Skip to content.

Home

Allens Arthur Robinson

Focus: Anti-money Laundering – September 2007

AUSTRAC outlines 'reasonable steps' towards compliance

In brief: The Australian Transaction Reports and Analysis Centre has released a Guidance Note on the Application of the Policy (Civil Penalty Orders) Principles 2006. The Guidance Note describes AUSTRAC's approach to the Policy Principles, including what are 'reasonable steps' toward compliance within the 15-month prosecution-free period. Partners Peter Jones and Anna Lenahan (view CV) and Senior Associate Judy Maguire look at some of the issues that arise from the Policy Principles.

How does it affect you?

  • Reporting entities that will not be in compliance with the customer identification requirements by 12 December 2007 should consider now what reasonable steps they can take towards compliance.
  • Reporting entities that do not identify customers to the required standard before 12 March 2009 may have to carry out some retrospective customer identification.
  • Reporting entities that intend to rely on the prosecution-free period should consider the implication of non-compliance on their third party contracts.
The Policy Principles

The Policy (Civil Penalty Orders) Principles 2006 (the Policy Principles) provide that the Australian Transaction Reports and Analysis Centre (AUSTRAC) will only apply for a civil penalty order against a reporting entity during the 15-month prosecution-free period after each stage of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (the Act) takes effect, if AUSTRAC is satisfied the reporting entity has failed to take 'reasonable steps' to comply with the relevant provision in the Act.

For a short analysis of the Policy Principles and the factors that the AUSTRAC CEO will take into account in determining whether a reporting entity has failed to take reasonable steps, see AAR's Client Update: Anti-money Laundering – February 2007.

Return to top

What are reasonable steps?

The Guidance Note on the Application of the Policy (Civil Penalty Orders) Principles 2006 (the Guidance Note) provides some practical direction as to what is expected of reporting entities during the prosecution-free period (including some guidance on what will constitute 'reasonable steps').

The Guidance Note states that the taking of reasonable steps will require 'a steady progression towards compliance', as distinct from 'no progression or minimal progression'. In assessing whether an entity is making a steady progression towards compliance, the AUSTRAC CEO may consider:

  • on a case-by-case basis, the circumstances of a particular entity, including its size, nature and the complexity of its business (among other factors) and the obligations of the reporting entity under the Act;
  • whether a reporting entity can demonstrate that it is taking its responsibility for ensuring it understands and complies with its obligations under the Act seriously and adequately; and
  • whether the reporting entity can demonstrate a commitment to fostering a culture of voluntary compliance.

Return to top

Other factors

In assessing whether reasonable steps have been taken in addressing any identified non-compliance, the Guidance Note states that the AUSTRAC CEO may also have regard to the following factors:

Whether the risks identified and assessed by a reporting entity are realistic, given its business (including its size, nature and complexity) and its risk profile.

This emphasises the importance of reporting entities carrying out appropriate and adequate risk assessments (eg by identifying the risks that may apply to different categories of customer and/or products) before deciding how to implement their customer identification procedures and Part A Anti-money laundering and counter-terrorism financing (AML/CTF) programs.

In our view, reporting entities who have not at least carried out a money laundering/terrorism financing (ML/TF) risk assessment before the time by which the relevant compliance obligations under the Act come into force (including, for example, customer identification requirements) may find it difficult to persuade AUSTRAC that they have been taking 'reasonable steps' to comply.

Whether a reporting entity has taken preparatory steps to implement systems and controls relevant to its identified risks.

This would include, for example, taking steps to identify what designated services it provides and to whom, and any gaps between the reporting entity's existing procedures and those required to be implemented by the Act.

The extent to which those systems and controls have been implemented.

If a reporting entity cannot implement a Part B customer identification program within the timeframes provided by the Act, it may be helpful if it can demonstrate that it has been able to implement some of the systems and controls contemplated by the program (for example, by applying those systems and controls to high-risk customers or products). If it is (or has been) regulated under the Financial Transaction Reports Act 1988 (Cth), it may also be helpful if it is continuing to apply the relevant requirements of this particular Act to its customers.

Whether a reporting entity has demonstrated good faith in assessing, preparing and implementing its AML systems and controls.

There are a number of steps which can be taken by a reporting entity that could demonstrate good faith in this context. This includes, for example, establishing that its board and senior management have taken ownership and control of its AML/CTF project and are across the specific nature of the ML/TF risk that applies to the reporting entity; by allocating sufficient funds and resources to the project; and by appointing a money laundering compliance officer (with the appropriate level of seniority).

Whether a reporting entity clearly considered the likelihood of any circumstances that may prevent it from complying with the relevant AML legislative obligations.

A reporting entity will have to consider, before putting its AML/CTF program in place, whether that program is affected by other legislation (for example, the Privacy Act 1988 (Cth) or, for those entities with overseas operations, overseas banking secrecy legislation). 

Whether a reporting entity rectified, in a timely and full manner, any identified AML matters (whether identified by the reporting entity or indicated to the reporting entity by AUSTRAC), that may affect the reporting entity's compliance.

AUSTRAC has indicated that it will attempt to resolve issues relating to non-compliance and system weaknesses in a cooperative manner through negotiation and guidance. Accordingly, reporting entities that cannot comply with their obligations for any reason are encouraged to include in their programs a resolution procedure that involves some dialogue with AUSTRAC.

Whether a reporting entity is monitoring its exposure to risk on a continual basis.

The Guidance Note issued by AUSTRAC on Risk Management and AML/CTF Programs provides some guidance on how a reporting entity can monitor its risk management procedures and controls on an ongoing basis.

Whether a reporting entity's position or ability to comply with relevant civil penalty order provisions is different when compared with industry sector peers.

In this context, reporting entities might find it useful to consult with their industry associations as to what industry guidelines or assistance is available.

Whether a reporting entity has taken into account relevant publicly available materials, including those issued by AUSTRAC regarding the AML risks that the entity faces.

AUSTRAC has already issued a number of publications on compliance with the Act, including a Guidance Note on Risk Management and AML/CTF Programs. They have indicated a Regulatory Guide will also be released. Other useful publications that deal with ML/TF risk in the financial sector include typologies and guidance published by the Joint Money Laundering Steering Group, the Financial Action Task Force and other regulators (eg FINCEN, the Monetary Authority of Singapore and the Hong Kong Monetary Authority).

The AUSTRAC CEO will also have regard to AUSTRAC's various policies, such as its Enforcement Policy, when considering whether reasonable steps have been taken by a reporting entity.

When dealing with any identified cases of serious or persistent non-compliance, AUSTRAC has indicated it will take into consideration factors such as the severity of the breach (including its effect on the overall integrity of the financial system), the reporting entity's compliance and enforcement history and the level of sophistication and complexity of the reporting entity's business.

Return to top

Alternative enforcement action

The Policy Principles do not restrict AUSTRAC from taking other enforcement action during the prosecution-free period, for example, requiring a reporting entity to:

  • carry out an ML/TF risk assessment and report its findings to AUSTRAC;
  • appoint external auditors to report on its risk management; and
  • provide information and documents to AUSTRAC and allow AUSTRAC access to premises to search for documents.

Additionally AUSTRAC can issue remedial directions to, and enter into enforceable undertakings with, reporting entities during the prosecution-free period.

Return to top

Other issues

The application of the Policy Principles raises a number of practical difficulties.

The obligation to carry out a customer identification procedure on pre-commencement customers comes into force on 12 December 2007. The Policy Principles may allow a reporting entity to delay bringing in its customer identification/verification program and putting in place its customer identifcation/verification systems until 12 March 2009. However, customers that become customers after 12 December 2007, but before those systems become operational, may not have been identified and verified to the standard required by the AML/CTF Rules.

If a reporting entity provides a designated service to those customers after 12 March 2009 without identifying them to the standard required by the AML/CTF Rules, it will be in breach of the Act. In these circumstances, the protection from enforcement action afforded by the Policy Principles will not apply. Therefore, in some cases it may be necessary to carry out a retrospective customer identification/verification on those customers.

Additionally, a reporting entity (the first reporting entity) can only rely on customer identification procedures carried out by another reporting entity (eg an Australian Financial Services Licence holder) (the second reporting entity) where it is satisfied that the second reporting entity is itself compliant with the AML/CTF Rules (and not relying on the prosecution-free period). If this is not the case, the first reporting entity will have to implement alternative arrangements for the identification of customers until such time as it is satisfied that the second reporting entity is carrying out customer identification/verification procedures in accordance with the AML/CTF Rules.

Finally, we expect that a number of contracts entered into between a reporting entity and third parties (including financing documents) in the normal course of its business may contain representations and warranties to the effect that the parties to the contract are not in breach of any legislation that applies to the reporting entity or its business. A reporting entity that is not in compliance with the Act within the required timeframe and that intends to rely on the prosecution-free period will, in effect, be in breach of such warranties and representations. Therefore, reporting entities should consider the implications that any such non-compliance may have for any third party contracts.

For more information on how the civil penalty regime may be applied and AUSTRAC's enforcement powers, see AAR's Focus: Anti-money Laundering – December 2006 and Focus: Anti-money Laundering – August 2006. 

Return to top

For further information, please contact:

Return to top

Tweet or bookmark with
Tweet this article

What are these?

 

Recent Banking & Finance publications