Founded in 1989, the Australian Transaction Reports and Analysis Center (AUSTRAC) is Australia’s financial intelligence unit (FIU), responsible for combating money laundering (ML), terrorist financing (TF), and other financial crimes. AUSTRAC operates under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) and the Financial Transaction Reports Act 1988 (FTR Act), which outline compliance requirements for designated entities providing at-risk services. Some FIUs are only tasked with investigating potential suspicious activity reported to them and do not act as regulators. However, Australia has vested AUSTRAC with enforcement as well as investigative powers.
What Does AUSTRAC Do?
AUSTRAC is a key player in Australia’s approach to AML/CTF, providing tools, guidance, and enforcement measures for entities under its supervision. It also has been central to revamping Australia’s framework for combatting ML/TF.
As part of its mission, AUSTRAC processes the reports required from Australian financial institutions including those on suspicious transactions, international funds transfers, and transactions amounting to more than A$10,000. AUSTRAC investigates these reports, keeping tabs on specific clients and accounts. In 2022, the regulator announced that it would be updating its reporting system for supervised entities, making the process easier and more intuitive. The Reporting Entity System Transformation (REST) program, scheduled over a four-year period, will improve security and offer a more responsive interface to reporting entities. It will also allow those entities to see their reporting history and have more control over their reports – including making corrections themselves when needed.
To ensure that improvements are useful to regulated firms, REST has established a Customer Advisory Group (CAG) composed of entities that report to AUSTRAC. It is actively seeking input and has implemented several workshops with CAG participants. AUSTRAC is using the feedback it receives to implement improvements through its REST program. In this way, it hopes to make the reporting process as streamlined and effective as possible.
As one of five regulators in Australia’s financial system, AUSTRAC’s work connects in a particular way with the Australian Securities and Investments Commission (ASIC) and the Australian Prudential Regulation Authority (APRA). These two bodies are sometimes called the Australian financial regulatory system’s “twin peaks.”
Where AUSTRAC focuses on investigating and preventing financial crime and terrorist financing, these complementary bodies focus on a reliable Australian financial sector for consumers. They do so differently, but their work intersects:
APRA Regulates Systems – Concerned with stability and safety in the financial system, APRA oversees Australian financial institutions, from banks and credit unions to insurance providers and superannuation funds. Its job is to ensure that these institutions’ infrastructures are reliable for customers, confirming that they can manage money sustainably and keep client funds safe. Its focus is more on systems than individuals or their actions – unless those actions are likely to impact the large-scale stability of the Australian financial system.
ASIC Regulates Behavior – Although ASIC has many areas of overlap with APRA, it tends to focus more closely on correcting misconduct and investigating customer complaints. It monitors institutions and markets under its supervision, ensuring they operate ethically and fairly toward customers. It may also take action against financial or credit products that don’t work properly, among many other things. In contrast to APRA’s systemic focus, ASIC regulates individual and institutional conduct and advocates for individual customers.
Given their complementary interests, the three bodies were encouraged to increase their collaboration by the IMF-FSAP’s 2019 recommendations. ASIC is a partner in AUSTRAC’s Fintel Alliance. This alliance works to provide the financial sector with crucial law enforcement data to support their investigations of financial and organized crime, including child trafficking and human slavery. APRA and ASIC have also collaborated with AUSTRAC in specific cases, such as the $1.2 million infringement notice against a regulated financial institution in 2020.
What are AUSTRAC’s Regulations and Compliance Requirements?
AUSTRAC’s oversight primarily corresponds to, and enforces, the AML/CTF Act. The law places specific AML/CTF requirements on firms that provide any of the services designated in section 6 of the Act, such as those covered by financial service, digital currency exchange, and gambling providers. According to the Act, regulated institutions must enroll with AUSTRAC, fulfilling key compliance requirements. This notably includes a requirement for a satisfactory AML/CTF framework, which should cover areas such as reporting, customer identification and verification (including due diligence for beneficial owners and politically exposed persons), transaction monitoring, and risk assessments. AUSTRAC requires that solicitors and motor vehicle dealers involved as insurance providers fulfill similar requirements under the FTR Act.
How Can Firms Comply with AUSTRAC Regulations?
Before being legally able to provide designated services, firms must have instituted a risk-based AML/CTF program fulfilling specific AUSTRAC requirements. The program must be documented in writing and accurately specify the processes a firm uses for addressing and combatting ML/TF. Aside from fulfilling legal requirements, this document serves as evidence and a point of reference for evaluating the adequacy and effectiveness of a firm’s AML/CTF measures. While there are certain general features every program should have, each firm’s specific framework should be tailored to their risks to effectively respond to them. That said, AUSTRAC underlines several features any program should comprise at minimum, including:
An ML/TF risk assessment in order to institute a risk-based program tuned to their risk profile and appetite.
Sound governance including involvement from upper leadership and a dedicated compliance officer.
Employee due diligence to ensure any employee ML/TF risks are identified.
Adequate training to ensure employees fully understand the firm’s risks and how to manage them.
Solutions ensuring the program remains up-to-date on regulator guidance and requirements.
Ongoing customer due diligence – including transaction monitoring – to ensure any risky elements in a customer’s profile or behavior are caught throughout the lifecycle of the business relationship.
Independent audits to ensure a compliant and effective program.
Related to the due diligence requirement, qualifying Australian financial institutions and organizations must report certain types of transactions as required by the AML/CTF Act. Alongside compliance reports, firms must submit the following reports online through their AUSTRAC account:
It is worth emphasizing that banks are not the only financial entities that must abide by AUSTRAC’s regulations. Any provider offering designated services as listed in the AML/CTF Act, as well as any entity covered by the FTR Act, is under obligations. For example, AUSTRAC’s 2018 guide to AML/CTF programs for crypto firms highlights the importance of an effective, compliant, and risk-based program even for nontraditional financial services providers.
Penalties for Non-compliance
When a firm is deemed to have failed in complying with AML/CTF regulations, AUSTRAC has the power to enact enforcement measures. These can include civil fines, infringement notices, and remedial directions. For example, AUSTRAC may require that a noncompliant firm assign an independent auditor or perform a compliant risk assessment.
In terms of fines, the cost of non-compliance can be high. In 2018, AUSTRAC fined a major bank A$700 million for compliance failures involving transaction monitoring, customer monitoring, and reporting obligations. In 2020, another major Australian bank faced a fine of A$1.3 billion for failures in multiple areas including their correspondent banking due diligence and reporting requirements.
AUSTRAC – Its Current Outlook
Australia’s 2015 Mutual Evaluation Report (MER) from the Financial Action Task Force (FATF) revealed a combination of strengths and shortcomings with accompanying recommendations. Among AUSTRAC’s strengths, the MER noted that the agency provided:
Thorough and accessible data and analysis – Australian authorities at Federal, Territorial, and State levels can use the data they receive from AUSTRAC as intelligence and evidence. Important information is provided automatically and proactively and accessed directly through AUSTRAC’s integrated tool. AUSTRAC has also earmarked $20 million to improve its ability to fight terrorist financing.
Interagency cooperation – The regulator participates in sound international and interagency cooperation.
Promotion of compliance – AUSTRAC performs compliance assessments for regulated entities. It provides good recommendations on any deficiencies, which entities usually remediate voluntarily.
At the same time, FATF noted areas AUSTRAC could improve. Three, in particular, stood out:
Data usage gaps – The MER found that, despite the regulator’s robust and accessible data analysis system, State and Territory police made suboptimal usage of the information compared to Federal law enforcement. There were also deficiencies in how often the database was used to initiate ML/TF investigations.
Enforcement & risk-based guidance shortcomings – FATF noted that when enforcing “AML/CFT preventative obligations,” sanctions were used as penalties rather than fines, and the methods used did not effectively deter violations. The agency did not have the power to revoke licenses. In addition, the report noted that AUSTRAC’s industry-based enforcement actions were insufficient, highlighting a need for stronger Designated Non-Financial Businesses and Professions (DNFBP) supervision. The MER also recommended that AUSTRAC broaden the data it uses for the risk profiles provided to reporting entities.
Lack of DFAT screening – It was noted that AUSTRAC did not regularly monitor its databases for sanctions hits based on DFAT lists. According to the regulator, resources at the time of the review would have made such a task unrealistic.
In a 2018 update, FATF noted that AUSTRAC had begun making important improvements. Particularly, it had begun sector-specific risk assessments, in line with Recommendation 1. It had also begun work to update its supervisory model in mid-2018, corresponding to Recommendation 26.
AUSTRAC has been playing a key role in Australia’s AML/CFT framework improvements since the country’s 2015 FATF MER. From updating its own processes – including supervision and enforcement measures – to improving regulated firms’ access to sector-specific risk guidance and reporting tools, the regulator is making strides in upgrading its part of the supervisory framework. Firms under AUSTRAC supervision should consider conducting an enterprise-wide risk assessment (EWRA) and ensure they are up-to-date on their reporting responsibilities, keeping an eye on relevant new AUSTRAC resources and participating in REST events when appropriate.