Exploring the key roles in AML/CTF governance

The AML/CTF Act 2024 introduces specific governance requirements for the governing body, the concept of a responsible officer, and sets out the role and responsibilities of the AML/CTF compliance officer. The AML/CTF Act emphasises a more detailed and proactive approach mandating explicit risk-based assessments, regular reviews, and a stronger focus on resource allocation and training. 

Governance is a crucial role of the organisation's governing body in relation to AML/CTF, as they are responsible for: 

• the organisation’s compliance with AML/CTF obligations.
• ensuring adequate resources such as personnel, technology, and financial investment are allocated to AML/CTF compliance.
• setting the organisational tone, establishing the importance of AML/CTF compliance, influencing the organisation's culture, and ensuring that AML/CTF is appropriately prioritised.
• fostering a culture of compliance within the organisation, reinforcing the importance of adherence to the AML/CTF Program.
• defining the organisation’s risk appetite regarding ML/TF risks reasonably faced by the organisation, ensuring risk management strategies align with the organisation’s overall risk tolerance. 
• ensuring the ML/TF risks associated with the organisation’s operations, products, services, and customer base are understood.
• ensuring the AML/CTF program aligns with the AML/CTF Act obligations and AML/CTF Rule requirements and addresses the specific ML/TF risks the organisation faces.
• overseeing the implementation of the AML/CTF program, ensuring that the AML/CTF systems and controls are effectively put into practice and, where necessary, adapted as needed based on emerging ML/TF risks or AML/CTF regulatory changes.
• reviewing and monitoring performance against the AML/CTF program to identify areas for improvement.
• addressing any AML/CTF compliance deficiencies or failures, including the implementation of corrective actions and disciplinary measures if necessary.
• ensuring that strategic business decisions consider AML/CTF compliance risks, and that potential ML/TF risk exposure is appropriately mitigated and managed.
• the oversight of issue/breach management and ensuring that appropriate actions are taken to address the situation in case of an AML/CTF compliance issue or regulatory breach. 

These detailed requirements aim to ensure alignment with regulatory expectations, regular risk assessments and reviews to help identify and mitigate emerging threats, and a clear focus on a top-down approach that fosters a stronger organisational compliance culture. 

To ensure a top-down commitment to AML/CTF compliance, fostering a culture of integrity and accountability under the AML/CTF Act, the governing body is tasked with ensuring comprehensive risk assessments, implementing a risk-based approach, and providing effective oversight and governance, and: 

• must oversee the development and implementation of an effective AML/CTF program. This includes ensuring that the AML/CTF program (which now includes the ML/TF/PF risk assessment and AML/CTF policies) is tailored to the entity's specific risks and complies with regulatory requirements.

• must ensure the reporting entity conducts a comprehensive risk assessment to identify potential ML/TF/PF and the assessment is regularly updated to reflect the entity's risk profile changes.

• is responsible for implementing a risk-based approach to AML/CTF compliance. This involves requiring the development and maintenance of policies, procedures, and controls proportionate to the identified risks.

• must appoint a dedicated AML/CTF compliance officer. This officer must be employed or engaged by the reporting entity at management level, have sufficient authority, resources, and independence to oversee the entity's AML/CTF program and ensure compliance.

• must ensure that all relevant employees receive regular training on AML/CTF obligations and the entity's policies and procedures. This training should be tailored to the employees' roles and responsibilities.

• is responsible for establishing robust internal controls and monitoring systems. This includes regular audits and reviews of the AML/CTF program to ensure its effectiveness.

• must ensure that the entity complies with all reporting obligations, including the timely submission of suspicious matter reports (SMRs) and other required reports to AUSTRAC.

• must ensure that the entity maintains accurate and comprehensive records of all AML/CTF-related activities. These records must be retained for a specified period and be readily accessible for regulatory review.

For entities that are part of a reporting group, the governing body must ensure a consistent and coordinated approach to AML/CTF compliance across all group entities. This includes sharing relevant information and implementing group-wide policies and procedures, and ensuring safety and security of the information shared. 

The AML/CTF Act introduces the concept of a responsible officer to ensure the AML/CTF program is effectively designed, implemented, and maintained, addressing specific risks faced by the reporting entity.   

While the responsible officer may also be the AML/CTF compliance officer, if it is a separate role, under the AML/CTF Act, the responsible officer (where appointed) oversees the development and implementation of the AML/CTF program, conducts risk assessments, and ensures compliance monitoring and reporting, and: 

• must oversee the development and implementation of the entity's AML/CTF Program. This includes ensuring that the program is tailored to the specific risks identified in the entity's risk assessment.
• must approve the AML/CTF program as effective. This includes ensuring that the AML/CTF Program is tailored to the entity's specific risks and complies with regulatory requirements. 

Under the AML/CTF Act, the AML/CTF compliance officer has several critical roles and responsibilities.

These include overseeing the development and implementation of the AML/CTF program, conducting risk assessments, and ensuring compliance monitoring and reporting. As well as being responsible for implementing internal controls, ensuring timely reporting, liaising with regulatory authorities, and continuously improving the AML/CTF program. 

The AML/CTF compliance officer's role as set out by the AML/CTF Act is to: 

• oversee the development and implementation of the reporting entity's AML/CTF program, ensuring the program is tailored to the specific risks identified in the reporting entity's risk assessment. The compliance officer must also ensure that all policies, procedures, and controls are effectively implemented and maintained. 
• conduct and regularly update comprehensive risk assessments to identify potential money laundering, terrorism financing, and proliferation financing risks. 
• ensure that appropriate risk mitigation measures are in place and the risk assessment is updated to reflect any changes in the entity's risk profile.
• establish and maintain robust internal controls and monitoring systems.
• ensure timely and accurate reporting to AUSTRAC, including submitting suspicious matter reports (SMRs) and other required reports. 
• develop and deliver regular training programs for all relevant employees that are tailored to their specific roles and responsibilities and should cover AML/CTF obligations and the entity's policies and procedures, ensuring that employees are well-informed and capable of complying with AML/CTF requirements.
• ensure accurate documentation and comprehensive record-keeping of all AML/CTF-related activities, while maintaining records that are readily accessible for regulatory review. 
• act as the primary point of contact with AUSTRAC, ensuring prompt responses to regulatory inquiries or requests for information. 
• maintaining open communication with regulators and addressing any compliance issues that arise in the relevant timeframe.
• regularly review and update the AML/CTF program, ensuring it remains effective and up to date with regulatory requirements and emerging risks. This involves staying informed about changes in the regulatory landscape and best practices. 

The reformed AML/CTF Act also introduces a fit and proper regime to ensure the reporting entity’s governing body ensures that individuals appointed as AML/CTF compliance officers meet specific standards of integrity and competence, including: 

• Conducting thorough background checks on individuals being considered for the role of AML/CTF compliance officer, including verifying the individual's qualifications, experience, and any history of criminal activity or regulatory breaches. This applies to persons who are both internal or external to the reporting entity.
• Ensuring the AML/CTF compliance officer has the necessary skills, knowledge, and experience to perform their duties effectively, demonstrating a thorough understanding of the AML/CTF Act and AML/CTF Rules, as well as the ability to implement and oversee compliance with the AML/CTF Program.
• Regularly assess the performance and suitability of the AML/CTF compliance officer through periodic reviews of the officer's performance and ensuring they continue to meet the fit and proper criteria. Any issues identified must be addressed promptly. 

These measures aim to ensure that AML/CTF compliance officers are well-equipped to fulfil their responsibilities and maintain the integrity of the AML/CTF regime. 

The AML/CTF Act introduces new civil penalty provisions in relation to the governance arrangements, increasing the regulatory risk of non-compliance. These include: 

• Failure to exercise ongoing oversight of the ML/TF risk assessment, compliance with AML/CTF policies, and compliance with the AML/CTF regime.
• Failure to designate an AML/CTF compliance officer and notify AUSTRAC within 28 days of providing a designated service.
• Failure to ensure the AML/CTF compliance officer is a fit and proper person.