Published 3 December, 2018
Know your customer checks (or KYC checks) generally take the majority of the focus when businesses consider their AML compliance obligations. Other obligations such as transaction monitoring, employee due diligence and regular independent reviews of the business’ AML compliance program often take a backseat.
However, businesses with AML obligations need to ensure that they are on top of all aspects of their AML compliance so that when it comes to submitting the “new and improved” AUSTRAC annual report by the end of march next year, there are no “shocks”.
One of the key items that we see businesses forget is the requirement to have their AML compliance program reviewed by an independent party. A business’ AML compliance program should set out how regularly the business has determined that it will complete an independent review of its program. The legal requirement is that an independent review is conducted “regularly”. For low risk businesses, it may be appropriate to perform a “regular” review every 3 to 5 years, depending on the size and nature of the business. It may also be appropriate to perform a one-off independent review between these scheduled reviews where there have been significant changes to the risks faced by the business, the activities or designated services provided by the business or significant change to delivery channels.
So when is an independent review required?
An independent review isn’t required where your business simply arranges for customers to receive other designated services (i.e. an “Item 54” designated service). Businesses that fall into this category include financial planners and fund managers (but not the fund itself). However, the independent review requirement will apply to your business if you provide any other designated service, including if you are a credit provider or the trustee of a property or mortgage fund.
Who can undertake the independent review?
The independent review of your business’ AML compliance program can be carried out by an internal or external party. If an internal party will be conducting the review, they must not have been involved in the preparation, implementation or oversight of the AML compliance program. This may be difficult for smaller businesses where there is no internal audit function, which is why some business look to engage an independent, appropriately qualified, third party to perform these reviews.
What does the independent review need to cover?
The review will need to look at whether the business’ AML compliance program (specifically Part A of this program):
· Addresses the risk faced by the business in an effective manner. An AML compliance program is generally prepared using a risk-based approach and as a result, it is important that the controls included in the AML compliance program are sufficient for the level of risk of the business.
· Meets all of the content requirements prescribed by the AML legislation.
· Has been effectively implemented by the business and whether the business is complying with the controls and procedures set out in the program.
The reviewer should prepare and make available to the appointed AML/CTF Compliance Officer, senior management and the Board a report setting out their findings from the review and any recommendations. It is then critical that any deficiencies are addressed by the business going forward.
It is important that businesses review the requirements in their AML compliance program now so that they can identify if the business is due for an independent review, and if so, take action before they are required to report to AUSTRAC on this as part of their annual compliance report.