The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 and its associated regulations and guidelines (AML/CTF Act) have now been operational within the Australian marketplace since December 2007.
The AML/CTF Act uses a risk-based approach to create a business environment that is hostile to the conduct of money-laundering and terrorism financing (ML/TF). This means that reporting entities and their officers have the responsibility to diligently assess ML/TF risk and to develop a program that effectively identifies, mitigates and manages the AML/CTF risk.
So who is a reporting entity?
There is no definitive list of what type or style of enterprise will be a reporting entity. For the same reason that regulation of the ML/TF environment is addressed by a principles-based regulatory regime, the type of activity that might involve the movement of money and be considered a designated service is controlled by loose definitions in the AML/CTF Act.
The closest AUSTRAC came to providing guidance on what might be considered a reporting entity was contained in Public Legal Interpretation No. 4 of 2008 – What constitutes a reporting entity. However, the guidance did not go so far as providing examples of businesses caught by the provisions of the AML/CTF Act.
So every enterprise should at some stage have performed an assessment of its risk exposure to the movement of money or other financial interests, dealing with offshore consumers or providers and any other form of financial transaction contemplated by the business. The underlying tests are whether the customer is being provided a “designated service”, the nature of the designated service and the degree of risk attaching to that customer – which dictates the level of client identification needed to meet the AML/CTF Act requirements.
Some obvious examples of reporting entities are banks, building societies, credit unions, mutuals and co-operatives, loan arrangers/mortgage brokers, fund managers, superannuation funds, superannuation administration providers, credit card issuers, stockbrokers and financial advisors and currency exchange services. But this list is merely identifying obvious examples – every enterprise should perform an assessment of risk relating to the style of money transactions that occur as part of operating their business.
AML/CTF – a risk based program
Implementation of an AML/CTF program is required to be effected on a risk assessment basis; that is, any enterprise required to have an AML/CTF program must have embedded controls and processes on how to manage the risks specific to its business. Enterprises that are governed by the AML/CTF Act have the flexibility to construct and tailor their risk management framework to address risks in a fashion that is appropriate to their business structure and the products and services that they offer, and that framework should be aligned to the ML/TF risk their enterprise reasonably faces. In simple terms – the enterprise's risk framework should include a detailed consideration of the AML/CTF risk that the enterprise faces and should be aligned with and reflective of how the enterprise conducts its business affairs.
Ongoing Compliance Obligations
But once an AML/CTF risk program is created, so what? Well, AUSTRAC, the body charged with responsibility for the regulatory oversight of AML/CTF in Australia, has several programs by which it seeks to maintain compliance with the AML/CTF Act:
AUSTRAC has indicated that, following a marked increase in failures within enterprises exposed to ML/TF risk, the level of inspections of reporting entities will increase. In addition to this heightened surveillance activity, AUSTRAC has also released the findings of past surveillance, which have highlighted that very few reporting entities are fulfilling their obligation to conduct a “regular independent review” in accordance with the AML/CTF Act.
Independent Review – Part A AML/CTF Program
Given that AML/CTF programs have now been in existence since 2006 the question is regularly asked – how often should the AML/CTF program and risk assessment be reviewed?
The AML/CTF Program needs to be reviewed annually as a requirement of Part A of the AML/CTF Program established for all reporting entities. This review is focused on the effectiveness of the operation of the existing AML/CTF Program and whilst logically the review should extend to the AML/CTF risk aspects within the enterprise it rarely will.
The style of the review needs to be something more than a lawyer reviewing the terms of the AML/CTF Program. The underlying intention is that the operational delivery of the requirements of Part A is assessed against the methodology for delivery of ML/TF monitoring and the degree to which Part A of a current program meets the thresholds established under the AML/CTF Act. By association, it is next to impossible to properly assess the level of compliance of Part A of an AML/CTF Program without some practical review of the delivery of the Know Your Client aspects of Part B of the AML/CTF Program.
The need to review the effectiveness of the AML/CTF risk framework is also reinforced by the requirements of Risk Management Standard AUS/NZS 31000:2009, which commenced from 1 July 2012 and embraces a requirement to annually reassess the existing risk management framework.
The AML/CTF Rules do not provide much clarity, merely indicating that the review should be “regular” and performed by an “independent”. Neither word is defined within the Rules – but prudence would suggest that if there has not been a review completed within the last few years then the “regular” test will not have been met. There is a train of thought that “regular” should require a review approximately every two (2) years and align with the annual reporting obligation on a reporting entity, requiring that a review be effected every two (2) years within close proximity to the March lodgement of the annual AUSTRAC return.
Similarly, when it comes to the definition of “independent”, it is hard to contemplate that the internal staff of an enterprise can deliver the necessary independence to be sufficiently divorced from an existing AML/CTF program to provide a critical review and recommendations on any perceived improvements to the AML/CTF Program Part A or the broader risk management program.
As the requirement for the “regular independent review” of Part A of the AML/CTF Program has been an obligation since the commencement of ML/TF, the broader risk management program may need to be reconsidered, as all risks should be reviewed, tested and if necessary reconsidered each year to ensure that your business is operating as efficiently as it can.
Contact Philip Anthon
philip@governanceworx.com.au
0429 877 470
