Afterpay Touch Group Ltd (ASX: APT) shares climbed 8 per cent this morning as investors shrugged off news that the company's customer verification procedures didn't comply with the law.
According to an audit letter lodged with the ASX today, Afterpay didn't even collect the date of birth of customers until November 4, 2016.
It reportedly took "retrospective remedial' action in July 2018 to collect the date of birth of customers signed up before November 2016. This is an omission the regulator AUSTRAC will not look kindly on.
Low risk or no risk?
The good news for Afterpay is that the auditor confirmed that it can be designated a 'low risk' provider of financial services under the AML/CTF Act 2006 (the Act).
This is important as what risk rating (low, medium or high) a reporting entity is ascribed under the Act will directly impact how onerous its subsequent client ID verification obligations become.
For example as Afterpay is just providing short-term credit it's almost impossible for a criminal or terrorist to launder money using its services.
Whereas if a criminal wanted to launder the cash proceeds of drug sales an obvious target would be an over-the-counter (OTC) foreign exchange broker in any CBD.
As the criminal could swap the cash for another currency or ask for the cash proceeds to be wired to an overseas bank account.
When you walk into an OTC foreign exchange desk the teller will demand to photocopy your passport or driving license as the business is considered a 'high risk' services provider under the Act. The Act's rules specify that the FX teller must take a photocopy of an original ID to provide the service.
Imagine if Afterpay had to photocopy the ID of all 6.1 million of its customers retrospectively.
It would be an administrative nightmare that it's avoided by being classified 'low risk'.
An example of a business classified high risk would be money transfer business OFX Group Ltd (ASX: OFX). As criminals could easily target it using fake ID to wire funds to a U.S. bank account to buy drugs for importation for example.
For now it seems as long as AUSTRAC is satisfied Afterpay's existing electronic verification procedures can be applied retrospectively and going forward then Afterpay can carry on as before.
One takeaway is that one of the keys to Afterpay's incredible success is how easy it is to open an account. I did it myself online and it only takes a minute as all you need is your name, address and phone number.
If Afterpay is forced by AUSTRAC to make the account opening process more onerous it could hurt its spectacular growth rates.
The AML/CTF Act is Confusing Corporate Australia
The auditor also suggested that Afterpay was provided incorrect legal advice in 2016. The erroneous advice suggested that it was primarily providing a designated service to retailers under the Act, when in fact it was primarily providing a designated service of credit to consumers.
As a result of the incorrect interpretation of the Act its initial AML/CTF framework and associated controls were incorrectly focused on merchants rather than the consumers.
This confirms my inclination to believe that the Act is a poorly drafted piece of legislation that has regularly confused lawyers, big 4 consultants, reporting entities, and even AUSTRAC itself as to how it should be interpreted and enforced.
Anecdotally, I know that when professional compliance teams at regulated entities have asked AUSTRAC middle management for advice on how the Act should be interpreted the regulator itself has been unclear on the issues.
No wonder the likes of Commonwealth Bank of Australia (ASX: CBA), Westpac Banking Corp (ASX: WBC) and Afterpay have run into trouble complying with the Act.
Afterpay's compliance with the Act's client ID obligations in itself will be a subjective call by the regulator in part as the legislation is not perfectly compatible with the realities of the widely diverging business models it drags into its net.
As today's audit letter reports: "The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) and the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (AML/CTF Rules) create a set of technical and complex obligations."
The regular findings of historic non-compliance across corporate Australia now are also the result of historically poor communication lines between AUSTRAC and corporate Australia.
While there's also been a wide 'knowledge gap' within the regulator itself and corporate Australia as to how to interpret and comply with the Act's complex obligations.
The key requirement of all legislation is to create as much certainty as possible in interpretation. It appears the Act has floundered in this goal and you could go so far to suggest it's been a disastrous piece of legislation.
A final wider question is whether Afterpay should be classified as a reporting entity at all? After all its business model contains no practical risk of money laundering or terrorist financing and the Act's authority may be too wide in dragging it in.
