AfterPay has become the latest big name to declare that they are “in dialogue” with the regulator, AUSTRAC. Other major players to use similar wording in their Annual Reports or other formal communications include National Australia Bank, Bank of Queensland and of course the Commonwealth Bank of Australia.
At the recent Australian Regulatory Summit, AUSTRAC Deputy CEO Regulatory Strategy, Peter Soros, was clear with his message: “You will see enforcement action from AUSTRAC in the year ahead.”
So, what do you do if you find yourself in the sights of the regulator who has now tasted blood?
1. Know your ‘current state’
Australia is over 12 years into this regulatory environment and organisations of all shapes and sizes should have a well developed AML/CTF Program which is implemented effectively throughout. Make no mistake, that is the expectation.
The purpose of a regular independent review is to help you understand the strengths and weaknesses of your systems so that improvements can be made. So, after 12 years there should be a reasonable expectation that your organisation has had maybe 5 or 6 independent reviews by now. Large and complex organisations should be doing an annual review. These reviews should help you understand the current state of the levels of compliance throughout the organisation.
If you have had fewer than 5 independent reviews or haven’t had a review in the past 2 years, then it will be difficult to answer questions from the regulator about your “current state”, and you will be left at risk of regulatory non-compliance.
2. Have a well informed Board
AUSTRAC will expect that your Board is well informed on the current state of your AML/CTF regime.
The AML Compliance Officer should have a clear communication line to the Board and be able to demonstrate to the regulator the different topics that have been discussed. If the Board isn’t well informed about any shortcomings identified during independent reviews, or any self-identified problems, then they can’t be expected to allocate budget to initiate remedial action.
Understandably this may be easier said than done, as it’s not uncommon for a Board to be primarily interested in the ‘good news’ stories rather than the compliance concerns. Nonetheless a good AMLCO should have the strength of character, and indeed the Board-provided freedom, to say what needs to be said.
Wilful blindness of the Board is not an acceptable excuse.
3. Have a clear plan
Mistakes happen – we all know and accept that. The important thing is what happens next as this is what AUSTRAC will be truly interested in. Peter Soros mentioned that many organisations had “looked under the hood and identified failings and shortcomings in their systems.” The smart ones have self-declared these to the regulator, along with a clearly articulated remediation plan.
The development of a clear remediation plan is particularly important where an organisation has identified a serious non-compliance. In recent years, AUSTRAC have examined the KYC implementation of organisations and have found many to be wanting. Customer databases are obviously the linchpin of any organisation and often very large in size – even a small to medium sized remittance company can have thousands of customers. If your KYC process hasn’t been properly implemented for the past 12 years then there could be a sizeable piece of remediation work to address.
AUSTRAC will expect to see that you have developed a Remedial Action Plan and taken positive action towards the successful completion, not just a plan for a plan. Your plan should have a single point of responsibility (often the AMLCO), clear milestones nominated and a sufficient budget for the human and technology resources required. Make no mistake, remediation is expensive and the budget should be appropriate.
A common cliché to consider at this stage is – “while there is a cost for compliance, the cost for non-compliance is significantly more.”
4. Have a good attitude
Ok, so you’re neck high in the doggie doo-doo (not a technical term) and now you have to be nice about it. Why – you ask? In my spare time I coach my son’s rugby union team and a key lesson for kids is to understand that the referee must be respected, because if you upset the referee he/she can make the rest of the game very difficult for you. It’s a good idea to remember that lesson when dealing with the regulator.
It would be a wise decision to go ‘cap in hand’ and seek forgiveness and assistance rather than take a combative stance. Again, we can look at the messages from AUSTRAC, who have repeatedly stated that they are more interested in attacking the criminals than the reporting entities.
So, take an attitude of genuine commitment to remediating any and all non-compliance issues in a diligent and timely manner. If your remediation plan falls behind schedule, be prepared to provide a good story which shows any genuine issues which have impacted on the execution of the plan and how you have taken action to get back on track with the plan.
These tips will not guarantee that you will escape punishment, but they should put you in a good position to ensure a collaborative approach to non-compliance resolution with the regulator. Remember, you want the referee to be on your side so that you don’t lose the penalty count.
*Note: this does not constitute legal advice and you should seek professional legal advice if engaged with the regulator.