Why an AML Program Independent Review is Invaluable
This article discusses some of the lessons from the authors’ years of experience conducting independent reviews of AML/CTF programs, and from AUSTRAC’s publication ‘Insights from Compliance Assessments: Good Business Practices and Areas for Improvement’ of December 2016.
The AML/CTF laws require designated service providers to maintain an AML/CTF Program and to undertake regular independent review of Part A of that program (which necessarily also entails some examination of the operation of Part B, customer due diligence).
This independent review, and its regulatory cousin the AUSTRAC Compliance Assessment, arguably ranks among the top ten least favourite tasks of AML/CTF Compliance Officers, and the resulting review reports can amount to a substantial piece of professional development. It needn’t be so, however. According to a random survey of AML/CTF legal and compliance experts, who collectively have reviewed a very large number of Programs for organisations ranging from the smallest and simplest to the largest and most complex, the problems identified across the numerous independent reviews completed over a period of years are surprisingly consistent. Furthermore, these issues correspond closely with the issues AUSTRAC identified in its recent analysis of the outcomes of the compliance assessments it has conducted.
Being aware of these danger areas, and addressing them ahead of time, can significantly reduce the angst they cause. The following are our top tips for how to ace your review, whether it is conducted by AUSTRAC or by an independent reviewer.
Documentation: the AML/CTF Program
The AML/CTF Act and Rules mandate the content of designated service providers’ AML/CTF Programs. These requirements are drafted as broad principles to be addressed, and generally, are not prescriptive. For example, independent reviews are required to be ‘regular’. The frequency of review is not mandated but is a risk-based decision to be taken by the business. AUSTRAC requires a reporting entity to consider the ‘nature, size and complexity of the business, and the type and level of money laundering/terrorism financing (ML/TF) risk it might face’ in order to determine how often these reviews will be held.
Many AML/CTF Programs are, essentially, a paraphrase of the requirements in the Act (“We will have a regular independent review of our AML/CTF Program” or “the reporting entity should…”) and avoid the next step of committing to the ‘what, who, when and how’ by which this will be achieved: what will be done in response to the obligation, who is responsible for ensuring it occurs, when it will be done, and how it will be achieved. Without this, the purported AML/CTF Program is no more than a register of AML/CTF obligations.
This type of AML/CTF Program is a risk to the reporting entity on two levels:
- it may not meet the AML/CTF Act obligation, as it is not tailored to the unique circumstances and ML/TF risks of the reporting entity; and
- it creates a negative impression in the Reviewer or AUSTRAC’s mind that little or no work has taken place with regard to the AML/CTF Program since it was first developed or purchased.
AUSTRAC has criticised vague or non-committal language in compliance programs, saying:
Clear, straightforward language helps employees of the reporting entity to understand:
- what they need to do;
- circumstances that trigger additional action; and
- the nature of risk in the business, such as the types of transactions that the reporting entity has identified as posing ML/TF risks.
One means of reducing the time and resources required to develop an AML/CTF Program is to purchase a template program and tailor it to the nature of the business. Templates, by their nature, lack specificity, and in our experience AUSTRAC has shown a decreasing tolerance for this approach.
For example, money remittance businesses wishing to establish operations in Australia must be registered with AUSTRAC, which typically reviews their AML/CTF Program before approving the registration application. The experience of Holley Nethercote and its clients in recent years has been that while AUSTRAC does not disapprove of template programs as such, it does not hesitate to reject a Program it finds too general in how it reflects the business’s operations and its responses to ML/TF risks. AUSTRAC notes:
that many AML/CTF programs are templates obtained from external AML/CTF service providers that have not been tailored to suit the reporting entity’s business.
If a template is used as a basis for an AML/CTF program, AUSTRAC expects that it is customised for the reporting entity so that it addresses the specific ML/TF risks faced by the reporting entity.
The Government has recognised that the current AML/CTF Program requirements are complex and require simplification. The report of the statutory review resisted calls for greater prescription, however, on the basis that they would undermine the principles-based approach. Instead, the report recommended that:
AUSTRAC to develop tools and guidance that build the capacity of reporting entities to assess and understand risks and develop AML/CTF programs that respond to those risks. These tools should build on AUSTRAC’s existing sector-specific guidance on understanding risk and developing AML/CTF programs.
Work on this has already commenced, with the release in late 2016 of a risk assessment for the superannuation industry, and in January 2017 for the financial planning industry.
Tip #1: So, to ace your review, make sure you are familiar with AUSTRAC’s risk assessments and other publications relating to your industry, and that your Program not only details the relevant AML/CTF obligation, but also:
- documents the ‘what, who, when and how’ compliance policy your organisation has in place to respond to that obligation; and
- tailors that policy carefully to reflect the ML/TF risk profile, and the unique operations and processes, of your business.
Risk: assessment and management
Risk and risk management are easy to define in the abstract but can be difficult to pin down in practice. Developing, implementing and maintaining an AML/CTF Program requires not only legal and compliance skills, but also expertise in the dark arts of risk assessment and risk management.
AUSTRAC has called ML/TF risk assessment ‘the cornerstone of a compliant AML/CTF Program’. It expects AML/CTF Programs to reflect two kinds of risk assessment:
- an assessment of the ML/TF risks the reporting entity faces as a business (i.e. one that reflects an understanding of how the business’s products or services could be used to launder money or fund terrorism, and how likely it is that this could happen); and
- an assessment of the ML/TF risk of each individual customer.
It is not uncommon for these risk assessments to be done poorly. It is critical, for example, that assessments of products, customer types, jurisdictions and delivery channels are based on evidence. Many AML/CTF Programs simply assert that their customers or products are ‘low risk’. AUSTRAC’s recent assessment of the superannuation and financial planning industries as ‘medium risk’ came as a major surprise to a substantial proportion of both industries. Risk assessments cannot be generic and must reflect the particular circumstances of the reporting entity.
Further, risk assessments must be linked operationally to controls. For example, customers who trigger red flags, and who are therefore rated medium or high risk, must undergo appropriate enhanced customer due diligence measures in response to that rating. The ML/TF risks must also be reflected in the AML/CTF Program wherever an obligation or process is risk-driven.
It is good practice to include regulatory risks in the overall ML/TF risk assessment. These are the risks arising from failure to meet the AML/CTF laws and Rules. In fact, for many reporting entities their regulatory risks are higher than their ML/TF risks. If your business values its reputation, it will work to reduce its regulatory risks.
AUSTRAC has published a great deal about risk assessments. Like any dark art, however, there is an element of judgement involved: knowing what questions to ask (your customers or yourself) and how to organise the information you have. In our view, the necessary expertise cannot be gained from books alone, any more than one can learn to drive by simply reading the manual. Risk managers can be of assistance in workshopping the risk assessment required to develop a program and providing AML/CTF Compliance Officers with the required risk management skills in the process.
Once the risks are identified, it is a simpler task to ensure they are reviewed periodically and kept up to date. Again, it is not uncommon for this simple housekeeping to be overlooked. When you review or update your ML/TF risks and risk register, document and date the review. That way you can state with certainty when it was done and that it is current.
Tip #2: To avoid your first independent review becoming a tutorial in how to conduct an ML/TF risk assessment, consult a risk management expert when you are developing your program to ensure you are correctly identifying the ML/TF risks, and the AML/CTF regulatory risks, to which your reporting entity is exposed and the controls required to address them, and that you have an appropriate risk rating methodology for customers. Once you have acquired the necessary risk management expertise, ensure you keep your risk assessments up-to-date.
Governance: monitoring and oversight
The AML/CTF Laws require that Part A of the AML/CTF Program is subject to ongoing oversight by the governing board and senior management. In a small business with few staff, it is essential to the operation of the business that the AML/CTF Compliance Officer meets regularly with the proprietor(s), if indeed they are not the same person. In larger and more complex organisations, however, with greater separation of board and management, it can be a challenge to engage the board and maintain governance arrangements that are fit-for-purpose (and do not either leave the board inadequately informed or swamp it in unnecessary operational detail in the name of ‘compliance’).
This balance is important and is achievable, as sifting strategic information from operational detail is, fortunately, a core skill of compliance professionals. As a starting point, an AML/CTF update should be a standing item on the Board (or relevant committee) agenda: if not monthly, then quarterly. Matters discussed should include, for example, the results of internal and external reviews of the Program, the annual compliance report, suspicious matter reporting, and important trends and changes in risk assessments. The key consideration is that the AML/CTF Program is not ‘set and forget’ but a living and responsive framework that forms an integral part of the business’s operations. The fact that AUSTRAC does not ‘licence’ reporting entities, unlike ASIC in the credit and financial services industries, does not make AML/CTF any less worthy of board attention.
AUSTRAC provides two key examples of this in its discussion of outsourced and automated functions. It is easy to assume that a function (such as customer due diligence), once outsourced, is the responsibility of the service provider, and that the provider’s systems are compliant and working. Similar reliance and assumptions can arise in an IT context with automated systems. If anything, however, outsourcing and automation introduce additional risks that must be managed; the underlying obligation remains with the reporting entity. To borrow the Russian proverb made famous by Ronald Reagan during the Cold War: “Trust, but verify”.
To give the Board or senior management comfort around the overall AML/CTF framework, it can be prudent to include an element of the compliance management systems standard ISO 19600 (adopted in Australia as AS ISO 19600:2015, which replaced the Australian Standard AS 3806-2006) in the scope of the Independent Review. It is all well and good having a beautifully written AML/CTF Program, but if the overall compliance framework is deficient then problems will arise in its implementation.
Tip #3: Don’t forget to monitor and review all aspects of your program.
Culture and Mindset: a parting word
In Australia, there is no requirement for independent review reports to be submitted routinely to AUSTRAC. AUSTRAC can, however, request any Independent Review report when undertaking a compliance assessment or, worse, under its extremely wide information-gathering powers. Rather than treating the report as a potential threat to your and your organisation’s reputation should it include adverse findings, view the independent review as an opportunity to learn from the reviewer and strengthen your reporting entity’s AML/CTF Program. The stronger your Program, the fewer criminals and terrorists your organisation is unwittingly helping. The Review is your opportunity to improve the AML/CTF Program, so use it wisely. Sometimes the Reviewer may find that your AML/CTF Program is over-engineered and could be re-engineered to target the ML/TF risk more precisely, saving resources.
Tip #4: Cooperation between reviewer and the AML/CTF Compliance Officer is key to a strong program, and the best long-run outcome. The Review is a valuable opportunity to take stock of your overall AML/CTF Program to ensure that it is “fit for purpose” in mitigating both ML/TF risks and, importantly, regulatory risks.
Andrew Ham, Chair, GRCI AML/CTF Discussion Group, Legal Counsel, Wesfarmers Finance Pty Ltd 
Paddy Oliver, Managing Director, AML Experts
Notes
Insights from Compliance Assessments: Good Business Practices and Areas for Improvement, AUSTRAC, December 2016, available at http://www.austrac.gov.au/sites/default/files/compliance-feedback-report-FINAL.pdf
See also Insights from Compliance Assessments, p 17, for a further example.
Insights from Compliance Assessments, p 7.
Report on the Statutory Review of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 and Associated Rules and Regulations, Australian Government, April 2016, pp 83-4.
Report on the Statutory Review, p 84.
Both available at http://www.austrac.gov.au/publications/mltf-risk-assessments. Both assessments concluded that the overall ML/TF risk in these industries is ‘medium’, which in our experience is a higher rating than each industry has given itself.
A popular definition is that in ISO 31000, which defines risk as ‘the effect of uncertainty on objectives’.
Insights from Compliance Assessments, p 4.
Insights from Compliance Assessments, p 9.
Until recently Andrew was a Senior Lawyer at Holley Nethercote Commercial and Financial Services Lawyers, where he conducted numerous independent reviews for a range of reporting entities, particularly in the credit, financial services and remittance industries. Any views expressed in this article are those of the author and do not necessarily reflect those of Wesfarmers Finance or Holley Nethercote.
Paddy is a lawyer and AML/CTF compliance consultant, and an AUSTRAC Authorised External Auditor (s 164(1)). Paddy has carried out numerous Independent Reviews for a wide range of reporting entities in many different industry sectors.