Room to improve AML/CTF Systems and Controls – Our take on AUSTRAC’s Risk Assessment
In July 2017, AUSTRAC released its latest money laundering and terrorism financing (ML/TF) risk assessment which focuses on the securities and derivatives sector. Similar to past risk assessments released by AUSTRAC, this risk assessment has a broader application to the financial services industry as a whole.
Below, we outline a number of findings from the report along with our recommendations. We suggest that you consider whether these findings are relevant to your business and make changes to your Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) program, Risk Register and mitigating controls where appropriate.
The assessment highlights that the ‘occupation of your clients’ deserves greater scrutiny as part of the risk assessment. The customer occupations most likely to be the subject of Suspicious Matter Reports (SMRs) are occupations in the finance industry and managers or directors of businesses. Interestingly, customers who list their occupation as ‘unemployed’ constitute 35% of SMRs.
In addition, there are also a number of low risk customer indicators that the assessment suggests you consider (if you are not already). These include where the customer:
- is also a responsible entity under AML/CTF legislation;
- is subject to oversight by other regulators (e.g. ASIC or APRA); or
- has strong internal governance arrangements and controls in place, including detailed compliance programs, employee screening and accountability mechanisms.
Establish source of funds
Establishing source of funds is often a difficult task, which is required by the AML/CTF laws, especially with offshore based customers. However, this risk can be mitigated. AUSTRAC expects that when onboarding a customer, information about the savings and earnings of a customer should be obtained and updated annually, the amount of funds a customer could deposit based on their stated wealth and income should be calculated and customers should provide copies of bank statements of general transaction accounts used to fund their trading accounts.
Cybercrime should continue to be of high focus
Over the last 6 – 12 months, we have seen attention on cybercrime. The results of the risk assessment support this focus on cybersecurity and resilience. Fraud was the most common offence reported in SMRs (over 51% of SMRs) and half of these were enabled by cybercrime.
In particular you should be aware of the most common instances of fraud such as:
- fraudulent instructions from hacked email accounts;
- trades and fund transfers from hacked online trading accounts;
- accounts set up with stolen or fraudulent identification documents; and
- the fraudulent use of credit cards.
Other crimes not just Anti-Money Laundering
The securities and derivatives industry in general is very focused and has a great awareness of anti-money laundering. However, this has come at the expense of other risks such as terrorism financing (<1% of SMRs) and tax evasion (2% of SMRs). The industry should ensure their processes and procedures are in place to identify these risks also. Despite the low percentages of SMRs, you shouldn’t be complacent about the potential risk of terrorism financing. AUSTRAC believes that an increased awareness of this risk over time may result in an increased detection and reporting in the future.
With regard to tax evasion, intelligence of partner agencies indicates the threat may be more significant than reported for AML/CTF purposes. AUSTRAC reasons that the low instances of SMRs for tax-related offences is due to customers using offshore service providers to create corporate structures that conceal beneficial ownership of shares to evade taxes.
Risk in providing time critical services
If your business needs to provide its service or execute a trade quickly, this may stretch your ability to properly consider a customer’s profile and potentially identify suspicious behaviour. We suggest you consider and document your risks and mitigating controls so the business is aware of and comfortable with the risks they may encounter.
Risk in third party transactions
If there are third parties involved in the transactions of your customers, such as brokers, you may not have the full picture of customer’s trading activity and open positions which creates risks. We suggest that you consider these risks and the extent to which they may affect your business. We also suggest that you document and implement mitigating controls such as requiring further information of the customer.
Third party payments and off-market transfers
There is a major risk if payments can be made to third parties that are not the client. This requires significant supervision if you do provide this service to clients. We recommend that further due diligence be undertaken with regard to third parties, in particular to satisfy yourself that any third party is not fraudulent activity.
This risk also applies to conducting off market transfers. The purpose of the transfer may be to move funds to a foreign jurisdiction to launder funds, or to avoid tax, or to illegally transfer ownership. We recommend that you have in place extra due diligence if the receiving party is not your customer.
Services provided by an online delivery channel
Financial services provided online have a high delivery channel risk, particularly if the entire business is conducted online or via email without face-to-face relationships, there is a great potential for fraud.
If you do offer your services online, we recommend ensuring you consider the following controls to mitigate the risk as suggested by AUSTRAC:
- call back customers to check that the actual customer was requesting the transaction;
- where possible, have frequent communication with customers to get to know their financial situation and preferred methods of transacting; and
- take proactive steps to prevent fraudulent transactions such as by setting up electronic alerts identifying the location of IP addresses and legitimacy of email addresses and warn customers about email domains they use, to help them detect fraud.
Use of cash risk
Use of cash is a significant indicator of money laundering, particularly in today’s digital economy. Although most in this industry don’t accept cash, you may still be vulnerable to associated risks. If your client deposits funds in an account and transfers them between multiple accounts for no significant reason, this may be considered suspicious. If relevant to your business, consider mitigating controls such as limiting the number of accounts a client can list on your service.
Independence of independent reviews
As you will be aware, AML/CTF programs are required to be independently reviewed internally or externally. In the report, AUSTRAC found that there were inadequate independent reviews. We recommend that you give thought to whether your independent reviews are truly independent. If your internal reviews are undertaken by your AML/CTF compliance officer who drafts, updates and enforces the AML/CTF program, AUSTRAC may not consider these independent.
Regardless of what sector of the industry your business is in, if you are caught by the AML/CTF laws, you should review your AML/CTF program. You should have regard to the findings that we have outlined above and amend your program accordingly. In addition, you should ensure that these findings are communicated to your staff and that suspicious matters are raised appropriately to AUSTRAC.
Your AML/CTF officer should consider how many SMRs your organisation has raised with AUSTRAC in the last 12 months. If you haven’t submitted any or many SMRs, it may be possible that your AML/CTF procedures are not adequate.
If you have any AML/CTF questions or would like assistance in reviewing or updating your AML/CTF program, please contact our office to schedule in a consultation with one of our lawyers from our AML/CTF division.
This article was first featured in our T-REX July 2017 edition. T-REX is our “Tailored-Regulatory Exchange” subscription service that monitors and summarises regulatory changes that are relevant, and tailored to your business.
Author: Alexa Bowditch (Lawyer)