4 tips for “working with the regulator”.

AfterPay has become the latest big name to declare in that they are “in dialogue” with the regulator, AUSTRAC. Other major players to use similar wording in the Annual Reports or other formal communications include National Australia Bank, Bank of Queensland and of course the Commonwealth Bank of Australia.

At the recent Australian Regulatory Summit, AUSTRAC Deputy CEO Regulatory Strategy, Peter Soros was clear with his message “You will see enforcement action from AUSTRAC in the year ahead.”

So, what do you do if you find yourself in the sights of the regulator who has now tasted blood?

1. Know your ‘current state’

Australia is over 12 years into this regulatory environment and organisations of all shapes and sizes should have a well developed AML/CTF Program which is implemented effectively throughout. Make no mistake, that is the expectation.

The purpose of a regular independent review is to help you understand the strengths and weaknesses of your systems so that improvements can be made. So, after 12 years there should be a reasonable expectation that your organisation has had maybe 5 or 6 independent reviews by now.  Large and complex organisations should be doing an annual review. These reviews should help you understand the current state of the levels of compliance throughout the organisation.

If you have had less than 5 independent reviews or haven’t had a review in the past 2 years, then it will be difficult to answer questions from the regulator about your “current state” and will leave you at risk of regulatory non-compliance.

2. Have a well informed Board

AUSTRAC will expect that your Board is well informed on the current state of your AML/CTF regime.

The AML Compliance Officer should have a clear communication line to the Board and be able to demonstrate to the regulator the different topics that have been discussed. If the Board isn’t well informed about any shortcomings identified during independent reviews, or any self-identified problems then they can’t be expected to allocate budget to initiate remedial action.

Understandably this may be easier said than done, as it’s not uncommon for a Board to be primarily interested in the ‘good news’ stories rather than the compliance concerns. Nonetheless a good AMLCO should have the strength of character, and indeed the Board-provided freedom, to say what needs to be said.

Wilful blindness of the Board is not an acceptable excuse.

3. Have a clear plan

Mistakes happen – we all know and accept that. The important thing is what happens next as this is what AUSTRAC will be truly interested in. Peter Soros mentioned that many organisations had “looked under the hood and identified failings and shortcomings in their systems.” The smart ones have self-declared these to the regulator, along with a clearly articulated remediation plan.

The development of a clear remediation plan is particularly important where an organisation has identified a serious non-compliance. In recent years, AUSTRAC have examined the KYC implementation of organisations and have found many to be wanting. Customer databases are obviously the linchpin of any organisation and often very large in size – even a small to medium sized remittance company can have thousands of customers. If your KYC process hasn’t been properly implemented for the past 12 years then there could be a sizeable piece of remediation work to address.

AUSTRAC will expect to see that you have developed a Remedial Action Plan and taken positive action towards the successful completion, not just a plan for a plan.  Your plan should have a single point of responsibility (often the AMLCO), clear milestones nominated and a sufficient budget for the human and technology resources required. Make no mistake, remediation is expensive and the budget should be appropriate.

A common cliché to consider at this stage is – “while there is a cost for compliance, the cost for non-compliance is significantly more.”

4. Have a good attitude

Ok, so you’re neck high in the doggie doo-doo (not a technical term) and now you have to be nice about it. Why – you ask?  In my spare time I coach my son’s rugby union team and a key lesson for kids is to understand that the referee must be respected, because if you upset the referee he/she can make the rest of the game very difficult for you. It’s a good idea to remember that lesson when dealing with the regulator.

It would be a wise decision to go ‘cap in hand’ and seek forgiveness and assistance rather than take a combative stance. Again, we can look at the messages from AUSTRAC who have repeatedly stated that they are more interested in attacking the criminals rather than the reporting entities.

So, take an attitude of genuine commitment to remediating any and all non-compliance issues in a diligent and timely manner. If your remediation plan falls behind schedule, be prepared to provide a good story which shows any genuine issues which have impacted on the execution of the plan and how you have taken action to get back on track with the plan.

These tips will not guarantee that you will escape punishment, but they should put you in a good position to ensure a collaborative approach to non-compliance resolution with the regulator. Remember, you want the referee to be on your side so that you don’t lose the penalty count.

*Note: this does not constitute legal advice and you should seek professional legal advice if engaged with the regulator.

Tranche 2 hard for lawyers & real estate agents?

Amendments to the AML/CTF Act to include lawyers, accountants, real estate agents and motor vehicle dealers has occurred in New Zealand and domestic and international pressure is mounting on the Australian Government to do the same. Industry bodies are now in agreement and prepared to “do their bit”.

The below news clip shows that Australia has a $9 billion drug problem and real estate is a favoured money laundering method and the Australian Government is asleep at the wheel.  Twelve (12) years after inception, the AML/CTF Act has remained silent on the professional facilitators and money launderers are benefiting.  The necessary amendments, expanding the application of the Act, is commonly known as Tranche 2, and is now somewhat of a punch-line to jokes for AML/CTF professionals.  Australia will face the examiners from the Financial Action Task Force later this year and the report card will, once again, be damning if Tranche 2 is not enacted by then.  As the old ad from the 90s used to say “it won’t happen overnight but it will happen”.

Please share this article with those in your network who are real estate agents, car dealers, accountants and lawyers so they are informed and can make preparations. Thanks!

click here for the news link

Australian Regulatory Summit, 2019

For those who couldn’t attend, we thought to share with you some key messages from the AUSTRAC presentation at the Refinitiv Regulatory Summit.


1. There has been a 70% increase in SMRs submitted.
2. A new improved website will be released soon.
3. They are keen to provide more feedback to industry on criminal trends.
4. They have increased connectivity with law enforcement agencies.
5. They understand the need to keep pace with technology (AUSTRAC and industry alike).
6. They now have about 100 MOUs with foreign governments to share information.

1. Cash payments of $10k or more to become illegal (this has been flagged for some time now)
2. There is a strong need to develop a Trusted Digital Identity Framework.
3. There will be a streamlining of the AML/CTF Act (as a result of the 2016 legislative review).
4. AUSTRAC will have an increased focus on using their power to require independent audits.
5. AUSTRAC is aware that there has been an “under investment” in human and technology resources (13 years after enactment of the legislation).
6. There will be an increased focus on enforcement (balanced somewhat by their message that the key target is criminal actors).


Interestingly, when the audience were asked their opinion on the level of AML/CTF supervision, 56% indicated that AUSTRAC was not doing enough…


The dichotomy of the AML/CTF regime.

Banks and financial institutions exist for one thing – to make as much money as possible. That’s not a criticism, we live in a capitalist society and profits are a basic requirement of any business. Nonetheless, in order to maximise profits, they employ people with certain personality traits and create a culture built on the premise of building wealth. It is ingrained and institutionalised. Hollywood portray these alpha personalities in movies such as The Wolf of Wall Street, The Big Short and Margin Call. Sure, this is a grand stereotyping statement, but you get my drift. The intrinsic driver for many employed in financial institutions is to make money.

The other side of the AML/CTF regime are the law enforcement and intelligence agencies, who are supported through the actions of the national AML/CTF regulator/s. Now, law enforcement and intelligence agencies employ people with different personality traits and build a culture from a totally different mindset and purpose.  Speaking as someone formerly of LEA & Intelligence agencies, you don’t go into those careers with a view to amassing great wealth. The intrinsic drivers are more based in helping others and trying to make your community a better place.

Interestingly though, we ask that banks & financial institutions to be the “front line” in defending a national economy from criminal actors. Governments are entrusting, no requiring, financial institutions to hold the keys to the front door and saying, keep the criminals out, even if it means you have reduced profits. This is at great odds to their raison d’etre.

Having peaked behind the curtains of a number of financial institutions, big and small, I think the reality is the people and culture built over decades and centuries is so far removed from the AML/CFT regime there is little interest or commitment from people who see themselves as ‘money makers’ and not as ‘police officers’.  We have seen this similar approach in the aviation security sector, where airlines introduced check in kiosks and removed the need to show identification to check-in on domestic flights to improve speed and profitability at the expense of not really knowing who is onboard an aircraft. Airlines said, we aren’t law enforcement agencies, and the fraudulent use of airline tickets is a policing matter not an airline matter.

So, if we therefore accept that financial institutions aren’t very well experienced and possibly not greatly interested, in being the front line of defence, are we truly protecting the financial system? When you step into tier 2, and 3 financial institutions, the profit margins are thinner and yet the cost is still very high. Technology is best when you have economies of scale working for you, and when the volumes aren’t there, the cost per transaction increases. So in these cases the desire to spend profits is under greater pressure. We understand that the AML/CTF regime is ‘risk mitigation’ not ‘risk elimination’, so are these factors coming together and manifesting themselves in the form of poor compliance and then ultimately through penalties enforced by global regulators?

Most developed nations have a sophisticated AML/CTF regime which has been in place for over a decade, however, if you Google any major global bank and add “money laundering breach” in the search engine, you’ll find that most have received some form of penalty. Herein lies the problem. On one side of the coin is the need for increasing profits, on the other is the cost of risk mitigation through compliance. With this perpetual contradiction, we run the risk of “AML theatre”. That is, creating the illusion that an AML/CTF regime is in place to provide a level of confidence to the market and they appearto be making efforts, but the reality is far from effective.

I hasten to add that at an operational level, I have seen genuine efforts by staff working in AML units. They are keen to do their job to the best of their ability. However, as we know, the driver for business and the senior executive is profits and the cost of staff and technology impacts adversely on those precious profits. I am hopeful that this, more altruistic, attitude permeates through the culture of an organisation to provide a meaningful contribution, protecting the business and its reputation, and in turn protecting the national economy.

Culture plays a big role in the effectiveness of the systems implemented into an organisation. If the culture is negatively affected by a lack of support from senior executives who authorise expenditure for technology and people, the effectiveness of the regime is equally affected. People become frustrated and defeated by an organisations culture of apathy.

So, the dichotomy of the AML/CTF regime, as I see it, is that organisations are not culturally aligned to law enforcement, nor are they skilled in the function, are having a law enforcement function forced upon them at great expense. Is this a sustainable approach or do we need to invest more in organisational culture? Are we, as a society, satisfied with “AML theatre”?

This may be a cynical point of view, so I’m very interested to learn if anyone has an alternative opinion, based on their experience. If, however, this is a widely shared opinion, do we need to reassess the manner in which ML/TF risks are assessed, managed and mitigated?

Shifting FCC perceptions

The concept of a culture of compliance is somewhat cringe-worthy and not exactly an inspiring goal to aim for. It conjures up images of lines of androgynous human drones trudging through an office doing what they are told by Big Brother screaming through the TV screens. However, learning from other industries allows us to evolve our thinking and with this in mind I want to share something that I learned during my time working in the counter terrorism protective security environment. Perhaps it is a concept which can be introduced into AML & Financial Crime Compliance offices.

The security guarding operations of a major critical infrastructure facility was suffering from a poor reputation within the broader organisation, the operators of other businesses at the facility didn’t perceive them in a good light, and the morale of the staff was pretty ordinary.

A wise man who was in charge of the security operations set about a cultural change. It was a small change but the effect was hugely positive. Instead of positioning the staff as ‘Security Guards’ which had negative connotations (sometimes due to the behaviour of guards in other sectors) he added a few minor functions to their duties and re-badged them as Protection Officers.  He re-positioned them as a proactive group who’s first function was to protect the people and facility, rather than the reactive mob that you called when something went wrong. They proactively attended the business clients and became known for their positive service. This resulted in a more positive culture in the team, reduced sick leave, created a positive perception of the team within the business and provided better security outcomes for the facility.

Financial Crime Compliance teams are often viewed by the business in a negative light, simply as a cost to business. They are not revenue producing business units and are begrudgingly funded with many being under resourced and over-worked. However, the reality is that protecting the business from financial crimes and ML/TF is the first function of AML & FCC officers.  Compliance with the law and procedures is how it is achieved, but first and foremost protecting the company from attack helps to keep the business in business! Perhaps we can learn from the protective security industry and reposition the culture and perceptions of the FCC team – not as Financial Crime Compliance, but as a Financial Crime Protection Unit. Allow them to also have a more proactive role, visiting other business units to help build the understanding of the risks, the mitigation strategies, and, importantly, WHY they are in place (tell some “war stories”).

Perhaps this type of shift can create a positive culture for organisations to embrace, rather than simply view a cost centre. Who knows, it may just be worth a try…

5 Top Tips for your AML/CTF Program.

Over the years we’ve seen some good AML/CTF Programs but, sadly, most have been substandard. That’s somewhat understandable considering the competing priorities of many compliance managers and the lack of experience in this environment that most have. There are many complexities involved and everyone has their own opinions, but we’ve distilled things down to our top 5 tips, based on my experience, for your consideration. No doubt you could add a couple more…


Understand AML and CTF risk and consider them separately through their own specific lens. Too many people believe that because they understand business risks generally, and maybe fraud risks, that they understand AML/CTF risks. All too often, this has proven wrong or insufficient. Organise a group, don’t do this by yourself, and take the time to think like a criminal and then think like a terrorist. You know the vulnerabilities in your organisation, of course you do! Now, how would a criminal take advantage of them?


Make the program meaningful and relevant to the actual operations of the business. Too often we see templates used with little or no modifications which show that it’s relevant to the actual business. Some small businesses have Programs so huge they would suit a multi-national company – ridiculous.  The best Programs are often written by operational staff who do the work – not lawyers who know the law. You’re going to the effort of writing the thing, might as well make it worthwhile.


Explain what you mean, and don’t be vague. You think you might be clever by apparently allowing yourself some ‘wriggle room’ when the Regulator comes for a visit, but what it really does is creates confusion. Part of this is about maintaining corporate knowledge, so if you leave or go on vacation or train someone to assist your role, they have a clear understanding of what must occur. We have performed reviews where the compliance manager looks at a paragraph and says “Hmmmm what was I trying to say there?” Vague language leaves things open to interpretation and therefore gaps. Gaps lead to breaches. No so clever now huh…


Understand there is a difference and that the legislation bundles these words together and so it’s easy to read over the top of the actual requirements. Policies are the “what and why we do” components, while Procedures are the “how we do” components. Polices set the organisational expectations while procedures inform people of the steps required to complete the function. If you have procedures already created in other business units (e.g. staff vetting and training) simply reference that document rather than duplicating effort.


This is where the benefit of internal and external review processes become valuable. Make sure you do an internal review and give the person “permission” to constructively criticise.  Before submitting the Program to the CEO or Board for approval, have a peer review process in place. If someone else can not accurately interpret the document, it’s a good sign that it needs some amending.  An external review, not one by the regulator, should be performed in the spirit of continuous improvement, not judgement and blame allocation. This will best prepare you for the regulators visit.

We hope you found some use in these tips. Of course, the devil is in the detail!!

Financial Crimes Summit, 2015

We were proud to sponsor the Financial Crimes Summit held in Sydney at the end of July.  It was a great collection of industry and government representatives sharing information, concerns and solutions. With such an enormous body of information over the 2 days, we have taken the time to cut it down to some of the key takeaway messages which should provide you with some insight.  Please feel free to contact us at AML Solutions International for further information.

  1. Financial crimes involving the various new iterations of cyber crime and ID theft is a growing concern for both financial institutions and law enforcement.
  2. De-risking is currently a hot topic for financial institutions – with some consequences impacting on the alternative remitter sector struggling to remain in the regulated financial system.
  3. A point for debate revolves around the future regulatory management of the remittance sector which some industry members expect to return to its more informal hawala process of moving value without reporting.  Will this see the development of trade based hawala?
  4. We are seeing a diverse response by industry in the management of AML/CTF compliance.  Some sectors, as a result of adverse media exposure and regulatory penalties have thrown resources at the problem.  Other sections have not responded at all, preferring to offer a mirror to their head of AML compliance in order to show them the full size of their compliance team.
  5. AML/CTF compliance business units have always been viewed as costs centres rather than the opposite. Could the financial sector have a paradigm shift in their thinking and ask themselves; what is the cost of compliance versus the cost of non-compliance?
  6. Bitcoin and other crypto-currencies are here to stay and the financial sector.  The world’s’ central banks​ need to be more aware of this rapidly growing phenomenon and have a globally consistent regulatory and/or licencing approach.  One industry leader indicated that there is an estimated 153 virtual currencies in play today.
  7. We have seen a paradigm shift in law enforcement’s efforts from a national or domestic perspective to a global one.  Borders are inconsequential to crime syndicates which has impacted on the way intelligence and law enforcement approach their work.
  8. Regulators and law enforcement are moving from punishment frameworks to preventive & disruptive frameworks. As a matter of debate, Australia’s latest Mutual Evaluation Report in April 2015 noted that AUSTRAC’s compliance efforts were disruptive at best and deficient in their enforcement efforts.
  9. Law enforcement is moving from evidence gathering to intelligence & analysis.
  10. Some institutions have combined ABC, AML and fraud under the banner of financial crime.
  11. The major banks have joined forces to share fraud working group to share experiences and knowledge in the fraud environment.
  12. The next logical step should be to broaden the scope of this working group to incorporate all matters relating to AML/CTF and ABC.
  1. It is acknowledged that the single largest holding of financial information sits within the banks.  It was proposed that this financial data could be better used to conduct industry based intelligence products which can be used to inform internal risk financial crime processes.  For example, develop a number of “profiles” i.e a typical import/export business, or other cash intensive business, and their access to various financial products and analyse their transaction patterns.
  2. Transaction Monitoring Systems (TMS) traditionally focus on the unusual transactions & patterns (exception reporting), however it is now proposed the evolution of TMS should now focus on what has been historically considered usual and interrogate their databases for peer comparison and formerly usual transactions now to be considered unusual? In short, does a ‘plumbers’ financial profile at one major look the same at another major bank?  Look for the unusual in the usual.

AML/CTF deficiencies in Australia

“Australia has not implemented a targeted approach nor has it exercised oversight in dealing with non-profit organisations (NPOs) that are at risk from the threat of terrorist abuse. Authorities have not undertaken a review of the NPO sector to identify the features and types of NPOs that are particularly at risk of being misused for TF.”

This is the finding from the international delegation who recently conducted an assessment of Australia’s efforts in relation to Anti Money Laundering & Counter Terrorism Financing (AML/CTF).

The mutual evaluation report of Australia sets out how well Australia has implemented the technical requirements of the FATF Recommendations and how effective its AML/CFT system is. The report presents the key findings of the assessment team and the priority actions for Australia to improve its AML/CFT system. The report was released by FATF (Financial Action Task Force) last week.

Other findings highlight a massive hole in the oversight of non-financial businesses and professions such as lawyers, accountants and real estate agents. These key sectors are not subject to AML/CTF requirements even though they have been identified to be of high ML risk in Australia’s National Threat Assessment (2011).

There are 14 findings in the report, many highlighting good work and others indicating further improvements to be addressed.

What the above to key findings indicate is that we know that charities and non-profit organisations can be used as vehicles for moving money for terrorist purposes, however there are no controls in place. So we don’t know who is interacting with these organisations in order to determine the true extent of the risk.

Also the lack of obligations and oversight of lawyers and accountants, as gate keepers of significant financial information, means that organised crime can conduct money laundering business without any concerns through these channels. We also know that organised crime figures like to spend their money on expensive houses and cars, and yet these areas are not regulated. They have been on the drawing board since 2006 and still nothing has been done. Obviously there has been no political will to see this happen.

In 2011 the ACC estimated that at least $10 billion is laundered in Australia each year.

Click here for the full FATF report

Namibia success

We are extremely pleased to see that the Financial Action Task Force’s (FATF) International Cooperation Review Group has removed Namibia from their watchlist.  While there will be work to continue in Namibia, and indeed every country, to reduce the risk of money laundering and terrorism financing, it’s great to see progress.  We at AML Solutions International can attest to the genuine commitment by all members of the Namibian FIC to continue to improve the AML/CTF capacity across all sectors of law enforcement and regulated entities.

“The FATF welcomes Namibia’s significant progress in improving its AML/CFT regime and notes that Namibia has established the legal and regulatory framework to meet its commitments in its action plan regarding the strategic deficiencies that the FATF had identified in June 2011. Namibia is therefore no longer subject to the FATF’s monitoring process under its on-going global AML/CFT compliance process.”

We are proud to have contributed, in some small way, to the progress of the AML/CTF capacity in that country.

Click here for the FATF announcement.

Click here for a news article from The Namibian newspaper.

AML questions reach beyond HSBC

For many, HSBC has been the public face of AML compliance breaches since it’s massive $1.8 Billion fine a couple of years ago.  By no means has it been the last of the big banks nor the largest, with BNP Paribas facing a $10 Billion fine, handed down by Regulators but the HSBC story has had greater legs than the others.  These immense actions are no doubt sending off alarm bells through various sectors of the financial industry, far beyond just the banking sector.

With that in mind, Reporting Entities of all descriptions should be paying attention, and taking appropriate risk mitigation action.  The below article asks some key questions relating HSBC which could equally be posed to other enterprises.  It is simply a case of learning from the mistakes of others.

Click here to read the article.