High profile enforcement cases are a timely reminder to check that your AML/CTF program aligns with the latest Australian Risk standards
Insight provided by Julian Hoskins, Principal at Senet

“Gambling industry operators need to ensure that their AML/CTF programs, policies, procedures and controls reflect the latest Australian Risk standard ISO31000:2018. Those failing to adequately maintain and enhance their AML/CTF program, including following regular independent reviews, risk facing potential action from the regulator and costly penalties.”

AUSTRAC continues to seek increasingly tough civil penalties in cases where there have been major AML/CTF failings, in order to send a clear message to reporting entities. Comments made by AUSTRAC on the ABC’s 730 report on 8 July, together with high profile enforcement cases against organisations such as Tabcorp, Commonwealth Bank and Westpac, are a timely reminder for operators to review their AML/CTF programs, policies, procedures and controls.  Failure to adequately protect against AML/CTF threats can be costly. Following recent breaches or alleged breaches across gambling and financial services, AUSTRAC is expected to increase scrutiny in these areas.  

Latest risk assessment techniques and management standards - IEC 31010:2019 and ISO 31000:2018

There are a number of international standards available to help guide an operator in respect of risk assessments and controls.  IEC 31010:2019 provides guidance on the selection and application of techniques for assessing risk in a wide range of situations and the Australian Risk Management Standard ISO 31000:2018 assists in relation to managing risk. In our experience some operators in the gambling services sector have an AML/CTF program which is still aligned to the 2009 rather than 2018 risk management standard. 

AML/CTF program should reflect the risk assessment 
AML/CTF programs must be tailored to reflect how an operator identifies, mitigates and manages the risk of its products or services being used for money laundering or terrorism financing, and must be appropriate to the level of risk the business or organisation may reasonably face. As such, an AML/CTF program should never be something purchased “off the shelf” without having regard to a specific risk assessment undertaken by the operator to reflect the relevant risks and controls. No two businesses are the same.  An organisation should also be regularly assessing risk as new products or business practices are introduced.  If an operator’s AML/CTF program has not been independently reviewed within the past 3 years and/or the program is based on 2009 risk management standards, then an independent review should be a priority to mitigate any risk. 

Financial Action Task Force global updates
In 2020, FATF have so far issued two guidance notes in relation to high risk jurisdictions and jurisdictions under increased monitoring.  FATF statements should be used by an operator to help guide their risk assessment (as required) and AML/CTF program, as well as decisions about submitting suspicious matter reports to AUSTRAC.

Quick compliance check - AML/CTF questions for operators

  • Has your organisation undertaken an independent external AML/CTF program review (covering Part A and, ideally, also Part B) within the past 3 years? 
  • Has your latest risk assessment and allocated inherent /residual risk ratings been prepared having regard to ISO 31000:2018? 
  • Where relevant, have the FATF global guidance updates been considered (as applicable) in respect of your AML/CTF risk assessment, AML/CTF program and any relevant SMR’s filed with AUSTRAC;
  • Are you undertaking a risk assessments each time a new product or business practice is introduced?; and
  • Have your employees undertaken AML/CTF training in the past 12 months and do they understand the changes since the last time they received training?

Independent AML/CTF Review prior to 31 March 2021
If you have answered “NO” to one or more of the above questions, then you should consider having your AML/CTF program independently reviewed before your next compliance report is due to be submitted to AUSTRAC (by 31 March 2021). An independent review is an impartial assessment of Part A of your AML/CTF program. It considers whether the organisation is complying with its program and that it properly addresses its money laundering and terrorism financing risks, complies with relevant legal obligations, incorporates guidance updates issued by AUSTRAC (and ideally other relevant regulatory authorities), and is working as it should.  A Part B review should also occur in parallel.