By Dr. Drew Donnelly, Compliance Quarter.
Last month, in ‘Financial crime doesn’t pay – three ways in which wrongdoers may soon be hit in the pocket’, we addressed the government’s increasing crackdown on financial crime and wrongdoing and those who would (even unwittingly) facilitate it. We mentioned the recent court case involving Tabcorp where the organisation agreed to pay $45 million for failing to meet its obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (the Act).
Today we take a closer look at the requirements of the Act. Specifically, we look at the risk-management obligations for small-to-medium sized enterprises (SMEs) under that Act and its associated regulatory regime. This should be particularly pressing for SMEs, given that the Australian Transaction Reports & Analysis Centre (AUSTRAC) recently identified risk-management as an area of uneven compliance.
Among other areas, AUSTRAC noted the overuse of templates, generic risk assessments and lack of independent review of programs as situations where businesses need to improve.
The requirement to develop a program under the Act
The Act and its associated regulatory regime set out a range of compliance requirements for ‘designated services’ including enrollment, record-keeping and reporting obligations.
Today we focus on the requirement under that Act that ‘designated services’ must develop and comply with an ‘anti-money laundering and counter-terrorism financing program’, which is designed to identify, mitigate and manage the risk that their services might involve or facilitate money laundering or the financing of terrorism (see Part 7, Division 2 of that Act).
The definition of ‘designated services’ in the Act is broad but includes account/deposit-taking services, payroll services, life insurance services and loan services.
The risk-management tool
AUSTRAC has developed a risk management tool to help SMEs with the development of their program. While there is no regulatory requirement to use this tool, it is intended to provide useful guidance for SMEs in the development of a program. The tool sets out several steps for businesses:
Step 1: The business should identify possible risks as part of its program. Categories of possible risk include:
- Customer risk, such as dealing with new, unknown customers;
- Service risk, such as a consistent request to a bank for branch pick-up only;
- Business channel risk, such as use of a third-party agent or broker;
- Country risk, such as business with a country subject to trade sanctions; and
- Regulatory risks, such as the risk to the organisation of not submitting their compliance reports.
Step 2: The business needs to carry out a risk assessment. That is, work out the chance that each identified risk will occur, and the impact if it does. The business can then arrive at a ‘risk score’.
Step 3: The business needs to prepare its risk treatment. This includes developing policies and procedures to manage the identified risks.
Step 4: The business needs to prepare for and carry out risk monitoring and review.
Next steps for SMEs
Review the risk management tool (see http://www.austrac.gov.au/risk-management-tool-small-medium-sized-businesses) and consider AUSTRAC’s recent report on compliance (see http://www.austrac.gov.au/businesses/obligations-and-compliance/insights-compliance-assessments).
If you think that we could be of assistance in developing or reviewing a risk management program for your business, please get in touch.