
The Importance of Getting It Right

Tuesday 27 February 2018


In 2018, it will be more important than ever for organisations to ‘get it right’ with their GRC frameworks, especially in meeting the anti-money laundering and counter-terrorism financing requirements under the Act.

GRC Professional caught up with Andrew Ham to look at changes in the financial crime space and some of the issues facing members of the GRCI AML Networking Group. Ham is Senior Legal Counsel at Lawyers On Demand in the Asia Pacific, and is currently on secondment to a major financial services business in Melbourne. He has been a financial services lawyer and compliance professional for over 25 years, starting out in large legal firms, but more recently has worked in specialist financial services and regulatory practice. He has been in-house in a number of different regulatory roles at the Financial Ombudsman Service (FOS), and in banks, insurance companies and the not-for-profit sector.

“For me [financial crime] brings together legal, risk management and compliance skills and is an interesting mix in terms of the law and what is happening on the ground,” Ham said.

Yet, it is clear from the reports in mainstream media that organisations around the world are struggling to meet their AML/CTF obligations.

What is it that organisations keep getting wrong?
“I spent years conducting independent reviews of compliance programs across all sorts of different-sized businesses and industries,” said Ham. “I see three main problems: the first would be ongoing customer due diligence—that is, keeping on top of changes to your customers’ risk rating, and changes in beneficial ownership. It often seems like no one keeps on top of the changes in the business or profile of their customers or, in the case of corporate clients, their beneficial ownership or board membership. So often, not knowing what you don’t know about your own customers leads to unpleasant surprises.

“The second would be reporting obligations and doing them adequately, particularly with regards to suspicious matter reports (SMRs). It is often difficult to get the right balance in your report which requires often relatively low paid positions to be able to make relatively sophisticated judgements about all the complexities of human behaviour. Getting it right with international funds transfer instructions (IFTIs), and threshold transaction reporting can also be a challenge, given the significant amount of detailed and complex information that has to be collected and transmitted.

“And, I guess the third main issue, broadly, is risk assessments. People find it very hard to do risk assessments and keep them up-to-date.”

The question is how regulators can help industry meet its mandatory requirements. In Australia, some believe that the regulator should be giving them more specific guidance on how they can effectively meet their obligations.

Institutions’ complaints about not getting enough guidance from AUSTRAC are one of the ‘eternal tensions’ in this area.

“There has been a great effort to produce a principles-based regime that provides broad guidance. It is supposed to tread that line between providing enough information for the regulated population to apply it with confidence, but not so much that you get tied up in detail.”

Yet, Ham explained there is always pressure to provide more detail with clear ‘black letter’ rules, in the quest for certainty. “You can look at other regulatory regimes within financial services, and there are multiple layers of detail and complexity that organisations have to contend with.”

AUSTRAC looked at whether it should give more guidance when it did the review of the legislation, but opted not to.

“Personally, I think they might have made the right decision to reduce the temptation to dictate in endless detail exactly what people should do, and instead have stuck to giving people guidance in the form of case studies, risk assessments and other high-level information and let them use these as tools to develop their own policies and AML programs.”

For Ham, the nature of the subject matter supports a principles-based approach, because organised crime is highly motivated to keep one step ahead of any rule and adapts its methods to defeat the latest counter-move by law enforcement. The principles-based approach gives regulated providers the flexibility to respond to their day-to-day experience in the operation of their businesses.

What were some of the themes from the 2017 GRCI AML Group?
A major theme for the GRCI AML Networking Group recently has been regulatory developments, particularly as AUSTRAC and the government respond to the 2016 AML/CTF statutory review with legislative amendments, new or amended regulatory rules and the issue by AUSTRAC of a series of industry risk assessments.
These risk assessments have an underlying methodology that businesses can take away and use in their AML financial crime program.

“Individual entities are often tempted to underestimate their AML risk. So, many participants in the industries that they (AUSTRAC) have looked at have received a surprise, and had to adapt because they prefer to see themselves and the customers that support them as low risk,” Ham explained.

Another thing Ham sees is that both big and small organisations have to deal with the same rules. Large corporations delivering AML designated services are fast-paced with complex and constantly changing delivery channels. In this environment, with enormous resources devoted to compliance, obscure impacts of tiny details can bring on disaster and require superhuman powers to hunt down. The same rules apply to one-man bands, in which the AML compliance officer is also CEO, shareholder and Head of Sales just trying to make a living.

“It is a big ask for a small business even to be confident of the fundamentals, though in my experience very many indeed do a terrific job, against the odds,” he stated.

What should GRC professionals look out for in 2018?
One of the major changes on the horizon is the stretching of the AML/CTF framework to extend to designated non-financial businesses and professions (DNFBPs).

In addition, there will be an expectation of rising standards as industry develops best practice expertise and comes to appreciate the value of compliance through bitter experience. Legal action brought recently by AUSTRAC against Tabcorp and CBA has demonstrated in the starkest way possible the direct role that businesses that allegedly don’t get it right can unwittingly play in facilitating organised crime. What is also important is looking at the traditional compartmentalisation of the approach to financial crime and seeing how this siloed approach can be broken down so that risk and compliance frameworks can be more effective.

“As Carolyn Hanson [GRCI President] has said in a recent GRCI Financial Crime Summit, there is a convergence between the approach to fraud and AML, with the realisation that they are two sides of the same coin. Fraud for example is in one sense simply acquisition of dirty money, and AML is how you extract financial gain from it.”

How will it affect perspectives on compliance?
All these changes impact upon how compliance is viewed and where it is prioritised within the organisation.

“AML, historically, has been seen as a lower priority from a compliance perspective because it doesn’t involve getting a licence, unless you are a remitter,” Ham said. “If you look at AFSL and Credit businesses, ASIC issues a licence it can take away from you. And one thing the AUSTRAC prosecutions have demonstrated with the CBA and TABCORP cases is that reputational damage is associated with AML compliance performance. It is not just about ‘ticking the box’. There are real consequences involved in not getting it right.”
