Chapter 3Issues raised in evidence
3.1At the heart of this inquiry lies the risk management culture of Gold Corporation (Gold Corp). The interim report of this committee detailed the failures of GoldCorp's risk management approach and appropriate Board oversight across multiple domains and across multiple years. That report highlighted that there has not been a single inadvertent failure of governance leading to a single adverse event.
3.2Instead, the lack of rigour in the overall approach to managing obvious financial risks has led The Perth Mint (The Mint) to multiple instances of breaching its legislated financial duties. Those breaches have been captured in the committee's interim report.
3.3This chapter considers the evidence to the committee across the course of the inquiry in relation to the root causes of those breaches and the remediation program being undertaken to ensure future safety of an important public financial institution.
3.4Relevant matters relating to The Perth Mint's regulatory compliance are analysed further in this chapter, including:
the adequacy and impacts of The Perth Mint's governance and risk management regime and Board oversight, including the culture of the Board's approach to risk management;
the adequacy of The Perth Mint's audits and post-audit remediation approach;
The Perth Mint's anti-money-laundering and counter terrorism financing (AML/CTF) compliance—with particular reference to registration and reporting requirements, the findings of the Australian Transaction Reports and Analysis Centre (AUSTRAC) review and ongoing remedial actions undertaken by The Perth Mint;
potential wider risks in the gold sector; and
the effectiveness of the risk-based regulatory approach for managing AML/CTF risks.
Adequacy of the governance and risk management regime
3.5Over the course of this inquiry, the committee has received a range of evidence reflecting on Gold Corp's attitude towards its wider obligations, governance and risk management.
3.6Various Western Aaustralian parliamentarians raised concerns about the activities of Gold Corp. For example, DrDavidHoney MLA reflected that Gold Corp's compliance issues appeared to have resulted from poor governance and oversight. MrShane Love MLA, Western Australian Leader for the Opposition, commented further on the level of risk:
The amount of risk that has been taken on by this [previous] management team for the amount of return is stupendously out of whack. It shows the culture that has grown over the years.
3.7The WA Auditor General, Ms Caroline Spencer, noted that when she took office in 2018:
… my office was dealing with a Perth Mint which was at times defensive and deflective and which exposed itself and, therefore, its owners—the Western Australian public—to unnecessary risk. Back then, broadly speaking, as an organisation it was doing okay. In fact, some things it was doing very well. My office's concern was that it had taken a detour from focusing on its core business. That core business of the Perth Mint, which is owned by the people of Western Australia, is to refine and market Australian gold and to run a museum in the heart of the city.
3.8Ms Spencer highlighted that The Perth Mint developed 'more complex online, offshore products', such as GoldPass, which appeared to distract it from its core business. Ms Spencer further outlined her view that, at that time, Gold Corp took inappropriate risks:
My view is that it got a little adventurous, pushing into new markets, new products and new customers, but with a failure to fully appreciate the additional risks and obligations those changes brought and to appropriately manage all risks across the organisation.
3.9Ms Spencer further suggested Gold Corp failed to consider its responsibilities to the Australian public:
… they didn't sufficiently focus in all their decisions—and I saw this in one of the ETF [Exchange Traded Fund] business cases or some documentation relating to it—on the risks and the benefits to the taxpayer, which were not of sufficiently high priority in balancing. That was the presentation on the issue by management. I think they lost their focus on that core obligation and benefit in all their framing.
3.10Mr Timothy Lear, General Counsel for AUSTRAC, noted that it was also AUSTRAC's view that Gold Corp did not meet its risk management obligations as it moved into new products:
It's not unusual for organisations to choose to introduce new products that may be riskier products, and that may be in different areas to where they have previously traded. The expectation that AUSTRAC has when you introduce new channels or seek out new customers or introduce new technology is that you identify the risks associated with those, assess the risk appetite and take the appropriate steps to mitigate and manage that risk. Obviously, in our view that is not something Gold Corporation has done; otherwise, we would not be at the point we are at with the enforceable undertaking.
3.11Mr Bradley Brown from AUSTRAC confirmed that 'from our perspective, the risk management processes and identification management and mitigation of risk through those [AML/CTF processes] have probably led to where we are now'. Mr Brown was clear that responsibility for AML/CTF compliance ultimately lay with Gold Corp's Board.
3.12The committee heard from the Australian National Audit Office (ANAO) around the governance expectations for any commonwealth entity:
In the Commonwealth, every entity is required to have an audit committee. That audit committee has … a number of functions. Part of that is reviewing the appropriateness of risk oversight and management and internal control. Part of the way most audit committees do that is by engaging with internal audit. Internal audit reports are reported to the audit committee, and the audit committee consider the findings coming out of those reports and monitor implementation of recommendations and the like…
If there were internal audits coming through that had issues, I would expect the audit committee to take quite an interest in that and to be tracking the implementation of any recommendations. If the audit committee had particular concerns coming out of any of those internal audits or any other information they were seeing through that committee, they would then be reporting that back to the accountable authority, which may be a board or an individual depending on what type of entity it is. They do have a reporting line directly to the accountable authority. I would expect that to be one mechanism where that kind of information would flow up to the top of an organisation.
3.13The ANAO further noted that a government business enterprise, such as ThePerth Mint, would be expected to report issues of concern as outlined above to the relevant minister and that, for The Perth Mint, it 'sounds like that didn't happen in this case'.
3.14Ms Spencer concluded that the post-2018 Board and senior management refresh, multiple reviews and Gold Corp's remediation activities have led to significant cultural, compliance and governance improvements:
It's encouraging to see that the Perth Mint is changing in response to our findings, the parliamentary media and community interest, and the work of other bodies. It now has a better grasp of its risk environment and requirements, and a greater willingness to deal with issues as they arise.
Adequacy of audits and oversight
3.15In February 2024, Mr Sam Walsh, Chair of Gold Corp, acknowledged the 'obligation of the board to ensure that The Perth Mint has good governance and compliance', and he advised that prior to the 2020 audit, the Board had understood that Gold Corp was meeting its obligations:
The board, quite frankly, was coming in from a position of believing that we complied. The board is not executive. The board has to act on advice from management and obviously the auditors, including the Office of the Auditor General, and the board was not made aware that there were problems—in fact, quite the opposite. The board was made aware in 2010 and again in 2014, as a result of the AUSTRAC reviews, that, yes, there were some minor issues that needed to be addressed, but we were assured that those issues were addressed. The board believed at the time that we were tracking in accordance with the AUSTRAC legislation. Clearly we were not … But it wasn't until we had the internal audit [of 2020], which identified that there was a shortcoming, that the board was made aware. The board determined that AUSTRAC should be advised, and the board initiated stage 1 of its remediation program.
3.16Mr John O'Connor, Member and Chair of Gold Corp's Audit and Risk Management Committee since 2016 and 2020 respectively, highlighted that regular internal audits on the AML/CTF program are part of the AML/CTF regime and their purpose is to 'ensure compliance with the legislation'. Hefurther advised 'that's one of the ways in which the board and the audit and risk committee gain comfort that the controls are in place and being exercised'.
3.17The committee asked The Perth Mint why earlier audits had not detected inadequacies in its AML/CTF compliance. Mr O'Connor explained its governance and compliance processes, advising the Audit and Risk Management Committee asked questions, that audits identified shortcomings, and remediation programs were put in place to address any and all internal audit findings. He noted these programs were then monitored by the committee.
3.18Gold Corp noted that there had been personnel changes within the auditing firm it used and this, in combination with personnel changes within Gold Corp, may have contributed to new adverse findings in the 2020 internal audit.MrJasonWaters, previous CEO of Gold Corp, suggested the changing quality of audit standards, different interpretations of obligations, and The Mint's technology refresh may explain why AML/CTF issues were not raised earlier.
3.19Likely in response to the issues raised by the 2020 internal audit, the 2021–22 operational objective for The Mint included—for the first time—reference to 'the Corporation's social and legal obligations in accordance with established Environmental, Social and Governance protocols'. Further, in 2022–23 its objectives included the requirement to 'ensure the Corporation operates in accordance with the Government's expectations and risk appetite', and that the Corporation 'maintain and improve' its reputation, suggesting the need to take a more tempered approach.
3.20Mr Waters reflected on The Mint's audit approach, observing that its audit function was entirely outsourced and that, while this is a valid model, he preferred a model which incorporated both external and internal audit staff 'who provide some ongoing oversight around governance matters, as opposed to just being reliant on an external firm'.
3.21Under further questioning by the committee, Mr O’Connor indicated:
It was a failing of management. The failing occurred between 2018 and 2020. The board doesn't live in the business day in and day out. The audit and risk committee doesn't live in the business day in and day out. We are non‑executive directors. Our focus is on process and what have you. So the failure which occurred was of the management team to do what the procedures required them to do. That was where the actual failure was.
3.22Mr Waters acknowledged that at the time of his arrival in 2022, in relation to AML/CTF remediation work, 'there was good work underway' but that the extent of the concerns was not necessarily known by the Board:
I certainly found that, within pockets of the executive team at the time, there was a deeper knowledge in relation to the amount of work and the size of the program. To be fair to those individuals, they had been working away at a remediation program that was not the same but not vastly dissimilar in scope to the one the mint currently has underway. But it certainly hadn't been conveyed to the board that the amount of work that needed to be done had been done.
3.23Mr Waters went on to note that, having raised the issues with the Board, they were fully supportive:
They wanted to know how we were going to do it and what was required. Certainly what I found was a hugely supportive environment to clear the way to ensure that we got that program up and running … I got a very supportive response, and I couldn't have been any happier with the sponsorship I got in relation to what I needed to do to deliver.
3.24Mr Waters from Gold Corp and Mr Brown from AUSTRAC separately highlighted that 'risk is not static and risk does change'. Changes to obligations, regulatory approach and the business environment mean that risk needs to be continually identified, managed and mitigated.
3.25Likewise, as capability and knowledge increases, so does 'appreciation of obligation'. Mr Waters observed that, because of reviews and changes which started before his tenure, The Mint went from viewing AML/CTF compliance as more of a back-office function which was the responsibility of one department, to a sense of AML/CTF compliance being a shared function and responsibility of all workers.[25] He also noted that that evolution in thinking 'occurred very quickly' and the 'acceptable standard of compliance and behaviour' was subject to 'a fairly steep and sudden uplift' from The Mint's perspective
3.26Mr Waters stated:
The expectations of auditors and authorities have rapidly increased out of need as the elements exploiting those systems become more sophisticated. Therefore businesses have had to continue to invest and progress down those pathways to ensure they remain both compliant and, in actual fact, resilient against that type of risk.
3.27In this context, the committee notes that there were significant risk and AML/CTF regulatory changes across the mid to late 2010s. In 2015 the Australian Prudential Regulation Authority (APRA) released its prudential standard on risk management—CPS 220—including compliance and regulatory risk. In this context, APRA made recommendations for improvement to the CommonwealthBank's risk management framework, particularly noting concerns with its identification and mitigation of operational and compliance risk. Furthermore, AUSTRAC enforcement action resulted in the Commonwealth Bank, Westpac, Crown Melbourne and Crown Perth being issued with penalties in the hundreds of million dollars ($1.3 billion in the case of Westpac) for 'serious breaches of anti-money laundering and counter-terrorism financing (AML/CTF) laws'.
3.28Likewise, the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (which commenced in 2017), resulted in greater focus on banking and financial services institutions, their governance, risks, responsibilities, and culture. The final report included discussion of the Commonwealth Bank's compliance with AML/CTF obligations and governance and risk management failures. There is no doubt that these events caused audit and consulting companies to also adjust their approach, to focus more sharply on governance and risk management issues—including those relating to AML/CTF.
3.29Both Mr Walsh and Mr O'Connor outlined the ways in which the board and executive membership have been refreshed and engaged since 2019 to improve compliance, governance and risk management.
3.30Mr O'Connor confirmed that Gold Corp internal audit plans are now subject to 'increased focus and scrutiny' as a result of the AML/CTF compliance findings, but also as a result of events in the wider marketplace, including a greater emphasis on cybersecurity and privacy.
Anti-money laundering and counter terrorism financing compliance
3.31The committee heard that 'the Perth Mint treats all its compliance obligations, including in relation to the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act), with utmost seriousness and is continually identifying and acting on areas for improvement'. This sentiment was echoed by the WA Government.
3.32However, as heard by this committee and as publicly reported—including through Gold Corp's Enforceable Undertaking—there is evidence that ThePerthMint failed to fully meet its obligations in key areas, including:
developing, implementing and monitoring its AML/CTF program and appropriate risk mitigations;
timely registration with AUSTRAC as a remittance service provider;
transaction monitoring and reporting of International Funds Transfer Instructions to AUSTRAC; and
appropriate customer identification checks, due diligence and risk ratings; and other related matters.
3.33Nevertheless, witnesses made clear to the committee that there has been no evidence of money laundering or other financial crime associated with GoldCorp.
AML/CTF Program development, implementation and monitoring
3.34Chapter 2 outlines the requirements for regulated entities—such as Gold Corp—to have an overarching AML/CTF Program to identify and address money laundering and terrorism financing (ML/TF) risks.
3.35Gold Corp's self‑initiated August 2020 assurance audit, covering the period August2017 to March 2020, determined that the design of its AML/CTF Program 'broadly aligned with the requirements of the AML/CTF Rules'. However, it also found there was scope to strengthen, formalise and more effectively implement controls and procedures so they were better understood and more consistently applied by its staff.
3.36The WA Auditor General, in her 2022 AML/CTF compliance framework audit into eight WA state entities—including The Perth Mint—found:
Six of the eight entities audited need to upgrade elements of their programs to improve the likelihood they can detect and respond to suspicious activity effectively and manage their money-laundering, terrorism-financing and regulatory compliance risks. Two of these entities are missing key program elements and are at greater risk of non-compliance and money laundering or terrorist financing activity.
3.37Other work completed by The Perth Mint, such as its independent internal audits, regular financial annual audits, and information technology implementation programs, identified AML/CTF compliance issues, including in relation to its overall AML/CTF Program. The committee heard that the Board of Gold Corp was made aware of these concerns in August 2020. The Perth Mint then pro‑actively commenced remediation, as discussed below.
3.38AUSTRAC's wide-ranging compliance review of Gold Corp (commencing in January 2021) also looked at its wider AML/CTF Program:
The supervisory engagement that we have with Gold Corporation, as per the notice and the appointment of the external auditor, provides a broader indication than simply the one system. It looks at their AML/CTF program, which is more generally about how they're managing and mitigating risk. It has a look at their customer due diligence requirements. It has a look at their reporting obligations. It also has a look at considerations around their enrolment. It actually looks at a broad number of obligations within our legislation, not purely at the IT [information technology] system.
3.39Both the WA Government and the Mint explained that AUSTRAC's investigation and the work of the external auditor which AUSTRAC required be appointed, assessed historical procedural compliance and did not investigate 'any concerns regarding the potential facilitation of money laundering or other financial crime'.
3.40In November 2023, AUSTRAC accepted an Enforceable Undertaking from GoldCorp which outlined areas of non-compliance along with commitments to undertake further remediation work. In addition to failures in AML/CTF processes and operations (discussed in Chapter 2), there were deficiencies in its central AML/CTF Program.
3.41The external auditor's final report, required by AUSTRAC as part of its supervisory action, confirmed these findings, including that the application of Gold Corporation's Part A Program was not compliant in respect of the AML/CTF Rules regarding further Know Your Customer information and beneficial ownership, transaction monitoring and Enhanced Customer Due Diligence.
3.42The Enforceable Undertaking stated Gold Corp 'may have failed to comply, and may remain non‑compliant' with a range of AML/CTF provisions, including 'failure to adopt and maintain a Joint AML/CTF Program within the meaning of section 83 of the AML/CTF Act'. Gold Corp agreed to undertake a formal Remediation Program and remains under supervision by AUSTRAC, as discussed later in this chapter.
Customer identification, due diligence and risk rating
3.43As outlined in Chapter 2, as a designated service provider The Perth Mint has AML/CTF compliance responsibilities for identifying, conducting initial and ongoing due diligence on, and risk rating its customers—the Know Your Customer requirements.
3.44Mr Bradley Brown, at the time Acting Deputy CEO of AUSTRAC, clarified why knowing your customer is so important:
Fundamentally, it goes to the fact that you need to know who you have as customers, you need to understand the nature of that customer and have some regard to the risks both around that customer and how information and the services you're providing move, for example, how transfers et cetera are conducted and which jurisdictions in the world you might have concerns with, to actually seek to prevent your business from being exposed to criminal activity.
3.45The committee's interim report highlighted The Perth Mint's growing awareness that its customer-related processes were not commensurate with its AML/CTF obligations and the inherent risks in its business. The August 2020 audit report raised concerns over the inconsistent application of Know Your Customer procedures and found that Gold Corp had taken action to address previous findings relating to AML/CTF training and customer due diligence, but the controls were not consistently applied. The Perth Mint immediately commenced its own remediation.
3.46AUSTRAC's 2022 Compliance Assessment Report also confirmed compliance concerns with Gold Corp's Know Your Customer processes, including:
failure to carry out Applicable Customer Identification Procedures;
failure to consider the ML/TF risk posed by its customers;
failure to monitor customers; and
failure to determine when additional Know Your Customer information would be collected.
3.47AUSTRAC explained its interest in customer-related processes to the committee:
We were obviously interested … in the customer due diligence processes that were being undertaken in Perth Mint. That was a key part of our considerations. Fundamentally, the reason is that, with the information that we obtained from the partners that you saw this morning, there were questions for us in relation to the customers of Perth Mint at the time and whether, necessarily, the systems and processes were robust enough, in terms of preventing the types of exposure that we have a mandate to seek to prevent'.
3.48In July 2023, the external auditor's report confirmed likely non-compliance with Applicable Customer Identification Procedures, customer due diligence requirements and customer risk ratings. This included inadequate identification of beneficial owners of customers, and identification of whether customers were a 'politically exposed person'.
3.49In 2022–23, The Perth Mint set up a centralised Customer Operations Team to implement improved customer-related procedures, and ensure appropriate due diligence and transaction monitoring to address the concerns. This work included a refresh of its entire customer database—around 70 000 customers—as well as process redesign and systems refresh (and other measures).
3.50In February 2024, Gold Corp advised that additional customers were being reviewed, advising it 'added 13,000 [customers] who we believe we comply with, but we want to make absolutely certain that we have covered every aspect of the AUSTRAC requirements'. These customers joined Gold Corp after the remediation process had started. By February 2024, around 50 per cent of customers—including active customers—had been re-verified. By the conclusion of the remediation process in April 2025, 100 per cent of Gold Corp customers will have been checked and remediated.
Enrolment and registration
3.51The AML/CTF regime requires entities providing services such as bullion and remittance services to enrol and register with AUSTRAC within certain timeframes. AUSTRAC confirmed that The Perth Mint has been enrolled as necessary as a gold bullion service provider from the commencement of the regime.
3.52AUSTRAC advised that The Perth Mint did not register as required when it commenced the GoldPass product in 2018 and operated as a remittance service provider. Gold Corp became aware of the non-compliance in early 2021, self‑reported to AUSTRAC, and complied with its registration obligations on5March2021. In its responses to questions on notice, The Mint responded it 'promptly registered as an RSP [remittance service provider] and wrote to AUSTRAC to voluntarily disclose its previous non‑compliance with registration requirements'.
3.53The AUSTRAC 2022 Compliance Assessment Report noted the compliance issues relating to the provision of designated services (including as an independent remittance dealer) while not registered to do so and to not advising AUSTRAC of changes in enrolment details.
3.54Federal laws make it an offence to provide remittance services without registration.
International Funds Transfer Instructions reporting and monitoring
3.55In early 2023, it was alleged in the WA Parliament that Gold Corp had not made any International Funds Transfer Instructions reports to AUSTRAC to the end of June 2021, despite Gold Corp 'operating an international gold trading app[lication] and selling bullion to customers in 130 countries'.
3.56The Perth Mint told the committee that the August2020 audit report also found transaction monitoring concerns—including for threshold amount and suspicious transactions. At the time transaction monitoring was 'largely manual, with a reliance on employees who processed transactions exercising judgement to identify suspicious transactions'. Gold Corp's Audit and Risk Management Committee was advised in August 2021 that an interim transaction monitoring system had been developed and implemented to 'reduce and manage risks whilst the corporation waited for new systems to come online'.
3.57AUSTRAC's 2022 Compliance Assessment Report identified the non-reporting of International Funds Transfer Instructions and failure 'to include an appropriate transaction monitoring program'. These matters were also considered by the external auditor, with them finding 'the Gold Corporation DBG [designated business group] failed to report 3,322 International Funds Transfer Instructions in respect of at least four separate value‑transfer scenarios' over the external audit period (January 2021 to August 2022).
3.58The report also found that 'the application of GoldCorporation's Part A [of the JointAML/CTF] Program was not compliant in respect of the AML/CTF Rules regarding … transaction monitoring' (amongst other matters) and that 'transaction monitoring rules were not designed or applied such that the GoldCorporation DBG could appropriately monitor high ML/TF risk activity by its customers'.
3.59As discussed below, through the Enforceable Undertaking, Gold Corp has undertaken to uplift its AML/CTF compliance through improvements to customer process and data remediation, and technology and data initiatives.
3.60In February 2024, AUSTRAC confirmed 'many of those reports have actually been filed now, so they have been back-captured by Gold Corporation'. It reported that Gold Corp submitted 4409 International Funds Transfer Instructions reports covering the period January 2021 to November 2023, with International Funds Transfer Instructions sent from Australia to the United Kingdom (62percent of transactions), United States (38 per cent), Singapore, NewZealand, Switzerland and the Cayman Islands.
GoldPass
3.61In 2023, Dr David Honey MLA, Member for Cottesloe and then WA Shadow Minister for Energy; Renewables and Hydrogen; Water; Industrial Development; Lands suggested that The Perth Mint's failure to comply with International Funds Transfer Instructions reporting requirements was facilitated by the GoldPass gold trading app.
3.62As of 29 August 2023, 139 645 transactions (buy, sell or transfer) had been undertaken in GoldPass, with a total transaction value of around $323.2million.
3.63Dr Honey alleged that the app's 'requirements for proper identification of the original and subsequent on line purchaser were weak and identification information was not archived for subsequent review', that gold ownership transfers could be carried out in a way that avoided AUSTRAC scrutiny, and The Perth Mint failed to report transactions.
3.64Dr Honey stated it is 'difficult to believe that anyone at the Perth Mint was unaware of this risk, let alone the senior managers and the Board who are responsible for the proper governance of the organisation', and submitted there was an expectation that proper governance procedures would be in place. DrHoney concluded that gold trading through the GoldPass app exposed The Mint to increased risk of ML/TF.
3.65AUSTRAC confirmed that the AML/CTF Act 'requires regulated businesses to identify, mitigate and manage the risk of the designated services they provide, including taking into account any risks involved in a mode or channel of delivery'. Gold Corp 'self‑disclosed compliance failures relating to its GoldPass service' during AUSTRAC's 2021 compliance audit.
3.66Gold Corp told the committee that, in relation to GoldPass, the new risk was the requirement to register as a remittance service provider—otherwise there were no new risks:
… the identified AML/CTF risks were actually the same as the identified 80A risks associated with our normal business. It's KYC [Know Your Customer]. The GoldPass customers all had to go through a KYC process. The GoldPass customers all had to be governed by our transaction monitoring processes. They were the risks that were called out, which were specific to GoldPass. There weren't new risks, by terms of nature, because the KYC procedures had to be undertaken over all of our new customers.
3.67Gold Corp went on to point out:
… there were no other reporting obligations [over and above Know Your Customer monitoring] because there were no IFTIs [International Funds Transfer Instructions] associated with GoldPass—zero. So there were no reporting of IFTIs which we omitted, because they are not associated with GoldPass, despite what has been said in the press over recent months.
3.68Gold Corp also clarified that prospective GoldPass customers were 'required to provide appropriate identification documents and a know your customer check was undertaken via [third party company] Trulioo, a company that provides electronic identity and address verification of both individuals and businesses', or by The Perth Mint customer service team prior to verification and trading.
3.69In answers to questions on notice, The Perth Mint noted that 'there was a procedure for a customer to open a GoldPass account and apply to convert PMGT [Perth Mint Gold Token] tokens to GoldPass Certificates'. However, GoldCorp advised 'this occurred in very limited instances due to the nature of the Know Your Customer and conversion process and the low consumer appeal of this feature'.
3.70A 'deep dive' of risks associated with GoldPass was undertaken by ThePerthMint in late 2021—including a desktop review of policies and procedures, and discussions with subject matter experts—and this resulted in a number of recommendations for improvement. Despite a large investment in the product, in late 2021 The Perth Mint decided to discontinue the product in 2023.
Other related factors
3.71Through this inquiry the committee has become aware of several other areas in which The Perth Mint's performance affected its ability to meet its compliance obligations under federal AML/CTF laws, including:
technology issues;
staff and Board training; and
appropriate recordkeeping.
Technology issues
3.72The committee heard that historically, The Perth Mint had to rely on largely manual processes to identify potentially risky transactions, and develop a single view of its customers, compromising its ability to meet its AML/CTF obligations.
Enterprise Resource Planning implementation
3.73The Perth Mint also experienced challenges when implementing technology solutions to improve its processes. As outlined in the committee's interim report, in 2014 funding of around $16million was set aside to purchase and implement an Enterprise Resource Planning (ERP) system of integrated business management applications—typically these systems include human resources, accounting, procurement, purchasing, production and sales modules.
3.74However, it became evident that the proposed solution would not meet TheMint's requirements and a revised One Future ERP Program commenced in August 2016, with a revised scope. In 2018, the Gold Corp Board agreed to replace its e-commerce platform and digital experience to support its core business.
3.75According to Mr Love, it was clear by this stage that The Mint had recognised that its technology systems were not sufficient to collect, manage and view data to help it manage its business and AML/CTF responsibilities, that The Mint still relied on manual and error‑prone processes in some cases, and that its systems were not sufficiently integrated and usable to meet it business needs.
3.76A review of documents outlining the implementation of the One Future Program highlighted that the project was complex, experienced cost and time over-runs, and that project information, status and risks were not always clearly reported to the Board. Problems experienced by the project were exacerbated by changes in consultants, key staff, scope changes, data integrity issues and the COVID-19 pandemic.
3.77Despite the problems, a February 2021 internal review of the project, which included input from independent parties, found 'there is a high degree of confidence that the overall solution is fit for purpose'. It concluded 'in the Sponsor's view, the Governance and implementation model is operating effectively [and] … the One Future Program is "well managed, and the Governance process is clear and effective"'. At the time the decision was made to continue, rather than pause the program. The ERP implementation was completed in November 2021, at a total estimated cost of $55.064 million.
Replacement of other technology systems
3.78In February 2024, Mr Jason Waters, in his role as previous CEO of GoldCorporation, told the committee that the ERP system was 'fully implemented and running' by the time he commenced with The Mint. However other business systems were contributing to risks within Gold Corp. Mr Waters stated 'it wasn't that system at all. It was another collection of older, disparate systems which were next cab off the rank in terms of replacement'. He added 'we simply didn't have the IT systems to enable us to do the transaction monitoring at the level required to not just remain compliant in the minimum way but remain futureproofed to AUSTRAC's requirements'.
3.79To address these obligations, The Perth Mint 'invested in a centralised onboarding model' to ensure a single source and view of customer data, including Know Your Customer requirements. Further uplift of systems and data is planned under the Enforceable Undertaking Remediation Program.
Board and staff training
3.80The committee also heard that a historical lack of Board and staff training and awareness was also a factor in The Mint's ability to meet its AML/CTF compliance obligations.
3.81Mr Timothy Lear, General Counsel for AUSTRAC, described the AML/CTF risk management frameworks to the committee as a 'risk based approach, which flows from international approaches through the Euro Pacific Bank and other organisations.' Mr Lear told the committee that under this approach:
It is ultimately not up to the organisations to mark their own homework. They cannot simply adopt very large risks without appropriately mitigating and controlling those risks.
…
At that particular time, around 2018, in that audit report, the board and senior management were responsible for marking the homework. They were also responsible for complying with the act … At the end of 2020, AUSTRAC decided it required a supervisory engagement with the Perth Mint—effectively externally marking the homework, if you like. It was through that process that we have ended up with the enforceable undertaking.
3.82The Perth Mint advised the committee that the 2020 audit review found:
there was scope to help control owners to better understand the controls they were applying and to apply them more consistently;
the conduct of 'AML risk assessment reviews and delivering AML general risk awareness training' was impacted by staff turnover;
records documenting the provision of AML/CTF risk awareness training were 'not available'; and
controls to address previous findings relating to risk awareness training and customer due diligence were not applied consistently.
3.83AUSTRAC confirmed that while it provides general e-learning modules and other guidance resources, regulated entities are required to provide AML/CTF risk awareness training to their staff, which is specific to their risks and circumstances.
3.84In August 2021, the Board was advised that training in general of AML/CTF awareness and understanding was 'at 100% completion', with relevant staff to complete an additional module on 'Customer Identification, Collection and Verification' and 'Typologies and Methodologies' the following quarter. Specialised training was also arranged for shop staff to 'accelerate their understanding of financial crime monitoring and management'.
3.85The Mint also put systemic and targeted training systems in place to ensure its staff receive training relevant to their role. The Mint advised:
In accordance with the AML-CTF Act and Rules, Part A of The Perth Mint's AML-CTF Program includes processes, systems and controls for The Perth Mint to provide ML/TF risk awareness training to employees at appropriate intervals and corresponding to the ML/TF risks that The Perth Mint has identified.
… The responsibility of maintaining and delivering training programs to address potential ML/TF risks rests with reporting entities, such as ThePerth Mint.
3.86Mr Waters told the committee that by the time he arrived in April 2022, GoldCorp had developed 'a really rigorous approach and requirement to mandatory training, and that included AML/CTF and KYC [Know Your Customer]'. He added, that there was a significant uplift in capability and investment in specialised staff 'specific to the management of KYC and AML/CTF requirements', as the expectations and obligations for AML/CTF have evolved and changed and become more sophisticated.
3.87The Board also received specific training—its 24 August 2022 meeting included a workshop on The Perth Mint's AML Remediation Program, including in relation to its compliance obligations and remediation.
Pro-active remediation
3.88The committee heard The Perth Mint undertook a wide range of audits (as required by the AML/CTF regime) and remediation over several years to improve AML/CTF compliance and reduce risk.
3.89In 2010, an internal assurance audit made six 'low' or 'medium' findings on AML/CTF processes and/or their application including:
Customer risk rating methodology
Transaction monitoring
Training of staff
Know Your Customer processes on a certain subset of customers
Timeliness of reporting to AUSTRAC.
3.90In 2014, a similar audit made one 'low' level funding relating to the 'timeliness of reporting to AUSTRAC'.
3.91In 2018, there were five 'low' or 'medium' findings related to AML/CTF obligations, regarding:
Training of staff
Transaction monitoring
Documentation of enhanced customer due diligence
Review methodology for AML/CTF Program (two related findings).
3.92After each audit The Perth Mint confirmed that it 'took action to address the findings … in a timely manner'.
3.93The Perth Mint's independent assurance audit of August 2020 made some 'significant findings', including 'concerns with the ability of the entity to adequately meet its AML/CTF reporting obligations'. This report appears to have provided the initial impetus for The Mint's proactive development of an AML/CTF compliance remediation plan, commencing the same month.
3.94The plan included measures to address AML/CTF obligations, including:
process redesign and systems refresh, including consultants and specialist legal advice and a single customer relationship management system;
staff training;
no longer accepting cash transactions;
transaction monitoring, including automated tracking and recording of customer transactions;
remediation and refresh of Know Your Customer data for all of its customers;
review and renewal of banking relationships;
reputation repair and management; and
monthly implementation monitoring by Board.
3.95As additional compliance issues came to light, from the Office of the Auditor General's AML/CTF compliance framework review, The Mint's regular financial audits and the AUSTRAC review, further updates to the program occurred.
3.96Implementation commenced in March 2021, and throughout the year Gold Corp worked with Deloitte to address AML/CTF risks, running training, commencing a compliance assurance framework, refreshing customer data, and updating its risk assessments.
Updates to the remediation program following AUSTRAC review
3.97The AML Remediation Program was originally scheduled for completion by July2022; however, GoldCorp reassessed the scope of its program 'following an external review and receipt of the June 2022 Compliance Assessment Report from AUSTRAC'. The revised remediation program was endorsed by the Board on 31August 2022. The Board continued to meet through late 2022 and late 2023 to specifically consider the AML Remediation Program.
3.98AUSTRAC acknowledged Gold Corp's amendments to their remediation program as further information came to light, stating:
Our findings that we provided to Gold Corporation in June 2022 provided additional information and insight. Similarly, the engagement and appointment of the external auditor and the undertaking of that audit throughout late 2022 into 2023 certainly provided additional information to Gold Corporation in relation to that remediation. Hence, they have been updating that remediation plan throughout that process.
3.99During 2022 the Minister for Mines and Petroleum, the Hon Mr Bill Johnston, was advised by the Chair and CEO of The Perth Mint of broader, historical AML/CTF non-compliance issues. The Minister requested advice from ThePerthMint on the extent of historic non-compliance and the 'pathway to resolve those historic non-compliance issues'. This led to a funding application for the remediation program through the Minister, as part of the 2022 annual budget process.
3.100The WA Expenditure Review Committee agreed to funding of $34million for the remediation program through to 2025–26, agreeing to Gold Corp withholding its annual dividend.
3.101As part of AUSTRAC's supervisory requirement for an external audit, GoldCorp proactively:
… requested the external auditor examine whether the scope of the Remediation Program was appropriate to deliver effective remediation of issues identified by AUSTRAC's Compliance Assessment Report and to identify, mitigate and manage ML/TF risks [moneylaundering/ terrorism‑financing risks] on a sustainable basis. The external auditor's report confirmed that the design and scope of the Remediation Program was appropriate to deliver effective remediation …
3.102However, the external auditor's conclusions were qualified, asserting:
… its ultimate effectiveness will depend on its implementation and the Gold Corporation DBG's [designated business group] continuing commitment to uplifting its approach to AML/CTF.
3.103At the November 2023 public hearing Mr Walsh reflected on the compliance findings and actions taken by Gold Corp over a number of years, saying:
That's been quite a journey as we've progressively improved and progressively discovered things that weren't up to par. We've taken action immediately as a board and implemented remediation and corrective programs. We understand our obligations and we are strongly committed to meeting those. Our remediation program is a good example of this. We've gone right back to square one, and we'll refresh all of our details in relation to Know Your Customer for the 70, 000 customers that the organisation has. We're deliberately working through, as I say, from square one to make sure that we absolutely meet the requirements.
3.104In February 2024, GoldCorp advised that implementation of the remediation plan was more than 50percent complete. It reiterated its full cooperation, with MrSam Walsh, Chair of the Board stating 'the Perth Mint team has remained resolutely committed to implementing our Anti-Money Laundering Remediation Program' and 'we are totally and absolutely committed to the work that is required to complete that [remediation program] by April 2025'. It also confirmed that it is sufficiently resourced to meet its remediation obligations.
3.105Gold Corp's willingness to engage and improve its performance was illustrated by its willingness to offer an undertaking to AUSTRAC, and the Enforceable Undertaking itself:
AUSTRAC acknowledges the co-operation and engagement of the GoldCorporation DBG throughout the Compliance Assessment. AUSTRAC also acknowledges that the Gold Corporation DBG has commenced a significant AML/CTF remediation and uplift, and has already completed a number of critical uplift initiatives as at the date of this Enforceable Undertaking.
3.106In the Enforceable Undertaking, Gold Corp made further undertakings to take action to meet its AML/CTF obligations, including with regard to:
completing its Remediation Program by 30 April 2025, with progress tracked monthly through a Traceability Matrix (or similar);
customer data remediation, including providing of evidence completion to AUSTRAC; and
appointment of an external auditor with the agreement of AUSTRAC to act as an Authorised External Auditor, reporting on progress and effectiveness every six months until the Remediation Program has been completed.
3.107In February 2024, AUSTRAC reiterated Gold Corp's cooperation, with MrBrown reporting 'throughout this process, I can confidently say that Gold Corporation have engaged with us in a manner seeking to uplift the processes and remediate the concerns that AUSTRAC has spelt out to them'.
AUSTRAC next steps
3.108AUSTRAC accepted Gold Corp's Enforceable Undertaking in November 2023. Gold Corp will remain under more intensive supervision by AUSTRAC until AUSTRAC gives Gold Corp written notice of the undertaking's completion or cancellation.
3.109This supervision entails AUSTRAC receiving a traceability matrix monthly, with senior AUSTRAC staff meeting with Gold Corp monthly, where the auditor will present information on progress against the remedial action plan. Mr Timothy Lear of AUSTRAC noted that:
Once that information is presented, we will sometimes challenge and test aspects of what we're being told to make sure we're comfortable that the actual outcomes that we're being informed about are there. You've got both the auditor doing that and AUSTRAC involved with doing it, and that's why it's a very close engagement through enforceable undertaking. I expect that rhythm to continue through to a conclusion of the enforceable undertaking.
3.110AUSTRAC confirmed that Gold Corp's non-compliance with AML/CTF requirements is ongoing. When asked by the committee whether Gold Corp is still an 'entity of concern to AUSTRAC', Mr Brown responded:
I don't know if I would characterise it as an entity of concern. AUSTRAC certainly has ongoing concern in relation to the compliance of Gold Corporation with its AML/CTF obligations, and hence the enforceable undertaking response to those concerns … Those concerns will continue until Gold Corporation uplifts and remediates the matters that the enforceable undertaking seeks for it to do.
3.111AUSTRAC expressed trust in Gold Corp and the Enforceable Undertaking processes, acknowledging remediation may take some time:
… the enforceable undertaking and the appointment of the external auditor in this context is still, in some respects, a continuum for Gold Corporation, but it gives AUSTRAC some confidence and assurance that this will see it through until April 2025 and provides obvious steps we can take if it does not.
3.112Accordingly, AUSTRAC will continue to monitor Gold Corp, including its completion of its Remediation Program, through bi-annual detailed reports on the remediation program, and monthly reporting and/or meetings to track progress. AUSTRAC retains the ability to take further enforcement action in relation to AML/CTF matters as required.
Potential for financial penalties
3.113Regarding the potential for AUSTRAC to pursue breaches and exact penalties, Mr Brown advised that its general approach is to improve entity capability and reduce risk of exposure to money laundering. AUSTRAC considers a range of factors including:
… the systemic nature of matters that might be provided to us. We determine, if there's a level of contravention, the harm that may have been created through that failing. We will consider the nature of the engagement—whether the entity has come forward to provide us with that concern or whether we have located it ourselves. We will have consideration to their level of engagement and commitment to their obligations and what they're doing. So there are a number of factors.
3.114When discussing the Enforceable Undertaking, Mr Lear of AUSTRAC clarified the extent of AUSTRAC's authority:
When we conduct these investigations—supervisory engagements—we're mindful that it's not ultimately AUSTRAC's position to be able to find a contravention. We form our own view. You'll see through the undertaking that we'll go through what AUSTRAC's view is in relation to the compliance. And so there is a little bit of care around not saying that they, in fact, contravened. That's the decision of the Federal Court. So some of this language is designed to ensure that there's a distinction between the position that AUSTRAC has formed and whether, ultimately, there's been a finding of a contravention of the AML/CTF Act.
3.115In February 2024, AUSTRAC told the committee that the risk of financial penalties being imposed on The Perth Mint was possible, saying, 'until they're compliant, that's right; they're always at risk of a penalty'. However, Mr Lear stated 'it is unlikely to occur if they comply with the enforceable undertaking'.
Reputational damage
3.116Given the obvious failings in Gold Corp's governance and risk management approaches, in particular between 2018 and 2020, some witnesses warned of the resulting reputational damage—not only to The Perth Mint, but internationally to Australia and Western Australia's reputation in the gold industry.
3.117Given the Gold Corp is a government trading enterprise (GTE), the WAGovernment guarantees The Perth Mint precious metals borrowings and customer owned precious metals, and the potential liabilities and penalties which Gold Corp could have incurred on taxpayers' behalf, MrShaneLoveMLA argued there was greater-than-usual responsibility for Gold Corp to meet its obligations.
3.118Dr Honey also highlighted the importance of 'having a reputable, local refiner [which] ensures that gold miners and, more generally, Australia gains the maximum financial benefit from gold production', to the benefit of all Australians.
3.119Mr Love warned that the activities of Gold Corp, in particular those relating to the meeting of exchange standards, had called into question the integrity of The Perth Mint's refining reputation, with Dr Honey concluding:
This is a serious matter as it undermines confidence in the Perth Mint. TheMint's reputation is critical to maintain its standing as an internationally recognised and respected gold trading institution.
3.120The Attorney-General's Department recognises areas of weakness in Australia's financial system have the potential to damage its reputation and attractiveness as a business destination, impact the safety and wellbeing of Australians, and may see funds fall into the hands of criminals and terrorist organisations.
3.121Inadequate compliance with AML/CTF requirements, and related matters by Gold Corp have raised questions about its operations. Gold Corp has publicly recognised and accepted responsibility for its failings on a number of occasions, with Board Chair, Mr Sam Walsh, acknowledging in the 2023 annual report:
It is impossible to discuss the past year without acknowledging that too often the Mint found itself in the headlines for the wrong reasons …
We take responsibility for historical shortcomings and are committed to learning from mistakes. I again acknowledge the impact that these incidences of non-compliance have had on our customers and the reputational damage they have inflicted on The Perth Mint and our people …
We have to accept the negative headlines, but the reality is they reflect past practices that do not speak to our values.
3.122Mr Waters told the committee that Gold Corp valued its reputation, and ultimately it appeared customer behaviour had been largely unaffected by media reporting:
Clearly, reputation is a major issue for us in terms of how we do business. Not only is the Perth Mint an iconic Western Australian business; it's also recognised as being a very substantial and major gold refiner in the world. I think the best tangible measure of how our customers responded to this is in relation to the trade that we've conducted following the media commentary. If you take the gold miners who ship their doré to us for refining … that has continued without any change. If you take our customers at the time of, if I can say, the intense media focus, our trade actually increased rather than decreased. So, in terms of the international aspects of the reaction, people know the mint, people understand what we're doing. They realise that from time to time in any business there will be issues, but they also accepted that we were actually taking proactive steps to remediate the issues.
3.123Mr Paul Graham was appointed as the new CEO of the Perth Mint in November2023 and made it clear that Gold Corp understood its wider responsibilities:
The Perth Mint is clearly working hard to meet its obligations to the WA community, the gold mining sector, its business partners and customers around the world and it is something I will be focusing on …
Potential wider risks in the gold sector
3.124The committee received evidence about the potential risks and wider regulation of the precious metals industry, of which Gold Corp is a part.
3.125The bullion industry is publicly recognised as a risky industry, and AUSTRAC, along with the Serious Financial Crime Taskforce 'had, over a period of time, considered conducting assessments of the bullion industry. In fact, aside from Perth Mint, in 2018–19 we did an assessment of a smaller bullion dealer in Australia'.
3.126The taskforce's website notes that tackling fraud in the precious metals refining industry has been an area of focus in recent times. On 1 April 2020, in response to the COVID–19 pandemic and intelligence gleaned from law enforcement partners, AUSTRAC issued a public notification. The notification indicated some sectors may be more vulnerable to exploitation during the pandemic, including 'out of character purchases of precious metals and gold bullion'. Itstated it 'suspected, or had seen, some change of behaviour … and possibly or actually … had seen some suspect bullion transactions'.
3.127AUSTRAC advised that it conducted a risk assessment of the bullion sector during 2021 and 2022, including consultations with government partners and 15bullion sector reporting entities.
3.128Mr Brown explained how an assessment is conducted:
For an assessment of that nature, we actually look back over a period of time. To develop an assessment of that nature, we actually looked back; we looked at the intelligence and suspicious matter reporting that we had in the years prior to 2021. I suppose it's more of a body of work that goes into developing a risk assessment of that nature and understanding the vulnerabilities of a sector. It's not at a point in time of the period of time, because it normally takes about 12 months for that assessment to be generated. We absolutely have used material prior to 2021-22 to form that overarching assessment for the bullion sector in Australia …
3.129Overall, AUSTRAC advised the bullion sector has 'a low criminal threat within the current considerations of activities within Australia'. Explaining the risks in the bullion sector, Mr Brown commented:
… there are some medium inherent vulnerabilities in the provision of bullion services that need to be considered by entities. Those particular services are the fact that many of the businesses within the bullion sector—I think there are approximately 150 different providers of bullion services in Australia, some large, some small. They can be inherently cash based activities because you have the buying and selling of gold bullion with cash.
I think you asked about this: because bullion has an intrinsic value to it, it can be exchanged as a commodity. Obviously, if someone is holding a significant amount of cash and doesn't wish to hold that cash, they have the ability to actually obtain a metal of value. I think, based on the current information, one kilogram of gold bullion is worth approximately $93,000 or maybe a little bit more in value, and therefore there is a value for which someone may consider moving proceeds of criminal activity into a different purchase.
3.130In its submission, AUSTRAC told the committee:
Factors that expose the [bullion] sector to ML/TF vulnerabilities include:
high exposure to cash, with many bullion dealers operating cash‑intensive business models, which present opportunities for money laundering
the ability to store and move funds
bullion dealers who also operate as bullion refiners, increasing the foreign jurisdiction risk, and risk associated with refining scrap precious metal
the delivery channels used by bullion dealers including face-to-face, online, phone and third-party arrangements.
3.131Some of the work of the Serious Financial Crime Taskforce, including consideration of the Euro Pacific Bank—recognised internationally as a tax haven and a previous customer of The Perth Mint—contributed to AUSTRAC's decision to look more deeply at Australia's largest bullion dealer, Gold Corp, in 2021.
3.132AUSTRAC confirmed that it has not changed its risk rating for the bullion sector, since the 2022 risk assessment was completed.
Australia's financial sector risk regime
3.133As discussed in Chapter 2, Australia's AML/CTF regime remains partly compliant or non-compliant with international standards, as reported by the international Financial Action Task Force (FATF). The next round of FATF assessment—Round 5—will be conducted between 2025 and 2027 and will include an assessment of Australia's laws and technical compliance. It will also consider an assessment of the effectiveness of our regime including the education and guidance provided. Mr Alexander Engel from the Attorney‑General's Department elaborated:
When we get to our evaluation, a big team will come out. They will look through our entire regime, the ecosystem of financial crime in Australia, how we're combating it and whether our measures are effective.
3.134The 2016 Statutory Review of Australia's AML/CTF regime found it 'is overly complexand impedes the ability of regulated entities to understand and comply with their AML/CTF obligations'. The committee heard that the current reform of the regime is aimed at improving compliance through streamlining and modernisation of provisions, as well as the addition of tranchetwo entities which are not already covered by the AML/CTF Act and Rules:
Part of that is that for some sectors … smaller regulated entities …we're looking at making it much clearer in the regime about what those obligations are and how to meet them and then sort of backing in, as I think mentioned earlier today, around having it as a risk based regime, so the types of services you are providing and the types of customers you have might change how you would apply protections to your business to prevent money-laundering. So we're looking at streamlining those aspects.
3.135AUSTRAC explained to the committee that Australia's regulatory approach is risk-based, in line with international standards. Mr Brown clarified the regime is aimed at preventing money-laundering and related crimes, rather than stopping it completely:
Australia's AML/CTF regime adopts a risk- and principles-based approach to regulation, recognising that regulated businesses are best placed to identify, mitigate and manage their ML/TF risk.
3.136He further clarified the nature of the framework:
Our legislation requires businesses to implement a program that identifies, manages and mitigates the risks of money laundering and terrorism financing upon their business. They have to have the program in place—that is, the systems and processes and controls, whether that be technology or pieces of paper—to do so.
3.137However, the Attorney-General's Department observed from a policy perspective that 'the explicitrequirement to assess risk is absent from the current regime, with the obligation to assess risk implied froma number of provisions'. The reforms may look to make this obligation clearer.
3.138In its current iteration, the AML/CTF Rules require a reporting entity—such as Gold Corp—to identify its level of risk and have an appropriate program in place to manage those risks. Consequently, risk mitigations put in place by one organisation could be very different to measures put in place by another organisation. Mr Brown confirmed 'the risks that they face are inherently different, so that means that the systems that they put in place to manage and mitigate the risks are very different as well'.
3.139Mr Engle of the Attorney-General's Department elaborated:
… it's a risk based regime. It's not a tick-box prescriptive thing where, if I just do this, then I'm fine and the government's giving me the tick. Because the government doesn't run, anymore, any of these private entities, they are private businesses. They understand how their business operates and what their risk should be. There will be guidance from AUSTRAC because there are known risks in certain sectors, but it is up to them. The obligation is to put in those protections and put in those mitigations …
The danger of a tick-box regime is that it's not one size fits all, depending on the type of business that you're running. The supervisor part of AUSTRAC will work based on its own understanding of intelligence and its priorities about where it's seeing money-laundering risk.
3.140Mr Brown indicated that, for AUSTRAC to regulate the 17 000 or so businesses falling within its remit, a risk-based approach which focuses on the highest risk businesses is required. Mr Brown went on to acknowledge that not all entities will be fully compliant at all times:
The regime is set up not to stop absolutely every crime that occurs, but for the reporting entities to have in place the systems and processes to identify particular suspicious activity that is then actually obtained by AUSTRAC and leveraged by our partner law enforcement agencies.
3.141Mr John Ford, Serious Financial Crime Taskforce chief and Assistant Secretary at the Australian Taxation Office, gave his assessment of the robustness of Australia's AML/CTF and tax regime, stating:
There's a regulatory framework there that my colleagues have gone through in terms of that reporting. It operates on two levels: a cash threshold and suspicious transactions. From a tax office perspective, we get many, many suspicious matter referrals to us. So there is active reporting in terms of tax evasion in our context. In that sense, I would say we have a robust regime and a good relationship across the Serious Financial Crime Taskforce, which is underpinned by laws that allow us to share taxation information across the task force and to collaborate and build intelligence. So it's not just about the anti- money-laundering regime but about how we take that information and build it into actionable intelligence. So I would say it is robust.
3.142Mr Brown highlighted to the committee that while he has observed an increase in the level of suspicious matter reporting over the last five years, this can be explained by better education across business sectors, strong regulatory action in specific sectors (such as banking and gambling), and a maturation in the regulatory approach since the AML/CTF Act's commencement in 2006. Heaffirmed:
Hence, on the back of some of those actions, there has been a strong response from industry in relation to the reporting of suspicious matters across the board.
Regulation of Gold Corp
3.143Recognising that AUSTRAC's approach as regulator has matured over time, the committee is concerned that there appear to have been significant, long‑standing breaches which were not detected by any of Gold Corp's regulators, specifically those relating to registration as a remittance service provider and International Funds Transfer Instructions reporting.
3.144The committee heard that AUSTRAC has engaged with Gold Corp on an ongoing basis, and had previously undertaken supervisory activity on targeted matters in 2009, 2012 and 2014. In relation to earlier AUSTRAC reviews, MrWalsh advised that they resulted in 'minor findings' and 'didn't indicate reporting issues in relation to transactions', and they did find areas for improvement, including training, and these were addressed by Gold Corp.
3.145Explaining AUSTRAC's approach, Mr Brown told the committee that assessments will not check compliance with every obligation:
That's the other thing to note: if we undertake an assessment of an entity, we may not look at absolutely every obligation that they have within our legislation, because we would be there for an extremely long period of time. So we try and target matters of interest. Those necessarily are early engagements that we've had with Perth Mint, and then the more recent engagement has regard to some of the information that we've obviously gleaned through the Serious Financial Crime Taskforce that had regard to elements that we're engaged in with them, in terms of when they might conduct their own internal, independent audits, which are required under the program requirements in legislation. Every entity must actually undertake an independent audit every two years, I believe it is, so those audits that entities themselves are conducting may identify particular issues that they need to remedy within their organisation.
3.146Mr Brown indicated that it was 'not uncommon' for reporting entities to themselves alert AUSTRAC of reporting failures, and that the obligation rests on the reporting entities:
If you have an obligation to provide remittance services, which is the movement of money into and out of Australia, it then becomes relevant that you actually are providing international funds transfer instructions to AUSTRAC. That's the provision that is required. Obviously, there is then the intelligence related value, in terms of information in relation to money flows et cetera.
3.147However, he also emphasised that AUSTRAC has and will continue to act where necessary:
In relation to Gold Corporation, we are taking the action that we are currently taking, and we are on the supervisory path that we currently are on to look at, necessarily, the comprehensiveness of their systems and processes at points in time. Those periods of time definitely extend back, given the different time periods that we now have been engaged on. There is a response—I suppose what I'm trying to say is that there absolutely is a response from us as the regulator in relation to what is occurring …
Other governance and risk matters
3.148While the following matters are largely outside of the scope of this inquiry—as they do not relate to Commonwealth regulatory matters—they nevertheless help build a view of the risk appetite of the then Board and senior management.
3.149Areas in which governance and risk management matters have arisen:
suppliers and procurement—including in relation to employment matters, seeking to engage cybersecurity services, and the gold supply chain. The latter resulted in a London Bullion Market Association (LBMA) Incident Review which found no misconduct or issues of non-conformance and saw Gold Corp remain on the Good Delivery List, while highlighting the need for improvements to due diligence and risk management;
gold exchange standard—Gold Corp's silver content of the permitted 0.01per cent non-gold component in its gold bars exceeded the Shanghai Gold Exchange specification of no more than 50 parts per million, for a limited number of gold bars. The Perth Mint took 'immediate action' to address the production issue. An LBMA review saw The Perth Mint remain on the Good Delivery List, and make improvements to its management systems;
purchase and investment products—Gold Corp developed a number of purchase and investment products with a commercial focus, at the time also working to increase GoldCorp's profile in Australia and overseas, and actively market its business. These products included: physically backed gold ETF which was listed on the New York Stock Exchange, and GoldPass (including a United States release). Around the same time, Trovio developed a digital token on the public blockchain—The PerthMint Digital Gold Token. It was a Trovio product branded under licence agreement with The Perth Mint. The Mint was 'custodian of the gold which was purchased by Trovio to back PMGT', however, 'the primary onus for AML/CTF compliance rested with Trovio'. These products have since been withdrawn; and
US Model State Commodity Code breach—in 2022 Gold Corp reported it had potentially breached the US Model State Commodity Code1985, affecting its ability to trade in some states. The potential non-compliance dated back to the late 1990s and affected 1305 accounts. Gold Corp is resolving the matter with the US regulator.
Calls for further reviews
3.150The WA Opposition advocated for a Royal Commission to help ensure the integrity of WA's gold and retain 'the confidence of our trading partners and the Australian public'. Mr Shane Love MLA wrote to the PrimeMinister calling for a Royal Commission to investigate issues beyond AUSTRAC's remit. Mr Love told the committee:
Members of the Committee will note I have called for a Royal Commission to be established to investigate the full breadth of the very troubling matters surrounding the Mint. Noting the ongoing AUSTRAC investigation by an independent auditor and the investigation by your Committee, it is still my firm belief there is sufficient need for such a Commission to be established.
3.151At the time, the WA Government referenced the AUSTRAC inquiry and noted that a further inquiry would 'duplicate this effort … and risks compromising these independent investigations'. The Australian Government agreed, with Senator the Hon Katy Gallagher, Minister for Finance, stating:
Calls for a royal commission by the WA opposition should be matters that the WA parliament deals with, and the suitable response should be there. But we are satisfied with the work that is underway via AUSTRAC doing their assessment, which is due to report to the government, or due to release its report, in May 2023.
3.152As discussed in Chapter 2, the WA Government established its own review in September 2022. At the time of writing the outcomes of the review had not been reported.