Is your AML/CTF compliance program up to scratch?
OPINION: On June 4th, Westpac released its 48-page response to AUSTRAC’s statement of claim following the conclusion of the Promontory-led Advisory Panel tasked with identifying the primary causes for the well-documented AML/CTF failings.
The findings in this report are by no means exclusive to Westpac. Many of these issues can be commonly found among large and complex regulated entities.
In this article, we will focus in on the main themes and key observations that came out of the report before providing our thoughts on recommended good practices for regulated entities to think about when looking to strengthen their financial crime compliance programs.
So here goes…
1. Board Governance and Accountability
At the top of the list was Board Governance and Accountability – as the sayings go – the buck stops here and the tone is set from the top…
Key Observations:
– Not early enough recognition of systemic nature of financial crime risk issues
– Board reporting on financial crime matters was incomplete and inaccurate
– Lack of clear accountabilities for AML compliance for individuals, teams, management and Board Directors
– Three lines of defence model to financial crime compliance and monitoring was not operating as effectively as it should have been
– Learning from international best practice could be improved
– Developing a risk culture of accountability that is mature and not reactive has not been realised
– Lack of remuneration structures that reward the achievement of managing non-financial risks effectively
– Lack of management accountability outcomes for AML/CTF compliance failings
Recommended Good Practice:
– Ensure that ML/TF risks and consequences are well understood from the top-down and ensure regular reporting of accurate metrics related to the AML/CTF program
– Ensure roles and responsibilities are clearly defined and establish a RACI matrix that makes clear where responsibilities and accountabilities lie
– Ensure regular and thorough independent reviews, control testing and a continuous improvement framework are in place
– Monitor and engage in domestic and international discussion forums and events to stay across AML trends, threats, guidance and learning
– Embed risk culture and governance frameworks across the organisation including setting KPIs that encourage strong risk management
– Establish clearly understood accountabilities (and consequences) for individuals where compliance falls short of expectations, including disciplinary action, redundancies and reduced remuneration
2. Understanding and prioritisation of ML/TF Risk Assessments
As money laundering and terrorism financing rules are risk-based, there is a strong emphasis put on having a robust and sound risk management framework for identifying and assessing risks, as the foundation for adopting appropriate and proportionate controls to help mitigate and manage these risks.
Key Observations:
– Identification and management of ML/TF risk was not given enough priority
– Lack of understanding and appreciation of ML/TF risk and how it should be managed and mitigated by the Board and senior staff
– Lack of suitably qualified and experienced domain experts to manage ML/TF risk assessments
Recommended Good Practice:
– ML/TF risk assessments are foundational to the AML/CTF program – if risks are not properly understood then the control framework design and implementation could be ineffective
– ML/TF risk management is an ongoing activity – things change in the internal and external environment – it is important that the approach is maintained, is current and is regularly
– Engaging with experienced practitioners that have deep domain expertise, practical knowledge and experience in conducting ML/TF risk assessments reduces the risk of executing a risk assessment that is not fit-for-purpose
3. Insufficient expertise and inadequate resourcing
It is critical to ensure that everyone from the Board down understands the importance of effective financial crime risk management and dedicates sufficient resources to discharge their individual and corporate responsibilities.
Key Observations:
– Inadequate resourcing of the financial crime control framework with employees having insufficient skills, expertise and experience to effectively manage AML/CTF Risk
– Ensuring the money laundering reporting officer is senior enough and is operating with regular access to the most senior people in the organisation and is provided the resourcing to properly discharge the organisation’s responsibilities
Recommended Good Practice:
– Regulated entities don’t (often) set out to intentionally facilitate money laundering but often pay the price for under-resourcing their AML programs or making bad decisions over time
– Invest in people and ensure they have appropriate professional development, skills and experience to support them in their role
– Ensure Board Directors are suitably aware of the importance of ML/TF risk and ensure that sufficient funding is allocated to discharge the organisation’s responsibility – don’t be penny wise and pound foolish, as cuts to budgets now could come back to haunt you years later.
– It is critical for risk professionals to have a voice at senior levels and to be able to put a strong investment case together for appropriate funding to manage ML/TF risks appropriately
4. Ensuring reporting obligations are met
Providing timely, complete and accurate reports to regulatory authorities is a complex and key requirement and must be given sufficient consideration.
Key Observations:
– Failure to submit timely and accurate reports to regulators
– Having an over-reliance on technology and high turnover of key personnel, resulting in loss of continuity and specialist knowledge
– Lack of post-implementation reviews to verify the quality and completeness of project delivery
Recommended Good Practice:
– Having regular independent reviews to check that technology systems and operational processes are reporting all data that is expected to be reported and within the required timeframes to ensure that any issues are detected early and can be rectified to ensure reporting obligations are met
– Often projects to deliver regulatory reporting requirements are complex and require granular analysis to ensure source systems related to customers, accounts and transactions are picking up the correct data, appropriate rules are applied and appropriate testing and ongoing monitoring processes are operating effectively long after the projects to deliver them have been handed back over to BAU.
5. Ensuring the AML/CTF program remains compliant
In financial crime compliance nothing stays still for very long – laws change, threats change, businesses change, customer behaviour changes, country risk profile changes – this means that organisations need to be effective at managing and embedding change into their AML/CTF Programs.
Key Observations:
– Lack of processes related to interpreting and applying regulatory guidance to ensure the AML/CTF program remains in compliance with AML laws
– Ineffective interpretation of regulatory guidance
Recommended Good Practice:
– Ensuring compliance with AML laws relies on ensuring that the AML/CTF program is current and meets the laws and rules that are in place at any given point in time, and ensuring appropriate resourcing is given to support tracking and interpreting regulator guidance is critical to staying in compliance
– There can be a tendency towards group-think as organisations share information about how they think regulatory guidance should be interpreted which may be different to how regulators intend it to be – always go to the source and ask the regulator to clarify if you are unclear.
6. Implement regular independent reviews and controls assurance
What gets measured gets managed… Not having regular checks and balances in place to assess whether policies, procedures and controls have been designed and are operating effectively is a recipe for disaster.
Key Observations:
– Lack of ML/TF risk assessment and controls assurance over third-party relationships performing AML/CTF functions on behalf of the organisation
– Lack of clear accountabilities for all three lines of defence resulting in slow detection of ineffective control design and operational performance
– Independent reviews conducted too infrequently resulting in compliance issues remaining undetected and unaddressed for long periods of time, compounding many identified issues.
Recommended Good Practice:
– Often regulated entities fail to initiate or conduct regular enough independent reviews, which are a critical control designed to detect where AML/CTF Programs are falling short of regulatory guidance. It is critically important that these are scheduled frequently and embedded into financial crime risk management practices
– Also, any control deficiencies should have a corresponding action, owner and delivery date which is tracked and reported to management, with action taken where there are long time lags to implementing control improvements.
7. Implement appropriate levels of AML/CTF training
Training is an essential ingredient in ensuring that the systems, procedures and controls in place meet company, regulatory and community expectations in managing money laundering and terrorism financing risks.
Key Observations:
– Inadequate company-wide and Board level training on AML/CTF risks, expectations from regulators and potential consequences for systemic non-compliance
– Implement role-based training on specific systems, procedures and controls to impacted staff
Recommended Good Practice:
– Ensure from the Board down that all Directors, Senior Executives and Employees understand what company, community and regulatory expectations are through raising awareness on the costs of financial crime on society and the potential consequences of not meeting these expectations
– Ensure employees that are performing operational roles are subject to induction and ongoing training in the capabilities required to perform the role effectively.
8. Ensure effective relationship management with regulators
AML regulators (or Boards) generally don’t like surprises (particularly bad ones) so it is better to get on the front foot and open a dialogue with regulators whenever possible to do so.
Key Observations:
– Increased self-reporting of issues to regulators in a timely manner
– Clear communication of the progress of remediation projects to address deficiencies
Recommended Good Practice:
– Forward-thinking regulated entities are actively involved in industry working groups which discuss the latest trends, guidance and laws which establishes a common understanding of regulatory expectations
– Regulators provide a wealth of information designed to help regulated entities but if there is any doubt about how rules should be interpreted it is recommended to get on the front foot and open a dialogue with your AML regulators
– Implement a process whereby direct regulatory feedback and industry guidance is embedded into the risk and control framework and continuously assess the effectiveness of these controls.
The tables above act as a summary but are not intended as an exhaustive list and we would encourage any risk and compliance professionals operating in AML/CTF roles to read the response in full.
Our hope is that this article will provide risk and compliance professionals with a perspective on some of the common pitfalls that organisations could, if they are not careful, run into when designing, implementing and maintaining AML/CTF Programs, and look at ways in which continuous improvements can be embedded as part of these programs to raise the bar on financial crime risk management.