it is revisited frequently or when there is significant change in the business. AUSTRAC has provided guidance on its expectations of ML/TF risk assessments.
2. Board Approval of Program
The reviewer will want to see the current version of the Part A Program, as well as any version of the Part A Program that was in place during the review period which is normally 12 months. Therefore, it can be useful to agree a review period where only one version of a Part A Program has been in effect. The reviewer will also ask to see your AML/CTF Policy.
The reviewer will be looking for evidence that the Program was approved by senior management or the Board, usually in the form of Board meeting minutes noting that the Program was approved. They’ll also want to see other supporting policies (e.g. HR policies covering employee screening and on-boarding, risk-rating methodologies) and any standalone process documents or desktop procedures which provide detailed descriptions of processes like transaction monitoring and suspicious matter reporting.
3. Training Content and Delivery
The reviewer will be considering training from a few different angles. Firstly, has the reporting entity considered what levels of training should be provided to which staff (based on their roles and the ML/TF risk arising)? Have all employees completed the AML/CTF training required for their role? Is completion monitored? A training register spreadsheet, or system report showing training completed should be sufficient to demonstrate completion.
The content of the training will also be reviewed. The Rules are prescriptive on what needs to be included (obligations under the Act, consequences of non-compliance, entity-specific risks and consequence and AML related processes and procedures) so the reviewer will want a copy of the training materials provided to verify that the content meets the requirements. In our experience, reporting entities tend to receive findings related to the lack of entity-specific training content.
While there is a plethora of general and generic AML/CTF training available, AUSTRAC expects that employees be trained on how ML/TF risks might present themselves specifically in the organisation they work for, and roles they work in. Risks faced by a fund manager may be greatly different than those face by frontline staff at a large bank. And while some general content is fine, the expectation is that training is tailored to the organisation and to specific roles.
Finally, the frequency of training and training refreshers will be considered. Standard practice is that AML/CTF training should be included in induction training for all employees, and potentially increased or more in-depth training for higher risk-rated roles. An annual re-fresher training for higher risk-rated roles is better practice with all employees having a refresher training at a regular frequency (e.g. every 2 years). Programs should specify the frequency of training so that the reporting entity can clearly demonstrate compliance. Avoid using words like “regular” as this is open to interpretation.
4. Suspicious Matter Reporting
The Act is relatively clear on what matters to report and the timeframes to do so. The reviewer will look to see that these details are outlined in the Program. The reviewer will assess the design of the process which should clearly detail the steps for raising, investigating, and reporting suspicious matters, including forms, systems, roles and responsibilities and timeframes. If any suspicious matters were raised or reported in the period, the reviewer may want to walk through a couple of examples and see the documentation trail to ensure that any matters raised were investigated and reported in line with the Program.
5. Transaction Monitoring Program
While the Program will outline the transaction monitoring process and controls, this area may also have additional process documentation to ensure that those responsible can consistently execute the process. The reviewer will consider how transactions are monitored (i.e. manual vs automated), who is performing the review and its frequency, the logic used to determine which transactions are flagged including how often it is reviewed, and how transactions are investigated and the integration into suspicious matter reporting.
If reports are used, the reviewer will look at how the entity ensures that the reports are complete particularly if no transactions have been identified for further investigation. Likewise, with automated monitoring the reviewer should, at minimum, obtain an understanding as to how the entity ensures that the system is operating as intended and who can setup and change monitoring logic.
6. Ongoing Customer Due Diligence
In addition to performing due diligence on customers at the onboarding stage, the Rules require that some level of review and update of customer identification data is performed throughout the relationship with the customer, particularly in relation to high risk rated customers. We commonly see that this requirement is overlooked, perhaps due to the amount of effort required to update customer data at any frequency.
The reviewer will be considering the risk-based approach to OCDD the reporting entity has applied (which should be documented in the Program or a supporting standard or procedure) and whether the processes and controls are in place to ensure the OCDD program is consistently executed.
We often see high level statements in Programs in relation to keeping customer information up to date. These high-level policy statements cause issues for reporting entities come Review time. By being too vague and open ended, reporting entities can find themselves in a position where they are unable to demonstrate compliance with this aspect of their Program.
7. Employee Due Diligence
The reviewer will want to see written details (whether in the Program itself, or a separate cross-referenced policy) of the reporting entities practices in relation to considering which roles are higher risk from a ML/TF perspective, and what additional due diligence applies to these higher risk roles.
Weaknesses we observe include reporting entities that state the job titles of higher risk roles, without providing any basis for the assessment (e.g. level of influence / seniority, involvement in operating key fraud or ML/TF controls, involvement in relationship management). Another common weakness is Programs that deal with EDD at the onboarding stage but do not have regard to movements of staff from lower risk to higher risk roles.
A quick win here is to ensure alignment between policies and procedures – we sometimes note inconsistencies between the actual onboarding practices of the HR function relative to what is stated in the Program drafted by the Compliance function.
8. Outsourcing and using suppliers
If you use third parties to execute any aspect of your AML/CTF Program, the reviewer will want to see evidence of the usual third party risk management controls being in place e.g. written contracts, risk assessment, due diligence, ongoing monitoring. Screening tools should be vetted to ensure they are fit-for-purpose and that the reporting entity understands the limitations. We have seen examples of the Program relying on certain tools only to later discover that a certain module was never switched on. AUSTRAC has provided useful guidance in relation to reliance on third parties for ongoing CDD arrangements.
If you’re looking to uplift your AML Program, for additional guidance to prepare for your next AML Independent Review, or are interested in speaking to use about performing your next Independent Review, reach out to tanushree@px.partners.