The AML/CTF Act places a number of obligations on financial service and credit providers that provide designated services (listed in section 6 of the AML/CTF Act) in order to deter and prevent money laundering and terrorism financing.

One of the obligations includes adopting and maintaining an AML/CTF Program which complies with the AML/CTF Rules. Part A of the AML/CTF Program must include procedures to ensure an independent review is conducted at regular intervals.

1460110a.png

What does an Independent Review involve?

The purpose of an independent review is to provide an impartial assessment of whether Part A of your AML/CTF Program has been implemented effectively, whether it addresses the ML/TF risks and complies with the legislative requirements. All of these requirements should be tested in the independent review.

Reporting entities can use their understanding of ML/TF risk to determine the specific actions and methodology required to complete the review and can determine the scope of the review required to be conducted, in consultation with the reviewer. Independent reviews also provide an opportunity to assess whether previous audit issues have been addressed.

Who can conduct an Independent Review?

An independent reviewer must be someone who:

  • was not involved in the design, implementation or maintenance of your AML/CTF Program;
  • is not involved in the development of your ML/TF risk assessment or the internal controls in place to manage these risks.

Whilst the reviewer should be someone who understands your business and the ML/TF risks involved, it is necessary to be able to demonstrate that your reviewer is independent. Accordingly, it is important to put measures in place to ensure the reviewer's independence.

In assessing the suitability of a person to conduct the independent review, a Reporting Entity may consider the following factors:

  • whether each reviewer is a member of a professional body that imposes relevant obligations on its members;
  • whether each reviewer is sufficiently free from influence by persons involved in the development of Part A of the Reporting Entity's AML/CTF program, or the Reporting Entity's risk assessment, and
  • the adequacy of the reviewer's understanding of, and expertise in applying, the obligations of the AML/CTF Act and Rules to the Reporting Entity.

For further information on how to determine whether the review is independent and what is required, please refer to AUSTRAC's website.

Please note: Sophie Grace does not provide AML/CTF independent or external review services.

What should be included in the Independent Review?

The review should assess and test:

  1. the effectiveness of Part A of the program in addressing your ML/TF risks;
  2. whether Part A complies with the requirements outlined in the AML/CTF Rules;
  3. how effectively your AML/CTF Program has been implemented; and
  4. if you have been complying with Part A of the program appropriately.

AUSTRAC may request an independent review report when a remittance or digital currency exchange business wants to renew its registration. Some banks may also require you to provide an independent review report when applying for a bank account for remittance purposes.

Frequency of Independent Reviews

The Australian Transaction Reports and Analysis Centre (AUSTRAC) recommends that high-risk organisations should conduct independent reviews at least every 2-3 years, but does not specify the frequency for low-risk organisations.

How do low-risk entities proceed?

One of the key concerns for low-risk entities is the cost of an independent review where the review is occurring every 2-3 years. AUSTRAC's guidance is that reporting entities should assess and consider the following factors when determining the frequency of an independent review:

  • the nature and size of your business;
  • the complexity of your business; and
  • the type of money laundering and terrorism risks your business faces.

We suggest businesses have an independent review after the first year of operations to ensure you are on the right track with your AML/CTF compliance and make sure that any breaches or systemic issues are rectified early on in the operations. After that, low-risk entities should consider independent reviews where there are new products, delivery channels, business partners, changes to business operations or systemic issues identified. Other than these scenarios, having an independent review on an intermittent frequency will ensure that your business is staying up to date with the requirements and industry standards.

Additionally, we suggest low-risk entities consider conducting an annual internal review of the AML/CTF risk assessment and compliance with the AML/CTF program and report the findings to the Board of Directors.

The internal review could include reviewing:

  • breaches of the AML/CTF program which have occurred and look for systemic issues;
  • the products offered, delivery channels utilised and the jurisdictions dealt with to ensure the AML/CTF risk assessment remains appropriate;
  • how well the business responds to recommendations from AUSTRAC or previous independent review reports;
  • any deficiencies in the AML/CTF program and developing plans to rectify them;
  • AML/CTF representative training completed and how well representatives understand and comply with legislative requirements;
  • how well your transaction monitoring systems are working in identifying unusual patterns and suspicious matters; and
  • due diligence completed on outsourced third parties.

The information collected in the internal review, together with the factors AUSTRAC expects to be considered, will help low-risk entities better inform their decision-making in relation to the frequency of independent reviews.

Background Information:

Part 8.6 of the AML/CTF Rules requires reporting entities to conduct an independent review of Part A of their AML/CTF Program. Reporting entities must have a documented report of the review that includes the findings and recommendations. The report must be presented to the Board for review and implementation.

Further Reading

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.