We have seen an increase in the outsourcing of AML/CTF functions in recent years. Some sectors, such as wealth management, strategically operate leaner financial crime functions and rely on outsourced providers to manage not only their operational obligations but also their program development, risk assessments and elements of their risk-based approach. In the poll run during our recent Compliance Return Webinar, 45% of respondents confirmed they outsourced four or more of their AML functions, with many of them outsourcing customer onboarding, transaction monitoring, and ongoing and enhanced customer due diligence. Yet in the same poll, 57% of respondents identified their key risks and issues associated with outsourcing to be a lack of detail about the processes and procedures followed by their outsource providers, with 43% of respondents flagging concerns of misalignment with their own risk-based approach. When your service providers are applying risk-based approaches to multiple organisations, how do you, as a reporting entity, ensure the risks appropriate to your business, products and clients are being applied?
The draft consultation paper on outsourcing released by AUSTRAC on 26 February indicates there are a number of services that reporting entities may not currently consider to be outsourced activities. All of these, for example drafting the AML/CTF Program, will require a level of governance and oversight that we do not currently see in place. AUSTRAC called out the importance of robust oversight and governance measures in their 2024 Regulatory Priorities document, where outsourcing was listed as a serious and systemic deficiency.
Without proper oversight, these outsourcing arrangements can introduce risk to your financial crime framework. Many organisations enter into these arrangements without an established formal Service Level Agreement (SLA) framework, resulting in inadequate assurance over the outputs. Where there are checks in place, there is an overwhelming focus on measuring quantitative standards, such as task completion times and reports received on time, while key qualitative considerations go unchecked. This often leads to issues going unnoticed until they escalate into significant problems, especially when outsourced entities fail to fully grasp the reporting entity’s risk-based approach to its AML/CTF compliance, which could result in risk-rating arbitrage, a lack of defensibility and costly remediations.
In the last two years, we’ve seen the Compliance Return questions shift more focus to the size of employee pools, the scale of dedicated AML resources, the outsourcing of activities and the oversight of processes, all of which build a bigger picture for AUSTRAC to consider the capability, talent and operating model of a reporting entity in comparison to its peers.