AML/CTF risk management: is it part of your company’s DNA?



Australia Publication December 4, 2019

We recently wrote a piece asking if our clients are treating anti-money laundering (AML)/counter-terrorism financing (CTF) risk seriously enough. We asked that question in light of the stark change in the regulatory landscape over the last 12–18 months, particularly with AUSTRAC’s well-publicised actions against various major organisations in the banking and payment space. This is in addition to APRA’s and ASIC’s intense focus on governance and how firms are managing non-financial risk.

The regulatory and enforcement landscape has continued to evolve. These changes should now leave no doubt in the minds of regulated entities that boards and senior management have to take AML/CTF risk management seriously. Aside from the very real human impact of money laundering, the possible consequences of getting compliance wrong can be severe: court proceedings, threat of a class action, loss of jobs, a parliamentary enquiry, adverse media coverage, plunging share price, investigations by ASIC, APRA and the Australian Federal Police and unquantifiable damage to brand and reputation. Regulated entities should also reflect on what needs to be done if AUSTRAC does make enquiries and/or commences a formal investigation.

Take Stock – Now

It is not too late for organisations to take stock. In fact, addressing any gaps now should minimise the impact of any adverse findings later. Starting at the top, the directors and senior executives have to engage seriously and effectively with the challenge of AML/CTF compliance risk. The message has to be loud and clear about who is the primary owner of AML/CTF risk (in the case of banks, the first line/the business owns the risk) and that compliance is critical. The cultural attitude is all-important; all employees must understand that they have a role to play in identifying, mitigating and managing AML/CTF risk. People have to be positively encouraged to speak up and escalate issues – and, when they do, they have to be supported.

It is time to:

  • review and update your risk assessments;
  • review applicable regulations and ensure that you are meeting your obligations under law/regulation as well as guidance notes issued by AUSTRAC and other regulators;
  • review historical internal/external audit reports that may have identified AML/CTF control gaps and check if these gaps have been remediated (and if not, why not);
  • revisit your disclosures to your regulators and think about whether these need to be refreshed;
  • do a “read across” to determine if the lessons learned from any known issues can help you identify new ones; thinking outside the box can help identify other unknown issues; and
  • consider if your AML detection technology is fit for purpose and aligned with your product offering.

AUSTRAC Enquiries: Pause, Reflect, Plan and Act

If AUSTRAC does make enquiries, requesting documents and information, it is important to pause, reflect, plan and act. Understandably, regulatory enquiries will be stressful and demanding but the need to respond in a detailed, accurate and timely fashion cannot be overstated. 

It is important to bear in mind that AUSTRAC will review and assess information provided to it as part of any self-disclosure and determine whether it needs to make its own enquiries, which it may then use in support of its case. 

Arriving at the right response to AUSTRAC will require the firm to think about not only the specific wording of the request/enquiry, but also what is at the heart of AUSTRAC’s concerns. Clarifying this with the regulator, if needed, is part of the process – and having an existing constructive relationship with AUSTRAC can help with this. Achieving this effectively could also help the firm anticipate AUSTRAC’s concerns and therefore be ready to discuss these meaningfully with the regulator.

Getting this right requires response teams to be properly empowered and resourced. Firms should also consider how to manage the response to enquiries and any on-going remediation work concurrently; setting up a designated project team with clear responsibility and accountability is one option.

Role of Third Party Advisors

During an investigation, bringing in external advisors or appointing independent experts to help will be important but it is critical that accountability is not delegated.

It is management and employees who know the inner workings of an organisation, the possible technical rationale of AUSTRAC’s enquiries and how to best respond. With the right support and advice, it is those employees who can help an organisation come through a difficult time. Those same employees can use the (gruelling) experience to “up-skill” and apply that knowledge for the benefit of the company once the crisis passes and the company is moving to a “business-as-usual” state.

If an independent expert is appointed (either by the firm or at the behest of a regulator), the firm must ensure that suitable accountability and governance are established over how recommendations are completed, embedded in the day-to-day running of the company and assured/validated.

In early December, Norton Rose Fulbright is hosting AUSTRAC outreach events in Brisbane, Sydney, and Melbourne (4, 10 and 12 December respectively) where it is likely that a number of these issues will be canvassed and discussed. 
