Focus: Anti-money Laundering August 2006
The US FATF evaluation report implications for Australian financial institutions
In brief:
Australian financial institutions won't necessarily comply with proposed anti-money laundering and counter terrorist financing laws if they simply adopt the compliance regimes of their US parent entities. A recent Financial Action Task Force evaluation of the US AML/CTF regime highlights the issues. Partners Anna Lenahan
- Introduction
- The US framework
- The US compliance rating
- Implications for Australian financial institutions
- Designated business groups
- Conclusion
Introduction
The recent Mutual Evaluation report (the US Report) of the US anti-money laundering and counter terrorist financing (AML/CTF) regime by the Financial Action Task Force (FATF) has concluded the US AML/CTF regime is only partially compliant with some of the FATF Forty Recommendations and Special Recommendations on Terrorist Financing, in particular those Recommendations which deal with customer due diligence and suspicious transaction reporting.
It has been the accepted view that the US AML/CTF measures provide examples of AML/CTF best practice. Those Australian financial institutions who have US parent companies might be forgiven for thinking that compliance with US AML/CTF measures will be sufficient to meet the requirements of the new AML/CTF regime in Australia.
However, an analysis of the US Report highlights some areas where compliance by Australian reporting entities with the AML/CTF programs of their US parents will not be sufficient for compliance with the requirements of the Federal Government's Anti-Money Laundering and Counter-Terrorism Financing Bill 2006 (the AML/CTF Bill).
A detailed discussion of the AML/CTF Bill can be found at AAR's Focus: Anti-money laundering July 2006 and Focus: Anti-money laundering August 2006.
The US framework
The cornerstone of the US AML/CTF legal framework is the Bank Secrecy Act (the BSA), as amended by the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act 2001 (the PATRIOT Act). The BSA is implemented by a series of implementing regulations/rules which also provide interpretative guidance.
The US Report notes that the US authorities have mostly applied a risk-based approach in determining the scope of which sectors should be subject to AML/CTF obligations and how these obligations should be applied. In effect, the US authorities have assessed the various sectors of the financial services industry and applied the AML/CTF regime to those sectors which, after consideration, they assess as vulnerable to money laundering and terrorist financing (ML/TF).
The US Report states that the vast majority of depositary institutions are subject to the full range of BSA/AML requirements, which include requirements to implement an AML/CTF program, a Customer Identification Program (CIP) and record keeping and reporting of suspicious activities. In the securities sector, brokers and futures commission merchants are subject to similar requirements but investment advisers[1] and commodity trading advisers[2] are not currently required to implement these measures (although draft rules are under consideration). There is also no specific requirement for insurance companies to carry out customer identification verification.
When it comes to the implementation of the AML/CTF measures, the US regime permits financial institutions to apply a risk-based approach to the application of the AML/CTF obligations. It is (as it will be in Australia when the AML/CTF Bill comes into force) very much up to financial institutions to assess their ML/TF vulnerability and tailor their systems and programs to mitigate their ML/TF risk.
The US compliance rating
The FATF evaluation reflects the AML/CTF measures in place in the US as at May 2006. When assessed against the Forty Recommendations, the US scored a rating of 11 fully compliant, 22 largely compliant, two partially compliant and four non-compliant[3]. When assessed against the Special Recommendations, the rating was three compliant and six largely compliant.
Significantly, the US was assessed as being only partially compliant with Recommendation Five which deals with customer due diligence. A summary of the factors underlying the rating indicates that the reasons for this include the following inadequacies in the US AML/CTF regime:
- no obligation in law to identify beneficial owners except in very specific circumstances (correspondent banking and private clients);
- no explicit obligation to conduct ongoing customer due diligence, except in certain defined circumstances;
- customer identification for occasional transactions is limited to cash deals only;
- no requirement for those life insurers who issue covered life insurance products to verify and establish the true identity of the customer;
- no measures applicable to investment advisers and commodity trading advisers;
- verification of identity post-establishment of the business is not limited to circumstances where this is essential not to interrupt the normal course of business; and
- no explicit obligation to terminate the business relationship if the verification process cannot be completed[4].
Implications for Australian financial institutions
An analysis of the US Report raises a number of issues for the Australian financial sector. Those financial institutions that consider they will comply with the new Australian AML/CTF regime by adopting their US parents' CIP and AML/CTF programs may have to re-assess that position. There are a number of areas where compliance by a reporting entity with the AML/CTF program of its US parent company may not meet the obligations contained in the AML/CTF Bill. These include obligations relating to:
- beneficial ownership;
- ongoing customer due diligence;
- timing of customer identification procedures and termination of business;
- thresholds;
- suspicious transaction reporting; and
- correspondent banking.
Beneficial ownership
The US Report found, in general, that the US CIP rules do not require financial institutions to look through their customers' details to establish the identity of beneficial owners in all cases.
The US Report comments that, although a financial institution is required to look through a non-individual customer to the individual with authority or control over the account when the financial institution cannot verify the customer using standard verification methods, the only explicit statutory requirements to identify a beneficial owner before or during the course of establishing a business relationship are contained in sections 311 and 312 of the PATRIOT Act.
These sections only apply to accounts opened by residents of countries designated to be of money laundering concern, certain private banking accounts opened for non-US citizens and correspondent accounts provided to certain non-US banks and other institutions.
In contrast, the Draft Customer Identification Program Rules issued with the AML/CTF Bill specifically require reporting entities to collect (and if required on a risk basis, verify):
- the name and address of each beneficial owner of most proprietary or private companies and, on a risk basis, certain other companies;
- details of trustees, beneficiaries or class of beneficiaries; and
- know your customer (KYC) information about the ownership and control of foreign government entities (on a risk basis).
Ongoing customer due diligence
The AML/CTF Bill imposes a specific obligation on reporting entities to carry out ongoing customer due diligence by monitoring the provision of designated services with a view to identifying, managing and mitigating their ML/TF risk. How this is to be done is set out in the Ongoing Customer Due Diligence Rules which require:
- risk-based systems and controls to determine whether further KYC information should be obtained for ongoing due diligence;
- an enhanced due diligence program; and
- a transaction monitoring program.
There is no corresponding obligation in the US. The US Report noted there is no explicit legal requirement to undertake ongoing due diligence in all cases. The only specific requirement to carry out ongoing customer due diligence applies to correspondent banking and private banking.
Although the US authorities argue that the suspicious activity reporting obligations necessarily require institutions to have policies and procedures in place to apply ongoing due diligence[5], this does not strictly comply with the FATF standard (which requires the obligation on ongoing monitoring to be contained explicitly in law or regulation).
Timing of verification
The AML/CTF Bill provides that in 'special circumstances' a customer identification procedure can take place after the commencement of the provision of the designated service. What are 'special circumstances' will be the subject of industry consultation (for example, the superannuation industry has suggested that identification can be done at the time of pay out).
FATF does allow some exemptions from the requirement to verify at the time the business relationship is established (such as where it is essential not to interrupt the normal course of business).
The US regime, however, goes further than this. According to the US Report, there is no statutory obligation in the US regime to complete the verification process before or during the establishment of the relationship[6].
Instead, financial institutions are required to verify customer identification 'within a reasonable time after the account is opened'. The US Report notes that in practice the financial industry interprets reasonable time to mean up to 30 days.
This would not meet the timing requirements in the AML/CTF Bill.
Termination of business
The US Report also makes the point that there is no specific requirement in the US CIP rules for a financial institution to close the account of a customer whose identity cannot be verified. Instead, this is left to the discretion of the institution[7].
There is no specific obligation in the AML/CTF Bill to close a customer's account but there is a specific prohibition against continuing to provide any designated services until customer identification procedures are completed. Compliance with the US regime may therefore not meet the Australian requirements.
Thresholds
The US regime applies thresholds to some AML/CTF obligations. For example, financial institutions are required to keep records and identifying information pertaining to the sale of bank drafts, bank and cashier's cheques, money orders and travellers' cheques but only where they are in an amount in excess of US$3000[8].
In contrast, the AML/CTF Bill provides that a reporting entity which issues a bank or traveller's cheque in any amount to a customer (who need not be an account holder) is providing a designated service. Accordingly, the reporting entity will require an applicable customer identification procedure on the customer to be completed before it can proceed with the designated service. Similarly, issuing or selling a money order where the value is in excess of A$1000 would also trigger the obligation for a customer identification procedure.
Additionally, whereas the AML/CTF Bill applies the obligation to include originator information to all international financial transfer instructions, the comparable US obligation only applies where the value of the transfer exceeds US$3000[9].
Suspicious matter reporting
This provides another example of a situation where compliance with an AML/CTF program based on US AML/CTF measures will not necessarily meet Australian AML/CTF requirements. This is because the US has implemented a US$5000 (US$2000 for money service businesses) threshold for mandatory reporting.
In contrast, the AML/CTF Bill requires reporting of all suspicious matters regardless of how small the amount involved in the transaction (or even before there is a transaction). As a practical matter, Australian reporting entities that share a transaction monitoring program with their US affiliates will have to ensure that the program is suitably amended to pick up all suspect transactions regardless of value.
Significantly, the US Report suggests that not only is the US position in conflict with the FATF standard, which requires reporting of all suspicious transactions, but it also particularly impacts on the effectiveness of reporting relating to terrorist financing-related transactions, where tracking relatively low value transactions is important.
Correspondent banking
Another area where the US AML/CTF measures do not come up to the proposed Australian standard is correspondent banking. Although the rule[10] on correspondent accounts requires senior managers to approve the overall due diligence measures to be applied to correspondent accounts, there is no explicit requirement (as is required by FATF) that correspondent accounts should only be opened with senior management approval. This is a specific requirement in the AML/CTF Bill.
Designated business groups
The AML/CTF Bill introduces the concept of a designated business group (DBG). A DBG is defined as a group of two or more companies, where each company in the group is related to each other in the group (within the meaning of the Corporations Act 2001) or a group of a kind specified in the AML/CTF Rules. Members of a DBG can share certain customer information, a joint AML/CTF program and suspicious matter information.
The DBG definition does not preclude overseas entities from being members of a DBG but the Federal Government has indicated (in discussions with industry representatives) that only reporting entities can be members of a DBG.
In effect, this may preclude US parent companies and affiliates from being members of the same DBG as their associated Australian reporting entity and the advantages of membership, such as a joint AML/CTF program or the relaxation of the tipping-off prohibition, may not extend to those US parent companies or affiliates.
The treatment of DBGs in the AML/CTF Bill is a matter of concern and is the subject of a number of submissions made recently on the AML/CTF Bill.
Conclusion
The issues outlined above provide some examples of areas in which Australian reporting entities need to carefully review, and possibly tailor, the AML/CTF programs of their US parent companies to meet the proposed Australian requirements.
The same general approach applies to Australian reporting entities whose parent entities are based in other jurisdictions. Senator Ellison has indicated an intention to submit the AML/CTF Bill to Parliament in October. By that time, therefore, the details of the proposed Australian AML/CTF requirements should be largely settled. This will provide a firm base from which to do a comparative analysis of the Australian requirements against those of your parent entity's home jurisdiction.
Footnotes
1. Defined in the rules as anyone who, for compensation, engages in the business of advising others as to the value of securities or as to the advisability of investing in, purchasing or selling securities, or who issues reports concerning securities. Significantly, they may also engage in managing clients' assets with varying degrees of discretion.
2. Some of whom, because they handle assets on behalf of clients, would fall within the FATF definition of a financial institution.
3. The non-compliant scores relate in the main to the fact that designated non-financial businesses and professions are not covered by the US AML/CTF regime.
4. Additionally, the effectiveness of the measures in the insurance sector (these came into force in May 2006) could not be assessed.
5. There is general guidance on the issue in the Bank Secrecy Act/Money Laundering Examinations Manual (the FFIEC Manual) published by the Federal Financial Institutions Examination Council (the FFIEC).
6. Although this is covered to an extent by the rules that require that a CIP must include risk based procedures for responding to circumstances where it cannot form a reasonable belief that it knows its customer.
7. Although the rules suggest that the risk based procedures to be included in a CIP for responding to circumstances where a bank cannot form a reasonable belief that it knows its customer should include: (1) when the bank should not open the account; (2) the terms under which the customer may use the account while the bank attempts to verify the customer's identity; (3) when the bank should close an account, after attempts to verify have failed; and (4) when the bank should file a SAR.
8. FATF comments that there are no requirements in US legislation in relation to occasional non-cash transactions of any size undertaken by persons who do not have an ongoing business relationship.
9. FATF has criticised the US regime in this respect pointing out that the threshold of US $3000 exceeds the threshold of US $1000 required by the revised Interpretative Note to SR VII.
10. 31 CFR 103.76.
For further information, please contact:
- Peter Jones, Partner, Sydney, Ph: +61 2 9230 4987, Peter.Jones@aar.com.au
- Anna Lenahan, Partner, Sydney, Ph: +61 2 9230 4132, Anna.Lenahan@aar.com.au
- Judy Maguire, Senior Associate, Sydney, Ph: +61 2 9230 4835, Judy.Maguire@aar.com.au
- Stephen Spargo, Partner, Melbourne, Ph: +61 3 9613 8861, Stephen.Spargo@aar.com.au
- John Beckinsale, Partner, Brisbane, Ph: +61 7 3334 3520, John.Beckinsale@aar.com.au