In Brief: SMR’s and Security during Covid-19

by | Apr 11, 2020 | AFSL, KitLegal | 0 comments

Prepared by Rebecca Exley

Suspicious Matter Reporting:

On 1 April 2020, AUSTRAC reiterated the importance for reporting entities to monitor for new and emerging threats and submit SMR’s where appropriate. Companies across the globe have shifted the way they operate, with a sharp rise in the use of digital platforms such as Zoom and Teams. 

This rapid reliance on digital platforms, and the disappearance of face-to-face meetings, has left the financial services industry vulnerable to criminal exploitation. 

AUSTRAC considers the most vulnerable areas to be the:

  • targeting of government assistance programs through fraudulent applications and phishing scams,
  • movement of large amounts of cash following the purchase or sale of illegal or stockpiled goods,
  • out of character purchases of precious metals and gold bullion,
  • exploitation of workers or trafficking of vulnerable persons in the community,
  • an increase in the risk of online child exploitation following restrictions on travel,
  • a rise in extremist views either against members of the community or government. 

Some of these are probably already part of your risk-based controls, but others may be new. How would you protect staff and clients from extremist views? How do you ensure that phishing scams are correctly identified and managed when you are suddenly conducting 90% of your business digitally and remotely? 

Stress testing your current controls should highlight any weak areas that could leave you company open to attack. 

Outsourcing, Cyber Security and Data Protection:

With city offices closed for the foreseeable future, and people working from makeshift home offices, how your company manages its professional relationships should be a priority now. 

Are you confident that your outsourced service provider is able to meet their own regulatory requirements? For example, do they have sufficient controls in place for:

  • cyber security,
  • data protection, 
  • remote access. 

Of course, these controls apply to every company, but if you engage a third party, you remain responsible for the services that they undertake. 


The proverbial plate is probably full for most people, but the importance of reviewing your policies and procedures, both internally and externally, cannot be overlooked. 

The risk of the unknown is greater now than ever before.