Afterpay Touch Group (ASX: APT) shares sunk 6% today on news the regulatory heat is being turned up on the business by AUSTRAC the regulator responsible for ensuring compliance with Australia's anti-money laundering laws largely under the terms of the AML / CTF Act 2006.
By way of background it appears the buy-now-pay-later business has been classified as a reporting entity under The Act by AUSTRAC and therefore it's subject to all its obligations that include principal duties, among others, over proper customer ID verification, suspicious transaction reporting and having a framework in place (i.e. a written AML compliance business plan including policies and procedures) that satisfies AUSTRAC as the regulator.
Why and how does a reporting entity verify ID?
By way of background The Act is Australia's key piece of legislation to ensure consumer-facing financial services providers work to prevent criminals or terrorists laundering money or moving it around the world.
For example a money transfer business would be considered high risk in this space as an obvious way for a drug dealer to launder money would be to exchange $20,000 cash for another currency over the counter or by electronically transferring the proceeds of crime to an account in the U.S. to buy drugs for importation.
As such a money transfer business or ADI would be subject to stringent client ID verification requirements as criminals will obviously want to disguise their identity.
While I did raise in the past that Afterpay may face extra costs due to AML/ CTF requirements to identify customers, I did not think they would be too onerous, as Afterpay is not an ADI, remittance or money transfer business so presumably AUSTRAC classifies its services and client base low risk.
Indeed, there's a good argument to be made that Afterpay as a consumer credit provider should not be classified a reporting entity at all.
Either way it is, and it seems AUSTRAC is toughening up its approach on the business via last night's notice demanding that Afterpay appoints an external auditor (almost certain to be one of the big 4 audit firms with PWC well known for its work in this space) to audit the compliance of its client ID verification procedures with The Act.
So it seems Afterpay has a big job on to have its auditors confirm that its current online electronic ID verification services comply with The Act under AUSTRAC's interpretation of it.
For example it took me less than two minutes to open an Afterpay account recently and I think all I needed was an email address, phone number and name, which infers that whatever digital method Afterpay is currently using to "verify ID" is not the most stringent.
The key takeaway being that if Afterpay is forced to change its procedures it could be looking at a fair bit of extra compliance costs.
Why is transaction monitoring a big deal?
Secondly, it's worth noting that it also seems AUSTRAC is pulling up Afterpay in terms of its suspicious transaction monitoring and reporting processes and procedures.
For some background we recently saw the Commonwealth Bank of Australia (ASX: CBA) get absolutely slammed with a $700 million fine by AUSTRAC for its failure to report suspicious transaction at all, or on a timely basis. Both of which are obligations under the The Act for reporting entities.
From memory certain reporting entities must report every transaction over $10,000 for example and while Afterpay's cheerleaders may argue it doesn't process transactions over $10,000 this will not wash with AUSTRAC.
Why?
As Afterpay will be advised by its consultants and auditors (if it's not already aware) that a reporting entity must have a plan and procedure in place to demonstrate that it's monitoring all transactions and that it could in theory catch and report a transaction over $10,000.
This is not easy but possible, for example Afterpay will likely have to come up with some sort of system that at least has the potential to check every transaction is under a certain threshold.
This though could be something as simple as dumping all the transaction data daily onto a spreadsheet and filtering it for transactions for certain high risk products, retailers, or amounts for example.
Either way you simply have to demonstrate you have some sort of transaction monitoring process in place to the satisfaction of auditors and in turn the regulator.
If not, or if you mess up the suspicious transaction monitoring or reporting obligations the disastrous consequences are plain to see given CBA's recent nightmare.
Outlook
Overall, it looks like AUSTRAC is coming on a little heavy to Afterpay and it has form for putting on a big show, as we saw with the CBA whose bankers complained bitterly they had not been given fair warning to respond to AUSTRAC given its intentions.
The bottom line for investors is that Afterpay is being told to lift its AML/CTF compliance game, which will involve some one-off costs (in terms of the very expensive consultants but nothing too material) and probably the hiring of a few more staff to implement its AML/CTF compliance framework.
However, unless it messes up its obligations, I would not be overly concerned by this as a shareholder.
