Opinion by Nathan Lynch, AML expert
On the first day of July, around 80,000 new businesses are expected to wander into the AML tent. Lawyers in suburban Sydney. Accountants running two-partner shops out of office parks in Tuggerah. Conveyancers. Real estate agents from the Gold Coast to Gundagai. Most, until very recently, thought an SMR was a Strata Management Report. This is a momentous change and a massive supervisory challenge for AUSTRAC, their new regulator.
To manage the influx, AUSTRAC has done something no regulator on the planet has done before. It has written the compliance program for them.
The regulator designed the program, the risk assessment, the policy and the processes. All drafted by the same agency that will, in a few years’ time, come knocking to inspect them. Adopt the Program Starter Kit faithfully (double-checking that you qualify) and section 81 of the AML/CTF Act, the keystone of multi-million-dollar enforcement cases, comes off the table. You are not designing your own program anymore. If you are eligible, you are following AUSTRAC’s.
This is a boon for smaller reporting entities, an estimated 60,000 of which will be eligible to use the kits in their published form. Larger or more complex firms may still be able to use them as a baseline, with modifications. The uniqueness of this situation is why AML Shield has turned the Word documents into a simple software-based workflow tool.
The starter kits are a regulatory game changer, and someone needed to simplify and streamline them. As AML industry veterans, we took up that challenge.
Looking under the hood
So what impact will this have on supervision and enforcement for Tranche 2?
We have all heard about the $2.5 billion in AUSTRAC civil enforcement penalties. Anyone who has read a CBA, Westpac or Crown Resorts statement of claim knows where AUSTRAC’s enforcement firepower has resided. Program failure. Inadequate risk assessment. Methodology that did not capture the risk. The whole architecture of section 81 has been the regulator’s trusty blunderbuss. Every time a business provided a designated service without an adequate AML program, AUSTRAC said it was risking a $21 million-plus fine. This led to theoretical trillion-dollar exposures for CBA and Westpac.
The tally of program failures also delivered the front-page headlines. The Netflix-ready statement of claim documents will be quoted at board meetings for years to come.
So what will AUSTRAC do when supervision and enforcement starts for Tranche 2?
If your starter kit is AUSTRAC’s design, then the enforcer cannot reasonably haul you into the Federal Court for getting the program wrong. You didn’t write it. The regulator did. The litigation pathway that dominated the last decade of AML enforcement cases does not align with a small business that relied on starter kits.
So what is the new pathway?
Fines, audits and persuasion
When the courtroom is not appropriate, regulators reach for the administrative toolkit. AUSTRAC’s powers under the AML/CTF Act run a long way before they hit civil litigation. Infringement notices. Enforceable undertakings. External auditors appointed under section 162, at the entity’s own expense, writing reports the regulator can use to tighten the screws or close the file. Conditional registration. Public warnings. Remedial directions will not make the front page of the Financial Review, but they will make sole-practitioner accountants in Maroochydore reach for their AML program folders.
Expect those tools to do the heavy lifting in the Tranche 2 enforcement era.
The big civil-penalty cases were always asymmetric. They worked because they were rare and ruinous, and the targets were big enough to settle in the hundreds of millions. It peaked at $1.3 billion for Westpac, whose AML failures included inadequate monitoring of payments later linked to child exploitation in the Philippines.
The civil-penalty era was a shoulder-mounted bazooka. The Tranche 2 enforcement era will be a series of quiet, targeted sniper shots.
None of that is likely to apply to a two-partner conveyancing practice in Penrith. The cost of investigation, the cost of running litigation, the cost of defending it: none of those numbers stack up for the regulator or the respondent. A $222,000 infringement notice, however, does. A direction to engage an external auditor does. A public statement naming a firm that failed to enrol does as well. AUSTRAC wants to have a collaborative relationship with the new sectors it regulates. Guidance and support are the keys to that relationship.
But in cases of flagrant disregard for the law, or significant community harm, it will use its tools. This is not a softening of approach. It is a tooling change.
What gets enforced now?
Here is the part the industry needs to consider. If you adopt the starter kit, the question the regulator will be asking you in three years’ time is not “is your program adequate?” The kit stipulated that already. The question is: “did you transpose it correctly, in full? Did you follow it? Are you sure you are applying it in full?”
That is a challenging question, and a much harder one for a small firm to fudge.
AUSTRAC can give you a beautiful 80-page AML program. But you need to ensure it does more than just sit on a shelf in the AMLCO’s office.
A regulator with a daily-tracked enrolment dashboard, 16 sectors to triage, and an explicit outcomes-over-compliance approach will go straight to that question. Not simply “explain to me how your program addresses your risks.” Instead, they may want to see your last twenty client files. Or the customer due diligence form for the property settlement you did last Tuesday.
That is a different kind of supervisory conversation. The compliance professionals who grew up on the big banking cases are going to have to retool. And so is the regulator.
The onus on AUSTRAC
The flip side of authoring the program is that the regulator also has to update it.
If the starter kit misses a risk, say, a real estate vulnerability that emerges six months in, or a precious-metals laundering typology the inherent-risk register did not capture, every entity that adopted the kit faithfully is, by definition, not capturing that risk. They are doing exactly what the regulator told them to do. They are also missing the threat.
The regulator has taken on an onerous task in continually reviewing the starter kits and communicating changes to the business community. The kits cannot be static. AUSTRAC has committed to a unique relationship with reporting entities, and it is a workload the agency has never carried before. It also creates an obligation on businesses to continually look for any updates and incorporate them into their “live” programs. This is another reason that we developed AML Shield: to ensure that businesses receive these program updates via our platform in a simple, seamless manner.
When AUSTRAC releases any updates to its starter kit programs, AML Shield users will be among the first to know.