Main take-aways:

• Liability for non-compliant AML/CTF program equivalent to not having a program at all

• Court found that an offence is committed each time a service is provided with a faulty AML/CTF program in place, meaning that the maximum penalty could be almost unlimited

• The fact that Tabcorp’s contraventions were not deliberate is barely relevant, the Act is aimed at deficient management practices

• A$3 million penalty for a single failure to carry out an identification check

Introduction

On 10 November 2017, Justice Perram released his reasoning for approving the A$45 million total penalty that had been agreed between AUSTRAC and Tabcorp (available here).  As it is the first judgment handed down in respect of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act), all reporting entities will need to carefully review the Court’s reasoning and re-assess their AML/CTF programs in light of the deficiencies identified.  Perhaps more importantly, the size of the penalties has reiterated that this matter requires board-level attention and that the penalties will be large enough to ensure that non-compliance with the AML/CTF Act will not be seen as “a cost of doing business”.

Entities in the Tabcorp group[1] admitted to breaches of four provisions in the AML/CTF Act:

• Failing to have in place an AML/CTF program that complied with the AML/CTF Rules (s 81)
• Failing to comply with the Suspicious Matter Reporting (SMR) obligation (s 41)
• Failing to carry out the applicable Customer Identification Procedure (CIP) (s 32)
• Failing to register as a provider of a designated service (s 51B)

We summarise the breaches below and identify the Court’s most significant rulings on issues that arise from the first application of the Act.

Having a non-compliant AML/CTF program

One of the most significant findings in the judgment is that the structure of ss 81-85 of the AML/CTF Act means that having an AML/CTF program that does not comply with the AML/CTF Rules is the equivalent of not having a program at all for the purpose of establishing liability for a breach of s 81.  This has the obvious consequence that an AML/CTF program that has a single deficiency is subject to the same maximum penalty as not having any program in place.  There is also a further consequence, namely that an offence is committed each time a service is provided while the deficient AML/CTF program was in place.  The result is that the penalty for this offence is, for practical purposes, potentially unlimited. 

Justice Perram noted that the Court may, in its discretion, treat multiple contraventions as a single course of conduct where there is sufficient connection between the legal and factual elements of each offence.  As a result, courts may treat multiple offences as a single contravention.  However, his Honour recognised that the “course of conduct” principle only ameliorated the effect of the AML/CTF Act’s drafting “to an extent”, saying that “where every infringement of s 81 springs from the same deficiencies in a program there is much to be said for the view that what is involved is a single course of conduct”: at [29].  This would not preclude different types of deficiencies being regarded as separate contraventions, each attracting the maximum penalty (being, as of 1 July 2017, A$21m).  However, it is worth noting that Justice Perram accepted that the six key deficiencies in Tabcorp’s AML/CTF program would be treated as a single course of conduct.

The next significant finding was that, despite the fact that management was not aware of the deficiencies in the AML/CTF program and received compliance reports, the offence was regarded as being towards the upper end of the scale in terms of seriousness.  Justice Perram said:

“Although the breach may appear dry in nature it went, in fact, to the heart of the operation of the Act. It had potential consequences for law enforcement agencies. It is true that the contravention was not deliberate but, in the present context, that may mean rather less than it ordinarily does. Section 81 is aimed at precisely the kind of deficient management practices which are now admitted.”

His Honour found that senior management should have taken steps to inform themselves of the fact that there were insufficient processes for consistent management oversight of the AML/CTF program and insufficient resourcing for the AML/CTF function.  The consequence of this was that the agreed penalty of A$15.5m (close to the maximum A$17m available at the time) was judged to be appropriate.

Failing to lodge SMRs with AUSTRAC

All reporting entities will be aware that, under the AML/CTF Act, they must file an SMR with AUSTRAC where they suspect on reasonable grounds that:[2]

• a customer, potential customer or customer’s agent is not who he/she claims to be;
• the information the reporting entity holds about the service that is proposed to be provided to such a person may be relevant to the investigation of a criminal offence; or
• the service that is proposed to be provided to such a person may itself be preparatory to the commission of a money laundering or financing of terrorism offence.

The SMR must be filed within 3 days of forming the suspicion (or 24 hours when it relates to a financing of terrorism offence).

In respect of Tabcorp, there were three sets of contraventions of the SMR obligation:

• Failure to lodge an SMR in relation to its suspicion of match-fixing regarding an NRL match between the North Queensland Cowboys and Canterbury-Bankstown Bulldogs on 21 August 2010.  Tabcorp had notified the NRL and co-operated with a NSW Police investigation, but the failure to notify AUSTRAC resulted in a A$1m penalty.
• Failure to lodge an SMR in relation to credit betting on 52 occasions.  Tabcorp had reported these matters to the relevant gambling regulator and State Police, but the failure to notify AUSTRAC resulted in a A$10m penalty.  This is notwithstanding that the Court accepted that the breach arose from a misunderstanding of Tabcorp’s obligation to report these matters to AUSTRAC as well as the police and regulator.  The Court noted that the maximum penalty could have been A$578m.
• Failure to lodge an SMR within the required time period in relation to 51 suspected examples of credit card fraud. In most of those cases, Tabcorp again had reported these to the NSW Police but failed to lodge an SMR with AUSTRAC within the required time period.  Justice Perram accepted that the failures should be classed into four separate tranches of conduct (producing a maximum potential penalty of A$68m) and approved the agreed A$15m penalty.

Failing to conduct CIP

Tabcorp admitted that it failed to carry out the necessary CIP in respect of one customer who sought to redeem winning vouchers in cash.  Tabcorp’s retail operator refused to cash the customer out because she believed that she knew who the ultimate customer was and an SMR was subsequently lodged with AUSTRAC. Apparently, the operator’s only error was that she did not take the identification details of the customer before her prior to her refusal to cash in the vouchers.  The Court approved the parties’ agreement to a A$3m penalty for this breach.

Failing to register as a provider of a designated service

The final breach was in relation to a misunderstanding as to whether one of the subsidiaries had to separately register as a provider of a designated service or whether it was permitted to report via its parent company. Tabcorp admitted that, on closer review, it was clear that the subsidiary had to separately register.  While the Court recognised that this was a minor breach of the Act, it stated that “the requirements of general deterrence necessitate the imposition of a substantial penalty so that it is known that even minor breaches of the Act have very serious consequences”: at [17].  As a result, the fine of A$500,000 was agreed by the parties and approved by the Court.

Summary and recent trends

• The Federal Court has laid down a marker that even non-deliberate, sometimes inconsequential breaches of the AML/CTF Act will have serious consequences.
• There is a significant risk that AML/CTF process failures can result in numerous breaches of the Act, allowing for substantial maximum penalties. 
• The extent to which the Court applied a penalty discount for Tabcorp’s admissions, cooperation and remediation in relation to its AML/CTF program is unclear.  However, given that the Court has significant discretion in determining whether certain breaches form part of a single course of conduct or not, the ability to negotiate the scope of a company’s admissions with AUSTRAC is a substantial incentive towards self-reporting and cooperating.
• Directors and officers are under a duty to put in place appropriate systems that ensure consistent, well-resourced oversight of their company’s AML/CTF program.  The receipt of compliance reports does not go far enough.  The Tabcorp decision identifies a range of further steps that need to be taken.
• AUSTRAC’s aggressive enforcement curve, commenced under former CEO Paul Jevtovic, looks very likely to continue under his replacement, Nicole Rose PSM, and the AML/CTF Act provides AUSTRAC with a number of potent weapons under which it can do so.
• AUSTRAC released for consultation a draft restructure of the existing AML/CTF Rules in July 2017.  The consultation closed in August 2017 and the industry should expect finalised amendments in 2018.  As noted above, the Tabcorp decision has meant that an AML/CTF program compliant with the current rules will need to be reviewed before any new requirements come into force, otherwise AUSTRAC could regard the out-dated program as being equivalent to failing to have any program at all.