Staying Ahead: Navigating Key Considerations in AUSTRAC's 2023 Compliance Report

Each year, AUSTRAC adapts the questions in its annual Compliance Report to consider emerging risk and regulatory issues. Reporting entities must remain vigilant and fulfil their reporting obligations effectively by keeping up to date with these changes and what they mean.

On 7 February 2024, Deloitte Australia hosted a webinar covering new questions introduced for the 2023 Compliance Return, to be submitted to AUSTRAC by reporting entities by 31 March 2024.

Our subject matter experts Amanda Lui and Chris Cass emphasised that reporting entities should view the compliance return not simply as an obligation but as a chance to reflect on their existing AML/CTF Program, identify opportunities for enhancement and raise awareness at all levels of the organisation.

Here are some notable changes and considerations for reporting entities to ensure accuracy and completeness in reporting.

We have seen an increase in outsourcing of AML/CTF functions in recent years, with some sectors, such as wealth management, strategically operating leaner financial crime functions and relying on outsourced providers to manage not only their operational obligations but also their program development, risk assessments and elements of their risk-based approach. In the poll run during our recent Compliance Return Webinar, 45% of respondents confirmed they outsourced four or more of their AML functions, with many of them outsourcing customer onboarding, transaction monitoring, and ongoing and enhanced customer due diligence. Yet in the same poll, 57% of respondents identified their key risks and issues associated with outsourcing to be a lack of detail relating to the processes and procedures followed by their outsource providers, with 43% of respondents flagging concerns of misalignment with their own risk-based approach. When service providers are applying risk-based approaches to multiple organisations, how do reporting entities ensure the risks appropriate to their business, products and clients are being applied?

The draft consultation paper on outsourcing released by AUSTRAC on 26 February indicates there are a number of services that may not currently be considered as outsourced activities by reporting entities. All of these will require a level of governance and oversight that we have not seen currently in place, for example, drafting the AML/CTF Program. AUSTRAC called out the importance of robust oversight and governance measures in their 2024 Regulatory Priorities document where outsourcing was listed as a serious and systemic deficiency.

Without proper oversight of these arrangements, these outsourcing decisions can result in introducing risk to your financial crime framework. Many organisations enter into these arrangements without an established formal Service Level Agreement (SLA) framework, resulting in inadequate assurance over the outputs. Where there are checks in place, there is an overwhelming focus on measuring quantitative standards, such as task completion times and reports received on time; however, key qualitative considerations are going unchecked. This often leads to issues going unnoticed until they escalate into significant problems, especially when outsourced entities fail to fully grasp the reporting entity’s risk-based approach to their AML/CTF compliance which could result in risk-rating arbitrage, a lack of defensibility and costly remediations.

In the last two years, we’ve seen the Compliance Return questions shift more focus to the size of employee pools, the scale of dedicated AML resources, the outsourcing of activities and the oversight of processes, all of which build a bigger picture for AUSTRAC to consider the capability, talent and operating model of a reporting entity in comparison to its peers.

Another area called out by AUSTRAC in their 2024 priorities as a serious and systemic deficiency is board and governance oversight. Two years ago, a poll conducted by Deloitte during our annual webinar revealed significant gaps in assurance practices and board understanding of ML/TF risk assessments, with only 35% of respondents stating that their Compliance Report was approved by their board or a sub-committee.

However, despite recent shifts, the pace of change has not been as rapid as anticipated. Whilst there has been increased engagement from Board members to understand emerging risks and proactively understand financial crime implications to future-proof strategic choices, much of this remains reactive to enforcement actions. A significant portion of directors and board members still lack awareness of their organisation’s emerging risks and struggle to ask the right questions. This observation is highlighted by our recent poll results, where 63% of respondents stated that they share insights with the Board on the changes to the compliance reporting questions, yet only 44% feel that the Board fully grasps the intricacies of ML/TF Risk Assessments, including their operational implications for the Program.

Moving forward, it is imperative for boards to actively seek awareness of the AML/CTF program to demonstrate their active participation. Governance should prioritise substance over form, with a keen risk appetite to effectively manage risk issues. To aid in the information reported to boards, organisations must take steps to ensure that the information is provided in a format that is easy to read and offers more dynamic views of emerging risks, utilising tools such as pulse checks and dashboards.

On the topic of emerging risks, it is crucial to emphasise the significance of an effective risk assessment. Risk assessments establish the foundation upon which AML/CTF programs are built, yet many programs struggle with outdated perspectives on risks and methodologies or generic templates, resulting in significant gaps in their ability to identify and address emerging risks proactively. By ensuring that risk assessments are up to date and tailored to their business, organisations can effectively combat emerging threats by guiding the allocation of resources, developing and investing in key control measures and formulating an informed risk appetite for the business.

One common issue observed in AML/CTF programs is the failure to update risk assessments to reflect evolving risks and changes in the operating environment, for example, where risk assessment scoring methodologies do not account for new products or channels, resulting in certain risk ratings being unrated or defaulted to low. Poll results from our webinar shed light on the state of risk assessments within organisations, with only 64% of respondents confirming that they have updated their enterprise-wide risk assessment methodology in the last two years, and even fewer having made changes to their customer (40%), channel and product (32%), and jurisdiction (29%) risk assessments. The pace of change we’ve seen in the financial crime landscape calls for more flexibility and responsiveness from reporting entities, and this disparity underscores the need for organisations to prioritise revisiting their risk-based approach.

In recent years, the questions within AUSTRAC Compliance Returns have introduced a number of new channels and delivery methods to reflect the shifting dynamics of financial crime, particularly through digital channels and cross-border transactions. Some of the newly added channels include video conferencing, online banking, wallet and non-ADI agent. A specific question has now been introduced into this year’s report about whether your business has conducted an ML/TF risk assessment on the new delivery methods introduced, a weakness we have seen exploited at some reporting entities, with enforcement action taken as a result. As new ways of interacting with customers and new technologies such as AI become available to criminals, organisations must be proactive in their focus on emerging risks, particularly through new digital channels, to determine if there are vulnerabilities in their operating model.

One of the new questions introduced this year is on the theme of mergers and acquisitions and whether your reporting entity has acquired or merged with another entity. In recent years, the superannuation, wealth and mutual sectors have experienced a surge in M&A activities, propelled by changes in Your Future, Your Super regulations. Now, with annual performance test results being published, underperforming funds or smaller funds lacking scale are incentivised to merge with bigger entities to capture market share.

Many organisations facing merger or divestment activities are ill-prepared for financial crime and either lack awareness of Chapter 28 provisions or rely on the exemptions where limited assessment has been conducted on the appropriateness of relying on prior risk-based measures applied to customer records. And here’s the catch: relying on these provisions with insufficient AML/CTF due diligence can create issues down the line post-merger, where certain triggers such as inadequate customer records or SMRs will require the new organisation to re-perform KYC on deficient records within 14 days when issues are identified.

A common theme arising from merger activities in a fast-paced, high-pressure environment to increase value for organisations is the extent of due diligence undertaken. While companies often conduct thorough vendor due diligence checks on various aspects before mergers or acquisitions, more focus should be placed on understanding and evaluating the AML/CTF framework and associated risks before making the deal. When issues are identified post-merger, this has the propensity to increase compliance and remediation costs, open organisations to unknown risks and ultimately reduce the value of the business. Some examples of preventative measures that can be taken are:

a) Evaluate any independent reviews that have been conducted.
b) Review the organisation’s ML/TF risk assessment and determine how this compares with your own business.
c) Sample test files to ensure compliance with AML/CTF regulations and how they are applied to the risk-based approach.
d) Understand the level of investment in financial crime resources and capacity within the organisation.
e) Assess the compliance culture, governance practices, and training programs for senior management and board members.
f) Review any ongoing projects or internal investigations related to financial crime.
g) Assess the maturity of the target company’s operating model and how it aligns with your own.

By thoroughly examining these aspects of the AML framework and associated risks, companies can better understand the potential challenges and opportunities associated with the merger activity, consider any change management events that are necessary and, most importantly, prevent any unintended ownership of costly regulatory issues down the track.

At a minimum, organisations should consider the following prior to submitting their Compliance Report:

  • Ensure an appropriate level of governance – This involves evaluating the effectiveness of governance structures and processes in overseeing compliance activities. Do senior management and the board have an appropriate level of awareness and oversight across the entirety of the AML program? Have you discussed your compliance report with senior management and the Board prior to submitting it to AUSTRAC?
  • Assess the control environment – This involves evaluating the effectiveness of internal controls, policies, and procedures in place to prevent and detect AML compliance breaches. Have you documented your controls? Are they fit for purpose? Have you undertaken testing to check the effectiveness of your controls in operation? Are your controls adequately mitigating the risks you are facing?
  • Review the frequency and level of assurance – This involves evaluating the regularity and depth of compliance assessments, audits, and monitoring activities conducted to ensure that the assurance mechanisms in place are providing you with the right level of insight and transparency over the operations of systems and controls. How confident are you in the accuracy and completeness of the information submitted to AUSTRAC as part of your compliance report? Has this exercise highlighted potential weaknesses that need to be revisited prior to the next submission?
  • Maintain a risk-based approach – This involves consistently assessing and prioritising compliance risks, aligning resources and efforts accordingly, and adapting strategies and controls to mitigate the most significant risks effectively. Are you and your organisation responsive to internal and external changes and able to actively incorporate those into your AML/CTF program?
  • Benchmarking – Answers provided during the Compliance Return process provide an invaluable avenue for AUSTRAC to compare an organisation's compliance efforts with their peers and industry standards. This will increasingly inform regulatory expectations on the size and scale of the AML/CTF operating model and inform insights into areas for improvement. Have you considered how your organisation is tracking against your peer organisations?

For more information and tips to complete your 2023 compliance report, please refer to the media release by AUSTRAC: Top tips for completing your 2023 compliance report | AUSTRAC.