Most of us know by now that an AML compliance programme is essential to comply with the AML/CTF Act; the real challenge is to truly comply. How do you avoid the template trap?
It can be all too tempting to use a ready-made template for your AML/CTF program, but the reality is that a template that isn’t tailored to your business won’t be robust enough to protect it.
In this article, we’ll show you how to build an AML compliance program that not only meets AUSTRAC requirements but is practical, effective, and tailored to your business.
Practical steps to building a strong AML compliance programme
As regulatory requirements evolve, there has been a fundamental shift to put risk at the centre of compliance. While AUSTRAC is introducing starter kits for tranche 2 businesses, there is no ‘one-size-fits-all’ AML/CTF program, as every business’s risks are different.
Compliance is no longer a checklist, and programs need to reflect this. Here’s a step-by-step approach to building an AML/CTF program, starting with the all-important risk assessment.
1. Conduct a risk assessment
Your risk assessment needs to be tailored to the unique risks your business faces, and give a clear picture of what those risks may be. It should also detail the likelihood of the risk occurring in your business and what the impact would be if it did.
Things to do:
- Identify risks, including:
  - The nature, size, and complexity of your business
  - The products and designated services you offer
  - The delivery channels through which you provide these services
  - The jurisdictions your clients reside or operate in
  - The clients you deal with, and their geographical location
- Assess and measure the likelihood and impact of these risks via a risk scoring system
Document your findings so you can detail in your program the steps you will take to manage and mitigate these risks.
2. Implement staff training and appoint a compliance officer
It’s all well and good having a process and writing it down, but if your employees aren’t trained and don’t understand the procedures they must follow, your compliance will fail.
Ensure you have appointed a compliance officer at management level who is well trained, with the expertise to manage and maintain your compliance programme.
Ensure compliance activity is only carried out by trained staff who have been thoroughly vetted. Document how you carry out these processes.
Include risk awareness training for relevant employees so they understand:
- Your obligations under the AML/CTF Act
- The consequences of non-compliance
- The types of risks your business may face
- The processes and procedures they must follow
Include details of the staff training provided in your AML compliance program and document completion of training.
3. Create a customer due diligence framework
Customer due diligence (CDD) is the cornerstone of compliance activity and should be carried out on every single client you onboard who is captured under the AML/CTF Act.
Creating a framework that clearly outlines the steps in your customer due diligence process is essential so your team understands what information they need to collect before onboarding a client.
Steps should include what documented proof is needed to:
- Identify and verify customers
- Identify and verify beneficial owners
- Identify and verify persons acting on behalf of customers
It will also need to show how you respond to discrepancies in customer information, and how you decide when you should collect additional information about a customer for enhanced due diligence.
Enhanced customer due diligence (ECDD)
If you carry out ECDD it means you have decided a customer is high-risk and requires a greater level of due diligence. You should document the reasons you consider customers high-risk and the due diligence actions you take when dealing with these customers.
- Define the types of customers, services, channels, and jurisdictions that you consider high-risk, and ensure procedures allow for consistent implementation of ECDD processes
- Identify who is responsible for carrying out ECDD
- Establish controls for consistently applying ECDD, monitor its operation and internal reporting, and maintain an auditable trail of decision-making
Ongoing due diligence
State in your AML/CTF program what actions you will take to conduct ongoing due diligence. This includes what you will do and how you’ll manage risks throughout your relationship with your client.
- Establish controls on how you will monitor transactions and behaviours for suspicious activity
- Define how and when you risk rate customers and why risk ratings might change
- Show how you update and reverify information
4. Employee due diligence
Outline how and when you will carry out due diligence on employees performing AML/CTF duties. Also, establish and document processes to manage employees who fail to comply with your AML/CTF program.
5. Transaction monitoring
You must document how you monitor and manage transactions in your program. This should be based on your risk assessment and include details on:
- The processes you follow to identify suspicious customer transactions
- The systems, controls, and procedures you use to mitigate and manage your risk
- The systems and controls you use to trigger alerts for further review
Like all other parts of your compliance program, transaction monitoring must have an effective governance framework and oversight.
6. Report suspicious activity and submit annual reports
There are several types of reports required under the AML/CTF Act, and you will need to outline the systems and controls you use to meet these requirements.
Reporting requirements include:
- Suspicious matter reports: for when you have a suspicion that a customer or transaction is related to criminal activity. Submit your report within 24 hours of becoming suspicious if it relates to terrorism financing, or within three business days for anything else.
- Threshold transaction reports: for transfers of A$10,000 or more in cash. Due within 10 business days after the date of the transaction.
- International fund transfer instruction reports: for transfers of funds of any value into or out of Australia, made either electronically or under a designated remittance arrangement. Due within 10 business days after the transfer instruction is sent or received.
- Annual compliance report: to summarise how you have met your AML/CTF obligations. Due between 1 January and 31 March each year.
7. Maintain robust record keeping procedures
Store all documents related to your compliance programme for 7 years after you’ve stopped providing any designated services to your client. This includes client identification procedures, staff training sessions, audit results, and transaction records.
State how you will keep written findings about your business relationships and transactions, and what additional measures you take when dealing with high-risk countries or clients.
8. Book in independent reviews
AUSTRAC requires all entities to have independent reviews carried out on their compliance program to check it complies with legal obligations, is working as it should, addresses your AML/CTF risks, and that you are complying with the program.
There is no specified timeline for this, but it should be done at least every three years. Decide when to do it based on your risk profile and the size, nature, and complexity of your business.
If you’re a tranche 2 entity, we recommend reviewing your AML program after the first year to check you’re on track and compliant before any issues arise.
Independent reviews should only be carried out by somebody who has not been involved in the development, implementation, or maintenance of your programme.
Nobody likes a review, but take as many learnings from it as you can, and avoid the heavier burden of a warning, fine, or penalty for non-compliance.
9. Establish a governance framework
Leadership sets the tone for successful compliance and your Board (or CEO) and senior management are responsible for the ongoing approval and oversight of your AML/CTF program.
They will also be the point of contact for your compliance manager to report on money laundering or terrorism financing risk.
10. Embed compliance in your business
Finally, remember that compliance is a continual process. It’s not a one-time exercise but a critical part of your business that will need assessing, designing, monitoring, reviewing, and refining for long-term success.
5 common pitfalls to avoid
Despite good intentions, many businesses struggle to create effective compliance programs. Here are the five most common reasons programs fail, and how to avoid them.
1. Tick-box mentality
When policies are created to satisfy regulators rather than to manage actual risks, employees fail to engage with them, leaving compliance gaps.
Take a risk-based approach to your compliance program, and take the time to understand the risks your business faces, the likelihood of these risks occurring and the impact they may have.
2. One-size-fits-all approach
Your business is unique, so don’t copy generic templates without tailoring them to your specific industry, size, and customer base.
Use tools and resources to help guide you but adapt them to the needs of your business.
3. Being reactive rather than proactive
Compliance isn’t set and forget. Don’t just take action after an incident or an AUSTRAC audit.
Continuously assess and improve your processes, and make updates in line with changes to your business, your client relationships, and regulation.
4. Inadequate training
Employees will lack a practical understanding of AML procedures if training is infrequent or too theoretical.
Make sure there’s ongoing training and support for employees dealing with AML obligations, so they understand the processes to follow in your business.
5. Lack of senior leadership buy-in
Creating an effective AML program isn’t just about meeting regulatory requirements; it’s about embedding a risk-aware culture in your business, and this starts with buy-in from your leadership team.
Champion AML through leadership to reinforce priorities and build trust throughout your business. Building a risk-aware culture also gives your customers a more positive experience throughout the AML process.
Conclusion: Build a compliance program that works in practice, not just on paper
By understanding your unique risks, developing tailored policies, training employees effectively, and maintaining procedures, you can build an AML/CTF framework that protects your organisation, strengthens your reputation, and remains compliant.
“AUSTRAC is moving away from tick-box compliance toward an outcomes-based model. That means our focus is on whether your systems are genuinely mitigating the risks in your business, not just whether you’ve filled out forms correctly.”
Brendan Thomas, CEO AUSTRAC
So go beyond the basics and create a program that isn’t simply a paperwork exercise but one that makes compliance part of your everyday business practices.
Need expert help building or reviewing your AML program? Our team can help you design a framework that’s compliant, practical, and tailored to your business.
Book a consultation or contact us at aml@ticcompany.com
About the author
Nicolas Charles
Nick has nearly 10 years’ background in financial services. During his time in retail finance and banking, he was directly involved in applying AML verification and compliance, which gave him valuable skills for his current role as Head of Operations and Finance at tic company.