The report now provides a granular and quantitative basis on which AUSTRAC will be able to profile and compare REs against one another. Through this, we expect that AUSTRAC will have the ability to identify underlying anomalies, which may be used to focus supervisory effort, narrowing the attention on current ML/TF risks and areas of the regime where systemic weakness and failure have been identified.

It is critical that REs are confident in the veracity of their responses. While the Report has always stood as a formal statement from an RE to AUSTRAC, and open to review or challenge later in terms of possible supervisory or enforcement outcomes, the increasingly quantitative nature of this enhanced Report has the potential to expose REs that have not put in place adequate measures to collate and report the data.

Compliance feedback has identified these channel attributes can be highly complex and problematic and it is therefore not surprising that AUSTRAC is keen to obtain more data on these components. Often a notorious driver of risk, particularly for extended value chains, our experience is that REs must ensure an appropriate level of oversight over outsourced functions, and initiate periodic reviews to ensure ongoing effectiveness. REs should also align with APRA’s prudential standards on outsourcing provisions when responding to these questions.

The Compliance Report will examine ML/TF risk drivers and risk assessments with a key focus on the nature, extent and adequacy of your assessments, mirroring concerns exposed through AUSTRAC’s enforcement actions against both Tabcorp and CBA. We expect this will lead AUSTRAC to consider responses provided by reporting entities as a basis to review comparative assessments and test the appropriateness of treatment of ML/TF risk drivers (e.g. customer types, channels).

Questions on employee risk focus on the requirement to risk-assess individual employee roles and apply graded screening. In our experience, many organisations do not have a sufficiently risk-based approach to this component, relying instead on a 'one-size-fits-all' approach.

We believe the ‘changes to your program’ questions seek to capture what directly has caused changes to your program but also the consideration of environmental impacts within your risk assessment. We observe that, outside of legislative changes, many reporting entities have made limited changes to their AML/CTF program in the last 10 years.

Questions will delve into details of the maintenance of the ongoing monitoring programs including how frequently REs review monitoring rules, environmental drivers behind changes to the TMP, prioritisation of alert administration and the definition and numbers of high-risk customers, including PEPs. This will require careful decisions and documentation to evidence responses. Our experience in performing independent reviews of AML/CTF Programs across the industry is that data of this nature can be difficult to obtain quickly and subject to definitional problems and detailed decision making recorded across multiple sources that impact reliability and repeatability of the analysis.

AUSTRAC seek to determine the nature and frequency of external assurance on AML/CTF programs as part of the independent review requirements and drive a continued focus on the completeness and quality of regulatory reporting. Some questions go directly to this element of your program, specifically probing the extent of assurance over regulatory reporting obligations, and the actions taken in response to AUSTRAC feedback or specific intelligence.

Take a look at the products and services we offer.

In complex disputes and litigation matters, Deloitte works with organisations and their lawyers in judicial and alternative dispute resolution forums, across a range of jurisdictions.