News | September 3, 2010
Enforcing responsibility
 
Australia is one of the first countries to implement risk-based anti-money laundering and counter-terrorism laws from scratch. Shaun Drummond asks how they are faring in practice



AUSTRAC is now likely to be getting its first real inkling of how well-prepared Australian companies are to detect ill-gotten gains being washed through their organisations. If it received the number it was expecting by the 31 March deadline for compliance reports, AUSTRAC will soon be sifting through between 17,000 and 19,000 reports. The uncertainty in the figures is one indicator that it is still early days in this mammoth effort for service providers and the regulator.

For many financial services companies, it has been the biggest compliance effort of the past couple of years and may continue to be for some time. But it could have been worse. Australia is one of the first jurisdictions to implement risk-based anti-money laundering and counter-terrorism financing (AML/CTF) legislation from the outset, as recommended by the Financial Action Task Force.

Most industries argued for this as it makes good sense in theory – ensuring those with the least risk have to do the least to comply. It’s early days yet, but in practice the risk-based legislation has introduced something of a contradiction – a kind of enforced self-regulation, which will eventually be backed by tough penalties for non-compliance. This has left the less prepared to discover that they are facing potentially damaging penalties, but less certainty about how to avert these than would have been the case if industries were just told what they had to do.

Alison Deitz, a banking and finance partner at Deacons specialising in the AML/CTF regime, says many organisations hadn’t realised they could be targeted by AUSTRAC until they started getting letters in the mail in the last couple of months from the regulator. “[The risk-based approach] was what industry wanted, but now they’ve got it, the problems have arisen particularly in industries where the risks were not well-understood,” she says.

“It’s leaving it up to the individual organisation to determine what its risk is, and then to apply these principles according to that risk. That is a relatively new concept. People like prescription. Lawyers like prescription. Lawyers like black-letter: you can tick a box – ‘you have definitely complied if you do steps one, two, and three’,” explains Deitz. As such, she says it is “cutting edge” legislation for lawyers, industry and the regulator.

“There are some safe harbour provisions for identification purposes for individuals that do provide some means of prescription. But it is essentially left to the organisation, within the overall framework, to determine what its risk is and then to determine what the requirements are, based on that risk. There’s a lot of decision-making that has to occur from an organisation.”

The safe harbour provisions set a fairly high standard, according to Jodie Sangster, chief privacy and compliance officer at Acxiom, a vendor of customer relationship management tools. “The ‘safe harbour’ standard requires verification of the prospective customer’s name and address against two independent, reliable data sources,” she says. “Additionally, the organisation must confirm its customer’s date of birth, or confirm that the customer has a three-year transaction history with another organisation.”

There is a lot of flexibility built into the legislation, with 15-month moratoriums on civil action for each phase of the commencing provisions, which are spread over a two-year period until December this year. Although aimed at providing some breathing space, this has created its own uncertainty, with some, for instance, worried they will have to go back to customers they have already signed up in that period once they have systems in place to do so. AUSTRAC is reluctant to give too much leeway in case the moratorium is just treated as a de facto extension of the law’s commencement.

Some say it also means there is the potential for a lot of variation in compliance, with some compliant entities still having to take information from clients that have collected information that isn’t detailed enough.

In the first tranche of the legislation, there are several industries that are well aware of their obligations and those are generally the ones that have the wherewithal to deal with it – the banking sector being the obvious one, and the one likely to be investing the most.

But the uncertainty is exacerbated by the fact that the legislation targets “designated services” rather than industries, and doesn’t require organisations to be licensed with AUSTRAC. So AUSTRAC ultimately doesn’t know itself exactly how many organisations should be submitting reports – hence the vagueness on the number of reporting entities.

However, given the breadth of industries the new legislation is covering – and there will be many more when the second tranche is introduced – many have pointed out that the law may be hard to swallow to begin with, but in the end it will be good medicine as it will help stifle the funding and avenues for investing the proceeds of illegal and potentially life-threatening activities.

Still, the novelty of the approach is leading some to treat it as a pure “compliance” exercise, says John Buttle, managing director at Protiviti, and demand guidance from the regulator on what they will be required to do to meet minimum standards. To some extent, this defeats the objective of the legislation for organisations to ascertain what their own risks are. However, the regulator is actively encouraging dialogue with organisations to help them understand their obligations.



Challenges

It may be the first step many of those captured have taken to even think about the risks to their business in a systematic way.

“The risk-based approach. We need to keep thinking about what the implications of that are,” Martin Codina, a senior policy adviser at the Investment and Financial Services Association, recently told an Informa conference on fraud in Sydney. He says the new approach is creating confusion because nobody knows exactly what it means to comply fully, and there will be varying levels based on different risks faced. As a result, he says the issue of “competitive neutrality” has come up a lot.

“There is a desire for regulatory certainty. We have to make the right call, but the regulator does not want to put out any list on what they think is high risk, and what is low risk.”

Julie Beesley, a specialist in AML at Deloitte, echoes this. Although the regulator has released “typologies” that give examples of activities that should be monitored, she says more guidance on what the regulator would consider high-risk activities would be a great help.

“The guidance from the regulator tells you what to do for low risk, it doesn’t say anything about high risk. For low risk, you need to do the minimum, for high risk you need to do a bit more. I’m yet to see guidance to say for low risk you should do this and high risk you should do that.”

However, the competitive neutrality issue – where a company may in theory be put at a disadvantage if it does too much compared to its competitors – has turned out to be a bit of a furphy, according to experience overseas. It would only be a factor if there was a significant difference in the sorts of questions that companies are asking their customers, she says.

“Organisations don’t want to do more than their peer group, but they want to do enough. The idea is that if you ask more than the competition down the road, the customer will go next door. There’s no evidence that’s actually happened. Just because you’ve asked two more questions, doesn’t mean they’re going to go next door.”

As mentioned, the exact boundaries of the legislation are hard to determine. Steve Ingram, a specialist in AML at PricewaterhouseCoopers, says one client of his in agribusiness was surprised to find they had parts of their company that they will need to report on. “AUSTRAC suspects that there are probably more organisations that they are not aware of yet,” he says.

Banks have large departments devoted to assessing risks to their activities, and have been subject to the similar requirements of the Financial Transactions Reporting Act for several years and 100-point identity checks since 1990.

Still, even for them, initial investments are getting up to the $100 million mark each, largely in revising their IT systems to capture the right data, additional staff and educating those staff.

But it won’t be as simple as taking ID details once and then relying on customers to update their records. From December this year, all entities must report on their “ongoing due diligence”, meaning they have to keep a closer eye on the activities of their customers to ensure that what starts out as legitimate transactions doesn’t then turn into something more suspicious.

For example, the former head of compliance at the local office of the Royal Bank of Scotland, David Eardley, says his former employer is still trying to determine how to treat one valuable customer who recently started to transfer large amounts around the globe in a manner out of character with their usual transactions.

Ingram says the best fraud detection devices are frontline people. “If it doesn’t pass the ‘smell’ test, then they’ll know,” he says. But for organisations that don’t deal directly with customers, carrying out the core requirement of the laws – “knowing your customer”, or KYC – poses greater challenges. For some, they may be able to depend on organisations they deal with that do talk directly with customers to check ID and report on the ultimate source of funds, but it appears this remains uncertain.

Codina at IFSA, for instance, said there was still some confusion over whether everybody in the chain to the final product that an entity invests in will need to be checking ID and the source of funds of the same customer. “Rather than everybody going to the client, we think that it should be just knowing the one next to you in the chain [has made appropriate checks],” he says.

Sangster from Acxiom says some will only ever deal with customers online or over the phone. “There is currently no capability to electronically verify an individual’s identity against driver’s licence, passport or birth certificate information. Similarly, while electoral roll data has been made available for AML verification purposes, the date of birth information contained therein has not been released by the Electoral Commission, thus preventing a means of reaching ‘safe harbour’ verification,” she explains.

“Questions also surround the legitimacy of using credit reporting bureaus to assist with the process of identity verification, due to prior suggestions by the Australian Privacy Commissioner and the Australian Law Reform Commission (ALRC) that credit reporting data ‘not collected for that purpose’ be withheld.”



Privacy and AML

The privacy laws are themselves another complication for the small end of town. Where they are held to be offering a designated service, the AML legislation automatically extends the Privacy Act to small businesses for those services. To date, any business with a turnover below $3 million has been exempt from complying with the Privacy Act.

Julie Beesley at Deloitte says that, due to the complexity of applying the privacy rules to one service offered by a business and not others, those affected are mostly just choosing to comply in full with the Privacy Act.

Their coverage is coming at a time when the Privacy Act may be significantly toughened in the next few years as recommended by the ALRC in a mammoth review of the privacy regime it is due to complete in May.



Costs

We don’t actually know exactly how much money is laundered every year in Australia. There are two prominent estimates, one of which was quoted by the Attorney-General’s Department at around $11 billion every year. That was based on assessments made by the International Monetary Fund of 2–5 per cent of global GDP extrapolated to Australia.

A more recent estimate by the Australian Institute of Criminology based on its own research suggests it is less than half that at around $4.5 billion.

Few are willing to say how much the cost of complying with the new AML law has been to date, but a couple have publicly stated it is in the tens of millions, including AMP on $10 million, and ANZ Bank about $66 million over the next three years.

PwC conducted a survey last year in the UK, which has had both a prescriptive regime and a risk-based law introduced in 2004, on the costs of the risk-based approach compared to its predecessor. It could find no evidence of reductions in compliance costs. However, Ingram says this was mainly because many organisations hadn’t measured the costs to them. “So they know how much the transaction monitoring costs, but they don’t necessarily know how much the other costs are – the training costs, the compliance time, staffing,” Ingram says.

Then there are the penalties. There were some initial high-profile fines issued by the overseeing regulator in the UK – the Financial Services Authority (FSA) – following the introduction of the European Union’s so-called second directive on money laundering, which ushered in the risk-based approach there.

This included £375,000 ($812,000) for the Bank of Ireland for failing to introduce controls to detect “high-risk transactions” in the form of bank drafts that failed to identify the recipient.

Ingram says compliance with the new risk-based approach in the UK is progressing well now, but many have said this is only likely to occur here when similar examples are made of companies by AUSTRAC, which has maximum penalties of up to $11 million for a corporation at its disposal.

So what if the total costs of compliance outweigh the value of money laundered? Ingram at PwC says this is a wrong-headed way to go about making a cost-benefit analysis. “I know of banks that have significant reductions in fraud as a result of introducing two-factor authentication. They have business units saying we are now spending more on two-factor authentication than we are losing on fraud, should we keep doing this?”

As one policy officer at a financial association pointed out to Risk Management, the cost of compliance is very high but then there is little choice, and it is ultimately something that everyone is prepared to engage in because it is for the greater public good.

For any fraud or crime, strengthening vigilance in one area will just shift it somewhere else, says Ingram. So ultimately the AML/CTF laws had to cover as many as possible of the parts of the economy that could be used to launder funds, and organisations need to be required to regularly assess their risks to ensure funds are not able to just shift to an easy target. That also means our laws have to be at least as tough as those of other jurisdictions.

Ultimately, he says the “tension” the legislation has created in many organisations to find that sweet spot between doing too much, and not doing enough to comply is a “healthy” one, although he stressed the difficulty in making that decision meant it was important someone senior and experienced in the business is appointed to determine accurately how far they need to go in complying with the AML/CTF requirements. Finding those people is another story.



11 April 2008


Copyright © Reed Business Information. All material on this site is subject to copyright. All rights reserved. No part of this material may be reproduced, translated, transmitted, framed or stored in a retrieval system for public or private use without the written permission of the publisher.
