Insights on AUSTRAC’s updated Compliance Report for 2019
What you need to know
A review of the key changes in AUSTRAC’s updated Compliance Report, to be released 2 January 2019.
On 2 January 2019, AUSTRAC will release an updated Compliance Report for reporting entities (REs) to self-assess their anti-money laundering and counter-terrorism financing (AML/CTF) compliance. Revised from previous years, the updated report has been socialised with the regulatory community and industry and brings an increased focus on data pertaining to an RE’s operational and risk profile, e.g. volume and risk of the customer population. The Compliance Report is now 10 years old, and, in line with that tenure, the updated version reflects AUSTRAC’s expectation that current programs are reflective of a more mature approach by REs regarding investment and program efficacy.
We have captured what we see as the key changes in five themes, which reflect AUSTRAC’s experiences of where they perceive greater risk:
- Granularity and profiling to identify systemic weaknesses and failures
- The identification of channels REs use and agency/principal arrangements
- The examination of risk assessments and risk drivers focusing on the nature and adequacy of those assessments in light of the undertakings on Tabcorp and CBA
- Ongoing customer due diligence programs
- External assurance of programs driving a continued emphasis on completeness and accuracy of regulatory reporting.
1. Granularity and profiling
The report now provides a granular and quantitative basis on which AUSTRAC will be able to profile and compare REs against one another. Through this, we expect that AUSTRAC will have the ability to identify underlying anomalies, which may be used to focus supervisory effort, narrowing the attention on current ML/TF risks and areas of the regime where systemic weakness and failure have been identified.
It is critical that REs are confident in the veracity of their responses. While the Report has always stood as a formal statement from an RE to AUSTRAC, and open to review or challenge later in terms of possible supervisory or enforcement outcomes, the increasingly quantitative nature of this enhanced Report has the potential to expose REs that have not put in place adequate measures to collate and report the data.
2. Identification of channels utilised and outsourcing/offshoring arrangements
Compliance feedback has identified that these channel attributes can be highly complex and problematic, and it is therefore not surprising that AUSTRAC is keen to obtain more data on these components. These arrangements are often a notorious driver of risk, particularly for extended value chains; our experience is that REs must ensure an appropriate level of oversight over outsourced functions, and initiate periodic reviews to ensure ongoing effectiveness. REs should also align with APRA’s prudential standards on outsourcing provisions when responding to these questions.
3. Risk assessments and drivers
The Compliance Report will examine ML/TF risk drivers and risk assessments with a key focus on the nature, extent and adequacy of your assessments, mirroring concerns exposed through AUSTRAC’s enforcement actions against both Tabcorp and CBA. We expect this will lead AUSTRAC to consider responses provided by reporting entities as a basis to review comparative assessments and test the appropriateness of treatment of ML/TF risk drivers (e.g. customer types, channels).
Questions on employee risk focus on the requirement to risk-assess individual employee roles and apply graded screening. In our experience, many organisations do not have a sufficiently risk-based approach to this component, relying instead on a 'one-size-fits-all' approach.
We believe the ‘changes to your program’ questions seek to capture not only what has directly caused changes to your program but also the consideration of environmental impacts within your risk assessment. We observe that, outside of legislative changes, many reporting entities have made limited changes to their AML/CTF program in the last 10 years.
4. Ongoing customer due diligence and transaction monitoring program (TMP)
Questions will delve into details of the maintenance of the ongoing monitoring programs, including how frequently REs review monitoring rules, environmental drivers behind changes to the TMP, prioritisation of alert administration and the definition and numbers of high-risk customers, including PEPs. This will require careful decisions and documentation to evidence responses. Our experience in performing independent reviews of AML/CTF Programs across the industry is that data of this nature can be difficult to obtain quickly and is subject to definitional problems and to detailed decision making recorded across multiple sources, which affects the reliability and repeatability of the analysis.
5. Independent reviews and regulatory reporting
AUSTRAC seeks to determine the nature and frequency of external assurance on AML/CTF programs as part of the independent review requirements and to drive a continued focus on the completeness and quality of regulatory reporting. Some questions go directly to this element of your program, specifically probing the extent of assurance over regulatory reporting obligations, and the actions taken in response to AUSTRAC feedback or specific intelligence.
While the questions appear straightforward, there is often significant complexity in developing responses that are both reliable and repeatable. We recommend that reporting entities approach their responses with caution, considering both the level of accuracy provided and the potential impacts of their answers.
The increasingly quantitative nature of the questions suggests that AUSTRAC is likely to take a more formal and data-driven approach in the future when reviewing the Compliance Reports in its supervisory capacity. It also starts to demonstrate a pivot in AUSTRAC’s focus towards the extent to which reporting entities are looking at the application of risk intelligence derived from, among other things, their sub-sector risk assessments. The Compliance Report is a formal regulatory document impacting the legal risk of the reporting entity, Board of Directors and Bank Executive Accountability Regime designates. We recommend that detailed evidence supporting the answers in the Compliance Report is formally compiled, assured and presented to the above stakeholders.
Published: December 2018