AUSTRAC v Crown judgment: Key points of interest for reporting entities in Australia’s Anti-Money Laundering / Counter-Terrorism Financing regime

The Federal Court of Australia has approved a settlement between AUSTRAC and both Crown Melbourne and Crown Perth (Crown), resulting in a $450 million penalty for breaches of the Anti-Money Laundering and Counter-Terrorism Financing Act (the Act). This case contains many points of interest for reporting entities and highlights the criticality of robust risk assessment and meaningful Board/senior management oversight in AML/CTF programs.

The critical importance of risk assessment

Consistent with the position that AUSTRAC has adopted in its various other civil penalty proceedings to date, it is plain from the Crown case that AUSTRAC sees a robust assessment of the risk of financial crime activity (ML/TF risk) as foundational to any reporting entity’s ability to comply with its obligations under the Act.

In the Crown case, AUSTRAC’s position was that "Part A” of an AML/CTF Program (for which the primary purpose must be to identify, mitigate and manage the ML/TF risks that the reporting entity may reasonably face) will not be capable of holding that purpose unless it at least:

• refers to or incorporates a written ML/TF risk assessment methodology that is capable of appropriately identifying and assessing the ML/TF risks of all designated services provided by the reporting entity;
• is aligned to the ML/TF risks reasonably faced by the reporting entity with respect to designated services, as periodically assessed in accordance with an appropriate ML/TF risk assessment methodology;
• includes appropriate risk-based systems and controls that are capable (as a matter of design) of identifying, mitigating and managing ML/TF risks reasonably faced by the reporting entity, consistent with risk appetite; and
• includes or establishes an appropriate framework for approval and oversight by Board and senior management.

Lee J accepted that Crown’s AML/CTF Program failed to meet these criteria for a period and that it was therefore deficient throughout that period.  

This serves as a useful illustration to reporting entities that (contrary to misconception) they cannot hope to mitigate their risk of non-compliance with the Act by adopting a high level and non-prescriptive program framework – rather, a failure to both undertake and document a detailed assessment of risk and then to reflect that risk in well designed and specific processes, systems and controls will simply increase the prospect of their program being found to be deficient.

‘Appropriate risk-based procedures, systems and controls’

AUSTRAC’s position acknowledged that the Act ‘does not require ML/TF risks to be eliminated’ and that it does not (presently) prescribe exactly how a reporting entity is to manage its ML/TF risks. Rather, mirroring the language of Justice Perram in CEO of AUSTRAC v TAB Limited (No 3) [2017] FCA 1296, it ‘reposes trust’ in reporting entities to design and implement risk management procedures, systems and controls to detect and deter ML/TF, which are appropriate for its business and which it will adopt and maintain through its AML/CTF program.

Lee J’s judgment confirms that an AML/CTF program will not include ‘appropriate risk-based procedures, systems and controls’ if the reporting entity has designed them without taking into account:

• the nature, size and complexity of its business; and
• the ML/TF risks it reasonably faces, having regard to:
  • the types of designated services it provides;
  • the types of customers it provides designated services to;
  • the channels through which it delivers designated services; and
  • the foreign jurisdictions with which it deals.

Further, the judgment confirms that an AML/CTF program will only meet this standard of ‘appropriate’ risk based procedures, systems and controls if those procedures, systems and controls are ‘aligned and proportionate to the risks reasonably faced’, having regard to those matters.

In the Crown case, his Honour considered there to be particular deficiencies in Crown’s risk management of its junkets channel, which involved complex transactional chains and higher attendant ML/TF risk but was not said to warrant sufficient separate risk scrutiny and management in its AML/CTF program. This serves as a further reminder (consistent with past AUSTRAC enforcement actions) of the need to ensure that separate and careful focus is given to (and recorded in respect of) any aspects of a reporting entity’s business (impacting customers, channels, services, jurisdictions, new technologies, etc) that may carry a higher inherent risk of financial crime activity.

The requirements of board and senior management oversight

Crown acknowledged in the SAFA that Part A of its AML/CTF program had not been approved by the governing board and senior management and that:

• reporting to the Crown boards and senior management on AML/CTF compliance and ML/TF risks was ad hoc and incomplete;
• the Crown boards did not determine ML/TF risk appetite for the purpose of the Program;
• the Crown boards did not have documented process in place to ensure in-depth discussion of ML/TF risk as against measurable criteria at regular intervals as part of a rolling agenda; and
• there was a lack of clarity and understanding within Crown as to reporting lines from senior management and their roles and accountabilities.

These deficiencies, along with concerns about the appropriateness of the governance framework reflected in Crown’s Part A, contributed to the findings that Crown did not have a compliant Part A program for a significant period of time.

This is the first time that AUSTRAC has so clearly positioned the adequacy of board governance and oversight as itself contributing to an assessment of program compliance and will be of particular interest to boards of reporting entities in seeking to discharge their approval and oversight responsibilities.

Of course, while there are some governance requirements that are peculiar to the AML/CTF context, AUSTRAC’s heightened focus on governance and oversight in a non-financial risk management context is consistent with a broader regulatory trend over recent years, including in other high focus areas such as ESG. 

Transaction monitoring requirements

Lee J held that Crown’s transaction monitoring as reflected in its Part A did not fully comply with the requirements of the AML/CTF Rules, including because it:

• was not aligned with an appropriate ML/TF risk assessment, given such an assessment had not occurred (as noted above);
• was not capable of detecting various well known ML/TF typologies and vulnerabilities faced by casinos;
• was instead reliant on manual and observational processes, which were inadequate given the nature, size and complexity of Crown’s business and the types of ML/TF risks it faced. 

Further information on these deficiencies were reflected in the SAFA, which noted that Crown’s transaction monitoring processes were focused on individual transaction sets, and not capable of consistently detecting suspicious or unusual patterns of transactions or behaviours across complex transaction chains involving multiple designated services.

In addition, the parties agreed that:

• the transaction monitoring program did not provide adequate review criteria for the system-generated transaction activity reports that were central to the manual processes and nor did it provide adequate guidance on how to identify unusually large transactions;
• staff reviewing the system-generated transaction activity reports did not receive adequate ML/TF risk awareness training;
• the resourcing of Crown’s AML / financial crime function ‘did not support the consistent generation, review and actioning of systems-generated or exceptions- based reports’;
• the data underlying the system-generated transaction activity reports were unreliable in various ways, including due to manual data entry susceptible to human error, incomplete data collecting processes for certain customers / transactions, and unreliable linking of transactions to customers; and 
• there were no appropriate assurance processes to ensure that the systems and controls in the transaction monitoring program were being applied correctly, were operating as intended, and remained appropriate.

The above is not an exhaustive list but serves as a useful reminder to reporting entities of the complexity and issues that can arise in establishing a compliant and effective transaction monitoring regime.

Customer identification, due diligence and reporting requirements

Lee J also held that there were deficiencies in Crown’s Part A program in relation to its approach to customer due diligence and reporting.

Of particular concern in this context was Crown’s approach to enhanced customer due diligence (ECDD) in circumstances where many of its customers were higher risk, such as junket operators, international VIP customers and politically exposed persons.

A related issue in this context was Crown’s approach to customer identification and verification (IDV) under Part B of its AML/CTF program. Crown conceded in the SAFA that:

• customers were automatically rated as low risk for IDV purposes without appropriate consideration given to the ML/TF risk posed by the customer type; and
• its review of customer risk ratings was too infrequent to appropriately identify high risk customers and this process did not involve a referral of the customer for full ECDD. 

These design concerns then tied in with specific customer due diligence contraventions in the case of 546 admitted instances. 

Calculation of penalty

Notable aspects of the penalty imposed in this matter included:

The deferred payment plan sought by Crown/AUSTRAC

After some deliberation, the Court approved a payment plan whereby Crown must pay $125 million within 28 days; a further $125 million within one year; and the remaining $200 million within two years. The need for a payment plan was linked to Crown’s financial position, including the significant impact of COVID-19 restrictions on its business, continuing challenging trading conditions and the need to maintain sufficient liquidity to continue as a going concern and withstand future unanticipated costs. 

Justice Lee tested AUSTRAC and Crown on this point, wanting to be satisfied that the sum was in the appropriate range (including in circumstances where the payment plan and a lack of provision for interest meant its net present value was $405 million). 

His Honour expressed the view that aspects of the evidence of Crown’s financial position were ’scant, unsupported by business records, or not addressed’; and commented that in hindsight it may have been prudent to appoint an amicus curiae (friend of the court) to test the evidence and form a view on whether cross-examination was warranted (in circumstances where AUSTRAC ‘had become... a friend of the deal’ and would not be seeking cross-examination). 

Ultimately, though, his Honour was content to impose the payment plan (albeit with a mechanism for Crown’s financial position to be revisited at the end of FY23 and FY24 so that AUSTRAC can apply for payment sooner if its financial position has improved). 

Size of penalty relative to number and severity of contraventions / other cases

Justice Lee was satisfied the $450 million penalty was within the permissible range of appropriate penalties, but said this ‘on balance and not without some hesitation’. 

His Honour noted that the facts pointed to the ‘necessity for a very substantial penalty’. The factors his Honour viewed as particularly important in approving the figure were:

• In light of Crown's size and financial position, the proposed penalty cannot be regarded as a mere ‘acceptable cost of doing business’ and is adequate to ensure that Crown is deterred from engaging in future non-compliance.
• Crown’s non-compliance ‘arose from a breach of the trust reposed in it by Parliament’ - the contraventions were ‘appalling’, resulting in innumerable breaches of s 81(1) and a significant number of breaches of s 36(1) of the Act.
• The contravening conduct had real consequences for the Australian community and financial system. In the absence of appropriate risk-management programs, Crown failed to manage the risk of ML/TF posed by junkets and high-risk customers until November 2020. This resulted in a failure to monitor billions of dollars in suspicious transactions, which inhibited the investigation and prosecution of serious crimes by law enforcement agencies. 
• The contraventions persisted over a considerable period of time, namely six years from March 2016 to March 2022. They were not isolated events: they arose out of a fundamental failure to maintain an appropriate program for managing the risk of ML/TF.
• Crown obtained significant revenue streams during the period in which its AML/CTF programs were non-compliant, including revenue from high-risk channels (such as junkets) which bore the typologies of money laundering activity.

Whilst the figures in past AML/CTF cases run by AUSTRAC are higher, the judgment in this case illustrates how the appropriate penalty to achieve the primary (if not sole) objective of deterrence can only be determined by taking all circumstances into account, including the entity’s size and financial situation. As a result, an approach of looking at past AML/CTF cases can one take one so far in conducting the ‘instinctive synthesis’ required to arrive at an appropriate penalty figure.