AML/CTF compliance: observations from our independent review work
Forensic Foresight: February 2017
One of the key findings from the statutory review of Australia’s AML/CTF regime, reported by the Government earlier this year, was that industry stakeholders said greater support and guidance was needed for understanding their AML/CTF obligations [1]. We continue to observe that our clients face challenges in understanding and complying with the AML/CTF regulatory obligations imposed by the law and, moreover, in applying these requirements within their unique and often complex operating and risk environments. The consequence we often see is a direct impact on the capacity of the AML/CTF program to deliver the expected operational outcomes that demonstrate the program is working effectively.
Reporting entities [2] have also recently completed transitional programs arising from substantial changes to legislation in mid-2014, known as the new customer due diligence rules (new CDD Rules), which lifted AML/CTF compliance requirements in several areas that have been challenging for reporting entities in the past, such as beneficial ownership, politically exposed persons (PEPs), risk assessment and ongoing and enhanced due diligence.
With almost a year having passed since reporting entities implemented system and business changes for the new CDD Rules, it is now an optimal time for reporting entities to evaluate the effectiveness of their AML/CTF compliance programs. In particular, reporting entities should be scrutinising three key pillars of an AML/CTF program, each of which can have a profound influence on the effectiveness of the program:
- Building a risk-based approach from an informed view of ML/TF risk to the enterprise
- Designing the AML/CTF program to be effective and produce real operational outcomes
- Senior governance and oversight and continuous evaluation of the effectiveness of the program.
Building a risk-based approach from an informed view of risk
While it is important that the AML/CTF program is regularly reviewed to accommodate changes to legislation, awareness and sensitivity to changes which influence the ML/TF risk environment are also central to the risk-based approach upon which the program is designed. AML/CTF programs that are not deeply linked with the risk context of the organisation are unlikely to be effective.
There is an increasing amount of guidance and risk intelligence from regulators, law enforcement or industry bodies about ML/TF risks in the industry, which supply case studies, insights and expertise that assist reporting entities with understanding their ML/TF risk environment and benchmarking their assessment of risks to peer institutions.
The starting point for the risk-based approach remains a comprehensive and demonstrable risk assessment of ML/TF risks across the customers, channels, products and services and relevant jurisdictions of the business. However, in addition to looking for coverage of these traditional vectors, regulators are increasingly testing the effectiveness of risk frameworks and examining the consideration of contemporary criminal threats and vulnerabilities, such as online hacking and cyber fraud.
Reporting entities have also been challenged by the regulator on their risk profiles, which has reinforced the importance of a reporting entity’s risk profile being informed by a carefully rationalised and well-documented methodology that demonstrates ML/TF risks have been fully considered and assessed.
Designing the AML/CTF program to be effective and produce real operational outcomes
A shortfall we repeatedly observe is that the AML/CTF program is documented to closely replicate the requirements of the Act and Rules, but does not in practice set up systems and controls that sustainably manage the levels or types of risk identified from the risk assessment. This manifests in diminished operational outcomes delivered by customer facing, operational and supporting service teams that are responsible for executing the program.
Some key indicators can show that an AML/CTF program is not operating effectively: high risk customers, transaction monitoring alerts and suspicious matters reported, among others. Enhanced customer due diligence, assessment of risks of Politically Exposed Persons (PEPs) and reporting of suspicious matters are three areas of an AML/CTF program that are prone to low execution levels because systems and controls have not been informed by the risk assessment:
Enhanced customer due diligence (ECDD)
ECDD programs are often ineffective where high risk triggers or events are not well-defined. Understanding these triggers requires reporting entities to closely assess their customers’ profiles and the business activities of the organisation, and to consider factors that increase the risk presented by a particular customer (for example, PEPs, foreign jurisdiction risks and where the customer exhibits suspicious behaviours).
Triggers for enhanced due diligence that are not based on the risk profile of the business also lead to ineffective operational outcomes. For example, jurisdiction risk triggers do not produce strong operational outcomes for businesses with only domestic operations and clients. This would often indicate that the ECDD program is not commensurate with the risk profile of the business and may therefore not be considered risk-based.
It is common for name screening against databases such as World Check to be relied upon for identifying PEPs; however, we have observed that the follow-on review processes or escalation channels required to confirm (or disprove) matches and assess risk are often missing. This has a downstream impact upon the enhanced measures that are now required for foreign PEPs and also where other PEPs have been assessed as high risk. Reporting entities are expected to implement systems and procedures to identify as well as assess the risks of PEPs in recognition of the increased risk of corruption and the laundering of proceeds of corruption associated with these positions.
Suspicious matter reporting
There is increasing scrutiny over reporting entities [3] that have continuously reported low numbers of suspicious matters. Regulators examine this information to evaluate reporting levels against the risk profile and reporting statistics of the industry. For some reporting entities, low reporting has been an indicator of ineffective detection and reporting controls, and this has led to substantial remedial activities to ensure that suspicious matters are identified, investigated and reported appropriately through, for example, tuning of transaction monitoring scenarios and improved training and awareness around detection of suspicious matters.
Strong governance around managing compliance and evaluating the effectiveness of the AML/CTF program starts with effective escalation and reporting channels from the front line and back office to senior management and the Board. Navigating the challenges and complexities around AML/CTF compliance requires well-organised and structured oversight and review channels that examine the program as well as the surrounding governance, resourcing and ongoing maintenance controls that support the program, such as:
- Regular internal review and reporting to senior management and the Board
- Review processes for responding to changes that impact the risk assessment and the program
- Testing the performance of systems and controls
- A regular, robust and comprehensive independent review.
Reliance upon third party service providers to perform AML/CTF-related activities also presents challenges, and problems can emerge where these responsibilities are not proactively managed. Accountability for compliance always remains with the reporting entity under these agreements, and it is therefore important that reporting entities regularly engage their service providers to ensure that their standards and practices are being met and that these are adapted to the risks faced by the reporting entity.
Deloitte Forensic has supported many organisations with developing, reviewing and enhancing their AML/CTF compliance programs to address increasing compliance requirements and a growing environmental risk profile, in addition to providing professional services and expertise in ML/TF risk management over numerous years.
Please don’t hesitate to contact our team to request further information, ask questions or discuss your AML/CTF program.
1. The statutory review can be accessed online from https://www.ag.gov.au/consultations/pages/StatReviewAntiMoneyLaunderingCounterTerrorismFinActCth2006.aspx
2. This refers to entities that provide designated services defined by the AML/CTF Act
3. Entities that are regulated by Australia’s AML/CTF regime.