Navigating Your AML Independent Review: 10 Quick Tips

Under Australia's Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) laws, reporting entities are required to undergo regular independent reviews of Part A of their AML/CTF Program. An independent review is an impartial assessment to ensure you are addressing money laundering and terrorism financing risks, complying with legal obligations, and that your Program is effective. Higher-risk entities should conduct reviews more frequently (e.g., annually), while lower-risk entities might do so every 2-3 years. From next year, reviews will be required at least once every three years. If you're unsure whether you're a higher-risk entity, consider AUSTRAC's National Risk Assessments for guidance.

Independent Reviewer Selection

When seeking someone to conduct this impartial assessment, it's crucial they are independent of the Program's development. The reviewer should understand your business and its ML/TF risks and be appropriately qualified.

• Tip 1: Industry Experience and Qualifications. Ask potential reviewers if they have conducted independent reviews for other companies in your industry, as this indicates their understanding of potential challenges and risks. Also, enquire about their professional certifications, technical knowledge of AML systems, and grasp of emerging ML/TF typologies.
• Tip 2: Internal Reviewer Independence. If you choose an internal reviewer, ensure they had no involvement in developing any part of the Program, including assessing ML/TF risk and developing controls. You need to be confident in their independence.
• Tip 3: Fresh Eyes for External Reviewers. If an external party has conducted your review in successive cycles, consider if they can still offer a fresh perspective. If unsure, consider engaging a new reviewer.
• Tip 4: Seek Industry Referrals and Confirm Independence. Engage with others in your industry to find out who has performed well. There are many qualified independent reviewers available. When engaging them, ask for written confirmation of their independence. AUSTRAC also provides helpful guidance on questions to ask AML/CTF consultants and independent review firms.

What to Expect from an Independent Reviewer

AUSTRAC provides useful guidance on the methodology for independent reviews, which will ultimately depend on your organisation's context, including its size, scale, and complexity. Areas an independent review might consider include:

• Whether Part A of your AML/CTF program is current and adequately assesses that policies and procedures manage ML/TF risks.
• Assumptions underpinning the ML/TF risk assessment.
• Changes to your ML/TF risk profile.
• Changes to your AML/CTF practices and policies.
• Employee understanding and compliance with your program.
• Response to previous recommendations.
• Post-implementation reviews of program changes.
• Causes of deficiencies or violations and plans for rectification.
• Adequacy and effectiveness of your AML/CTF employee training program.
• Seniority and authority of your compliance officer.
• Effectiveness of transaction monitoring systems in identifying suspicious matters.
• Compliance of outsourced functions with Part A of your program.
• Implementation of Part A of your program by branches and subsidiaries (including overseas).

You might also consider having your independent reviewer examine Part B of your Program, especially its focus on customer due diligence.

• Tip 5: Adopt an Independent Review Procedure. Establishing a procedure for independent reviews can be very useful. This document can outline how you select your reviewer, how you confirm their independence, and the scope of the review. It can also help manage internal teams' expectations throughout the review process.

An independent reviewer will typically undertake four steps: Documentation Review, Client Interviews, Sample Testing, and Site Visits.

• Step 1: Documentation Review. This involves inspecting your Group Structure (identifying reporting entities), Program, Risk Assessment, AML/CTF policies and procedures (including those for Annual Compliance Reports, customer due diligence, transaction monitoring, suspicious matter reporting, AUSTRAC feedback, training, and record management), reporting lines, Board visibility, accountability framework, and, if applicable, information sharing practices and resource allocation for groups.
• Tip 6: Compile Documents in Advance. Before the reviewer begins, compile all current documents into a review folder. If you're unsure of specific requirements, ask the reviewer for a document list beforehand; this will save considerable time later.
• Step 2: Client Interviews. This step will likely involve interviews with the AMLCO and senior representatives from your Board/Senior Management, Operations, People, IT, and Risk and Compliance teams. This may include walkthroughs to understand and evidence the operationalization of the AML/CTF Program.
• Tip 7: Prepare Interviewees. Identify and engage these executives and senior leaders early to explain the scope and purpose of the Independent Review and the nature of these interviews.
• Step 3: Sample Testing. The reviewer will test relevant AML/CTF activities, including employee files, procedure compliance, and transactions. Sample sizes will be based on ML/TF risks and system/process walkthroughs. Anticipate testing of:
  • ML/TF risk awareness training registers.
  • Employee records to ensure Employee Due Diligence (EDD) Program adherence.
  • Records indicating appropriate governance (Board/Committee minutes/resolutions).
  • Enrolment details and engagement with AUSTRAC.
  • Transaction Monitoring Program (TMP) alerts, Enhanced Customer Due Diligence (ECDD), and investigation cases.
  • AUSTRAC reporting.
• Tip 8: Understand Sample Testing and Facilitate Access. Ensure you understand how the reviewer will conduct sample testing and have the necessary samples and staff available to facilitate a swift assessment.
• Step 4: Site Visits. This may involve visits to your branches, venues, or where your Program is implemented with customers, and may or may not be part of Step 3.
• Tip 9: Make Staff Available. If requested, make your frontline staff available to the reviewer, and ensure appropriate management is present during visits.

What to Expect from the Independent Reviewer's Output

The independent reviewer will issue a written Report containing findings and recommendations. It should detail what was tested, how tests were performed, sample sizes, limitations, and confidence levels of findings. Once received, this Report should be provided to the Board and Senior Management.

• Tip 10: Discuss Report Format and Delivery. Speak with your reviewer about the Report's format and detail. If you wish for them to present their findings and recommendations directly to your Board/Senior Management, ask them to do so.

What to Do After Receiving Your Report

Your Report will likely contain various findings and recommendations. After it's provided to your Board and Senior Management, we recommend:

• Creating a table of findings and recommendations, including columns for management's response and estimated completion time.
• Preparing action plans with attributed owners to address the recommendations where required.
• Tracking progress, reporting regularly to your Board, and, once finalised, reporting completion to your Board and Senior Management.

The report, its findings, and action items should not be viewed in isolation. Consider how these results integrate with your broader risk, compliance, and assurance frameworks; their interplay with internal audit activities; and how the findings feed into your business's risk assessment cycle.

Independent Reviews are a critical component of Australia's AML/CTF regime, providing assurance that reporting entities effectively control against money laundering and terrorism financing risks. Their effectiveness depends on thoroughness, independence, and your commitment to implementing recommendations. By implementing a robust independent review framework, you demonstrate your commitment to combating financial crime, contributing to the integrity of Australia's financial system and the global fight against it.