Transaction Monitoring challenges

“NAB’s investment in its financial crimes operations is yielding hundreds and thousands of alerts a year, but the bank is still grappling with how much of the data it is generating is useful for its staff and regulators.” Transaction monitoring in complex businesses such as banks is a serious challenge. It is even more so for smaller businesses that don’t have the human and financial resources to invest in technology.

There are reasonable questions to be asked, considering the enormous investments being made. As the lead intelligence agency in this field, shouldn’t AUSTRAC be providing market leading intelligence to reporting entities for transaction monitoring? The last Typologies & Case Studies Report is from 2014. Can industry rely on this?

If you’re not in the Fintel Alliance how do you build meaningful and current algorithmic rules for transaction monitoring? And what if you don’t have an IT system to perform transaction monitoring? The answer seems to be – have a go and hope for the best – but the regulator will whack you if you’re wrong.

The remittance sector has been deemed by AUSTRAC as a high risk sector; however, most remitters have English as a second language and do not have strong computer skills. Their business practices are simple and they do not have a good understanding of what constitutes transaction monitoring, let alone how to physically do something on MS Excel. Mention velocity and jurisdiction rules and you will see confusion wash over them. This is the reality. If an organisation the size and sophistication of PayPal can get transaction monitoring wrong, what hope do the smaller remitters have?

AUSTRAC is over 30 years old now, so should have extensive transaction monitoring skills which should be used to educate industry. Perhaps it’s time for a forum where AUSTRAC demonstrate transaction monitoring for small & medium enterprises. AUSTRAC needs to evolve to the next level and provide intelligence driven assistance to improve transaction monitoring by the regulated population.

Read the AFR article here.

AML Solutions Australia on 60 Minutes

“Suspicion” is such a low threshold to reach, yet we find that AML Compliance Officers and their operations staff often try to play detective to solve the case. It’s important to understand that the decision to submit a Suspicious Matter Report to AUSTRAC is based only on the information to which you have reasonable access. One of those sources should be some fairly simple internet searches to determine if your organisation is doing business with a convicted felon. Then it’s up to senior management to ensure smart decisions are taken with regard to continuing to do business with those individuals.

Regardless of your decision to submit, or not submit, an SMR, be sure that you document the reasons behind that decision.

As an AML Compliance Officer you will continually be battling with the conflict of revenue raising versus compliance. Your strength and integrity will be tested. Will your decisions result in a 60 Minutes exposé like this one with Crown Casino?

This 60 Minutes interview with CEO Todd Harland highlights the fundamentals of an AML regime and how, when it isn’t effectively managed, the ability of organised crime to operate flourishes.

Click here for the 60 Minutes interview.

4 tips for “working with the regulator”.

Afterpay has become the latest big name to declare that they are “in dialogue” with the regulator, AUSTRAC. Other major players to use similar wording in their Annual Reports or other formal communications include National Australia Bank, Bank of Queensland and of course the Commonwealth Bank of Australia.

At the recent Australian Regulatory Summit, AUSTRAC Deputy CEO Regulatory Strategy, Peter Soros, was clear with his message: “You will see enforcement action from AUSTRAC in the year ahead.”

So, what do you do if you find yourself in the sights of the regulator who has now tasted blood?

1. Know your ‘current state’

Australia is over 12 years into this regulatory environment and organisations of all shapes and sizes should have a well developed AML/CTF Program which is implemented effectively throughout. Make no mistake, that is the expectation.

The purpose of a regular independent review is to help you understand the strengths and weaknesses of your systems so that improvements can be made. So, after 12 years there should be a reasonable expectation that your organisation has had maybe 5 or 6 independent reviews by now.  Large and complex organisations should be doing an annual review. These reviews should help you understand the current state of the levels of compliance throughout the organisation.

If you have had fewer than 5 independent reviews or haven’t had a review in the past 2 years, then it will be difficult to answer questions from the regulator about your “current state” and will leave you at risk of regulatory non-compliance.

2. Have a well informed Board

AUSTRAC will expect that your Board is well informed on the current state of your AML/CTF regime.

The AML Compliance Officer should have a clear communication line to the Board and be able to demonstrate to the regulator the different topics that have been discussed. If the Board isn’t well informed about any shortcomings identified during independent reviews, or any self-identified problems then they can’t be expected to allocate budget to initiate remedial action.

Understandably this may be easier said than done, as it’s not uncommon for a Board to be primarily interested in the ‘good news’ stories rather than the compliance concerns. Nonetheless a good AMLCO should have the strength of character, and indeed the Board-provided freedom, to say what needs to be said.

Wilful blindness of the Board is not an acceptable excuse.

3. Have a clear plan

Mistakes happen – we all know and accept that. The important thing is what happens next as this is what AUSTRAC will be truly interested in. Peter Soros mentioned that many organisations had “looked under the hood and identified failings and shortcomings in their systems.” The smart ones have self-declared these to the regulator, along with a clearly articulated remediation plan.

The development of a clear remediation plan is particularly important where an organisation has identified a serious non-compliance. In recent years, AUSTRAC have examined the KYC implementation of organisations and have found many to be wanting. Customer databases are obviously the linchpin of any organisation and often very large in size – even a small to medium sized remittance company can have thousands of customers. If your KYC process hasn’t been properly implemented for the past 12 years then there could be a sizeable piece of remediation work to address.

AUSTRAC will expect to see that you have developed a Remedial Action Plan and taken positive action towards the successful completion, not just a plan for a plan.  Your plan should have a single point of responsibility (often the AMLCO), clear milestones nominated and a sufficient budget for the human and technology resources required. Make no mistake, remediation is expensive and the budget should be appropriate.

A common cliché to consider at this stage is – “while there is a cost for compliance, the cost for non-compliance is significantly more.”

4. Have a good attitude

Ok, so you’re neck high in the doggie doo-doo (not a technical term) and now you have to be nice about it. Why – you ask?  In my spare time I coach my son’s rugby union team and a key lesson for kids is to understand that the referee must be respected, because if you upset the referee he/she can make the rest of the game very difficult for you. It’s a good idea to remember that lesson when dealing with the regulator.

It would be a wise decision to go ‘cap in hand’ and seek forgiveness and assistance rather than take a combative stance. Again, we can look at the messages from AUSTRAC who have repeatedly stated that they are more interested in attacking the criminals rather than the reporting entities.

So, take an attitude of genuine commitment to remediating any and all non-compliance issues in a diligent and timely manner. If your remediation plan falls behind schedule, be prepared to provide a good story which shows any genuine issues which have impacted on the execution of the plan and how you have taken action to get back on track with the plan.

These tips will not guarantee that you will escape punishment, but they should put you in a good position to ensure a collaborative approach to non-compliance resolution with the regulator. Remember, you want the referee to be on your side so that you don’t lose the penalty count.

*Note: this does not constitute legal advice and you should seek professional legal advice if engaged with the regulator.

Afterpay interview with Ross Greenwood on 2GB

AUSTRAC today announced that Afterpay would be required to engage an external auditor to examine:

1. Governance and oversight of decisions related to its AML/CTF framework
2. Identification and verification of customers
3. Suspicious matter reporting obligations
4. AML/CTF program, including the development of its money laundering and terrorism financing risk assessment

That is a substantial list and AUSTRAC have reached into their armoury for a different weapon with their use of the external auditor provisions.

Ross Greenwood sought a follow-up interview to last week’s on his Money News program on 2GB/4BC. The link to the audio is below.

Click here for audio.

Tranche 2 hard for lawyers & real estate agents?

Amendments to the AML/CTF Act to include lawyers, accountants, real estate agents and motor vehicle dealers have occurred in New Zealand, and domestic and international pressure is mounting on the Australian Government to do the same. Industry bodies are now in agreement and prepared to “do their bit”.

The below news clip shows that Australia has a $9 billion drug problem, real estate is a favoured money laundering method, and the Australian Government is asleep at the wheel. Twelve (12) years after inception, the AML/CTF Act has remained silent on the professional facilitators, and money launderers are benefiting. The necessary amendments, expanding the application of the Act, are commonly known as Tranche 2, and are now somewhat of a punch-line to jokes for AML/CTF professionals. Australia will face the examiners from the Financial Action Task Force later this year and the report card will, once again, be damning if Tranche 2 is not enacted by then. As the old ad from the 90s used to say, “it won’t happen overnight but it will happen”.

Please share this article with those in your network who are real estate agents, car dealers, accountants and lawyers so they are informed and can make preparations. Thanks!

Click here for the news link.

Australian Regulatory Summit, 2019

For those who couldn’t attend, we thought to share with you some key messages from the AUSTRAC presentation at the Refinitiv Regulatory Summit.


1. There has been a 70% increase in SMRs submitted.
2. A new improved website will be released soon.
3. They are keen to provide more feedback to industry on criminal trends.
4. They have increased connectivity with law enforcement agencies.
5. They understand the need to keep pace with technology (AUSTRAC and industry alike).
6. They now have about 100 MOUs with foreign governments to share information.

1. Cash payments of $10k or more to become illegal (this has been flagged for some time now)
2. There is a strong need to develop a Trusted Digital Identity Framework.
3. There will be a streamlining of the AML/CTF Act (as a result of the 2016 legislative review).
4. AUSTRAC will have an increased focus on using their power to require independent audits.
5. AUSTRAC is aware that there has been an “under investment” in human and technology resources (13 years after enactment of the legislation).
6. There will be an increased focus on enforcement (balanced somewhat by their message that the key target is criminal actors).


Interestingly, when the audience were asked their opinion on the level of AML/CTF supervision, 56% indicated that AUSTRAC was not doing enough…


The dichotomy of the AML/CTF regime.

Banks and financial institutions exist for one thing – to make as much money as possible. That’s not a criticism, we live in a capitalist society and profits are a basic requirement of any business. Nonetheless, in order to maximise profits, they employ people with certain personality traits and create a culture built on the premise of building wealth. It is ingrained and institutionalised. Hollywood portray these alpha personalities in movies such as The Wolf of Wall Street, The Big Short and Margin Call. Sure, this is a grand stereotyping statement, but you get my drift. The intrinsic driver for many employed in financial institutions is to make money.

The other side of the AML/CTF regime are the law enforcement and intelligence agencies, who are supported through the actions of the national AML/CTF regulator/s. Now, law enforcement and intelligence agencies employ people with different personality traits and build a culture from a totally different mindset and purpose.  Speaking as someone formerly of LEA & Intelligence agencies, you don’t go into those careers with a view to amassing great wealth. The intrinsic drivers are more based in helping others and trying to make your community a better place.

Interestingly though, we ask banks & financial institutions to be the “front line” in defending a national economy from criminal actors. Governments are entrusting, no requiring, financial institutions to hold the keys to the front door and saying, keep the criminals out, even if it means you have reduced profits. This is at great odds to their raison d’être.

Having peeked behind the curtains of a number of financial institutions, big and small, I think the reality is the people and culture built over decades and centuries is so far removed from the AML/CFT regime there is little interest or commitment from people who see themselves as ‘money makers’ and not as ‘police officers’. We have seen this similar approach in the aviation security sector, where airlines introduced check-in kiosks and removed the need to show identification to check in on domestic flights to improve speed and profitability at the expense of not really knowing who is onboard an aircraft. Airlines said, we aren’t law enforcement agencies, and the fraudulent use of airline tickets is a policing matter not an airline matter.

So, if we therefore accept that financial institutions aren’t very well experienced, and possibly not greatly interested, in being the front line of defence, are we truly protecting the financial system? When you step into tier 2 and 3 financial institutions, the profit margins are thinner and yet the cost is still very high. Technology is best when you have economies of scale working for you, and when the volumes aren’t there, the cost per transaction increases. So in these cases the desire to spend profits is under greater pressure. We understand that the AML/CTF regime is ‘risk mitigation’ not ‘risk elimination’, so are these factors coming together and manifesting themselves in the form of poor compliance and then ultimately through penalties enforced by global regulators?

Most developed nations have a sophisticated AML/CTF regime which has been in place for over a decade; however, if you Google any major global bank and add “money laundering breach” in the search engine, you’ll find that most have received some form of penalty. Herein lies the problem. On one side of the coin is the need for increasing profits, on the other is the cost of risk mitigation through compliance. With this perpetual contradiction, we run the risk of “AML theatre”. That is, creating the illusion that an AML/CTF regime is in place to provide a level of confidence to the market and they appear to be making efforts, but the reality is far from effective.

I hasten to add that at an operational level, I have seen genuine efforts by staff working in AML units. They are keen to do their job to the best of their ability. However, as we know, the driver for business and the senior executive is profits and the cost of staff and technology impacts adversely on those precious profits. I am hopeful that this, more altruistic, attitude permeates through the culture of an organisation to provide a meaningful contribution, protecting the business and its reputation, and in turn protecting the national economy.

Culture plays a big role in the effectiveness of the systems implemented into an organisation. If the culture is negatively affected by a lack of support from senior executives who authorise expenditure for technology and people, the effectiveness of the regime is equally affected. People become frustrated and defeated by an organisation’s culture of apathy.

So, the dichotomy of the AML/CTF regime, as I see it, is that organisations which are not culturally aligned to law enforcement, nor skilled in the function, are having a law enforcement function forced upon them at great expense. Is this a sustainable approach or do we need to invest more in organisational culture? Are we, as a society, satisfied with “AML theatre”?

This may be a cynical point of view, so I’m very interested to learn if anyone has an alternative opinion, based on their experience. If, however, this is a widely shared opinion, do we need to reassess the manner in which ML/TF risks are assessed, managed and mitigated?

Shifting FCC perceptions

The concept of a culture of compliance is somewhat cringe-worthy and not exactly an inspiring goal to aim for. It conjures up images of lines of androgynous human drones trudging through an office doing what they are told by Big Brother screaming through the TV screens. However, learning from other industries allows us to evolve our thinking and with this in mind I want to share something that I learned during my time working in the counter terrorism protective security environment. Perhaps it is a concept which can be introduced into AML & Financial Crime Compliance offices.

The security guarding operations of a major critical infrastructure facility was suffering from a poor reputation within the broader organisation, the operators of other businesses at the facility didn’t perceive them in a good light, and the morale of the staff was pretty ordinary.

A wise man who was in charge of the security operations set about a cultural change. It was a small change but the effect was hugely positive. Instead of positioning the staff as ‘Security Guards’, which had negative connotations (sometimes due to the behaviour of guards in other sectors), he added a few minor functions to their duties and re-badged them as Protection Officers. He re-positioned them as a proactive group whose first function was to protect the people and facility, rather than the reactive mob that you called when something went wrong. They proactively attended the business clients and became known for their positive service. This resulted in a more positive culture in the team, reduced sick leave, created a positive perception of the team within the business and provided better security outcomes for the facility.

Financial Crime Compliance teams are often viewed by the business in a negative light, simply as a cost to business. They are not revenue producing business units and are begrudgingly funded with many being under resourced and over-worked. However, the reality is that protecting the business from financial crimes and ML/TF is the first function of AML & FCC officers.  Compliance with the law and procedures is how it is achieved, but first and foremost protecting the company from attack helps to keep the business in business! Perhaps we can learn from the protective security industry and reposition the culture and perceptions of the FCC team – not as Financial Crime Compliance, but as a Financial Crime Protection Unit. Allow them to also have a more proactive role, visiting other business units to help build the understanding of the risks, the mitigation strategies, and, importantly, WHY they are in place (tell some “war stories”).

Perhaps this type of shift can create a positive culture for organisations to embrace, rather than simply viewing it as a cost centre. Who knows, it may just be worth a try…

5 Top Tips for your AML/CTF Program.

Over the years we’ve seen some good AML/CTF Programs but, sadly, most have been substandard. That’s somewhat understandable considering the competing priorities of many compliance managers and the lack of experience in this environment that most have. There are many complexities involved and everyone has their own opinions, but we’ve distilled things down to our top 5 tips, based on my experience, for your consideration. No doubt you could add a couple more…


Understand AML and CTF risk and consider them separately through their own specific lens. Too many people believe that because they understand business risks generally, and maybe fraud risks, that they understand AML/CTF risks. All too often, this has proven wrong or insufficient. Organise a group, don’t do this by yourself, and take the time to think like a criminal and then think like a terrorist. You know the vulnerabilities in your organisation, of course you do! Now, how would a criminal take advantage of them?


Make the program meaningful and relevant to the actual operations of the business. Too often we see templates used with little or no modification to show that they are relevant to the actual business. Some small businesses have Programs so huge they would suit a multi-national company – ridiculous. The best Programs are often written by operational staff who do the work – not lawyers who know the law. You’re going to the effort of writing the thing, might as well make it worthwhile.


Explain what you mean, and don’t be vague. You think you might be clever by apparently allowing yourself some ‘wriggle room’ when the Regulator comes for a visit, but what it really does is create confusion. Part of this is about maintaining corporate knowledge, so if you leave or go on vacation or train someone to assist your role, they have a clear understanding of what must occur. We have performed reviews where the compliance manager looks at a paragraph and says “Hmmmm what was I trying to say there?” Vague language leaves things open to interpretation and therefore gaps. Gaps lead to breaches. Not so clever now, huh…


Understand there is a difference and that the legislation bundles these words together, so it’s easy to read over the top of the actual requirements. Policies are the “what and why we do” components, while Procedures are the “how we do” components. Policies set the organisational expectations while procedures inform people of the steps required to complete the function. If you have procedures already created in other business units (e.g. staff vetting and training) simply reference that document rather than duplicating effort.


This is where the benefit of internal and external review processes becomes valuable. Make sure you do an internal review and give the person “permission” to constructively criticise. Before submitting the Program to the CEO or Board for approval, have a peer review process in place. If someone else cannot accurately interpret the document, it’s a good sign that it needs some amending. An external review, not one by the regulator, should be performed in the spirit of continuous improvement, not judgement and blame allocation. This will best prepare you for the regulator’s visit.

We hope you found some use in these tips. Of course, the devil is in the detail!!

Comments sought by ABC News

The recent enforcement action against Australia’s largest bank was a watershed moment in Australia’s AML/CTF regime. Our CEO was asked for comment by ABC News (see below link). The $700 million enforcement action eclipses the previous record of $45 million against Tabcorp and signals a new era for AUSTRAC as an enforcer with real muscle that it is now prepared to use. While the $700 million only represents less than a month’s profit for CBA, they won’t like paying out and the reputational damage cannot be quantified.

So that’s one major bank… who is next?