Recently we've seen Westpac Bank (ASX: WBC), Commonwealth Bank of Australia (ASX: CBA), Afterpay (ASX: APT) and AMP Limited (ASX: AMP) all fall disastrously short of their legal obligations under the AML/CTF Act 2006 (the Act) and associated obligations.
All could throw almost unlimited money or resources to meet their obligations, but all have failed. And it's no coincidence.
So what's gone wrong?
Clearly there's a 'professional knowledge gap' in Australia as to how a complex and technical piece of statutory legislation in the the Act should be interpreted and then practically applied into everyday compliance workflows.
All law students are rigorously examined on statutory interpretation and it's hard. Only the brightest and best will get top marks and go on to apply it as barristers or at top tier firms of solicitors.
We can see that leaving the enforcement of AML legislation to 'compliance professionals' or middle management box tickers with no legal training hasn't worked across corporate Australia.
The problem with 'paid for compliance'
Often reporting entities under the the Act such as banks, brokers, and even Afterpay sought legal advice or advice from big 4 consultants on to how to interpret and apply rules.
PWC for example has secured a lot of work since the Act's enforcement in creating specific AML/CTF programs and associated controls for clients to follow. Top tier law firms have also secured a lot of work.
An obvious problem with this 'paid for compliance' approach is that it doesn't always work.
You can buy a manual or compliance framework and controls to follow, but if there's a professional knowledge gap applying it the consequences are disastrous.
For example you could pay an expert consultant to write a 150-page manual on how to fly a Qantas jet from Sydney to Melbourne, but cabin staff couldn't fly the plane without a far deeper knowledge and training base.
Control failures
In terms of its relationship with banking counterparties, AUSTRAC has also accused Westpac of acting without "appropriate risk assessments and controls on the products and channels offered as part of that relationship."
Risk control frameworks are another key obligation of the AML/CTF rules and associated framework AUSTRAC enforces.
The control frameworks or 'compliance plans' that must be submitted to AUSTRAC annually have also often been completed in a 'paid for compliance' approach.
For Westpac an assessed AML risk may be that it processes transactions to 'high risk' countries (e.g. Iran) on behalf of politically exposed persons (PEPs). This would be a 'high' inherent risk rating in a control plan. The control in place should be that transactions to Iranian bank accounts are blocked or require specific approval from a senior/responsible manager.
In theory the control is relatively strong so the 'residual risk rating' is low. Assuming the control is enforced.
Entities reporting to AUSTRAC are supposed to build (or pay lawyers to build) these kind of risk control frameworks across their businesses providing designated services under the Act.
But again if the 'paid for controls' are not enforced, followed, or understood, and just sit in a compliance manual gathering dust – you'll hit problems down the line.
Transaction monitoring and reporting
Under the Act transaction monitoring and reporting obligations should be easier to interpret and follow than the differing level of client ID verification obligations that are widely considered to be confusing and impractical.
However, it seems that Westpac and CBA have fallen down in applying even basic transaction reporting obligations.
The obligations basically mean a 'reporting entity' must report 'suspicious transactions' to the regulator that can then decide whether to investigate them or not.
To meet the obligations a business like Afterpay could dump all its daily transaction data into a spreadsheet or database and then apply filters to it to weed out any 'suspicious transactions'.
For example any transaction greater than $10,000 would be reported. Or it could apply a filter to look for transactions through the same retailer on the same account buying the same product multiple times for $9,900. This might be considered 'suspicious'.
The point is that for well resourced banks (but maybe not so much start-ups) this sort of transaction data dumping, filtering, and daily reporting should be straightforward.
Of course over time filters or procedures would need to be updated or changed in line with complex business models, but to competent staff this shouldn't be a problem.
Again a failure to meet these basis obligations suggests a 'professional knowledge gap' within compliance teams and probably a tendency to brush knowledge gaps under the carpet.
A lot of this is also the result of the 'paid for compliance' culture where policies and frameworks sometimes submitted to the regulator for approval have not even been written by the reporting entity's own staff.
In a way AUSTRAC's own rules have incentivised this dubious approach.
AUSTRAC's own knowledge gap
Finally it's also worth noting that AUSTRAC's middle management going back say to 2010 (when these problems already existed) has itself sometimes been inadequate in providing compliance advice to its own reporting entities.
As the regulator itself has been uncertain in how to apply the legislation it's responsible for enforcing the flight towards 'paid for compliance' has also accelerated.
No surprise we're now seeing so many problems across corporate Australia.
