Financial institutions will welcome the move to a more risk-based approach in the draft AML/CTF Bill and Rules released last month by the Federal Government. This approach will assist in the dedication of scarce resources to manage risk, without prescribing a “tick in the box” risk culture. It will allow individual organisations some flexibility in managing money laundering or counter-terrorism financing risks.
However, Australian financial institutions should not view a risk-based regime as a lesser challenge. Other jurisdictions which moved from a reporting regime have found that the efforts to assess, monitor and embed demonstrable risk management around money laundering or counter-terrorism financing risks are considerable. It requires significant ongoing attention to these issues to deliver sustainable programs.
A common sentiment heard among sectors of the financial services community over the past 18 months has been that “we are low risk”, thus predicating that reduced levels of risk management will be applied to an AML/CTF program. However, even if a low risk classification is determined, it should be noted that the majority of the risk infrastructure of an AML/CTF risk program is still required for low risk transactions, as well as other risk categories.
The risk-based approach will require close examination of vulnerability to money laundering risks and this awareness raising may inevitably change perceptions in this area.
One considerable change which highlights this point is the requirement for organisations to now perform a risk analysis prior to adopting, or introducing, any new products, delivery methods or technologies used in the provision of a designated service to the market.
The revised Customer Identification Program outlines minimum standards for both the identification and, more interestingly, the verification of eight distinct categories of customer (from individuals and companies, through to government entities). Additionally, reporting entities must have risk-based systems and controls in place to determine whether additional Know Your Customer (KYC) information is required.
As widely expected (and in keeping with common sense), corporate groups will be permitted to share one program, although it will be important for large and diverse groups to ensure that AML/CTF programs are tailored to specific risks across different parts of their business. A generic ‘one-size fits all’ program cannot be applied.
Agency relationships will be impacted by the introduction of minimum standards and procedures that will need to be followed upon entering into such a relationship, irrespective of whether this takes place on an individual or corporate basis. Perhaps the most significant impact will be on the distribution channels currently utilised by a large proportion of the Australian financial services sector. For example, financial institutions who use a platform, such as a WRAP, may encounter some difficult issues to manage.
It is true that reporting entities will now be able to rely on customer identification information obtained by third parties. However, to be able to do so, reporting entities must ensure that these third parties are applying a standard of identification at least equivalent to their own risk-based systems.
How significant are the implications for intermediaries and third parties?
There will be a significant impact on intermediaries and platforms, which may lead to questions in relation to:
• AML/CTF requirements – How will intermediaries deal with being required to adhere to (and apply) differing standards to KYC, reporting, or training and awareness, depending on which institution they choose to provide investors access to?
• Commercial impact – What is the commercial impact if some platforms decide to support only those product providers who have ‘lower’, or less demanding AML/CTF standards?
• Interaction with the customer – For those reporting entities who decide that they will not burden their distribution networks with this “hassle,” are they able to manage direct communication with the customer? Does the customer want this contact? How will customers react to being approached by a product provider for personal information?
• Outsourcing back office and administration – Will administrative ‘agents’ be able to cope with the increased requirements from their customers? Will some outsourcing relationships need to be reassessed?
Even if reporting entities use third parties to obtain initial KYC information, practical difficulties may arise if additional customer information (i.e. enhanced due diligence) is required at some stage during the customer relationship, whether due to a change in risk profile or a suspicion having arisen.
It is notable that Australia’s approach to the collection of enhanced due diligence is inconsistent with other jurisdictions, where this information is gathered primarily at the commencement of the relationship. Consequently, the triggering of enhanced due diligence on suspicious activity has the potential to cause significant challenges around the ‘tipping off’ provisions.
In October 2005, Senator Ellison issued a press release announcing that the Government welcomed the release of the Financial Action Task Force (FATF) evaluation of Australia’s AML/CTF measures, stating that “the evaluation adds support to the Government’s proposed AML/CTF reforms aimed at meeting the challenges posed by increasingly sophisticated money laundering and terrorist financing techniques.”
An examination of recent mutual evaluation reports, however, reveals that in regard to international standards, Australia is one of the least compliant jurisdictions assessed by the FATF. While the revised Bill and Rules address a number of the existing deficiencies, there are some conspicuous omissions that will result in Australia continuing to fall short of international best practice.
For example, FATF Recommendation 5 requires the customer due diligence (CDD) measures to include “Obtaining information on the purpose and intended nature of the business relationship.” However, under the Rules regarding “Customer Identification Programs with respect to companies”, the collection of minimum information does not include information regarding the purpose of the relationship.
The exclusion of this requirement and partial carve out of beneficial ownership requirements is somewhat puzzling, given their importance as probably the two most significant risk criteria for evaluating both the genesis of funding and the ultimate control of the funds. Exclusion of these critical KYC criteria can result in a customer identification program becoming administrative in nature, rather than the risk management exercise sought by FATF.
The approach taken by Austrac to regulate a risk-based approach will be critical to ensuring a proportionate and measured level of AML/CTF risk management is undertaken by impacted institutions.
This will be important to ensuring that the initial investment in resources and operational processes is maintained through ongoing attention. The US has developed and published the Bank Secrecy Act AML Examination Manual to assist impacted organisations to better understand the examiners’ expectations.
Accordingly, we would strongly recommend that Austrac release a white paper or similar evidence identifying how it intends to perform its regulatory obligations within a risk-based approach.
The lack of formal guidance on this issue (or, for that matter, the lack of commitment from the government regarding an implementation period) should not stop financial institutions undertaking preliminary reviews of AML/CTF risks.
Chris Cass is an AML partner and Mark Peate is an AML director at Deloitte