Outsourcing Best Practices

You may choose to outsource some of your anti-money laundering and counter-terrorism financing (AML/CTF) functions to streamline your processes and reduce compliance costs. However, when outsourcing, you retain full responsibility for meeting your AML/CTF obligations.

AUSTRAC provides some general guidance about outsourcing. Key points from the guidance are:

1. Risk Identification and Management: Outsourcing can introduce ML/TF risks or failure to meet AML/CTF compliance requirements, if outsourced service providers lack industry-specific knowledge, fail to tailor services to your business needs, or are inadequately monitored. You need to assess your potential risks and develop mitigation strategies.

2. Due Diligence on Service Providers: Before outsourcing, you should conduct rigorous due diligence to ensure the service provider is capable of fulfilling the necessary AML/CTF functions. This includes evaluating their expertise, qualifications, past performance, resources, and willingness to work within your performance standards and to tailor their services to your needs. 

3. Understanding Legal Restrictions: There are strict legal requirements regarding the sharing of sensitive information, such as Suspicious Matter Reports and AUSTRAC-provided data. Unauthorized disclosure of this information can lead to severe legal consequences. You need to be aware of these restrictions and ensure that outsourcing arrangements do not violate confidentiality or privacy rules.

4. Written Outsourcing Agreements: AUSTRAC recommends using a written, legally binding agreement when outsourcing AML/CTF functions. The agreement should clearly outline the services to be provided, performance targets, monitoring procedures, and corrective measures if the service provider fails to meet expectations.

5. Monitoring and Review of Outsourcing Arrangements: For both one-time and ongoing outsourcing, you should implement procedures to monitor the performance of your outsourced service providers. Periodic reviews help ensure that the provider meets the agreed standards and that the business is compliant with AML/CTF obligations. Monitoring could involve checking whether customer identification processes are followed correctly or assessing the quality of suspicious transaction monitoring systems.

6. Handling Breaches: The outsourcing agreement should include provisions to address breaches. This could include timelines for rectifying issues, suspending services, or terminating the contract in cases of serious non-compliance.

7. Documentation in AML/CTF Program: You should include procedures for managing outsourcing within your AML/CTF program. This includes detailing the due diligence process, how outsourcing will be monitored, and how performance and compliance risks will be managed. Senior management should approve any significant changes to the AML/CTF program related to outsourcing and be responsible for overseeing the risks associated with such arrangements.

Importantly, AUSTRAC recommends you avoid using templates or global AML/CTF programs (which are not Australia-specific). This is because AML/CTF obligations and ML/TF risks differ between countries, regions and individual businesses, and template AML/CTF programs are generally not tailored to your business. In addition, global AML/CTF programs often don’t consider your particular obligations under the AML/CTF Act and AML/CTF Rules. The AUSTRAC warns you: “If you adopt a template or global AML/CTF program, this could lead to serious and systemic compliance failures with your AML/CTF obligation.”

What’s next

If you have developed your AML/CTF program yourself, I’d be happy to review it for you and assess any deficiencies and areas of improvement.

Alternatively, if you want to outsource the creation of your AML/CTF program, I can help you develop an AML/CTF program that Australian-law specific and tailored to your business.