


LIJ DECEMBER 2008

Measures are available to mitigate the money laundering and terrorist financing (ML/TF) risks to legal practices (all structures) and practitioners.1 As all practitioners face ML/TF risks, not just those who will be regulated by the Anti-Money Laundering & Counter-Terrorism Financing Act 2006 (Cth) (AML Act) and the Anti-Money Laundering & Counter-Terrorism Financing Rules 2007 (Cth) (Rules), these measures should be universally considered. Practices regulated by the AML Act (regulated practices) will be obliged to implement these measures.2 The majority of the measures should be identifiable in a competently run practice. If the current systems in a practice are used and built on, it may be that the mitigation of ML/TF risks, and complying with the AML Act, will be less problematic than envisaged. As Tranche Two has yet to be finalised, there may be changes to the obligations under the AML Act.

The major obligations under the AML Act

At the outset it is important to outline the major obligations which may apply to regulated practices, namely, to: identify and know your client and to collect and verify identification information; undertake ongoing client due diligence throughout the retainer; report suspicious matters to the Australian Transaction Reports and Analysis Centre (AUSTRAC); retain records for defined periods; and adopt an anti-money laundering/counter-terrorism financing (AML/CTF) program.

These obligations will apply to practices which provide designated services. Designated services have yet to be finalised, but will most likely reflect the Financial Action Task Force (FATF) Recommendation 12 3 for lawyers when they prepare for or carry out transactions for clients concerning the following activities: buying and selling of real estate; managing of client money, securities or other assets; management of bank, savings or securities accounts; organisation of contributions for the creation, operation or management of companies; and creation, operation or management of legal persons or arrangements, and buying and selling of business entities.



The risk-based approach

The AML/CTF framework under the AML Act is a risk-based approach, ensuring that measures to prevent or mitigate [ML/TF] are commensurate to the risks identified, allow[ing] resources to be allocated in the most efficient way [and] that the greatest risks receive the highest attention. 4 This will allow a regulated practice to leverage off existing risk management systems and to design its AML/CTF program to its own unique risk profile. However, the internal systems and controls, once designed, should be prescriptive, allowing for ease of use by the fee-earners and staff. The risk-based approach will require a regulated practice to identify, manage and mitigate the risk reasonably faced with providing designated legal services to clients that might (inadvertently or otherwise) involve or facilitate money laundering or financing of terrorism: ss84 and 85.

satisfied that a client is who they claim to be;5 and collecting and verifying minimum know your customer (KYC) information.

ML/TF risk assessments

To identify the ML/TF risks, an ML/TF risk assessment (RA) must be undertaken. The RA will provide the basis for the AML/CTF program. A robust ML/TF risk assessment process, and ongoing ML/TF risk management, can be built into a practice-wide risk management system. The RA is the identification and analysis of the ML/TF risks before those risks can be mitigated and managed. An RA should not be too onerous to undertake, especially as a practice should undertake similar exercises with regard to risk management in general. Also, guidance is available to assist practitioners in understanding and undertaking an RA.6 RAs on client instructions are a task that most practitioners execute. Any ML/TF RA should encompass the whole practice, not just the regulated practice areas. The factors to be considered in an RA include business and regulatory risks such as (Ch 8): the ML/TF risk profile of the firm's clients; the ML/TF risk of the type of designated legal services provided to clients; the methods by which those designated legal services are delivered (face-to-face or non face-to-face etc.); the ML/TF risk profiles of the foreign jurisdictions with which it deals; and risks resulting from the provision of designated services through permanent offices in foreign countries.

complicated business structures which make it difficult to ascertain the real or beneficial owners; complex, unusual or uneconomic transactions; and no underlying legal service. These client ML/TF risks are closely aligned to the risks overall faced by a practice. If a practice keeps potential high risk clients from becoming clients, it reduces the overall risk profile of the practice and the ML/TF risk.

Legal services risk factors

Certain areas of legal practice are more susceptible to use by money launderers or terrorist financiers. These areas relate to financial, property and business-type transactions and include: property transactions; complex financial transactions; complex company or trust arrangements which obscure beneficial ownership; and cash transactions. The more complex and opaque a transaction, the more difficult it is for law enforcement agencies to understand the underlying transaction and to trace the source of the underlying funds.

AML/CTF program
A regulated practice will be required to have, and to comply with, an AML/CTF program: ss81 and 82. An AML/CTF program has two parts: Part A - general; and Part B - client identification: s84. A non-regulated practice could consider using these as a basis for an AML/CTF program. Part A relates to the identification, management and mitigation of the ML/TF risks that the regulated practice may reasonably face, including (Ch 8): ensuring systems are in place to assess the ML/TF risk of designated legal services provided; screening staff prior to employment and ongoing screening; training staff in ML/TF risks, internal systems and processes, and the consequences of non-compliance; and ongoing client due diligence, including the monitoring of client matters. Part B relates to client identification procedures and includes (Ch 4): establishing methods for identifying clients (and their agents), to enable the regulated practice to be reasonably

Geographic risk factors

A practice must consider the ML/TF risks emanating from jurisdictions in which it does business. Jurisdictions with a higher ML/TF risk can be ascertained from government agencies.7 There are also ML/TF risks from local and national geographic areas. These are probably more significant to practitioners. For example, does an area where the practice's clients reside have a high crime rate or a high rate of mortgage fraud? Within these locations there is the potential that clients may possess, and attempt to use, money or property that is the proceeds of crime.8

Business risks
Client risk factors
Clients with the following ML/TF risk indicators may pose a higher risk to a practice: cash businesses with the potential to co-mingle legitimate and illegitimate funds;

Delivery channel risk factors

There are ML/TF risks in delivering designated legal services to non face-to-face clients, agents, and via online delivery methods.




Regulatory risks
A regulated practice faces regulatory risk by breaching the civil penalty provisions of the AML Act. These include: failure to report a suspicious matter (s41); failure to keep records (Pt 10); and failure to identify a client (Pt 2). Regulatory risk is mitigated by putting systems and controls in place to ensure that these obligations are not breached and by auditing those systems.

Result of the RA
The outcome of the RA will be information which will allow the practice to rank the ML/TF risks as high, medium or low. The ranking is the product of the chance of the risk happening (likelihood) and the impact if the risk happened (consequence). After ranking, an informed decision can be made as to the risk mitigation strategy and controls. One mitigation strategy for high risks may be to stop providing a service or servicing a segment of clients. Alternatively, high risk services and/or clients may have extra controls placed on them. The practice may accept all the low and medium ML/TF risks, but place extra controls around the medium risks.

The concepts are complementary. Client acceptance procedures include: identifying the client, who is providing the instructions, and the extent of those instructions; assessing client risk, including ML/TF risk; politically exposed persons (PEP) risk;9 prohibited persons subject to sanctions risk; conflicts of interest; client financial risk; location - does the client come from a jurisdiction or area with a higher ML/TF risk?; work type - does the practice carry out the type of work required?; the ability and capacity of the practice to do the work to the required standard in the timeframe available; the client accepting standard, and AML-related, terms and conditions; and the overall terms of the retainer.

help from inside organisations to assist and facilitate ML/TF. EDD ensures that a regulated practice will: determine whether and how to screen any prospective staff member who, if employed, may be in a position to facilitate an ML/TF offence; determine whether and how to re-screen a staff member whose role changes and thereafter may be in a position to facilitate an ML/TF offence; and manage any staff member who fails to comply with the AML/CTF program: (Ch 8.3). All staff members, including accounts staff, fee-earners, solicitors and partners, should be considered for EDD as there are ML/TF risks at all levels.

Staff education and awareness

One of the most important and effective controls against ML/TF risk is the education and awareness of staff: Ch 8.2. Staff includes partners, solicitors, other fee-earners and support staff. They all need to know and understand, to differing degrees, what ML/TF is, the ML/TF risk to the practice, the AML regulatory regime and the AML/CTF program. Accounts staff are of particular importance as they are the gateway to the practice's banking. Launderers have been known to try to deal directly with accounts staff in an attempt to circumvent practitioners.

Ongoing client due diligence

Ongoing client due diligence (OCDD) is the obligation to monitor clients with a view to identifying, mitigating and managing any ML/TF risk reasonably faced when providing designated legal services: s36. OCDD obligations are: systems to determine whether the collection of further KYC information is necessary; a transaction monitoring program; and enhanced client due diligence (ECDD): Ch 15.

Ongoing RAs
After the initial RA it is important to undertake regular ongoing reviews of the RA. There is an obligation, and best practice for those non-regulated practices, to assess the ML/TF risk posed by: all new designated legal services (e.g. new practice areas); all new methods of delivery of designated legal services; and all new technologies used for the provision of designated legal services: Ch 8.

ECDD involves extra procedures that a practice would adopt when a client or matter meets certain defined risk criteria. In the context of legal practice it may be that ECDD will already be standard practice around retainer management. If a practice has robust client and matter acceptance procedures, they will most likely cover the ECDD requirement. ECDD may arise in situations where the client is new, is a non face-to-face client or a PEP. ECDD must be applied when a regulated practice: determines that there is a higher ML/TF risk; or a suspicion has arisen under s41: Ch 15.

Key controls - detection

Transaction monitoring
A transaction monitoring program (TMP) is a requirement for Part A: Ch 15. A TMP in the context of a legal practice means ensuring that partners and fee-earners monitor matters/transactions when designated legal services are being provided, to identify, having regard to ML/TF risk, any transaction that appears to be suspicious within the terms of s41. A TMP does not necessarily require an IT monitoring system; this is especially so in a legal practice where practitioners are knowledgeable about their clients and their legal affairs. Once a potentially suspicious matter is identified, the appropriate internal reporting and investigation procedures must be carried out.

Key controls - prevention

Know your client and client acceptance procedures
Client acceptance and due diligence is an integral part of the process of forming a contract of retainer, and a key element of a practice's risk management strategy. KYC and client identification procedures are obligations in an AML/CTF program and key controls: AML Act Pt 2; Rules Ch 4.

Employee due diligence

Employee due diligence (EDD) is important, as there have been instances of launderers or terrorist financiers seeking and/or gaining


Suspicious matter reporting

Suspicious matter reporting (SMR) (s41) is the most controversial obligation under the AML Act as it impinges on the duty of client confidentiality. The only defence to the SMR obligation will be claiming legal professional privilege, not client confidentiality: s242. If a regulated practice forms a suspicion on reasonable grounds, a subjective and objective standard,10 it must report to AUSTRAC within 24 hours for TF suspicions and three days for all others: s41(2). Practices will need to train all relevant staff to be aware of what is potentially suspicious. Robust systems are required to get the internal reports to the Anti-Money Laundering Compliance Officer (AMLCO) for investigation as the reporting times externally are short. The AMLCO will need to investigate and record the findings, whether or not the suspicion was reported.

system, it will be for the practice to justify the reasonableness of its decisions, systems and processes to AUSTRAC or, potentially, a court. It is important to keep records of RA decisions throughout a matter, including matter opening and periodic assessments. A contemporaneous note is best practice.

A robust AML/CTF program based on a thorough ML/TF risk assessment and linked to the current risk management system will provide an effective method to mitigate the ML/TF risks reasonably faced by a practice. It may also help improve overall risk management.
PADDY OLIVER is a lawyer, management consultant and director of legal risk with SSAMM Management Consulting. He has worked extensively in the areas of risk management, compliance and anti-money laundering for both legal and financial services organisations in Australia and the UK.

Parts and sections in this article refer to the Anti-Money Laundering & Counter-Terrorism Financing Act 2006 (Cth) and chapters refer to the Anti-Money Laundering & Counter-Terrorism Financing Rules 2007 (Cth).

1. This article is a sequel to the author's article "Danger in the laundry: risks for all under money laundering laws" (2008) 82(11) LIJ 62. All opinions expressed are those of the author and are based on materials publicly available.
2. Practitioners are currently regulated by the Financial Transactions Reports Act 1998 (Cth) (FTRA), requiring reporting of cash payments over $10,000, and will continue to be so regulated until the AML Act supersedes the FTRA in relation to practitioners.
3. FATF, Forty Recommendations on Money Laundering, 2003,
4. FATF, Guidance on the Risk Based Approach to AML, June 2007, para 1.7.
5. It is arguable that practitioners should actually know who the client is before forming a retainer.
6. AUSTRAC Guidance Note, Risk Management and AML/CTF Programs; AS4360:2004, Risk Management.
7. Department of Foreign Affairs & Trade; US State Department.
8. Criminal Code Act 1995 (Cth), Div 400.
9. PEPs are foreign high-ranking government or military officials, their family members and close associates. Names of PEPs and prohibited persons are available from government and commercial watch lists.
10. AUSTRAC, Public Legal Interpretation No 6 of 2008: Suspect transactions and suspicious matters, para 56.
11. AUSTRAC Guidance Note, AML/CTF Compliance Officers, 08/02.

There is an obligation to independently audit, internally or externally, the AML/CTF program: Ch 8.6. A good risk management system will provide for auditing and review of the system. Practices should carry out an annual risk audit which includes the AML/CTF program. A practice's ML/TF risk profile will change over time, just as its overall risk profile changes. Partners need to know and understand the risks to allow for strategic risk decisions to be made. The audit findings should be included in the annual AML report to the partners. AML-related checks can be incorporated in general file auditing. Is the client acceptance and file opening procedure being circumvented? Do fee-earners and staff know and understand the overall file opening procedure and the importance of the AML checks? Is the ML/TF risk being considered through the life span of the matter or client relationship?

Fraud surveillance
Although not an AML Act obligation, it would be considered best practice to adopt fraud surveillance systems, especially to identify mortgage and power of attorney fraud.

Other obligations and controls

Record-keeping requirements
Records of designated services, transactions and KYC procedures must be kept for seven years: Pt 10. In the case of KYC records, this is seven years from the end of the client relationship: s113(2). Currently, files must be kept for a minimum of seven years, and many practices keep files for considerably longer, so some of these requirements may be met with relative ease. Care must be taken when the client relationship is ongoing. Records must be kept of the adoption and retention of the AML/CTF program: s116. This encompasses the initial RA itself and ongoing RAs. Under the risk-based

The AMLCO will be a vital role, both strategic and operational, and therefore should be a partner with seniority who knows and understands the risk profile of the practice: Ch 8.5. The AMLCO has many responsibilities, the most important being decision making around reporting, both internally and externally; audit and review of the AML program; and staff training.11 A good AMLCO could save a practice from criminal prosecution or regulatory action, save its reputation and ensure its continued survival.

