Using outsourcing to help meet your AML/CTF obligations
This guidance is for reporting entities that use outsourcing to help meet their anti-money laundering and counter-terrorism financing (AML/CTF) obligations.
Businesses may outsource functions relating to their compliance with the AML/CTF Act (AML/CTF functions) for a range of reasons, such as accessing specialist AML/CTF knowledge and expertise, and managing the cost of compliance.
If you outsource AML/CTF functions, you remain responsible for complying with your obligations under the AML/CTF Act and AML/CTF Rules.
Generally, your business will remain legally liable for any breach of its AML/CTF obligations, even under outsourcing arrangements, and will incur any penalty that arises from a breach.
AUSTRAC recommends that you take steps to manage any risks of outsourcing and have appropriate oversight of your providers.
This guidance will help you:
- comply with your AML/CTF obligations when using outsourcing
- identify, mitigate and manage money laundering and terrorism financing (ML/TF) risks and AML/CTF compliance risks that could arise when using outsourcing
- take steps to ensure the services that your business outsources and the outsourced service providers you use are appropriate for your business and its specific ML/TF risks.
Disclaimer
AUSTRAC provides this guidance for educational purposes only and it does not constitute legal advice. The information in this guidance should be read together with, and not as a substitute for, the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) and AML/CTF Rules.
AUSTRAC does not guarantee, and accepts no legal liability whatsoever arising from, or connected to, the use or reliance of any material contained in this guidance.
For more information, refer to our Disclaimer.
What this guidance covers
Outsourcing in this guidance means entering into an arrangement with a third party to carry out certain AML/CTF functions on your behalf.
Depending on the services you provide, you may outsource on a one-time basis (for example, to have someone develop your AML/CTF program), or on an ongoing basis (for example, to carry out customer due diligence, transaction monitoring or reporting).
This guidance provides suggested good practices and recommendations that may help you manage some of the risks that can arise when outsourcing your AML/CTF functions. It also notes certain legal obligations, such as record-keeping and restrictions on sharing AUSTRAC information and suspicious matter report (SMR) information.
What is not included in this guidance
The following activities are not covered in this guidance:
- Seeking general advice on AML/CTF obligations from an adviser (refer to Engaging AML/CTF advisers).
- Relying on services provided by another member of your designated business group (refer to Designated business groups).
- Engaging a provider to undertake an independent review of your AML/CTF program (refer to Independent reviews).
- Using technology (such as software applications) that helps you meet your AML/CTF obligations in-house (refer to Engaging a RegTech).
- Using databases maintained by government departments or agencies, such as the Australian Sanctions Office Consolidated List.
- Relying on applicable customer identification procedures performed by another reporting entity (refer to Reliance on customer identification procedures by a third party).
Effective management of outsourcing
The following steps may help you manage your outsourcing arrangements effectively and reduce potential risks when outsourcing:
- identify the risks that may arise through outsourcing
- conduct due diligence on outsourced service providers
- understand legal restrictions on sharing information with outsourced service providers
- use a written agreement for outsourcing
- monitor and review ongoing outsourcing arrangements
- document procedures for managing outsourcing arrangements in your AML/CTF program.
1. Identify the risks that may arise through outsourcing
Outsourcing can potentially create:
- ML/TF risk, where the use of outsourcing creates additional vulnerabilities in your business that criminals could exploit
- AML/CTF compliance risk, where you may fail to meet your AML/CTF obligations due to poor due diligence, implementation or monitoring of outsourcing arrangements.
These risks may arise if an outsourced service provider:
- does not tailor its services to your business’s unique ML/TF risks
- lacks the expertise or resources to carry out the relevant AML/CTF functions on your behalf
- is not aware of the legal restrictions on information sharing under the AML/CTF Act
- is not subject to adequate oversight and monitoring during the course of the arrangement.
Failure to address these risks when implementing an outsourcing arrangement could lead to systemic and serious non-compliance with your AML/CTF obligations.
Consider whether any proposed outsourcing is in line with the risk appetite that your board or senior management (if your business does not have a board) has approved.
Outsourcing your transaction monitoring
It is critical that any outsourcing of transaction monitoring is based on a thorough ML/TF risk assessment, including an understanding of the ML/TF risks and specific indicators of suspicious activity relevant to your business.
Without this, transaction monitoring will not be effective and may:
- monitor for ML/TF risks and suspicious activities that are not relevant to your business
- fail to monitor ML/TF risks and suspicious activities that are relevant to your business
- lead to failures in reporting, such as failure to submit suspicious matter reports as required under the AML/CTF Act.
Refer to Transaction monitoring for more information.
2. Conduct due diligence on outsourced service providers
Before you enter into an outsourcing arrangement, AUSTRAC recommends that you conduct appropriate due diligence on the outsourced service provider. This is to ensure they can properly carry out the relevant AML/CTF functions on your behalf, taking into account any ML/TF and AML/CTF compliance risks you have identified.
Examples of factors you may want to consider include the outsourced service provider’s:
- experience in delivering the services required
- qualifications or expertise that may be relevant to AML/CTF and your industry
- willingness to agree to performance monitoring and mechanisms for dealing with any breaches of the arrangement.
Some methods you could use to verify your outsourced service provider’s suitability include:
- a demonstration of their services
- an explanation of how they will tailor their services to suit your business
- verification of their AML/CTF or other relevant qualifications, resourcing and performance history
- references from businesses similar to yours that have previously engaged the outsourced service provider. Where possible, you may want to consult businesses not suggested by the outsourced service provider.
The following could indicate that an outsourced service provider has sufficient experience or knowledge to carry out the relevant AML/CTF functions on your behalf effectively:
- they have experience providing AML/CTF services to businesses of a similar nature, size and complexity to yours
- they understand your industry, type of business or its ML/TF risks, or take sufficient steps to understand these factors
- they offer products that are tailored to your business, and do not offer generic or template products
- they develop their products after consulting you about your customers, designated services, delivery methods and jurisdictions you deal with.
3. Understand legal restrictions on sharing information with outsourced service providers
There are legal restrictions on sharing certain types of information. Criminal penalties apply to unauthorised disclosures of:
- SMR information and information obtained in response to a notice issued under section 49 of the AML/CTF Act, known as ‘tipping off’
- ‘AUSTRAC information’ provided to you by AUSTRAC staff.
There are limited exceptions to tipping-off.
You must ensure that any outsourcing arrangements do not involve the unauthorised disclosure of this information.
You may wish to obtain legal advice before entering into an outsourcing arrangement, particularly if the arrangement could involve SMR reporting obligations, AUSTRAC information, or notices issued under section 49 of the AML/CTF Act.
There may also be other legal restrictions on information sharing that apply to you, such as privacy laws.
4. Use a written agreement for outsourcing
To ensure your outsourced service provider is properly carrying out the relevant AML/CTF functions on your behalf, AUSTRAC recommends you outsource through a written and legally binding outsourcing agreement.
At a minimum, AUSTRAC recommends that the agreement:
- outlines the services and performance targets the outsourced service provider will need to meet to carry out the relevant AML/CTF functions on your behalf
- provides oversight mechanisms to ensure that the outsourced service provider is producing the agreed services and meeting the agreed performance targets
- includes mechanisms to manage compliance risks if the relevant AML/CTF functions are not carried out properly.
For one-off outsourced services, the written agreement could be relatively simple, requiring your outsourced service provider to produce a particular product to an agreed performance standard and rectify any failures to meet this standard in a timely manner.
For ongoing outsourcing arrangements, AUSTRAC recommends adopting more substantial oversight, monitoring and review standards to ensure that the outsourced service provider is continuing to carry out the relevant AML/CTF functions on your behalf throughout the course of the arrangement.
General details
The outsourcing agreement may include the following details as appropriate, depending on the type of agreement:
- when the agreement starts and ends
- whether the service is to be provided on an ongoing or one-off basis
- the details of the person in your business that will oversee and be responsible for the agreement
- specific details about what steps and obligations the outsourced service provider will complete and how this will fit into your business processes
- business continuity plans in case the outsourced service provider fails to carry out the relevant AML/CTF function on your behalf
- oversight, monitoring and review provisions for ongoing outsourcing arrangements
- expected service standards, including reporting arrangements and quality assurance processes
- if the outsourced service provider holds any data, who owns and controls that data – including whether you can share the outsourced service provider’s data externally with regulators, other institutions, clients and others if needed
- details of how you and your outsourced service provider will implement the outcomes of any independent reviews.
Performance targets
AUSTRAC recommends that you design your performance targets to provide assurance that the relevant AML/CTF functions will be carried out on your behalf if the targets are met by the outsourced service provider.
For one-off outsourced services, performance targets would typically include quality and timeliness standards that align with your AML/CTF obligations.
For example, performance targets for an outsourced AML/CTF program might include that the program:
- is delivered before you are legally required to adopt it (i.e. before you commence to provide a designated service to a customer)
- contains an ML/TF risk assessment that is informed by your designated services, methods of delivering designated services, customer types and foreign jurisdictions you deal with, and relevant AUSTRAC guidance and feedback on ML/TF risks
- contains all the mandatory aspects of an AML/CTF program required to identify, mitigate and manage ML/TF risks
- is tailored to your business and can be adopted by your business with reasonable adjustments to your systems.
Avoid generic AML/CTF programs
AUSTRAC recommends you avoid using template or global AML/CTF programs (which are not Australia-specific).
AML/CTF obligations and ML/TF risks differ between countries, regions and individual businesses. Template AML/CTF programs are generally not tailored to your business and its ML/TF risks, while global AML/CTF programs often don’t consider your particular obligations under the AML/CTF Act and AML/CTF Rules.
If you adopt a template or global AML/CTF program, this could lead to serious and systemic compliance failures with your AML/CTF obligations.
Refer to AML/CTF programs for further information.
In addition to quality and timeliness standards, ongoing outsourcing arrangements could require additional ongoing performance targets, such as:
- requirements for the outsourced service provider to regularly report on their adherence to the agreed performance targets
- a maximum number of breaches allowed before a review of the agreement is initiated
- maximum timeframes to implement changes to the agreement if your ML/TF risks or circumstances change
- record-keeping targets that align with your record-keeping obligations.
For example, performance targets for outsourcing giving international funds transfer instructions (IFTI) reports to AUSTRAC might include:
- a requirement to submit all IFTI reports within the statutory timeframe of 10 business days from receipt or sending of the instruction
- a quality target to include all mandatory reportable details in IFTI reports
- a record-keeping target to retain all relevant records of IFTIs
- a requirement to provide you with an implementation plan within a set timeframe if the outsourced service provider is going to change their IFTI systems following an independent review of your AML/CTF program.
Verification of performance
AUSTRAC recommends that the outsourcing agreement include appropriate oversight clauses to verify that your outsourced service provider is meeting their agreed performance targets.
For one-off outsourced services, this will often be straightforward, and would typically involve your outsourced service provider producing draft and final products for your review within particular timeframes.
For ongoing outsourcing arrangements, you may require that the outsourced service provider:
- documents actions under the outsourcing agreement in writing and provides records to you when requested
- notifies you of any suspected non-compliance with your AML/CTF obligations and emerging ML/TF risks
- subjects themselves to ongoing due diligence and service quality checks against the agreed performance targets
- cooperates with scheduled independent reviews of outsourcing arrangements and associated ML/TF risks.
Breaches of the agreement
AUSTRAC recommends that your outsourcing agreement includes a range of options to allow you to take a proportionate and risk-based response to any breaches of the agreement.
Responses could include:
- requirements for the outsourced service provider to remedy any breach of the agreement within a specified timeframe
- suspension of the agreement until identified deficiencies are addressed
- termination of the agreement in cases of serious or systemic non-compliance with AML/CTF obligations or the outsourcing agreement.
In accordance with your AML/CTF program and the level of AML/CTF compliance risk or ML/TF risk you assess in relation to the breach, you may decide to escalate breaches by the outsourced service provider to your board or senior management for action.
You must also ensure that you meet your record-keeping obligations under the AML/CTF Act in relation to any possible non-compliance that has been caused by the breach.
5. Monitor and review outsourcing arrangements
For one-off outsourced services, such as the development of your AML/CTF program, AUSTRAC recommends that you evaluate the service against the performance targets you have agreed to with the outsourced service provider, to ensure the service provided meets your AML/CTF obligations.
For ongoing outsourcing arrangements, AUSTRAC recommends that you continue to monitor and review the arrangement, including to:
- verify that the outsourced service provider is meeting its targets under the agreement
- confirm that your business is meeting its AML/CTF obligations while using the outsourcing arrangement
- adjust the arrangement in light of any changes to the ML/TF risks your business is likely to be exposed to.
Such processes will help you detect non-compliance and mitigate potential ML/TF risks arising from the ongoing outsourcing arrangement.
AUSTRAC recommends that you set reviews of ongoing outsourcing arrangements at regular periodic intervals and not just in response to events or incidents, such as a potential breach.
As with your due diligence, AUSTRAC recommends that the processes you use to monitor the outsourced service provider are proportionate to the level of AML/CTF compliance risks and ML/TF risks you have identified with the outsourcing arrangements.
Examples you may want to consider include:
- asking the outsourced service provider to report periodically on how they are meeting the performance measures agreed to in the outsourcing arrangement
- reviewing the outsourced service provider’s documented procedures and processes periodically
- reviewing random samples of the relevant AML/CTF functions the outsourced service provider has carried out – for example to check how customer identification and verification procedures are carried out and whether they comply with your AML/CTF obligations
- comparing expected outcomes versus actual outcomes – for example the number of reportable transactions or SMRs generated may be higher or lower than expected, or the content of SMRs may not align with your expected ML/TF risks.
If the outcomes of your monitoring and reviews are not what you expect, it is important to investigate and understand the causes so that you can take appropriate action.
For example, if a transaction monitoring program facilitated by an outsourced service provider is not picking up suspicious activities in line with your expectations, consider if the issue is caused by the outsourcing arrangement, an incorrect assessment of ML/TF risks, or other factors.
6. Document procedures for managing outsourcing arrangements in your AML/CTF program
AUSTRAC recommends that you document in your AML/CTF program how you will:
- assess any AML/CTF compliance risks or ML/TF risks arising from an outsourcing arrangement
- carry out due diligence on potential outsourced service providers
- evaluate whether the service delivered meets your requirements and how you will remediate any identified issues
- monitor and review ongoing outsourcing arrangements, including who is responsible for actioning any findings.
Your board or senior management (if your business does not have a board) must approve any material changes to Part A of your AML/CTF program. AUSTRAC recommends that this approval be in writing, along with their reasoning.
AUSTRAC also recommends that you document how your board or senior management (if your business does not have a board) will:
- be responsible for the oversight, accountability and resourcing required to identify, mitigate and manage the AML/CTF compliance and ML/TF risks of outsourcing
- receive reports on AML/CTF compliance and ML/TF risks arising from outsourcing arrangements
- effectively resolve non-compliance with outsourcing agreements and adapt to changing ML/TF risks.
Good outsourcing practices
- Develop an AML/CTF program that identifies, mitigates and manages AML/CTF compliance risks and ML/TF risks that may arise from outsourcing.
- Conduct due diligence on your outsourced service provider to verify that they are capable of carrying out the relevant AML/CTF functions on your behalf.
- Have senior management oversight of your outsourcing arrangements and responsibility for dealing with AML/CTF compliance risks and ML/TF risks.
- Ensure that the outsourced service provider tailors their products to your business’s ML/TF risks, designated services, customer types, jurisdictions and methods of delivery.
- Ensure you understand your legal obligations in relation to outsourcing and information sharing under the AML/CTF Act, and obtain legal advice where necessary.
- Have a written and legally binding outsourcing agreement, including clear responsibilities and performance targets that the outsourced service provider must meet to effectively carry out the relevant AML/CTF functions on your behalf.
- Include oversight and breach clauses in outsourcing agreements that allow you to quickly detect and escalate non-compliance to senior management for appropriate action.
- Actively monitor your outsourced service provider and their adherence to the performance measures agreed to, and review the ongoing outsourcing arrangements to ensure they continue to meet your needs.