Lisa leads Deloitte’s Australian and Asia Pacific Financial Crime practices. She specialises in the provision of financial crime consulting services to clients in the financial services industry. Lisa’s experience includes financial crime transformation programs, regulatory response (including AML/CTF civil penalty proceedings and enforceable undertakings), remediation, regulatory change, technology advisory and independent reviews/inspections. She has supported clients domestically and offshore and has worked with a range of clients across banking, wealth management and insurance. With experience across both the investigative and advisory aspects, Lisa has advised clients on all financial crime themes (AML/CTF, sanctions, anti-bribery and corruption, market misconduct, fraud). Lisa has a background in engineering and delivering major regulatory projects and enhancing operational frameworks at major financial institutions. She was formerly a lawyer specialising in contentious financial crime and regulatory matters.
On 6 September 2021, AUSTRAC put the major Australian banks on notice through its money laundering (ML) and terrorism financing (TF) Risk Assessment¹ that the sector is high risk for ML and TF. This will be AUSTRAC’s official position going forward and a major Australian bank will be hard-pressed to argue otherwise unless substantiated by reliable data and a well-evidenced rationale. AUSTRAC also noted that it is particularly concerned about the low level of governance and assurance around AML/CTF compliance and inconsistency in the application of risk mitigation strategies among the major banks.²
So what should Board members consider in light of AUSTRAC’s findings?
In this short article, we explore some of the questions Board members and senior management of major banks may wish to consider following AUSTRAC’s ML/TF Risk Assessment and its underlying concerns. Resolving such questions may assist Boards and senior management in ensuring that ML/TF risks specific to their organisations are properly identified and understood, including how and where in the business the ML/TF risk arises, and what measures are in place to manage the particular ML/TF risk.
What’s our residual risk?
AUSTRAC’s ML/TF Risk Assessment addresses inherent risk only – it does not consider the number and quality of the risk mitigation and compliance measures that Australia’s major banks have in place to combat the inherent risks that AUSTRAC has identified. For example, even if a major bank’s inherent risk may be high (as AUSTRAC has identified), its residual risk may be medium or low, in theory, once its mitigation measures have been considered.
However, the reality is that the residual risk rating for major banks is more often than not misleading given the challenges that major banks face in designing and documenting appropriate and sustainable mitigation strategies that clearly link back to inherent risks. This, coupled with difficulties with accurately measuring the extent to which such measures reduce the inherent risks, often leads to results being distorted and an inaccurate depiction of residual risk. A staged, diligent, and well-informed approach is needed where inherent risks are considered first and foremost followed by the specific mitigation strategies with residual risks being the final consideration.
Are we really low risk?
Inherently high ML/TF risk is rarely mitigated to a low risk profile. If you are a major Australian bank with a self-assessed low ML/TF risk profile overall, question whether you are being accurate and realistic in your assessment of residual ML/TF risk and make adjustments where necessary.
Banks are now expected to take a diligent and informed approach to assessing customer risk and not apply blanket assessments to a particular group of customers. There is a need to be accurate and realistic and base your assessments on data-led risk intelligence (i.e. your SMR data, data analytics modelling, law enforcement notices and industry feedback) as opposed to human judgment. AUSTRAC is also keen to avoid organisations overly “de-risking” the business by applying blanket rules, a large degree of human judgment and/or offboarding of broad categories of customers.
Do we have enough visibility and understanding of our ML/TF risks and relevant controls?
It is important that ML/TF risks are described objectively using reliable data, highlighted in the right way and not conflated or deflated in Board reports. Ask yourself whether the information you are receiving is presented in a way that enables you to easily grasp the key ML/TF risks relevant to your organisation and assess whether your risk mitigation measures are sufficient to address them. Likewise, ask yourself whether your organisation is well placed to clearly articulate to your internal teams and the regulator how you are managing your ML/TF risks.
How do we apply and consistently communicate our AML/CTF program across the organisation?
Understanding and assessing ML/TF risks is only half of the task. You are also required to implement appropriate risk mitigation measures that address your ML/TF risks. Doing that in a cost-effective and efficient way is a commercial imperative. AUSTRAC flagged inefficiencies in the application of controls across business units and a tendency to defensively over-report. Such inefficiencies and duplication can be overcome if you take a bird’s eye view of your ML/TF risks, simplify your AML/CTF operations and create AML/CTF uniformity and consistency in AML/CTF communication across your organisation. Specificity is critical – a small number of targeted, well-designed, resourced, and assured controls are far better than a large suite of general controls.
What can we learn from our data?
AUSTRAC analysts reviewed and categorised each report in the SMR sample it took as part of the ML/TF Risk Assessment against 414 possible labels grouped by criminal threat, suspicious transactional activity, products and services, customer type, entity attribute and jurisdiction. This data could then be “sliced and diced” and visualised to gain unique insights into the major banks’ aggregate risk profile.
Like AUSTRAC, consider how you could potentially leverage your SMR data (as well as your Unusual Activity Reports and Transaction Monitoring alert data) and apply robust data analytics to gain useful insights into your key ML/TF risks and enhance your risk-based approach. This is provided that you are correctly identifying suspicious activity in the first instance and the data captured within SMRs is accurate and can be relied upon to form strategic judgments about trends in ML/TF risk.
Do we understand the risks in our value chains?
AUSTRAC raises the risks presented by agent banking relationships, third party electronic billers and introduction of the New Payments Platform.³
The speed and ease with which customers can transact using these arrangements, alongside developments in online banking and mobile apps, further limits the opportunity for banks to identify and prevent suspicious transactions and enables money launderers to quickly layer funds between various accounts. Agency relationships not only present a degree of regulatory compliance risk to your organisation but may also hinder your ability to identify ML/TF risks in accordance with your risk profile and appetite.
Have we sufficiently considered the impact of the AUSTRAC sectoral risk assessment on our organisation?
AUSTRAC’s ML/TF risk assessment contains useful guidance about specific ML/TF risks. Major banks should be reviewing their AML/CTF Program to respond to AUSTRAC’s guidance and feedback on ML/TF risk in accordance with the AML/CTF Rules⁴ and ensuring that the Program and its associated compliance measures are updated to manage identified risks.
Where to next – what ML/TF risks are on our horizon?
AUSTRAC’s ML/TF Risk Assessment, whilst a useful snapshot at a particular point in time, is unlikely to encapsulate the ML/TF risks that you may be encountering now or ahead. It is critical to monitor all available internal and external risk intelligence and take a data-led approach to identifying risks that you may not otherwise recognise.
About us
The pressure to tackle financial crime has never been greater. Deloitte’s global financial crime practice is at the forefront of the fight against financial crime and has assisted many of the world’s leading financial institutions in developing, implementing and remediating all aspects of financial crime risk management programs, as well as investigating financial crimes.
Our Australian team works extensively with organisations in understanding, documenting and acting on ML/TF risk. We have advised boards and senior management on AML/CTF over a number of years, and in response to significant regulatory events and enquiries.
¹ AUSTRAC, 6 September 2021, “Money Laundering and Terrorism Financing Risk Assessment: Major Banks”: