Afterpay Touch Group Ltd (ASX: APT) this morning reported that the AML/CTF regulator AUSTRAC has appointed Mr Neil Jeans of Melbourne-based firm Initialism to audit Afterpay's compliance with its AML/CTF obligations contained under the AML/CTF Act 2006 and general financial services laws.
Previously, Afterpay has advised that it has established a specialist sub-committee to report to its board on the management of the external audit process with, I imagine, an underlying goal of passing the audit with just a few minor recommendations or qualifications.
I've previously covered how, if Afterpay has any sense, it will have already engaged a law firm and consultants such as PWC to complete a confidential audit of its existing processes and then build a comprehensive plan, policies and procedures to plug any gaps or potential audit findings.
Of course, engaging leading consultants and lawyers for a few months is likely to be an expensive process, but definitely not material for a company with more than $300 million sitting on its balance sheet.
Aside from the client ID issue, essentially what Afterpay needs to do to pass the audit is demonstrate it has an actionable AML/CTF Program in place to maintain compliance with the relevant laws. This will involve, for example, written policies and procedures to box tick on a daily or regular basis.
It will also likely include a risk control self-assessment document that identifies key AML/CTF risks faced by the business and gives them an inherent risk rating (i.e. 5 high, 1 low), then applies the control in place to mitigate the risk, and delivers a residual risk rating after the control is applied.
For example, an inherent risk for Afterpay may be the risk it fails to properly identify clients (likely to be 5 as a high risk); the control would be its electronic verification procedures, and the residual risk would then be something like 2, depending on the strength of the control.
Another risk could be its failure to report a suspicious transaction over $10,000; the control could be its systems that decline that much credit, and the residual risk rating would then be 1 or very low.
In terms of suspicious transaction monitoring and reporting, Afterpay will probably have to dump all daily transaction data into a spreadsheet or similar before applying filters to it to search for any sort of transactions that could be considered suspicious.
For example, if a retailer only ever sold the same item for $500, 20 days in a row, this could be considered 'suspicious' in terms of money laundering or terrorism financing and reportable to AUSTRAC.
Building these kinds of dummy-proof systems for use by AUSTRAC reporting entities in the remittance, accounting, financial services, legal, gaming and real estate space is bread and butter for consultants like PWC, and Afterpay should be able to implement them relatively easily with some staff hires and the like.
Client ID matters
However, when the interim audit report is handed in on September 24 all eyes will be on the auditor's verdict on Afterpay's compliance with its client ID verification obligations.
Afterpay is likely to be judged a low-risk provider as it's just providing consumer credit, and luckily it will then have lower standards applied in meeting its AML/CTF obligations.
For example an OTC or electronic money transfer FX business would be judged high risk and have higher obligations (including receipt of verified ID by a third party such as a JP, Dr, lawyer) as an obvious target for criminals looking to launder money, or to make electronic payments abroad to buy drugs.
A high-risk classified business like this is required to photocopy the original ID of any user (if you walk into an FX exchange in Sydney you need to have a driving license, etc, photocopied), but Afterpay has lower standards applied as it's almost impossible to launder money under its business model.
This is lucky for Afterpay as you would not want to be the temp employed to go back and photocopy all of its 4 million users' original IDs.
In all seriousness though, we can see how, if Afterpay is ordered to take retrospective actions in terms of its client ID verification procedures, it could be costly for it. A potentially worse scenario is if the auditor finds its existing processes don't meet its obligations as a 'low-risk' service provider under the AML/CTF laws.
In either of these scenarios it would then be up to AUSTRAC to decide what penalties or sanctions to impose.
If Afterpay's management team follows the playbook in passing these kinds of audits by engaging consultants, etc, it should not have much to worry about.
However, if it takes a gung-ho or ill-informed approach then of course there could be trouble ahead.