Until recently, AUSTRAC presented as a low-profile regulator, which possibly led to the perception that AML/CTF requirements presented a low regulatory risk. In recent times, however, AUSTRAC has wielded a big stick against two of the major banks.
- In 2018, the CBA was fined $702 million for breaches. (The fines could have been many times higher.)
- Westpac has undergone a board and management shakeup, made provision for over $900 million for penalties and is yet to reach a settlement with AUSTRAC for over 23.5 million breaches of anti-money laundering laws.
Businesses regulated by AUSTRAC should take heed of the Westpac experience. According to Westpac, in December 2016, AUSTRAC issued a report which contained recommendations “for Westpac to consider in enhancing its compliance” but apparently “did not identify any non-compliance”.
That a regulator may not have uncovered a breach at the time it conducts a surveillance visit or an investigation does not mean that an entity is fully compliant. There’s still a risk of non-compliance because the regulator may not have focused on the non-compliant aspects of the entity’s operations. At a later stage, as in the Westpac matter, a regulator may discover serious breaches. AUSTRAC has now pointed to Westpac’s “indifference by senior management” and “inadequate oversight by the board” as major causes of the breaches.
Westpac has cited in its defence that an unnamed external party had previously confirmed its controls were operating as designed. In addition, its internal controls did not identify any breaches of the Anti-Money Laundering and Counter-Terrorism Financing Act. Without having sighted the scope of these checks and reports, it is difficult to know what went wrong.
Questions that one might ask:
- Did the Bank consider less-than-rigorous AML/CTF compliance to be an acceptable and relatively low risk, therefore requiring fewer resources for internal compliance monitoring and reporting?
- What was the Bank’s risk tolerance and how did the Board of Directors determine the levels of risk tolerance?
- Were there too many committees overseeing risk management and compliance which resulted in gaps in oversight and reporting?
The lesson to be learned is that a risk management approach to compliance is fraught with peril. All laws must be obeyed and there must be controls, checks and balances to anticipate and prevent breaches. By rating certain laws or regulators as lower risk, an entity may not implement adequate compliance measures to identify and remedy breaches. AML/CTF is certainly not a low risk matter and failure to implement proper compliance processes can have severe repercussions.
We have observed a very wide range of risk management processes in organisations, from the over-complicated, which makes it difficult to monitor and implement risk management strategies, to the too simplistic, which as a consequence fails to identify important risks.
In our view, risk management should be undertaken in a practical manner requiring in-house input from management with guidance and facilitation from independent risk and compliance specialists so that risks can be clearly identified, rated and ranked, thus leading to better management of those risks by a business. A risk management report should clearly articulate the risks, the risk management strategies and who is responsible for implementing those strategies and preparing the report to the board.
Risk management consultants should prioritise giving proper information to their clients ahead of the retention of their lucrative consultancy. It does little for a company to have a good report card from its consultants if the risk management systems and processes are lacking and place its operations at risk. If APRA issues warnings that a company’s risk management reports are inadequate, then that company should consider changing its risk management consultants or, at the very least, conduct a rigorous review of the consultants’ terms of engagement.
Know Compliance can assist organisations to identify their compliance requirements and develop appropriate risk management strategies. We aim to assist companies to have practical risk management systems that assist them to operate efficiently, honestly and fairly.