Suggested Posts

PayPal: The appropriateness of being partner & regulator

On 24 September, an episode aired of ABC’s The Business that looked at the appropriateness of ‘partner and regulator’ models. Presenter Elyse Morgan interviewed former AUSTRAC Director, Russel Wilson, who now works at global anti-corruption organisation, Transparency International.

Morgan asked Wilson:

Austrac CEO Nicole Rose spoke today about how PayPal is a fantastic partner. Is that the right way for a regulator to view these things, particularly when you know the gravity and the seriousness of things involved? You know, like pay per view child pornography, the funding of the drugs’ trade, guns’ trade, and the likes?

Wilson’s response was in line with the formal statement made by the FIU CEO earlier that day:

It’s a recognition, I think, that a regulator—particularly a regulator that acts in this field of financial intelligence—can’t work alone. It needs to work with industry towards a common goal of thwarting anti-money laundering and terrorist financing. So, in that sense, it is an appropriate way to describe it.

Wilson added this did not mean the regulator could not take appropriate action, where necessary.

However, despite the established practice of regulators obtaining their intelligence through the medium of threshold transaction reports, suspicious matter reports, and International Funds Transfers reporting provided by responsible reporting entities, some still have questions as to whether this might pose a conflict of interest down the line.

Since the FIU came under the leadership of Paul Jevtovic, there has been a push to break down the antagonistic relationship between regulator and regulated and to work in partnership to achieve a common goal of a clean Australian economy.

At the Fintel Alliance launch in 2017, the then-CEO said, “When we think about the relationship between regulators and the industries they regulate, they are often transactional, they are often silent, and in AUSTRAC, we are not immune to that description. The traditional perception of regulation has been a barrier, and the prevailing notion that we can’t be both regulator partner and collaborator is dangerously outdated.”

The Fintel Alliance is one example of a regulator-private sector alliance—of which PayPal is a founding member.

Duality and conflict?

A case in point on the topic of duality and conflict would be the Commonwealth Bank of Australia (CBA), which found itself firmly and publicly in AUSTRAC’s enforcement action sights. In their response to the allegations and to AUSTRAC’s handling of the same, the big bank intimated a sense of betrayal.

In an official statement in response to the announced action that would eventually result in a $700 million fine, CBA said:

CBA has historically had a good relationship with AUSTRAC, with which it collaborates extensively including through the Fintel Alliance and the AUSTRAC private/public sector partnership. AUSTRAC has acknowledged CBA’s contribution in this field, including by inviting the executive in charge of CBA’s financial crime prevention team as the Australian financial services delegate to participate at the Joint Experts Meeting of the inter-governmental Financial Action Task Force in Moscow in April 2017.

Annual compliance report

In the GRC Professional Podcast episode, The Lessons from the Austrac Compliance Report, we sat down with AML Networking Group Chair Andrew Ham, an AML expert. Ham addressed some of the concerns around annual compliance reports and AUSTRAC’s intentions.

Changes in the requirements for annual reporting was an indication of the regulator’s growing sophistication; however, according to Ham, the reports were more than just an opportunity to benchmark but an opportunity for organisations to account for content of their reports. This was made clear in the case of both CBA and Tabcorp.

“The answers provided in those compliance reports were, in some sense, held against the relevant entity when other misconduct was subsequently raised. And so, part of the enforcement response was to look at those reports and then to ask questions about why they had been completed in the way they were—which turned out in hindsight to be untrue,” Ham explained.

When asked how likely is it that annual compliance reports were not completed properly, Ham responded:

I must say that, based on the feedback heard through the AML discussions group and elsewhere, including my own experience in conducting independent reviews, I think it’s very likely. A lot of reporting entities are damned wither way: if their program isn’t up to scratch, they can either risk attracting the attention of AUSTRAC for basically confessing to having less-than-perfect processes or programs in the report, if they answer truthfully, or they can give in to the temptation to give an answer they know they should give, whether that’s because they misunderstand the obligations or because they are just completing the report as they think Austrac expects.

In short, according to Ham, to comply and ask the regulator for help can lead to unexpected potential enforcement action.

However, this week, Ham told GRC Professional that this is not the same thing as saying the relationship cannot work.

“Certainly, there is an inevitable conflict between the role of Fintel Alliance partner and regulator in the sense that the regulator may, in theory, be tempted to ‘go easy’ on the REs that are important Alliance Partners and, in order to maintain their trust, put the relationship before its charter obligation to enforce the rules. Equally, Alliance partners may be tempted to view their relationships with the regulator as placing them in a special position,” Ham said.

“So, while I have no inside knowledge at all—and while it is surely an understatement to say these Alliance partners would be disappointed by the enforcement action taken against them—it could be said, perhaps against the odds, that the fact these organisations remain as Alliance Partners shows the conflict can be managed effectively and the collaborative relationship sustained and quarantined from any enforcement action AUSTRAC ultimately decides to take.”

GRCI Member Calvert Duffy, who has worked with a range of organisations in the industry, told GRC Professional that industry perception on partner collaborator varies depending of the size of the organisation.

According to Duffy, the ‘small end of town’ welcomes discussion; however, very small organisations are worried the regulator might find something wrong.

“At the ‘big end’, I think probably more ‘experts’ stick their two-cents in, because consequences can be severe. However, we all want to know what’s going on, so dialogue is paramount. How it’s sold to the punter is key,” said Duffy.

Whatever the result will be for PayPal after its 120 days of external auditing, AUSTRAC looks to be staying true to its promise delivered by Peter Soros at the Refinitiv Australian Regulatory Summit: that there will be more enforcement action to come.

No tags yet.

©2018-2019 by The GRC Institute - Governance, Risk & Compliance.  ABN: 42862119377