A Lesson in AML/CTF Governance the Royal Commission into Banking Report
Reflecting on the recommendations outlined in The Royal Commission into Banking Report we should recognise that putting the banking sector in the limelight of scrutiny for their actions should only be a starting point. The precipice of much-needed reform to the entire financial sector.
Learning from the mistakes of others is essential to building better systems for governance, humanity has been doing this for generations, it’s how we’ve got to where we are today. This is particularly astute when we consider the evolution of regulatory compliance and the emergence of RegTech companies. Given the context, there is no better time than now to implement significant changes to place more emphasis on responding to non-financial risk such as AML/CTF.
June 2018, The Commonwealth Bank of Australia paid a record $700 million fine and admitted to the late filing of 54,506 reports on transactions of $10,00 or more through its “intelligent deposit machines” (IDMs). Additionally, the bank also failed to properly monitor transactions on 778,370 accounts to check for money-laundering red flags and showed tardiness in submitting 149 suspicious matter reports. All of these actions are direct breaches of obligations to the AML/CTF Rules. ABC Article
The previous highest breach to the AML/CTF Act was by Tabcorp in March 2017 who paid a $45 million fine.
“AUSTRAC CEO Paul Jevtovic said that the record $45 million civil penalty serves as a stark reminder to all reporting entities that there are serious consequences for non-compliance with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act).”Tabcorp Penalty
When taking a risk-based approach to compliance with the AML/CTF Act, the initial and ongoing risk assessment process is there to identify and therefore minimise any risks to ML/TF the services may present. So how did these large, trusted organisations let such a big mistake slip through the cracks?
Mistakes were made
The AML/CTF Act compliance breaches identified in the Royal Commission on Banking enquiry provide a good example of failing to prioritise non-financial risk compliance.
With hindsight, we can now see that a lack of prioritisation on maintaining high standards of risk-related adjustments to policies and procedures can have some very significant negative compounding effects. Risk assessments are there to inform a business of the ML/TF risks and reassess their mitigation approach. It is especially important to re-address the risk assessment when providing an innovative and emerging product.
At the time the emerging 24/7 banking product was IDMs. Racing against the competition without considering the ML/TF risks made CBA take unnecessary high non-financial risks. Sacrifices to the backend compliance procedures were made to serve this emerging market with more efficacy, however as explored in the report, once this vulnerability was discovered as lacking AML/CTF risk mitigation controls, the product became ripe for money launderers to exploit.
As outlined in the report pages 396-397 of The Royal Commission into Banking Report
“What is clear is that when the audit committee was informed in December 2016 of the third ‘red’ rated audit report for AML/CTF issues, it did not do enough. The committee did not ask to see a copy of the audit report. It did not challenge, or at least adequately challenge, management about why three audit reports for the same issue over four years had all been rated ‘red’, or about management’s assurances that the matter was being dealt with." When asked what the committee did to hold management to account for the failings and require management to fix those failings, Ms Livingstone said.
The Report’s findings are concerned with the process of identifying, prioritising and managing risk. As well as understanding the effect of conflicts between duty and interest.
"“First, the information made available to the board about the risk management performance of the senior executives was plainly deficient. Among other things, it did not adequately inform the board of the nature or seriousness of issues that had been identified… It is concerning that the information made available to the board was deficient in those ways. It is more concerning that the board did not seek more detailed information…"
"It appears that, unless and until risk and compliance issues became publicly known, accountability for those issues was not reflected in adjustments to executive remuneration.”
Keeping up with AML/CTF Compliance
Compliance is rarely the core business of a company, yet as we have discovered an essential component to prioritise. The good news is there are existing tools and frameworks one can utilise to make keeping up with AML/CTF compliance obligations streamlined.
With the ever-increasing proliferation of digital technology business relationships and transactions are becoming less personal and money launderers more sophisticated, there will always be new risks and uncertainties to be aware of, quantify and mitigate. Anytime a business introduces a new innovative product, increases its digitisation, ads a delivery channel or even serves a new type of customer they must update and even redo an ML/TF risk assessment and make changes to their AML/CTF manual.
Lifting the level of knowledge and education is essential if we are to lift an industry understanding of AML/CTF compliance across the entire financial sector. AML/CTF compliance is not only the job of a compliance officer, risk audit team and decision makers. Everyone involved in the process providing a designated service should be aware of the risks and red flags an organisation has, this way a coordinated effort to fight financial crime can be realised.
Understand the tradeoffs. Don’t let efficiency and profit trump compliance obligations.
For bronID, the increasing complexity of compliance and compliance reporting is an opportunity to create new systems tailored to achieving positive reform to the way the financial sector manages non-financial risks such as money laundering and terrorist financing.
At bronID, we are developing a complete AML/CTF compliance toolkit to help companies streamline their compliance obligations to the industry best practices, for more information see bronID & the Knowledge Centre