Aside from the remittance sector, AUSTRAC's enforcement activity has been relatively dormant over the last few years, occasionally bubbling away like a volcano: quietly active but not posing an immediate threat. Then... BOOM! It erupts with force, power and unequivocally on its own terms, taking everyone in its sights by surprise. It is fair to say that the recent enforcement actions against CBA and Tabcorp demonstrate that the Regulator certainly has teeth and the confidence to take on any reporting entity it considers not to have met its AML/CTF obligations.
The AML/CTF Act and Rules create a regime in which each reporting entity is required to implement certain controls, creating a first line of defence in combatting money laundering or terrorism financing (ML/TF) within its organisation. From a regulatory perspective, AUSTRAC has been known for taking a more collaborative approach in fulfilling its regulatory function, working with industry rather than taking a heavy-handed approach. As a result, many reporting entities have either misunderstood, mistaken or downplayed the importance of meeting their AML/CTF obligations.
As such, the issue of regulatory risk is often not considered by businesses to be either ‘real’ and/or ‘material’. That is a big mistake... huge in fact. Just ask Tabcorp and CBA. Earlier this year, AUSTRAC successfully sought civil penalties against Tabcorp for failing to meet a number of its AML/CTF obligations, including:
- failing to submit Suspicious Matter Reports (SMRs) on 105 occasions; and
- failing to undertake KYC on a customer and poor management oversight.
For those breaches, it was ordered to pay $45 million in civil penalties; the largest Australia has ever seen. However, the true financial cost of its regulatory failure was closer to $90 million.
Just over four months later, AUSTRAC has struck again, this time commencing civil penalty proceedings against CBA for systemic breaches of its AML/CTF obligations which were sustained over a three year period between 2012 and 2015 and included:
- failing to undertake a risk assessment when introducing its Intelligent Deposit Machines (IDMs);
- failing to submit Threshold Transaction Reports (TTRs) on over 53,700 transactions;
- instances of failing to submit a Suspicious Matter Report; and
- failing to undertake enhanced customer due diligence as a result of suspicious matters.
Those breaches have the potential to attract a maximum penalty of $1 trillion, although that is highly unlikely. What is likely, if the allegations are proved, is a fine which will dwarf Tabcorp's and will no doubt serve as both a specific and general deterrent to industry.
Overview of CBA’s alleged conduct
By now you've probably read and understood that the allegations made by AUSTRAC against CBA centre around its IDMs. These machines allowed non-bank customers to deposit up to $20,000 without providing identification. The funds were then instantly credited to the nominated recipient account and were available to be transferred to other accounts both domestically and internationally. Not surprisingly, IDMs were an extremely successful channel for CBA, which saw $5.81 billion in cash deposits between January and June 2016.
However, over a three year period between 2012 and 2015, CBA failed to lodge over 53,000 TTRs for deposits received which exceeded the $10,000 threshold for reporting under the AML/CTF legislation. Of those late TTRs, 1,640 were transactions connected with known money laundering syndicates.
It was also alleged that CBA failed to lodge SMRs in relation to several money laundering syndicates, even though it was aware of suspicious activity on some of its accounts. CBA said the reason for failing to submit SMRs was that previous SMRs had been lodged for similar activity. Furthermore, in January 2015, CBA became aware that some of its customers were using its accounts for unlawful activity. It suspected that one of its customers was running an unregistered remittance business, but this was still not reported to AUSTRAC.
From a procedural perspective, CBA did not follow the steps outlined within its AML/CTF Program in relation to these deposits, such as collecting and verifying KYC information from the depositor. It also did not carry out an assessment of the ML/TF risk posed by the rise in cash deposits resulting from the rollout of the IDMs, nor a review to question why its TTRs had been declining.
So, what exactly is regulatory risk?
AUSTRAC generally expects a business's risk management practice to address two main risks: business and regulatory. Business risk is essentially the risk that your business may be used for ML/TF, and must address, among other things:
- customer risks;
- products or services risks;
- business practices and/or delivery method risks; and
- country or jurisdictional risks.
Regulatory risk is the risk associated with not meeting your obligations under the AML/CTF Act and Rules; for example, the risk of failing to submit TTRs to AUSTRAC when required to do so under the AML/CTF Act. The enforcement action by AUSTRAC against CBA is predominantly focused on this risk area.
Key issues in managing regulatory risk are:
a) an understanding of both regulatory expectations and how your business processes address these expectations; and
b) identification of process improvement opportunities to ensure the effective and consistent management of compliance and regulatory obligations.
Regulators such as AUSTRAC, ASIC, APRA, ASX and OAIC regularly publish guides, case studies, reports and strategic plans to provide guidance to industry and to articulate their expectations as to what activity and conduct is expected of businesses in meeting their legislative obligations.
How to Manage Regulatory Risks
1. Document your Regulatory Risks
We undertake numerous Independent Reviews each year and regulatory risk is often completely overlooked, regardless of whether we are reviewing a global fund manager or a small advisory business. Each reporting entity should clearly capture its business and regulatory risks (ideally within a risk register), including any controls that the business has implemented to manage each risk.
So, as an example, if your business is one that may accept physical currency, then the regulator (and any prudent manager) would presumably want some visibility of the likelihood of the business failing to submit TTRs to AUSTRAC, the consequences if that did occur, and the measures the business has implemented to reduce that likelihood and/or those consequences.
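The control described above (visibility of whether every reportable cash deposit actually resulted in a TTR, and whether TTR volumes are drifting downwards while cash volumes are not, which is the review the article says CBA never performed) can be made concrete as a reconciliation check. The following is an added illustration, not code from the original article or from CompliSpace. It assumes deposit records carry an id, a date and an amount, that the business keeps a set of deposit ids for which a TTR has been lodged, and that a deposit of exactly $10,000 is treated as reportable (the article only says "exceeded the $10,000 threshold"; the inclusive reading is this example's assumption). The deposit data is constructed for the example.

```python
from datetime import date

# Threshold named in the article for TTR reporting of physical currency (AUD).
# Assumption for this example: a deposit of exactly this amount is reportable.
TTR_THRESHOLD = 10_000

# Constructed sample data: cash deposits taken through an unattended channel
# over three months. Each record has a deposit id, a date and an amount.
DEPOSITS = [
    {"id": "D1",  "date": date(2015, 1, 5),  "amount": 12_000.0},
    {"id": "D2",  "date": date(2015, 1, 9),  "amount": 9_500.0},   # below threshold
    {"id": "D3",  "date": date(2015, 1, 21), "amount": 15_000.0},
    {"id": "D4",  "date": date(2015, 2, 2),  "amount": 10_000.0},  # exactly at threshold
    {"id": "D5",  "date": date(2015, 2, 11), "amount": 20_000.0},
    {"id": "D6",  "date": date(2015, 2, 18), "amount": 11_000.0},
    {"id": "D7",  "date": date(2015, 2, 25), "amount": 8_000.0},   # below threshold
    {"id": "D8",  "date": date(2015, 3, 3),  "amount": 18_000.0},
    {"id": "D9",  "date": date(2015, 3, 10), "amount": 13_000.0},
    {"id": "D10", "date": date(2015, 3, 17), "amount": 10_500.0},
    {"id": "D11", "date": date(2015, 3, 30), "amount": 10_000.0},
]

# Constructed: deposit ids for which the business has a record of a lodged TTR.
LODGED_TTRS = {"D1", "D3", "D4", "D11"}


def reconcile(deposits, lodged, threshold=TTR_THRESHOLD):
    """Compare reportable deposits against lodged TTRs.

    Returns a dict with:
      missing   - ids of reportable deposits with no lodged TTR
      months    - per (year, month): count of reportable deposits and of lodged TTRs
      declining - months where lodged TTRs fell from the prior month while the
                  number of reportable deposits did not fall (the trend a
                  'why are our TTRs declining?' review should pick up)
    """
    reportable = [d for d in deposits if d["amount"] >= threshold]
    missing = sorted(d["id"] for d in reportable if d["id"] not in lodged)

    months = {}
    for d in reportable:
        key = (d["date"].year, d["date"].month)
        m = months.setdefault(key, {"reportable": 0, "lodged": 0})
        m["reportable"] += 1
        if d["id"] in lodged:
            m["lodged"] += 1

    declining = []
    ordered = sorted(months)
    for prev, cur in zip(ordered, ordered[1:]):
        p, c = months[prev], months[cur]
        if c["lodged"] < p["lodged"] and c["reportable"] >= p["reportable"]:
            declining.append(cur)

    return {"missing": missing, "months": months, "declining": declining}


def coverage(months):
    """Lodged-to-reportable ratio per month, the figure a risk register's
    'likelihood' column for this risk should be informed by."""
    return {k: v["lodged"] / v["reportable"] for k, v in months.items() if v["reportable"]}


if __name__ == "__main__":
    result = reconcile(DEPOSITS, LODGED_TTRS)
    print("Reportable deposits without a lodged TTR:", result["missing"])
    for month, stats in sorted(result["months"].items()):
        print(f"{month[0]}-{month[1]:02d}: reportable={stats['reportable']} "
              f"lodged={stats['lodged']} coverage={coverage(result['months'])[month]:.0%}")
    print("Months where TTR lodgements fell while reportable volume did not:",
          result["declining"])
```

Run against the constructed data, the check lists five reportable deposits with no TTR, shows coverage sliding from 100% in January to 33% and then 25%, and flags February as the month where lodgements dropped while reportable cash volume rose. The output is what feeds the risk register entry: the missing list is the incident record, and the coverage trend is evidence for the likelihood rating and for whether the existing controls are working.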
2. Ask the tough questions
Have you really challenged your risk controls, including the information reported on and your overall reporting framework? Is it still fit for purpose? Are staff informed and enabled to identify and report issues? When was the last time you had an external independent review?
Undertake a review of your internal governance, risk and compliance framework and supporting processes, to assist in identifying improvements beyond your own experience. Be honest and critical in your assessment. Better still, ask someone independent to review and test your framework and assumptions to ensure it remains fit for purpose and is updated to reflect changes in the external regulatory environment.
3. Understand and acknowledge the changing landscape
Regulators and their powers exist for a reason and as the old adage goes: “Past performance is not an indicator of future performance.” Australian regulators have been putting the market on notice for a while now and they are using their enforcement powers more frequently. AUSTRAC in particular is under pressure to use more of its enforcement powers from the Financial Action Task Force (FATF) (the global body that monitors the progress of its members in implementing necessary AML/CTF measures), and the regulator is also actively seeking additional powers.
It is time to wake up to this perfect storm: the regulatory environment is changing, which means your governance, risk and compliance efforts should too.
4. Educate yourself and your staff
When was the last time you attended an external course on AML/CTF? Do you just give your staff a brief overview of AML/CTF on induction and then leave them to it? Staff education is a key control in managing regulatory risk. So, if you play a key role in your AML/CTF program then make sure that you keep your knowledge up to date. Key staff should also maintain similar training plans which could include ensuring the AUSTRAC newsletters and publications are read, attendance at external workshops, or engaging consultants to provide independent training on regulatory requirements.
5. Invest in solutions
Without clear visibility of your overall compliance performance, a breach of the AML/CTF Act or Rules is likely, particularly given the sheer volume of legislation in this area. Managing risks, controls and incidents through manual processes or an Excel spreadsheet is almost impossible in today's regulatory environment, particularly as AML/CTF risk will be one of many risk categories within your organisation. Online solutions are now readily accessible and affordable and, depending on the nature, size and complexity of your business, are seen by regulators as necessary to appropriately manage and report on regulatory requirements.
How CompliSpace can help
The AML/CTF regime is complicated, and is subject to almost constant change. CompliSpace assists its clients to unravel the complexities in this area, providing a full suite of AML/CTF services, ranging from external independent reviews and in-house training to AML/CTF Program design and KYC services.
Our team of compliance professionals and lawyers combine extensive expertise alongside practical technology-enabled solutions to simplify the complexity of the financial services regulatory environment to allow clients to focus on allocating resources toward improving financial performance.
Please contact Brooke Benson to discuss your AML/CTF requirements further.