Jade Thirdeye AML compliance blog

Bridging the gap: How to build a resilient AML program across multiple teams and technologies

Written by Jamie Muir | 9 May 24

The Jade ThirdEye team recently hosted a Senior Leaders Roundtable Lunch in Melbourne with an outstanding panel including Neil Jeans GAICD, Partner - Risk Consulting, Grant Thornton, Sonja Marsic, Partner, Norton Rose Fulbright

It was a full house with a mix of senior leaders sparking engaging and thought-provoking discussions. Below are the key callouts from the discussion:

Anti-Money Laundering (AML) in Australia: A Pivotal Moment

Australia’s AML landscape stands at a critical juncture. The transition from 17,000 to 130,000 reporting entities is no small feat. As we approach the 2026 FATF Mutual Evaluation, the second phase (Tranche 2) of reforms looms closer.

Recent landmark enforcement actions by AUSTRAC have dissected entire businesses, scrutinising control failures and operational aspects. In this pivotal moment, understanding the implications of impending reforms is essential. Non-compliance fundamentally stems from misidentification and mismanagement of risk. As Australia’s AML regime matures, these two pillars—risk identification and management—must remain the focus for all reporting entities.

However, challenges persist. There is no “one size fits all” approach for these pillars. Simplified and clear legislation is needed to address this complexity. Rushed legislation risks poor guidance and worsens the current situation.

Understanding Risk in AML/CTF Compliance

In AML/CTF, it's not just about eliminating risk, it's also understanding it thoroughly. AUSTRAC, as the regulatory authority, faces challenges when trying to second-guess an entity’s risk position unless it is well-documented. The AML/CTF Act is not a rigid checklist; rather, it’s designed to be flexible. This flexibility empowers reporting entities to allocate resources where they matter most in relation to compliance. However, some entities fall into the trap of taking an overly objective, black and white approach, missing the broader intent of the AML/CTF regime. The entities most susceptible to prosecution are those attempting a black and white approach, as well as exhibiting systemic non-compliance over time.

At the heart of effective AML/CTF risk management lies the Risk Assessment. AUSTRAC’s enforcement actions often reveal common failings related to risk assessments. Here are key takeaways:

Foundational Importance: Treat the risk assessment as the foundation for all subsequent actions. Its impact reverberates throughout the compliance framework.

Methodology Matters: AUSTRAC expects reporting entities to have a well-defined methodology as part of their risk assessment. Avoid impressionistic or opinion-based approaches. Instead, develop methods that can be consistently executed over time.

Holistic Approach: Cover all channels, products, and jurisdictions relevant to your business. Ensure alignment between identified risks and corresponding controls. You should be able to draw a line between the two.

Missing Links: If you cannot draw a clear line between a risk and a control, review your approach. Every risk should have a documented remediation process.

Context for Decision-Makers: When presenting your risk program to the board, provide context.

Embracing Flexibility in Risk Management

In the dynamic landscape of AML/CTF compliance, rigidity is not our ally. Rather, we must nurture risk with thoughtful governance and adaptability. Here’s why:

Not Prescriptive: The AML/CTF regime isn’t a rigid checklist. It’s designed to be flexible, allowing reporting entities to tailor their approach.

Risk Governance: Establish robust risk governance. Pivot when necessary. Risk management is an ongoing journey, not a one-time task.

Mitigation, Not Elimination: Our goal isn’t risk elimination; it’s mitigation. Effective risk assessment processes inherently tolerate some risk.

Slip-Ups Happen: Despite our best efforts, things may slip through the net. Acknowledge this reality and remain vigilant.

Enhancing Transaction Monitoring: A Data-Driven Approach

In the scope of AML compliance, transaction monitoring is a crucial aspect. Recent AUSTRAC cases highlight shortfalls in this area. Here’s how you can strengthen your approach:

Complex Business, Critical Automation: If your business is intricate, automation becomes paramount. Manual processes alone cannot capture every nuance. Complex payment changes demand automated solutions for effective monitoring.

Data: The Backbone of Automation: Efficient automation hinges on quality data. It’s the lifeblood of your monitoring system. Ensure data accuracy, completeness, and relevance. Without reliable data, automation falters.

The Continuous Loop: Transaction monitoring isn’t a one-time task. It’s a feedback loop. Gather insights from monitoring TM, suspicious transaction reports (SMRs), KYC screenings, and feed this information back to your risk governance team.

Remember, the link to data is critical. It empowers your risk management strategy and ensures responsible monitoring.

Enhancing Enhanced Customer Due Diligence (ECDD)

Effective ECDD is a cornerstone of robust AML/CTF practices. However, pitfalls can arise, even with sophisticated detection and escalation methods. Let’s delve into key considerations:

Guidance Matters: When a high-risk customer lands in the ECDD team’s queue, clear guidance is essential. What level of risk is acceptable? What warrants further scrutiny? Without this guidance, ECDD efforts may lack direction.

Nuanced Approach: ECDD isn’t a checkbox exercise. Consider a scenario: Customer deem suspicious in relation to OCSE, pays $30 at a time for video streaming sources from the Philippines. How does their Source of Funds or Source of Wealth provide value when identifying the risk? Arguably, it doesn’t directly. Instead, adopt a nuanced approach. Ask targeted questions based on suspicions. AUSTRAC expects all reporting entities to mature in this area.

Resource Efficiency: Over time, a targeted and nuanced approach to ECDD will free up resources. Avoid churning through volume mindlessly. Quality over quantity.

Curiosity Counts: Encourage your team’s curiosity. Measure their effectiveness not just by volume but by the depth of understanding they bring to each case.

Remember, ECDD isn’t about ticking boxes; it’s about informed risk management.

Build vs Buy: A Strategic Decision

The choice between developing an in-house solution or purchasing an existing product depends on several factors. Let’s explore the key considerations:

Problem Statement: Begin by defining your problem. What specific challenge are you trying to address? Ensure alignment across stakeholders.

Clarity of Purpose: Understand your project’s objectives and what success looks like. Is it about efficiency, scalability, or risk reduction?

Risk Mitigation: Consider how each option mitigates risks. Building in-house provides control but also introduces development risks. Buying off-the-shelf solutions may reduce development risk but introduces vendor dependency.

Fundamental Questions: Before diving into the build vs. buy conversation, ask:

  • What unique requirements does our organisation have?
  • Is there a suitable existing solution in the market?
  • Can we customise an existing solution to meet our needs?

Tailored Solutions: In-house development often arises when there’s no off-the-shelf product that fits perfectly. For instance, sectors like online gambling, with their data-rich and complex nature, may opt for custom-built solutions, with their deep understanding of risks a key driver of this choice. However, notably most organisations opt for an off-the-shelf solution where possible, freeing up time in their IT teams and benefitting from vendor ongoing maintenance, enhancements and industry expertise.

Remember, the decision isn’t binary. It’s about finding the right balance between building and buying to achieve your goals.

Board, Senior Management, and AML Team Responsibilities in AML/CTF Compliance

In the AML/CTF landscape, the roles of the board, senior management, and the AML team are pivotal. Let’s delve into their specific responsibilities:

Board Accountability:

  • Understanding the Program: The board plays a critical role in shaping the organisation’s AML and compliance risk management. They must comprehend the program they approve.

  • Instruction to Management: The board’s approval of the program serves as an instruction to management on how to manage AML and compliance risk.

  • Contextual Understanding: Given that most board members are not AML experts, it’s essential to provide context to enable informed decision-making.

Senior Management:

  • Program Adoption: Senior management ensures that the approved program is adopted throughout the organisation.

  • Effective Implementation: They oversee the implementation of AML and CTF measures, ensuring alignment with the board’s instructions.

  • Risk Management: Senior management actively manages AML and compliance risks, translating strategic objectives into practical actions.

AML Team:

  • Operational Execution: The AML team is responsible for the operational execution of AML/CTF measures.

  • Risk Assessment: They conduct thorough risk assessments, identifying vulnerabilities and designing appropriate controls.

  • Reporting and Escalation: The AML team ensures timely reporting and escalation of suspicious activities.

  • Continuous Improvement: They contribute to continuous improvement, adapting to evolving risks and regulatory changes.

Remember, effective collaboration among these stakeholders is essential to build a resilient AML/CTF framework and prevent compliance failures.


If you’re interested in attending future Jade ThirdEye events, please reach out to our marketing team at marketing@jadethirdeye.com to register your interest. Otherwise if you would like to talk to our team, fill out the form below.