Vulnerabilities

AUSTRAC assesses that there is a medium level of vulnerability to ML/TF in the financial planning sector. Vulnerability refers to the characteristics of a sector that make it susceptible to criminal exploitation. This includes customer types, source of funds and wealth, products and services, designated service delivery channels, use of cash, and the foreign jurisdictions with which it deals. Sector vulnerability also takes into account the operational vulnerabilities that are common among businesses in the sector, as well as the AML/CTF systems and controls in place across the sector.


Customers

Most SMRs lodged in the financial planning sector in the sample period were in relation to an individual, but companies and trusts were also represented.

Individuals

The majority of customers in the financial planning sector are individuals. Reporting entities noted that they tended to have older customers, who were more likely to have acquired wealth or be planning for retirement. SMR reporting indicated that older customers were more vulnerable to cybercrime – for customers aged 61–70 years, 67 per cent of offences related to cyber-enabled fraud, compared to 39 per cent across all age groups (where the customer’s age was included in the SMR). One financial institution reported that they were providing customer education services targeted towards older customers on cyber and IT security, to help address this.

Wholesale clients

Financial planners are required to submit SMRs with respect to wholesale clients. Although the Corporations Act 2001 differentiates between wholesale and retail investors, the AML/CTF Act does not. This means that for wholesale clients, there is a requirement to undertake customer due diligence as outlined in the Purpose section of this assessment.

Corporate entities and trusts

Of the SMRs in the sample period that related to non-individual entities, 42 related to companies; around half of these SMRs reported suspected money laundering offences. Another 23 SMRs related to trusts.

Although not all financial planners deal with companies and trusts, feedback to AUSTRAC from industry was that those financial planners who do deal with corporate customers often did not adequately assess the risks associated with those customers.

A significant challenge for financial planners is identifying the beneficial owner of a corporate entity, which in turn presents a vulnerability for the sector. The vulnerability is increased, for example, where a trust is established to conceal the owner’s identity; or a financial planner does not adequately identify the beneficial owner at the onboarding stage; or a customer is reluctant to discuss the role or purpose of the company or trust.

Several institutions suggested that complex ownership structures involving overseas entities are a key risk indicator, as these have been used to conceal the identity of offshore owners and foreign PEPs.

Politically exposed persons

Financial planners are required under the AML/CTF Rules to screen their customer base for domestic and foreign PEPs. Only a very small number of SMRs submitted by financial planners in the sample period related to PEPs. Although this may be because many financial planners do not deal with PEP customers, feedback to AUSTRAC from industry indicated that many financial planners were not fully aware of their obligations to detect PEPs and therefore may unknowingly have PEP customers (13). Financial planners are reminded of their obligation to identify PEPs and apply additional customer due diligence to these types of customers, including in higher risk scenarios such as when the customer is a foreign PEP.

Agents

The use of agents is generally considered to be higher risk; however, there were not many SMRs involving agents in the financial planning sector.

A small number of SMRs in the sample period mentioned the involvement of lawyers acting on behalf of customers in issuing instructions to financial planners. Most of these related to customers located or operating in foreign jurisdictions, and some involved money being moved into or out of a lawyer’s bank account.

There were also cases of accountants being involved, sometimes acting as an agent for the customer. In some SMRs, financial planners worked with the customer’s accountant to verify information and/or help resolve cases.

Financial planners in the box seat to know customers and detect suspicious wealth

Financial planners are in a trusted position with customers, often receiving detailed personal and financial information from their customers. This means that financial planners are in a unique position to observe anomalous behaviour and/or detect potentially suspicious sources of funds or wealth. However, industry experts engaged for this risk assessment believed that many financial planners do not adequately utilise this information to assess ML/TF risk and submit SMRs to AUSTRAC. More effective procedures and training in this area would significantly enhance the capability of the sector to detect criminal behaviour.


Source of funds and wealth

Financial planners are required to consider the risks posed by a customer’s source of funds and wealth, and report anomalous client wealth to AUSTRAC. Financial planners generally collect much of this information while preparing a Statement of Advice (SOA). However, there may be other factors relating to the customer which require further consideration or may present a challenge for the planner – for example, if the customer is from a foreign jurisdiction, requests time critical transactions, or is not willing to divulge information about the source of their funds or wealth.

During consultations with AUSTRAC, reporting entities outlined a number of controls they had in place to mitigate the risks associated with a customer’s source of funds. These included:

  • having systems to detect if new funds appeared unusual
  • using call-back procedures to verify source of funds
  • questioning customers on source of funds for all international transfers
  • issuing new SOAs – or addendums to SOAs – whenever an existing customer adds new funds to an account.

One financial institution also reported having a policy of requiring all aligned financial planners to ask customers how they arrived at their wealth. These planners were also provided with a page of hints and talking points to support this type of engagement with the customer.


Products and services

When assessing the vulnerability of products and services, AUSTRAC looks at the volume of transactions carried out, how easily a customer is able to make transactions or transfer ownership of the product/service, and whether the product/service allows the customer to remain anonymous.

Financial planners should also be aware that the advice services they provide can themselves be targeted by criminals. The skills, knowledge and detailed understanding that planners have of financial services make them vulnerable to exploitation and manipulation, including by serious and organised crime groups.

With industry revenue of $4.6 billion in 2015–16 (14), financial planners facilitate large volumes of transactions and significant amounts of money move through the sector. The range and complexity of the products and investment strategies managed by financial planners also creates vulnerabilities.

When considering anonymity, personal financial advice services are generally less vulnerable than general financial advice services, as personal advice (particularly comprehensive advice) must take into account the personal situation of the customer, and therefore the customer is known to the planner. However, personal advice that is limited in scope (for example, for just one type of product) may be more easily exploited for criminal purposes, as only certain information may be revealed to the planner.

Reporting entities consulted for this assessment emphasised that there was heightened vulnerability when customers issued time critical instructions because the SOA is often provided after the service. One financial institution said they sought to mitigate this vulnerability by only offering time-critical services to established customers.

Of the SMRs submitted in the sample period, 57 per cent were in relation to investment and account services – for example, when financial planners act on customer instructions to move money into or out of accounts, or open accounts.

Stockbroking-related services provided by financial planners were represented in 15 per cent of the SMRs. Some reporting entities highlighted this as a more vulnerable service because it often requires financial planners to execute customer instructions quickly.

A similar number of SMRs related to superannuation services provided by financial planners (15). Many of these SMRs were in relation to SMSFs, which reporting entities emphasised were particularly vulnerable to abuse, especially for tax evasion. Feedback from industry highlighted some examples of potential high-risk matters relating to SMSFs:

  • a customer asks to establish an SMSF in order to transfer ownership of recently purchased collectibles and/or real estate to the SMSF without being able to show proof of ownership or source of funds
  • a customer asks whether a trustee can bypass in-specie (asset) transfer rules
  • the members or trustees of an SMSF change several times over a short period of time.

AUSTRAC also received feedback from industry that life insurance products present particular risks in the financial planning sector. Potential indicators of criminal activity include:

  • a customer asks whether an exclusion period can be reduced or whether a benefit can be paid to someone other than the stated beneficiary or policy owner
  • a customer asks how long they need to pay premiums before a claim can be made
  • a financial planner submits life insurance applications without sufficient identification details and is unable to produce the customer’s data collection forms, or advises the insurer that the policy holder is unable to be contacted for underwriting.

Use of accounts

Customer accounts

Reporting entities have observed that some customers have multiple accounts (including personal accounts, joint accounts and trust accounts) that are linked to the products arranged by financial planners. Some institutions mitigated this risk by encouraging customers to have a single account from which to move funds in and out for various products. Some products also had payout rules which only allowed payments to be made to the customer’s primary bank account.

Third party accounts

Reporting entities also highlighted that the use of third-party accounts and making payments to third parties could be a vulnerability, due to potential exploitation by criminals. Some financial planning businesses had policies against making payments to third-party accounts; others that allowed this practice had processes in place to mitigate the risk, such as extra verification procedures.

Financial planner accounts

The use of either trust accounts or personal accounts by financial planners to manage customer funds is also a significant vulnerability. A financial planner receiving client fees through a personal account could be an indication of tax avoidance or avoiding the payment of fees to parent financial institutions. As such, many financial institutions reported that they now had policies against aligned financial planners using personal accounts to receive client fees.


Delivery channel

‘Delivery channel’ refers to the methods by which financial planners interact with and deliver services to their customers.

The move towards more online service delivery in the financial planning sector has led to increased vulnerabilities. Innovations in online services have increased the speed and ease with which transactions can be executed, with several reporting entities acknowledging the challenge this poses to conducting customer due diligence and comprehensive onboarding procedures.

The widespread use of email communication between financial planners and customers also creates significant vulnerabilities. For this reason, many financial planners continue to rely on phone communication with their customers in order to verify emailed instructions. Financial planners highlighted that a key indicator of potential suspicious activity was a change to the customer’s contact and bank account details, particularly when these changes are made online.

Face-to-face engagement is considered the least vulnerable channel, as it provides greater opportunity for financial planners to develop a relationship with their customers and understand their circumstances. One financial institution reported that – counter to industry trends – they were investing significantly more in face-to-face interaction, not only for business purposes (as their customers preferred personal engagement), but also as a risk management strategy.

On the other hand, some reporting entities also cautioned that regular and ongoing face-to-face engagement between a financial planner and customer had the potential to develop over-familiarity and complacency by the financial planner, making them less likely to look for or recognise suspicious behaviour.

Robo-advice

Robo-advice refers to the provision of automated financial product advice using technology without the direct involvement of a human adviser. The provision of robo-advice has grown rapidly in Australia, with a number of AFSL holders developing robo-advice models. Current robo-advice capabilities are relatively basic; however, technological advances are expected to give robo-advisers the capability to propose sophisticated investment solutions based on a customer’s financial circumstances and their investment goals.

Firms should consider their potential ML/TF risks and mitigation strategies related to robo-advice services, particularly if they are likely to attract new customers of a different risk profile to a firm’s current customer base.


Foreign jurisdiction

63 SMRs (23 per cent) submitted during the sample period identified the involvement of a foreign jurisdiction, where either the transaction involved a foreign bank account, or where one of the parties involved in the suspicious matter was in a foreign jurisdiction. These SMRs related to a wide spectrum of countries; around half of the SMRs referred to either China, the United States, United Kingdom or Malaysia.

Around half of the SMRs involving foreign jurisdictions were cases of suspected cyber-enabled fraud, in which attempts were made to send funds overseas, facilitated by a financial planner. The most frequently referenced countries for cyber-enabled fraud were the United Kingdom and the United States.

About one-third of the SMRs involving foreign jurisdictions related to suspected money laundering.

Some reporting entities noted during consultations that they only had Australian-based customers, and therefore rarely dealt with foreign jurisdictions. In such circumstances the ML/TF risks faced by the business may be lower.

Customers on significant investment visas

During consultations with AUSTRAC, reporting entities highlighted the difficulties in identifying the source of funds and wealth for customers on significant investment visas (SIVs), as this wealth is often acquired in foreign jurisdictions. Customers on SIVs are high net-worth individuals and some may be foreign PEPs or linked to jurisdictions known to be a high risk for ML/TF activity. Moreover, Australian financial planners often deal with intermediaries or accountants from foreign banks (with a presence in Australia), who represent the overseas-based end client, creating an additional layer of complexity during the customer due diligence (CDD) process.

Some potential indicators of suspicious behaviour by SIV customers include:

  • executing investments to satisfy visa requirements, then transferring funds into non-complying investments
  • aggregating funds from various sources into a SIV applicant’s account
  • funds coming through a third country or a high-risk jurisdiction.

Financial institutions consulted for this assessment have implemented a variety of controls for SIV customers, including more rigorous questions to ascertain source of funds, additional checks during the customer identification process, and comprehensive source of wealth checks. Some have also engaged offshore providers to assist with customer due diligence and other checks.

Despite the risks associated with customers on SIVs, there were very few SMRs submitted by financial planners over the last two years about SIV customers. AUSTRAC reminds financial planners that their reporting obligations also apply to SIV customers.


Use of cash

Cash transactions are generally a significant indicator of money laundering risk. There was a common view among reporting entities that the use of cash was not a significant vulnerability in the financial planning sector, as cash was rarely accepted by financial planners. Most reported that if a customer approached a financial planner wanting to use cash to purchase a product, that customer would either be denied service or referred to a bank to deposit the cash.

AUSTRAC’s analysis of the SMRs in the sample period revealed that 32 SMRs (12 per cent) related to the use of cash. There were 11 SMRs in which the customer was the suspicious party. These included cases where the customer:

  • had unexplained wealth
  • sought to deposit a large amount of cash from a foreign jurisdiction into an Australian superannuation account, via a financial planner
  • revealed to a financial planner that they were receiving undeclared cash income
  • requested a financial planner to invest $50,000 in cash, despite being on a Newstart allowance.

16 SMRs were from banks reporting on financial planners who were suspected of money laundering by making large structured cash deposits or withdrawals. A small number of SMRs involved financial planners suspected of being complicit in welfare fraud or tax evasion by their customer.


Operational vulnerabilities

The nature and structure of financial planning businesses in Australia varies considerably, so the level of operational vulnerability will be specific to each situation.

During consultations with AUSTRAC, reporting entities explained that financial planning businesses often operated with paraplanners and administrative staff collecting customer information (such as identity documents and financial records). Sometimes these staff were the primary point of contact for customers. This could minimise the visibility that financial planners have over a customer’s circumstances and behaviour, particularly if support staff lack the training or expertise to identify potentially suspicious or unusual customer wealth or source of funds. Although financial planners who are only required to have a special AML/CTF program are not required to conduct AML/CTF risk awareness training of staff, these entities could consider educating their staff to protect their business.

Another operational vulnerability for some financial planning businesses may arise due to arrangements between the AFSL holder and the authorised representatives operating under that AFSL. Reporting entities consulted for this risk assessment highlighted that there can sometimes be very low levels of awareness of AML/CTF responsibilities among authorised representatives. AFSL holders should ensure that authorised representatives clearly understand their obligations and ensure there are controls in place to manage this vulnerability.

Some businesses offer a wide range of professional services to customers in addition to financial planning, such as accounting, real estate and legal services. Many entities engaged for this risk assessment saw these ‘one-stop shops’ as a higher risk for financial crime, as the services they offer may be exploited to support criminal activities. Moreover, law enforcement agencies have observed serious and organised crime groups establishing and being involved in one-stop shops, particularly in relation to self-managed superannuation funds.


AML/CTF systems and controls

AUSTRAC assesses that, at a sector level, there is only partial understanding of the AML/CTF obligations among financial planners; however, there is likely to be significant variation between businesses. Although many financial planners have reduced regulatory obligations because they operate under the special AML/CTF program provisions of the AML/CTF Act, feedback received from industry is that many financial planners are not adequately satisfying even these reduced requirements.

Specifically, there appears to be a perception among many financial planners that collecting and verifying a customer’s identification is all that is required to fulfil their AML/CTF obligations. This means that many financial planners are not fulfilling their obligations to have risk-based customer due diligence procedures and to submit SMRs to AUSTRAC. Almost all entities engaged for this assessment saw this as a significant vulnerability that requires attention from the sector.

Reporting entities and industry experts offered insights into potential reasons for this. These included the challenges of needing to arrange many products across different product issuers; the need to abide by other regulations, including the Corporations Act and Future of Financial Advice reforms; and the time pressure that financial planners face to meet their customers’ needs. Compliance staff in one financial institution had observed that top performing financial planners, in terms of sales, were often the least compliant; excessive growth in business for a financial planner was a red flag to the Compliance team.

There was also a perception among some in the industry that smaller financial planning businesses and independent financial planners tended to have weaker regulatory controls, due to not having the ‘depth of defence’ and additional oversight offered by the AML/CTF programs and processes of a larger institution. One large institution reported that they conducted internal audits to ensure that aligned financial planners abided by AML/CTF obligations and submitted SMRs when appropriate.

However, AUSTRAC was informed of incidents of high-risk behaviour by some individual financial planners employed in otherwise vigilant financial institutions. Moreover, the challenge for some larger institutions was ensuring AML/CTF compliance by a vast network of financial planners, especially where planners were geographically dispersed across the country. Some large institutions noted that this was a significant issue.

The grateful customer

Reporting entities told AUSTRAC that customers were often grateful for stringent controls and often responded positively when financial planners called them to check on potential suspicious transactions (while observing the tipping off provisions). Although the process could delay a transaction, customers saw this as the financial planner seeking to protect their money. The relationship between a financial planner and a customer can therefore be a significant asset to managing risk.


Footnotes

  13. Further information about obligations relating to PEPs can be found in chapter 6 of the AUSTRAC compliance guide.
  14. IBISWorld, IBISWorld Industry Report K6419b: Financial Planning and Investment Advice in Australia, 2016.
  15. For more information, see page 12 of AUSTRAC’s Australian superannuation sector: money laundering and terrorism financing risk assessment.
Last modified: 21/12/2016 11:11