AUSTRAC Reporting Entity Forum — General

AUSTRAC continues to observe many reporting entities with risk assessments that are generic or outdated and do not adequately reflect the specific risks relevant to their business. AUSTRAC said: "Your ML/TF risk assessment is the foundation of your AML/CTF program. If it's not tailored to your business risks, it undermines the effectiveness of your controls and increases your risk of criminal exploitation." The risk assessment must not be a static document — it must evolve with your business and be reviewed and updated regularly in response to changes.

ECDD is a critical component of a risk-based approach, but AUSTRAC continues to see inconsistent application. AUSTRAC said: "Where higher risks are identified, the application of ECDD is not optional. It is a legal obligation." ECDD must be applied when a customer presents a high ML/TF risk, when there are doubts about previously collected identification, or where the customer is a Politically Exposed Person (PEP). Actions and decisions must be documented.

Strong governance is about more than having policies on paper or AML/CTF listed as a standing item in a board meeting. AUSTRAC expects senior management to actively ask questions and be accountable for ensuring AML/CTF systems and controls are operating effectively. On outsourcing: outsourcing does not remove your responsibility. Agreements must be clearly documented, providers must be fit for purpose, and regular checks must be undertaken.

AUSTRAC continues to observe delays in SMR submission, incomplete or inaccurate Threshold Transaction Reports (TTRs), and in some cases failure to report at all. AUSTRAC expects reporting obligations to be fully embedded into business operations — staff must be trained to identify potential suspicious matters, internal procedures must support timely and accurate reporting, and governance processes must ensure obligations are met consistently.