MoneyGram case a lesson in how not to handle a breach
At first glance, the Australian anti-money laundering agency's record A$459,000 in fines against remittance network provider MoneyGram represents a new quantum of penalties in the jurisdiction. Upon closer inspection, however, the case also acts as a stark reminder for reporting entities of the importance of handling a regulatory breach thoroughly, promptly and effectively.
In addition to reflecting a tougher approach to non-compliance at Austrac, the penalty demonstrates the financial consequences of being less than thorough in the aftermath of a regulatory breach.
In December last year, Austrac first announced that it had issued an infringement notice to MoneyGram for providing designated services through six unregistered remitters. The penalty was set at $122,400, which consisted of 12 contraventions at a cost of 60 penalty units each (or $10,200 per breach).
Austrac said it had taken into account the fact that MoneyGram had "voluntarily disclosed" and rectified the breaches when deciding what course of action to take.
It was ultimately a good news story of a regulated entity proactively reporting a technical compliance problem and then acting swiftly to put new compliance systems and controls in place.
In the case of a technical compliance breach of this nature, that should have been the end of the matter for MoneyGram.
Last week, however, Austrac handed down a "second tranche" of its penalty against MoneyGram, bringing the total fine to $459,000. This was more than double the previous largest penalty handed down to a remittance provider for similar types of breaches.
The fine was calculated on the basis of 33 additional contraventions at a rate of 60 penalty units (totalling $10,200) per breach.
The second fine made no mention of cooperation and instead indicated that the regulator would take strong action against businesses with "systemic vulnerabilities, or repeated AML/CTF non-compliance."
MoneyGram, for its part, was less than communicative about the latest incident. Following the initial $122,400 fine, a MoneyGram official in the United States told Thomson Reuters Accelus it had co-operated openly with the regulator to self-report the breaches and prevent any future recurrences.
This time around, however, MoneyGram provided a firm "no further comment" on the matter.
So what went wrong at MoneyGram, and how did it manage to kick a resounding "own goal" in the handling of its first major Australian regulatory incident?
Did it fail to fulfil its initial commitment to Austrac that systems and controls were in place to ensure such simple compliance breaches would never happen again? Did it fail to report the full extent of its initial breaches? Did it genuinely self-report in the first instance, or was there a breakdown in the agreement struck between the gamekeeper and poacher in this situation? And, perhaps more importantly for other reporting entities, is Austrac likely to change its approach to enforcement in future, in view of its experience with MoneyGram?
When Austrac undertook a supervisory visit to MoneyGram in 2014, it uncovered evidence that the remittance network provider had failed to ensure that all affiliates were registered with Austrac. Since 2012, entities that provide remittance services in Australia have been required to register their affiliates on the AUSTRAC Remittance Sector Register.
Peter Clark, executive general manager for operations at Austrac, explained that the regulator had given MoneyGram an opportunity to self-report the breaches and to develop systems and controls to ensure that it would not provide a designated remittance network service to unregistered affiliates.
MoneyGram was essentially left to conduct an internal investigation to gauge the scope of the breaches and report back to Austrac - something that is not unusual in the case of "technical" types of compliance breaches.
"In addressing this requirement, MoneyGram identified and voluntarily disclosed to Austrac that it provided remittance network services to six unregistered affiliates," Clark said.
The remittance network provider was also required to put in place a robust compliance framework to ensure that unregistered affiliates would no longer be able to provide services to customers.
As it turns out, MoneyGram failed to identify four further affiliates who had been operating without registration. The misconduct continued until January 25 this year, with a total of 33 "contraventions" coming to light. This was more than four months after the previously identified breaches — and more than one month after MoneyGram had agreed to pay its first fine with a view to settling the matter permanently.
The key lesson to emerge from the MoneyGram enforcement action is that reporting entities that are offered this type of regulatory olive branch following a breach should not take the privilege lightly.
Organisations that find themselves in this type of situation need to ensure that they allocate an appropriate level of resources to the remedial work and ensure that all "dirty linen" is aired in the first instance. As MoneyGram has demonstrated, failing to disclose up-front, completely and competently, could lead to further infringement notices down the track from a regulator who has solid grounds to believe that the matter has not been taken seriously enough.
In terms of the controls that Austrac expects to see from reporting entities in this space, Clark said there was a clear requirement for remittance network providers to register their affiliates prior to allowing them to conduct remittance transactions through the reporting entity's networks.
Compliance consultants said remittance network providers needed to be careful that they did not activate affiliates' accounts before receiving written confirmation that they were registered with AUSTRAC. They should have systems in place to cross-reference their list of affiliates against the AUSTRAC register on a regular basis, to ensure that agents' registrations have not lapsed and the list of active affiliates is up to date.
In view of the publicly available nature of the AUSTRAC remittance register, it is difficult to comprehend how a remittance network the scale of MoneyGram could make such simple compliance mistakes. A breach of this nature has all the hallmarks of a disorganised or under-resourced compliance function, which is no doubt the reason that Austrac handed down its largest ever penalty over the incident.