Outsourcing AML Functions

Regulation Name: Outsourcing AML Functions
Publishing Date: 06 September 2024
Region: Australia
Agency: Australian Transaction Reporting And Analysis Center

On September 05, 2024, the Australian Transaction Reports and Analysis Centre (AUSTRAC) issued new guidance for reporting entities that use outsourcing to help meet their anti-money laundering and counter-terrorism financing (AML/CTF) obligations. This guidance will assist businesses in meeting their AML/CTF obligations when outsourcing & identifying, mitigating, and managing potential ML/TF risks, associated with outsourcing. This guidance provides steps to ensure that the services they outsource and the service providers they engage are suitable for their business and its specific ML/TF risk profile.

Effective Management Of Outsourcing

1. Identify The Risks That May Arise Through Outsourcing

Outsourcing can introduce two main risks: ML/TF risk (vulnerabilities that criminals might exploit) and AML/CTF compliance risk (failure to meet obligations due to poor oversight). Risks may arise if the outsourced provider:
– Does not customize services to your business’s ML/TF risks.
– Lacks the expertise or resources to perform the required AML/CTF functions.
– Is unaware of legal restrictions on information sharing.
– Is not adequately monitored.
To avoid non-compliance, ensure outsourcing aligns with your business’s risk appetite. For transaction monitoring, base any outsourcing on a thorough ML/TF risk assessment to avoid monitoring for irrelevant risks or missing relevant ones, which could lead to reporting failures.

2. Conduct Due Diligence On Outsourced Service Providers

Before outsourcing, conduct due diligence to ensure the provider can handle AML/CTF functions effectively, considering ML/TF and compliance risks. Assess factors such as the provider’s experience, expertise, and willingness to be monitored. Methods include service demonstrations, tailored solutions, qualification verification, and references. Indicators of a capable provider include experience with similar businesses, understanding of your industry, and tailored AML/CTF products.

3. Understand Legal Restrictions On Sharing Information

Be aware of legal restrictions on sharing certain types of information, such as SMR information or AUSTRAC information, which can result in criminal penalties if disclosed without authorization. Consider obtaining legal advice before outsourcing, particularly if it involves sensitive information. Ensure compliance with other relevant laws, such as privacy laws.

4. Use A Written Agreement For Outsourcing

AUSTRAC recommends using a written, legally binding agreement for outsourcing, specifying the services, performance targets, oversight mechanisms, and risk management measures. For one-off services, agreements can be simpler, but ongoing arrangements require more substantial oversight and review standards. Include details like start/end dates, oversight responsibilities, business continuity plans, and data control. Set performance targets aligned with AML/CTF obligations, avoiding generic programs that are not tailored to your business.

5. Monitor And Review Outsourcing Arrangements

To ensure compliance, evaluate performance against agreed targets for one-off services. Monitor and review regularly for ongoing arrangements to verify adherence, confirm your business meets its obligations, and adjust for changing ML/TF risks. Set periodic reviews and ensure monitoring processes match the identified risks. Examples include regular reports from the provider, reviewing procedures, sampling relevant functions, and comparing expected outcomes with actual results. Investigate discrepancies to take appropriate actions.

6. Document Procedures For Managing Outsourcing In Your AML/CTF Program

Document how you will assess risks, perform due diligence, evaluate services, and monitor ongoing arrangements in your AML/CTF program. Obtain written approval from the board or senior management for material changes. Clearly outline oversight, accountability, and risk management responsibilities, and establish protocols for resolving non-compliance and adapting to changes.

Read the details here.

Read about the product: Transact Comply
Empower your organization with ZIGRAM’s integrated RegTech solutions – Book a Demo