This is the second part of a blog series about the ways to ensure compliance with AML/CTF requirements. Read the first blog here.
Our AML/CTF review recommendations include:
1. Management oversight and compliance with the AML/CTF regime:
As well as nominating a designated AML/CTF compliance officer, companies must demonstrate that there is systematic management oversight of their AML/CTF obligations. For example, when AUSTRAC conducts periodic audits of a company's AML/CTF compliance, it always checks whether the organisation has a written AML/CTF program in place which complies with the Act and the Rules and has been specifically adopted by the company's board or management committee. The adoption of the AML/CTF program should ideally be recorded in the minutes of the company's compliance committee or of a meeting of the board.
2. Assessment of customer risk:
The Rules provide that an AML/CTF program must include risk-based systems and controls to enable reporting entities to be reasonably satisfied that a customer is who they claim to be. This means that, as part of its Know Your Customer (KYC) procedures, each company should (as best practice) determine the risk level of each client and record that assessment on the client's account.
The level of risk allocated to a client then determines what client identification information needs to be collected and verified. Companies should consider where they record the risk assessment determination for each client.
Companies should avoid assuming that all customers represent either a low or medium risk of ML/TF activity. A comprehensive risk assessment process should include considerations of the customer type and the jurisdiction in which the customer is based, as well as whether an individual customer or a beneficial owner [1] of the customer is a Politically Exposed Person (PEP) [2].
From 1 June 2014, amendments to the Rules have expanded the risk assessment process, so that it should include consideration of the following factors:
- the clients' source of wealth and funds;
- the nature and purpose of the company's business relationship with each customer type; and
- the control structure of non-individual clients (including beneficial owners).
Companies also need to create and implement a process for ensuring that a client's risk assessment result is re-evaluated if there are changes to the client's details (in relation to its control structure or beneficial ownership details, or changes in the nature of the company's relationship with its client). The process should also set out how such changes are identified (i.e. periodic re-screening).
3. Ongoing customer due diligence:
Following from the initial KYC procedures, companies are required to monitor all of their clients and their transactions on an ongoing basis.
The three (3) mandatory requirements of ongoing customer due diligence are:
- implementing trigger points for collecting additional KYC information (not just for high risk clients);
- implementing a transaction monitoring program, in relation to suspicious transactions; and
- implementing an enhanced customer due diligence program.
Companies should create their own unique 'trigger points' which, when reached, ensure that the company undertakes additional compliance checks and other monitoring actions to manage the ML/TF risk. For some companies, a trigger point is a monetary limit, whilst for others, it could be a request that funds are transferred to a third party beneficiary in another jurisdiction.
[1] Beneficial owner means an individual who ultimately owns or controls an entity. Owns means ownership of 25% or more of an entity. Control means control by means of an arrangement or agreement which results in the person exercising control of an entity through the capacity to determine decisions about financial and operating policies.
[2] PEP or politically exposed person means an individual entrusted with a prominent public function (for example, Heads of State, government, senior politicians or senior executives of state owned companies, but not usually a middle rank or junior official), and includes:
- a person who is an immediate family member of that person, including spouse, de facto partner, child, child's spouse or partner or parent; and
- a close associate of that person.
Close associate means a person who has joint beneficial ownership of a legal entity (or legal arrangement) with that person, or sole beneficial ownership of an entity (or legal arrangement) that exists for the benefit of that person.
Domestic PEP means a politically exposed person of an Australian government body.
Foreign PEP means a politically exposed person of a government body of a foreign country.
International organisation PEP means a politically exposed person of an international organisation.
International organisation means an organisation established by formal political agreement by two or more countries with the status of an international treaty, and recognised in the laws of the countries which are members of the organisation.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.