The cost of non-compliance: Tabcorp and the $45 million fine
Last Thursday was an historic day in Australian corporate history. It was the day Tabcorp received the highest recorded civil penalty in Australia; $45 million for breaches of the AML/CTF Act. The buck doesn’t stop there. Once legal costs are factored in, Tabcorp is staring down the barrel of a financial impact exceeding $90 million, not to mention increased operational and compliance obligations, increased scrutiny and reputational damage. It was a day you were glad you weren’t Tabcorp.
In short, Tabcorp’s failings were these:
- It hadn’t enrolled with AUSTRAC as a reporting entity;
- It had insufficient processes and resources to facilitate management oversight, assurance and operational execution of its AML/CTF program. Its AML/CTF function was under-resourced, and Tabcorp’s senior management did not regularly receive reports in relation to AML/CTF compliance or its money laundering/terrorism financing (ML/TF) risks over a three year period;
- It failed to submit or submit within the required 3 business day time frame, suspicious matter reports on over 105 occasions; and
- It failed to undertake KYC on a customer who collected $100,000 in winnings.
AUSTRAC has long held that the financial sector is critical in acting as a first line of defence to detect and prevent money laundering, terrorist funding and other forms of serious and organised crime activities. The importance of the business community complying with its AML/CTF obligations is critical.
This landmark penalty should serve as a wake-up call to organisations as to the powers of AUSTRAC as a regulator and its appetite to enforce non-compliance. Paul Jevtovic, Chief Executive of AUSTRAC welcomed the decision and said during a media conference: “If you do not take your AML/CTF Act obligations seriously, AUSTRAC will take action”. So what are some key insights you can take away from the Tabcorp case?
- First, undertake a review of your existing business operations to determine if you fall within the AML/CTF framework, and if so, register with AUSTRAC.
- Ensure your risk assessments are tailored to your business activities, are reviewed on a regular basis including if and when there are changes in your business activity.
- Conduct regular training with staff to promote awareness and understanding of your AML/CTF obligations, including the requirements to report suspicious matters.
- Review and test your current procedures and systems to ensure that they are fit for purpose – are staff aware of how to identify and report a suspicious matter? How well has the process worked in the past? Here’s a tip – if you’ve been in operation for a while and haven’t had a suspicious matter then this may be an indicator that your procedures may be wanting.
- Ensure that you undertake frequent internal reporting and that an independent review is undertaken on a regular basis.
AUSTRAC and recent insights into Compliance Assessments
Ever wondered what AUSTRAC does with your section 47 Reports? Well now we know. For the first time, AUSTRAC has published a report of its key Insights from Compliance Assessments (the Report). As the name suggests, the Report highlights trends which AUSTRAC has identified as weaknesses within reporting entities with an existing AML/CTF compliance framework and suggests improvements to address these key areas. We’ve summarised AUSTRAC’s key insights for you below.
Tailored risk assessments
It should come as no surprise that a generic risk assessment will give a generic response and may not adequately identify ML/TF risks faced. However, AUSTRAC has identified it as an area of concern and one that goes to the heart of a robust AML/CTF Program. You should review your ML/TF risks assessments to ensure that the program demonstrates a clear understanding of how your products and services could be misused by criminals to launder money or fund terrorism and how likely it is that each product or service could be misused. Understanding where ML/TF risks existing allows you to build an effective AML/CTF compliance program to meet day-to-day operations and specific risks which apply to your business.
Adapting to Changes
Risks are dynamic in nature, much like your business and the wider environment in which you operate. It follows that your ML/TF risk assessment should also evolve over time to reflect changes and experience. In particular, you should be reviewing your experience arising from suspicious matter reports and ongoing customer due diligence activity to identify new patterns of behaviour and incorporating these insights into your risk assessments.
Money laundering and terrorism financing are different!
The drivers behind ML/TF activity are different, presenting different indicators and risks. Having a clear understanding and awareness of what activity may be an indicator of money laundering or terrorism financing is essential to implementing an AML/CTF compliance Program within your business. How well do you and your staff know your indicators?
Documenting systems and controls
Ensure that your AML/CTF Program demonstrates that you have actively considered your AML/CTF obligations, the specific ML/TF risks you face, the systems you will use to identify, mitigate and manage those risks and meet specific regulatory requirements. Do not just recite the AML/CTF Rules!
Insufficient oversight for outsourced or automated functions
Outsourcing or automating AML/CTF activities can assist you to manage your AML/CTF activities but they do not remove your underlying responsibilities. As such, having clear contracts and service level agreements which outline clear roles, responsibilities and performance measures and controls is key. In circumstances where automated systems are used to undertake AML/CTF processes, such as transaction monitoring, having controls in place such as regular testing to ensure that the program is functioning as intended, is key as are the skills, experience and resources available to analyse and assess the automated alerts in a timely and thorough manner.
Board of Directors oversight over these functions and procedures
AUSTRAC recommended that it is good practice for boards to be aware of AML/CTF legislative obligations and procedures that are in place to ensure companies were meeting AML/CTF requirements.
Independence and Completeness of Independent Reviews
You should ensure that any potential conflicts arising from the author of your AML/CTF Program and the person undertaking the review are considered and managed. In addition, you should as part of your review process, ensure that any independent review addresses the four criteria set out in the Rules. The independent review should assess:
- The effectiveness of Part A of the program in addressing the ML/TF risk of the reporting entity or each reporting entity in a designated business group;
- Whether Part A complies with the requirements outlined in the AML/CTF Rules;
- Whether Part A has been effectively implemented; and
- Whether the reporting entity has complied with Part A of its program.
Updating enrolment details
Many reporting entities failed to include in their AML/CTF Programs their obligation to update their enrolment details within 14 days of any change occurring. It is a legal obligation to maintain current and correct AUSTRAC enrolment details, including earnings and contact details.
The AML/CTF regime is complicated, and is subject to almost constant change. CompliSpace assists its clients to unravel the complexities in this area, providing a full suite of AML/CTF services, ranging from external independent reviews, in house training, AML/CTF Program design, and KYC services.