Reporting to AUSTRAC via a third-party financial institution or MSB doesn’t remove your responsibility for complete and accurate reporting in the regulators eyes.
With AUSTRAC in the news at the moment, it’s no wonder reporting entities are reviewing their internal processes for accurate and timely reporting to the regulator. For direct reporting entities like Australia’s major banks or some of the larger money service businesses (MSB’s) who report their own IFTI and TTRs to AUSTRAC, it’s clear that reporting obligations are their responsibility and theirs alone. Get it wrong and AUSTRAC taps you on the shoulder. Period.
What isn’t as clear is the underlying responsibility of third-party reporters, which make up a significant part of the 14,865 entities that are required to send reports to AUSTRAC. Third party reporters could be financial institutions that rely on MSBs or the larger banks to report on their behalf, or organisations like superannuation funds who conduct some IFTI transactions, but not enough to report directly.
We frequently have conversations where reporting entities that rely on MSBs or other financial institutions to physically send their reports to AUSTRAC tell us that transactions get sent to their partner, often via spreadsheet, fax or email, to be reported. But is that enough?
Whether you report direct or via a third party, you have an obligation to report. But you also have a responsibility to ensure that reporting is complete. AUSTRAC regulations state that you must ensure your reports were submitted on time and are accurate. The implication here is that anyone reporting via a third party must be able to prove to the regulator that their partner fulfilled this requirement.
This poses both internal and external challenges for third party reporting entities. Firstly, do you have a clear, auditable and accurate view of reportable and non-reportable transactions that tallies across all payment systems? Knowing what isn’t reportable is just as important as knowing what is reportable as it’s the combination of the two that satisfies the test of ‘is my reporting complete’. If you don’t know what isn’t reportable, how can you prove that you’ve captured everything that is reportable?
Secondly, how often do you audit what is being submitted on your behalf? If you get an annual report from your reporting partner, do you check it against internal records? This is particularly important if you send all transactions to a third party and rely on them to determine what is and isn’t reportable. I would argue that even annual reviews aren’t enough, given that a single breach of the rules can land you in hot water, even years down the line.
The rules around IFTI’s in particular are also not clear cut, and how you interpret them can vary across message formats and payment rails. So, it’s important to know how your transaction data is being interpreted and what is and isn’t being left out. But we could talk about IFTI’s all day so that’s a topic for another time.
The important take away here is that even if you report via a third party, you are liable to AUSTRAC for timely and accurate reporting. So, do you need to do more internally to make sure you can prove that your process, and that of your reporting partner, works?