Subscribe to receive our latest Risk and Compliance Insights and Research as they become available.
AMLCO Committee Membership Discussion
We are often asked by clients to advise on specific regulatory or risk issues. We are sharing this condensed POV discussion paper (recently completed for a client) as we’ve seen a few variations – and there may be several answers at large. In this one, we are heavily influenced by recent judicial commentary in the three major Australian cases.
An important question – What committees or forums should the AMLCO be a standing or optional member of to best meet the requirements of the role?
Hypotheses and recommendation – The AMLCO should either become a voting member of key committees dealing with data, technology change and products/services OR where they do not become a member, they should receive all agenda, papers, outputs – in order to meet the requirements of the role.
There are several considerations that play into the question. For the purposes of this insight, we have considered two elements:
Element 1 – Regulatory and legal expectations
What do AUSTRAC, the AML/CTF legislation, and recent AML cases say about the requirements here?
The first thing to note is that the role must be at a management level and have the authority and influence to ensure XYZ complies with its AML/CTF obligations. The AMLCO role is unique and one of few roles where there is a personal accountability that cannot be indemnified by the organisation – in other words, the AMLCO is personally exposed to legal sanctions for any material breaches by the organisation.
AUSTRAC provides guidance  on the Role of an AML/CTF compliance officer:
“Examples of duties a compliance officer may perform to ensure your business meets its obligations include:
- making sure your business complies with its AML/CTF obligations according to both the AML/CTF Act and AML/CTF Rules
- reporting regularly to your company’s board and senior management about how your business is meeting its obligations, including alerting them if your business is not complying
- taking day-to-day responsibility for your AML/CTF program
- helping to create, implement and maintain internal policies, procedures and systems for AML/CTF compliance
- being the contact point for your business’s dealings with AUSTRAC, for example, submitting reports such as suspicious matter or threshold transaction reports, or liaising about compliance audits and other AUSTRAC requests
- addressing any feedback from AUSTRAC about how you are managing your risks or about your AML/CTF program.”
There is no specific guidance specifying AMLCO membership of any committees one would normally expect to find in an ADI. However, some of the elements above have been examined in recent court cases providing some context for the extent to which the role needs to be able to influence the ADI to ensure the law is met.
Findings from judicial cases carry the most weight regarding how any ADI should seek to meet the AML/CTF law. It is where AUSTRAC and their prosecutions are tested, and penalties determined (or agreed).
In the judgment of Justice Beach in the recent Westpac case :
|#||What was said||What it means for XYZ?|
|1||His honour referenced failures in the CBA case derived from “…a misapprehension of obligations imposed under the Act, an inadvertent failure to update and configure automated processes, and an error when merging data from two of CBA’s systems.” Combined with other commentary the Court makes it clear that AML considerations need to be at the coal face of day to day activities within banks.
This means having an AML program and capability that ensures all the necessary stakeholders understand the organisation's obligations (in the context of their roles), that business processes are appropriately designed, implemented, documented, updated, and tested to support compliance with those obligations, and that the personal accountability of the AMLCO is reflected in their ability to directly influence these outcomes.
|AMLCO role should be sufficiently ‘wired’ into the management systems of the organisation to ensure these compliance outcomes are achievable.
Practically, this means the AMLCO is highly networked to each area of the business where compliance education/training occurs, where business processes are designed/implemented etc, where data governance and system changes are agreed and executed.
Given the resource profile of XYZ, the network effect desired here might be most easily achieved through a formal governance model which sees the AMLCO (or permitted delegates) sit as standing member of all committees/groups that directly impact the above areas. This should be a voting role in most cases, or at least include a veto that enables escalation to the CEO on matters of serious AML risk.
The committees might include:
- Data governance
- Technology Change
- Product Design and Distribution
The committees would not include:
a) ALM (Asset and Liability Management)
|2||The AMLCO did not become aware of serious reporting breaches for a year . Once they were informed then the matters were escalated and three months later AUSTRAC was informed of the scale of the issue (as it was then known).
The judgement describes the events and circumstances and says : “…flaws in the design and implementation of the correspondent banking due diligence assessment processes could have been identified and addressed earlier as Westpac had stronger first-line testing, second-line oversight, and third-line audit coverage.”
|XYZ’s business processes and financial crime controls need to be designed such that the AMLCO is made aware of AML/CTF breaches.
To this end, XYZ must have the right mix of first, second and third line processes in place to provide reasonable confidence that any breach would be detected and reported to the AMLCO.
Having the AMLCO being a member of, or direct recipient of information from, committees and forums that directly managed breach detection and reporting is the most cost-effective and confidence building approach to ensure the controls failures in the Westpac case are not present at XYZ.
These committees or forums should include:
c) Financial crime operations performance
d) Customer complaints (product/process not specifically service)
e) Compliance operations (first and second line)
f) Internal/external audit (findings)
|3||His Honour went on to say : “…(a) The reporting to the Board and senior management on AML/CTF compliance and the identification, mitigation and management of ML/TF risk reasonably faced by Westpac lacked completeness and sufficient insight; … (d) There was a lack of sufficient clarity and understanding within Westpac as to the particular accountabilities between the three lines of defence responsible for financial crime controls; (e) The AML/CTF compliance and risk management functions were not adequately resourced; (f) There were weaknesses in Westpac’s data management and technology systems concerning AML/CTF compliance.”||The AMLCO must ensure that board and senior management committees do have sufficient completeness and insight – membership or standing attendance at relevant committees is seen as a key control to help achieve that.
This would include:
g) Executive risk committees
h) Board risk and compliance committees
Such membership or presence, along with the data, technology change and product areas called out further above, helps address the other gaps identified in the Westpac case around clarity of accountabilities around controls and data and technology as it impacts AML.
In the earlier TAB case  Justice Perram also made some relevant findings.
|#||What was said||What it means for XYZ|
|1||“I accept that…(d) the contraventions did not arise as a result of a deliberate intention to contravene the Act. Instead, the state of affairs which prevailed under the Former Program came about because of insufficient resourcing together with insufficient processes for consistent management oversight, assurance and operational execution. Management should have done more.” ||The AMLCO should be personally satisfied that their membership or standing access to a broad range of business committees and forums provides sufficient oversight to allow XYZ to meet its AML obligations.
The TAB case reinforces the need for appropriate levels of oversight, assurance and operational execution.
|2||“In my opinion, a $45 million penalty is appropriate. It is true that the failures were system failures but that is precisely what this statute is about.” ||The significant role of data, products and technology in businesses like TAB, CBA, XYZ means that AML risk must be top of mind and built into the related business processes.
The presence of the AMLCO on relevant committees or forums to ensure oversight of AML compliance is a natural reaction to the themes identified in all three mentioned cases.
Element 2 – The relative risk profile for XYZ that impacts the options
XYZ has a lower risk profile than TAB, CBA and Westpac, which have been referenced above. What does this mean in terms of AMLCO oversight and committee membership to best support XYZ’s compliance with the Act? In this paper, we consider three inputs.
|#||What was said||What it means for XYZ|
|1||AUSTRAC’s 2019 risk assessment report  into the Mutual Banking Sector which provided an overall sector rating of Medium (but at high end).
Within the report AUSTRAC examined different aspects of risk, this included “vulnerabilities”. Vulnerability refers to the characteristics of a sector that make it susceptible to criminal exploitation. AUSTRAC’s assessment of vulnerabilities falls into five sections: customers, products and services, delivery channels, exposure to foreign jurisdictions and level of implementation of risk mitigation strategies.
On the Risk Assessment element, most relevant to this paper, they said: “A robust risk assessment is the centrepiece of an effective AML/CTF regime. It is important that risk assessment processes have the capacity to generate a genuine understanding of ML/TF exposure at an individual reporting entity level. This means the use of off-the-shelf risk assessment tools needs to be tailored to ensure it reflects the actual risks posed to mutuals operating within different contexts. Not only do risk assessments need to be entity-specific, they also need to be regularly updated to ensure changes in risk profiles and systems, and any changes to the nature of products or delivery channels are addressed in a timely and effective way.”
|AUSTRAC does not provide any more clarity on the AMLCO role or governance model than matters above. However, it reinforces the need to monitor and update changes to the risk profile and business (including technology) systems. The report recognises that most mutuals need to use third party providers to meet requirements.
It is suggested that the best way for XYZ to monitor changes to its risk profile (including products and channels as called out) is to ensure the AMLCO is networked into the business management systems that cover such things. This supports membership or direct access to relevant data, product and technology committees or groups to provide the oversight and intervention/escalation capabilities required.
|2||AUSTRAC has produced a high level checklist guide for AMLCO’s  which summarises four key activity areas:
(1) Assess and manage the ML/TF risks your business may face;
(2) Manage the AML/CTF program and keep records;
(3) Submit reports and be the contact point for AUSTRAC;
(4) Manage AML/CTF Culture and compliance within the business.
Element (2) contains four important activity areas:
• Work with the board and senior management to ensure continued compliance with AML/CTF obligations
• Report regularly to the board and senior management, including non-compliance and risk assessment updates
• Update internal AML/CTF compliance manuals, policies, procedures and systems
• Promote AML/CTF processes and procedures and train staff to understand your business compliance obligations.
Element (4) contains two other relevant items:
• Update the program before any new services, products or delivery channels are introduced
• Maintain and regularly update the program.
|The AMLCO can best achieve many of these expectations by being highly connected to the business processes that drive them – especially around services, products, channels and systems.
Being part of the committees or groups that oversight these areas is recommended as the most cost-effective way of creating this line of sight.
|3||AUSTRAC has also produced a high level checklist guide for Boards and senior management  which summarises four key activity areas: (1) ML/TF risk management; (2) AML/CTF Program; (3) AML/CTF Compliance Officer; (4) AML/CTF Compliance Function. It also states: “Boards and senior management must engage, question, challenge and be accountable for the ML/TF risks their business faces.” 
Elements (2) and (3) detail more specific requirements:
• Ensure the program includes monitoring and assurance processes to detect non-compliance
• Provide the compliance officer with adequate resources and authority to carry out their responsibilities
• Ensure the compliance officer has access to the board and senior management
• Provide oversight and ensure the compliance officer directs and controls AML/CTF compliance
• Ensure the compliance officer regularly reports on ML/TF risks and ongoing compliance to the board and senior management
• Ensure the AML/CTF function is structured appropriately for the business
|This summary reinforces the scope, authority and access of the AMLCO role.
Without investing in additional resources to develop more operational oversight and assurance activities, having the AMLCO have the recommended committee roles is seen as the most cost effective and risk adjusted option.
|4||Insync’s experience as a team of Financial Crime and AML/CTF specialists (including former AMLCO) working with many programs and projects.||Our strong view is that at a minimum the AMLCO should see the agenda, papers, and outcomes of all committees where AML/CTF is or could be relevant.
We believe they should also be voting members of some committees or otherwise have a clear right of escalation where they believe XYZ may be, or about to be, breaching its obligations or acting outside its risk appetite.
 CEO of Australian Transaction Reports and Analysis Centre v Westpac Banking Corporation  FCA 1538
 Op Cit, at para 89
 Op Cit, at para 123
 Op Cit, para 170
 Chief Executive Officer of Australian Transaction Reports and Analysis Centre v TAB Limited (No 3)  FCA 1296
 Op Cit, para 11
 Op Cit, para 53
 Op Cit, page 2
Chief Executive Officer
As a qualified lawyer and passionate technologist, Sean loves to work with clients to help them understand, articulate and reimagine their most important business challenges. He has focused on risk management and decision quality over the last few years and in this 4IR spends as much time helping clients think about emerging risk and opportunity, as about how they best design their risk management, compliance and assurance capabilities to meet existing expectations.