Regulatory Spotlight: Money Laundering and Terrorism Financing Risks
The Australian Transaction Reports and Analysis Centre (AUSTRAC) has had some high profile cases over the past couple of years regarding weaknesses in Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) programs. In conjunction with our work on independent reviews and further enhancement of AML/CTF programs, these events have prompted us to take a deeper look at common themes and lessons that we can all learn from.
In the most recent high-profile case, AUSTRAC accused Westpac of committing 23 million contraventions of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) and the two parties recently agreed to an astonishing $1.3b penalty. The key concerns centre around insufficient risk assessment and controls of their correspondent banking relationships, not carrying out the necessary customer due diligence with respect to transfers to countries known for increased child exploitation activities, and failing to pass on relevant information regarding funds transfers (and in particular international funds transfers), including failure to report these to AUSTRAC as required under the AML/CTF Act.
Before this case, AUSTRAC took CBA to task for weaknesses in their AML/CTF program. The two parties agreed to a then record setting $700 million penalty for breaches in AML/CTF laws. At the heart of AUSTRAC’s concerns was CBA’s Intelligent Deposit Machines (IDMs), which were found to be used for the purpose of money laundering.
At the root of it, the issues present at both Westpac and CBA are found to cover the same themes:
1. Weaknesses in the approach to assessment of money laundering and terrorism financing (ML/TF) risks
In Westpac’s case the sufficiency of their AML/CTF risk assessments have been called into question, with suggestion that the risk assessment process employed was insufficient to reasonably identify all of the risks that were presented in each of their correspondent banking relationships. This has resulted in insufficient monitoring of funds going in and out of Australia. They also failed to pass on relevant information regarding the source of funds to other banks in the transfer chain, thereby denying them the ability to appropriately assess and manage their own ML/TF risks.
Further to this, there were inconsistencies in how these risk assessments were applied across the Westpac group and a concern that potential issues arising from these assessments may not have been shared across the group.
For CBA, their weaknesses stemmed from not conducting risk assessments specific to their new IDM channel, which therefore prevented them from identifying the risks posed by the IDMs. By way of background, these IDMs presented a new channel for customers to deposit funds instantaneously into CBA accounts, which could then be immediately transferred into other accounts, including overseas. As these deposits could be made anonymously, and without any limits being imposed, it is considered that the associated ML/TF risk through this channel were quite high.
Despite this, CBA did not undertake a risk assessment that was specific to its IDMs prior to their introduction and did not regularly undertake risk assessments on this channel as the usage of the IDMs by customers evolved over time. Conducting these risk assessments would have helped CBA to identify the potential concerns and provided an opportunity to introduce appropriate controls.
* Risk assessment processes should be defined and supported by templates to promote consistency in approach, not only across different business units, but across different risks.
* Risk assessments should be undertaken on all channels prior to roll out, they should be multi-faceted to cover for different uses within the channel, and should be re-performed periodically to account for changes that may occur over time.
* Results of risk assessments should be available to other business units as relevant and insights from updated risk assessments should be shared.
2. Failures in the control environment or failure to implement suitable controls for the risks presented
AUSTRAC noted Westpac's reliance on its due diligence of correspondent banking as a mitigating control of the risks posed, rather than availing itself of more potentially appropriate controls. AUSTRAC have called out insufficiency of information about payer/payee, limited visibility over source of funds and purpose of transactions, and a lack of limits of volume or value of transactions and cash acceptance from unverified sources.
In respect of CBA, as a consequence of not appropriately identifying all of the associated risks, they did not implement adequate controls to manage the heightened risks posed by the IDM channel. Even after conducting a risk assessment specific to the IDMs, and identifying high ML/TF risk associated with this channel, CBA did not introduce appropriate daily limits for cash deposits through its IDMs to mitigate these risks until years later.
* Controls should be reviewed and updated regularly with a mindset of looking for improvement opportunities.
* When control weaknesses are identified, programs should be implemented to address them with assigned accountabilities.
3. Untimely rectification of weaknesses and insufficient follow up once issues were identified
AUSTRAC noted Westpac’s delay in implementing automated detection scenarios for monitoring child exploitation risks though its LitePay platform and note that Westpac is yet to implement automated detection scenarios for other channels.
It is also noted that, in respect of individual accounts, where specific concerns on a customer’s account were identified (e.g. activity that is indicative of child exploitation), it appears that Westpac has not gone on to conduct a check on other accounts owned by the same customer. When it comes to ML/TF risks, identifying problematic accounts is a crucial first step, but being able to provide a holistic view and monitoring of the transactional activities of an individual and their account conduct demonstrates a more sophisticated AML/CTF Program and is likely to be of notable importance to law enforcement.
Similarly to Westpac, it took CBA months to implement sufficient controls after the gravity of its issues were identified and this did not occur until after AUSTRAC had commenced its investigation. In fact, CBA was aware of potential concerns of money laundering through their IDMs for years before suitable risk assessments were undertaken and cash limits implemented. When they did make steps to address the control weaknesses, they did this in such a way that people could still exploit the channel for money laundering for months while daily limits were being implemented. In particular, where a customer was to be terminated for inappropriate account behaviour, CBA provided these customers with 30 days’ notice, during which no additional restrictions were placed on the account. As a result, these customers could continue to engage in further suspicious or criminal activity, rather than being subject to heightened ML/TF monitoring.
* Resolutions should go beyond simply fixing the immediate concern. Considerations should also be given to wider business impacts.
* Organisations should act swiftly to address weaknesses regarding ML/TF risks and should have mechanisms in place to enable restrictions to be immediately placed on accounts when suspicious activity is identified.
4. Weaknesses in skills, resourcing and the IT systems employed to combat ML/TF risks
In addition to accusations of having insufficient skills and resourcing in the AML/CTF function, AUSTRAC has gone further to suggest that Westpac has not invested sufficiently in its IT systems.
Following their AUSTRAC investigation, CBA have since stated that they have spent over $400 million on systems, processes and people in order to enhance and uplift their AML/CTF compliance. This uplift includes hiring additional financial crime operators, risk and compliance professionals across the group, as well as launching an upgraded financial crime technology platform for enhanced suspicious transaction monitoring.
* Organisations should be prepared to invest in their people and systems in order to combat ML/TF risks.
* AML/CTF Programs should be upgraded in line with changes to systems, processes and products.
5. Weaknesses in the Transaction Threshold Reporting (TTR) program
In CBA’s case, they were found to have failed to identify a significant number of transactions that required reporting under AUSTRAC’s TTR requirements (being more than 50,000 TTRs over a three-year period). This resulted from a missing transaction code in their automated TTR process for transactions greater than $10,000 processed through the IDM channel.
Westpac now also stands accused of failing to report, over nearly five years, millions of international funds transfers instructions to AUSTRAC as required under the AML/CTF Act, and of not adhering to requirements to retain records of some international funds transfers.
* Relevant system and procedural changes should be communicated throughout the business and with relevant stakeholders.
* AML/CTF specialists should attend meetings regarding product and channel changes and be provided with information regarding changes to processes so that they can consider the wider impact of these.
6. Confusion about Suspicious Matter Report (SMR) requirements
CBA has been called out for not passing on information to AUSTRAC, under the erroneous conclusion that it was not required. Under one scenario, CBA was made aware of suspicious activity through their interactions with law enforcement agencies and did not believe that they would need to pass that information on to AUSTRAC as a result. AUSTRAC’s findings clarify that this is not the case; regardless of how an organisation is informed about suspicious activity, they should lodge an SMR.
In a similar vein, Afterpay has also found itself in hot water with AUSTRAC after allegations of breaches to the AML/CTF Act stemming from incorrect legal advice. This advice saw them establish ML/TF controls that focused on their interactions with merchants rather than the customers who were using Afterpay to buy goods. This essentially saw Afterpay operate for several years without doing identity checks on consumers.
* Points of concern should be clarified with regulators where possible. Regulators can assist with clarification and interpretation of regulatory requirements and legislation.
Potential Regulatory Changes
No doubt looking to learn from these highly publicised cases, changes have been proposed to the AML/CTF Act. In summary, these include:
* Updates to customer due diligence obligations, including circumstances for relying of the procedures of third parties.
* Requiring greater controls around correspondent banking relationships.
* Simplification of the ‘tipping off’ offence (the offence is intended to prevent information about a suspicious matter report made by a reporting entity reaching the person to whom the report related).
* Updates to secrecy offences and provisions regulating access to AUSTRAC information.
* Consolidation of separate reporting requirements for cross-border movements of physical currency and bearer negotiable instruments.
If you are looking for some assistance in enhancing your AML/CTF program, would like an independent review, or help setting up a structured process for your ML/TF risk assessments, give us a shout at Hall Advisory.
 Concise Statement (Nov 2019): AUSTRAC v WESTPAC BANKING CORPORATION
 Statement of Agreed Facts (Jun 2018): AUSTRAC v COMMONWEALTH BANK OF AUSTRALIA