Australia: Why your AML/CTF Program needs to be independently reviewed regularly

We have conducted lots of independent reviews. In this article we explain who the review obligations apply to, who can undertake them, where they come from, and what to expect.

If you provide financial, lending, remittance, gambling, digital currency (crypto asset) exchange or bullion-related services, you must enroll with the Australian Transaction Reports and Analysis Centre (AUSTRAC) as a reporting entity, and comply with the Australian anti-money laundering and counter-terrorism financing (AML/CTF) laws. Remitters and digital currency exchanges (DCEs) also need to register with AUSTRAC (yes, enrolment and registration are different things). AUSTRAC is Australia's AML/CTF regulator and specialist financial intelligence unit (FIU).

An important element of your AML/CTF compliance is the requirement to ensure that Part A of your AML/CTF Program is subject to an independent review. Part A of your AML/CTF Program includes policies and procedures which set out how you comply with your AML/CTF obligations, including (for example) management oversight procedures, an assessment of your business's money laundering and terrorism financing (ML/TF) risk, employee due diligence procedures, record keeping procedures, AUSTRAC reporting obligations and ongoing customer due diligence. Part B of your AML/CTF Program sets out your procedures for identifying and verifying your customers' identities.

What is an independent review of an AML/CTF Program?

AUSTRAC explains that an independent review is an impartial assessment of Part A of your AML/CTF Program, and considers:

• the effectiveness of Part A of the Program, taking into account the ML/TF risks which are faced by your business;
• whether Part A of the Program complies with the AML/CTF laws;
• whether your business has effectively implemented the policies and procedures set out in Part A of the Program; and
• whether your business has complied with the obligations set out in Part A of the Program.

The obligation to have an independent review comes from the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (Rules). In particular:

• Part 8.6 of the Rules imposes the obligation on reporting entities that are required to have a standard AML/CTF program (see footnote 1 for an example of an exempt entity).
• Part 9.6 of the Rules imposes the obligation on reporting entities that have a joint AML/CTF Program. This is for reporting entities that are part of a designated business group (DBG).

Who can conduct an independent review?

The person that you appoint to conduct the independent review can be either an internal employee, or an external consultant, however they must be independent.

According to the AML/CTF Rules, "independent" means that the reviewer must not have been involved in:

• undertaking any of the AML/CTF obligations or procedures which are being reviewed;
• the design, implementation or maintenance of the procedures outlined in Part A of the Program; or
• the development of your ML/TF risk assessment or related internal controls.

This means that for a business with a small number of compliance staff, it will be difficult to appoint an internal person to conduct the review, as it is likely that they will not be considered to be independent.

However, a larger organisation (with several separate departments) could appoint an independent internal person to conduct the review, assuming that the reviewer has sufficient knowledge and expertise in AML/CTF law.

If you decide to appoint an external consultant to conduct the independent review, according to AUSTRAC, that person should be experienced in understanding and interpreting the AML/CTF laws, and in conducting independent reviews.

How often should Part A of your AML/CTF Program be independently reviewed?

The AML/CTF Act states that the independent review should be conducted "regularly", having regard to the nature and size of your business, the complexity of the services you provide, and the level of ML/TF risk faced by your business.

You could also arrange for an independent review when there has been a change to the business, or you have had compliance issues. For example, an independent review could be appropriate when you:

AUSTRAC guidance states that "high risk" organisations should arrange for an independent review every 2 to 3 years. In our experience, most reporting entities determine that a 2-3 year period between reviews is appropriate.

• change the services you provide;
• allow customers to transact using cash;
• provide services to customers with connections to high risk jurisdictions,

or if your industry or competitors are the subject of increased AUSTRAC scrutiny or enforcement action.

What's involved in an independent review?

When we conduct independent reviews, we check whether Part A of the Program includes policies and procedures which cover off on each of the business's Part A AML/CTF obligations, check whether each obligation has been effectively implemented, and whether they have been complied with.

On a practical level, this involves reviewing a number of documents, including:

• the AML/CTF Program document, the ML/TF risk assessment, and all supplementary policies and procedures;
• documents which show that the business has in fact complied with all of its AML/CTF obligations – for example:
  • AML/CTF training materials;
  • employee due diligence checks;
  • examples of the suspicious matter reports submitted during the review period (de-identified);
  • examples of when the ongoing customer due diligence, transaction monitoring and enhanced customer due diligence were conducted; and
  • the previous year's AUSTRAC Annual compliance report.

After reviewing the source documents, we then schedule a video call with the business to go through their management oversight and governance procedures, customer onboarding systems, ongoing monitoring and enhanced customer due diligence procedures, and transaction monitoring procedures.

We usually speak to the AML/CTF compliance officer, a representative of senior management of the business, and other compliance staff as required.

We then prepare a report of the review, which is a requirement of the AML/CTF legislation, and includes:

• the methodology we used to conduct the review;
• our findings; and
• our recommendations in relation to any amendments to the AML/CTF Program, or to the way that the business has implemented the policies and procedures in the Program.

The business must provide the independent review report to senior management, and to the board (where appropriate).

Is a review of Part B of your program required?

Not strictly speaking. However, we typically conduct high-level testing of whether the business has also complied with its Part B (KYC) obligations. Whilst this is outside the strict legal scope of a Part A independent review, we think reviewing your Part B obligations is an important way to test how effective you have implemented and complied with your Part A obligations.

Top 4 independent review report recommendations:

We regularly conduct independent reviews of many AML/CTF Programs, in a range of industry sectors, including remittance businesses, ¹, fund managers, derivatives and CFDs providers, and digital currency exchanges. Our most common recommendations include:

1. Ensure that your AML/CTF Program is based on an up-to-date, complete ML/TF risk assessment, which includes each risk category set out in the AML/CTF Rules.

The ML/TF risk assessment must consider your business's customer types, services and products, methods of delivery, and jurisdiction risks. It is not enough to state that you have applied a blanket assessment of "low risk" to your customers or products because (for example) you do not deal with cash, all customers are located in Australia, or you have determined that it would be difficult for customers to launder money or finance terrorism via your business.

You should have in place a detailed risk assessment methodology, which includes an assessment of the controls (being your AML/CTF procedures) which have been implemented to manage the risk that your business could be used to facilitate ML/TF activity.

When conducting your ML/TF risk assessment, we note that AUSTRAC has prepared a number of sector-based ML/TF Risk Assessments, which focus on a number of industry sectors (recent ones include the non-bank lending sector, remittance sector, superannuation funds and the banking sector). These industry risk assessments can be very useful to learn about the common ML/TF and fraud risks for your sector, and also suggest effective controls which others have implemented.

You must also ensure that the ML/TF risk assessment is reviewed and updated when you offer any new services, or if you change the way you deliver services to customers (including by implementing new technology solutions). In our experience, many businesses include this obligation in their AML/CTF Programs, but cannot provide examples of when this procedure has been complied with.

2. Ensure that your customer identification and verification procedures (KYC checks) are risk-based.

As well as the "enterprise wide" ML/TF risk assessment described above, you are also required to assess the ML/TF risk posed by each customer, and conduct risk-based KYC checks on the customer. For example, any customers assessed as posing a high ML/TF risk must be the subject of enhanced customer due diligence checks.

In our experience, many reporting entities apply a blanket "low/medium" ML/TF risk rating on all customers, as they have determined that their business generally is "low risk". This is contrary to the requirements of the AML/CTF laws.

3. Ensure that you implement appropriate management oversight and governance procedures, to ensure that any AML/CTF obligations which are outsourced to a third party are conducted properly, and in accordance with the AML/CTF laws.

A reporting entity is required to maintain management oversight of the way in which it complies with its AML/CTF obligations. In practice, this means scheduling regular meetings between the AML/CTF compliance officer and the directors or Board, to discuss any AML/CTF issues or required compliance actions, and understand how the business is complying with its obligations.

A business may outsource one or more of its AML/CTF obligations to a third party. For example:

• some reporting entities use third party electronic verification providers to conduct KYC checks on customers, or also, use automated transaction monitoring services.
• Fund managers and trustees typically rely heavily on outsourced administers to undertake a lot of their AML/CTF obligations.

Your management oversight procedures should include a process whereby the business is satisfied that the outsourced services are being provided properly, and in accordance with your AML/CTF Program. A way in which you could do this is to require the service provider to submit regular audit reports which summarise their performance over the previous time period (e.g. 3 months), which is then considered by management and any anomalies addressed. See here to see an article we've written about outsourcing your KYC obligations.

4. Ensure that your AML/CTF Program is tailored to reflect your business, and you are actually implementing all of the procedures set out in your AML/CTF Program.

A common deficiency in some AML/CTF Programs is where the Program simply paraphrases the obligations set out in the AML/CTF laws, and does not set out the procedures implemented by the business to ensure that it complies with those obligations. Some AML/CTF Programs are based on templates which have not been tailored to reflect your services and customer types. AUSTRAC takes a dim view of Programs which it deems to be "generic" or insufficiently tailored to reflect your business and your ML/TF risk assessment.

For example, rather than just stating that you will comply with the obligation to conduct and maintain your ML/TF risk assessment, ensure that the AML/CTF Program includes details of how and when this obligation will be complied with, and who is responsible for its implementation.

In some independent reviews, upon discussing the requirements with the business directly, they often explain that despite the high-level procedure referred to in the Program (which could be simply a repeat of the legislation, or the wording has been taken from a template Program), the actual procedure that they implement is quite different. Your AML/CTF Program should set out all of the procedures that the business has in place, and not merely re-state the requirements of the AML/CTF law.

At Holley Nethercote Lawyers, we can assist you with complying with your AML/CTF obligations by providing you with legal advice, conducting independent reviews, and assisting you with amending your AML/CTF Program to incorporate any recommendations which flow from an independent review. For businesses that require an Australian AML/CTF Program, we offer a template AML/CTF Program and Risk Register that can be easily tailored to your business.

Footnote

¹ Some financial advice providers do not strictly require an independent review. This is the case if they are purely an "Item 54 Provider", who only needs a Special AML/CTF Program. See here for more information about the differences: https://www.hnlaw.com.au/whats-the-difference-between-a-standard-aml-program-and-one-for-financial-advisers/

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.