AML/CTF Program Governance Raises Its Head Again
Like the AfterPay Notice to Appoint an External Auditor, the Notice issued to PayPal takes a little deciphering, especially around the AML/CTF Rule numbers. I understand why the Notices are written in this way as they are for the reporting entity (and the External Auditor): however, only stating section or rule numbers can cause confusion for the wider audience to whom these Notices are also aimed. In this article I will try to expand on some of the areas outside the headline issue of IFTI reporting (AML/CTF Act subsections 45(2) & 45(3)).
Overarching Audit Requirements
Before I move to the specifics of the Notice, it is worth mentioning one of the over-arching requirements placed upon the External Auditor under the Notice. Paragraph 9 states that:
“The audit report must contain details of:
9.A Any provisions of the AML/CTF Act and/or the AML/CTF Rules which the external auditor concludes PayPal has not complied with or is not complying with; and
9.B. The facts on which the auditor has relied to conclude any provisions identified in 9.A have not been or are not being complied with”.
Para 9.A is considerably wider than the defined matters to be covered in the audit as laid out in the Schedule to the Notice. Para 9.A requires the External Auditor to report upon any breach of either the AML/CTF Act and/or the AML/CTF Rules, past or current. This is a very broad remit for the External Auditor, as there is little doubt that he or she may very well find other breaches of the Act or Rules whilst conducting the audit. If the External Auditor finds breaches, past or current, he or she must put this information into the report. I doubt that any reporting entity would be able to state that there has never been a breach of the Act or Rules.
Specific Audit Requirements
On to the Schedule to the Notice, which mandates the specific areas subject to the audit, namely: the AML/CTF Program; compliance with IFTI reporting obligations; and record keeping obligations. Keep in mind that the audit period begins on 1st July 2010, coincidentally around the time when PayPal’s Enforceable Undertaking from 2009 was due to be completed.
When rule numbers are stated beginning with 9, these refer to Rule 9, which relates to Joint AML/CTF Programs for Designated Business Groups. For most reporting entities the equivalent is the Rule 8 obligation, which is basically the same.
Para 12. Whether each version of PayPal’s Part A Program in operation since 1st July 2010 complied with the requirements of subparagraphs 9.1.5(3), 9.1.5(4) and 9.1.5(5) of the AML/CTF Rules.
9.1.5 Part A must be designed to enable the group to:
9.1.5(3) - identify significant changes in ML/TF risk for the purposes of the group’s Part A and Part B programs, including:
(a) risks identified by consideration of the factors in paragraph 9.1.4; and
(b) risks arising from changes in the nature of the business relationship, control structure or beneficial ownership of its customers; and
9.1.5(4) - such changes in ML/TF risk to be recognised for the purposes of the requirements of the group’s Part A and Part B programs; and
9.1.5(5) - identify, mitigate and manage any ML/TF risk arising from:
(a) all new designated services prior to introducing them to the market;
(b) all new methods of designated service delivery prior to adopting them;
(c) all new or developing technologies used for the provision of a designated service prior to adopting them; and
(d) changes arising in the nature of the business relationship, control structure or beneficial ownership of its customers.
These are the ML/TF Risk Assessment provisions of the Rules. That should equate to a considerable number of ML/TF Risk Assessments for the External Auditor to consider.
Para 13. Whether PayPal complied with the requirements of Part 9.4 of the AML/CTF Rules in respect of each version of its AML/CTF Program in operation from 1st July 2010.
9.4 - Oversight by boards and senior management
Just like the AfterPay Notice, the issue of AML/CTF Program governance is raised again by AUSTRAC. Auditing the approval of each version of an AML/CTF Program is relatively straightforward. Auditing the “ongoing oversight” by each PayPal reporting entity’s board or senior management will be more problematic. As neither the AML/CTF Act nor the AML/CTF Rules define “oversight”, the External Auditor will need to come to a working definition of this governance concept.
Para 14. Whether, in putting in place risk-based systems and controls to ensure compliance with the requirements of subsection 45(2) of the AML/CTF Act, each version of PayPal’s AML/CTF Program met the requirements of paragraph 9.1.3 of the AML/CTF Rules from 1st July 2010.
Section 45(2) - reporting IFTIs within 10 business days.
9.1.3 Some of the requirements specified in these Rules may be complied with by putting in place appropriate risk-based systems and controls. In determining and putting in place appropriate risk-based systems and controls, Part A must have regard to the following factors in relation to each reporting entity in the designated business group:
(1) the nature, size and complexity of business; and
(2) the type of ML/TF risk that might be reasonably faced.
This is the first time that I have come across the Sect 45 IFTI reporting obligation being linked directly to the ML/TF Risk Assessment outside an assessment of regulatory risk. A curious development, which will cause some anxiety for remitters and ADIs.
Para 15. Whether each version of PayPal’s Part A Program met the requirements of subparagraphs 9.9.1(1) and 9.9.1(2) of the AML/CTF Rules, in so far as it relates to PayPal’s obligation under section 45 of the AML/CTF Act from 1st July 2010.
Sect 45 - Reports of International Funds Transfer Instructions
9.9.1 Part A must include:
9.9.1(1) the obligations that apply to each of the reporting entities under sections 41, 43, 45 and 47 of the AML/CTF Act (reporting obligations); and
9.9.1(2) appropriate systems and controls of each of the reporting entities designed to ensure compliance with the reporting obligations of the reporting entity.
Rule 9.9.1(2) can be considered a governance obligation. How does a reporting entity “ensure compliance” with its reporting obligations?
Para 16. Whether the requirements of PayPal’s AML/CTF Program that relate to section 45 of the AML/CTF Act have been effectively implemented throughout the period from 1st July 2010.
Has PayPal effectively implemented all of the IFTI capture and reporting requirements stated in its AML/CTF Program? Remember, a reporting entity must have, and comply with, an AML/CTF Program (Sects 81 and 82).
Record Keeping Obligations
Para 20. In respect of PayPal’s obligations under section 45 of the AML/CTF Act only, whether PayPal has failed to comply with the requirements of sections 106 and 107 of the AML/CTF Act at any time during the Relevant period, and if so:
a. the cause, nature and scope of the failure;
b. the actions, if any, PayPal has taken to remediate the failure, and whether those actions were effective; and
c. whether in each instance PayPal took appropriate steps to ensure that a similar failure to comply does not occur in future.
Sect 106 - Records of designated services
Sect 107 - Transaction records to be retained
Even leaving aside the audit requirements around IFTI reporting, the Notice tasks the External Auditor with a complex audit, especially around the AML/CTF Program governance and ML/TF Risk Assessment issues.
The AfterPay and the PayPal Notices should serve as a warning that AUSTRAC is focussing more on AML/CTF Program governance. About time too.