Getting ready to roll with AML reforms

 Current requirement

Proposed changes

AML/CTF programs – clarifying and simplifying

An AML/CTF program is divided into two parts – Part A (purpose is to identify, mitigate and manage the money ML/TF risks that a reporting entity may reasonably face in providing designated services) and Part B (applicable customer identification procedures).

No requirement for an AML/CTF program to have two parts.

A reporting entity must maintain an AML/CTF program which is defined to include the reporting entity's ML/TF risk assessment and AML/CTF policies. A reporting entity's AML/CTF policies should be designed to achieve two outcomes – the first is to manage and mitigate the ML/TF risks that a reporting entity may reasonably face in providing designated services, and the second is internal compliance management to ensure the reporting entity complies with the AML/CTF Act, AML/CTF Rules and regulations. Generally, these policies will include matters that are currently dealt with in Part A and Part B, however the definition of AML/CTF policies is broad and includes 'the policies, procedures, systems and controls' developed and updated to achieve these outcomes. Importantly, a reporting entity must comply with its AML/CTF policies.

Requirement to carry out ML/TF risk assessment is inferred.

An express obligation to carry out an ML/TF risk assessment which identifies and assesses the risks of money laundering, financing of terrorism and proliferation financing.

Where the reporting entity provides designated services at or through a place of business in Australia, it must have regard to the following four main factors when carrying out that assessment:

• the kinds of services being provided;
• the kinds of customers of a business;
• how the services are delivered; and
• the countries in which the reporting entity does business.

In addition, a reporting entity must have regard to any guidance issued by the Australian Transaction Reports and Analysis Centre (AUSTRAC) and any other matters specified in the AML/CTF Rules.

The ML/TF risk assessment must be reviewed where there is a significant change to any of the factors, or at least every 3 years.

The AML/CTF Rules impose an obligation for the AML/CTF program to be approved by a reporting entity's governing board and senior management and subject to ongoing oversight by the governing board and senior management.

A reporting entity's governing body must exercise ongoing oversight of the reporting entity's ML/TF risk assessment, compliance with its own AML/CTF policies, and compliance with the AML/CTF regime. The governing body must also take reasonable steps to ensure the reporting entity is identifying, assessing, mitigating and managing ML/TF risks and otherwise complying with the reporting entity's AML/CTF policies, AML/CTF Act and AML/CTF Rules.

A senior manager must approve the reporting entity's AML/CTF policies.

The governing body must be notified of any updates to the ML/TF risk assessment.

An obligation to designate an AMLCO is contained in the AML/CTF Rules.

This obligation will be moved to the Act, emphasising the importance of the role. Additional requirements will also apply. For example, the AMLCO:

• must be engaged at a management level and have sufficient authority, independence and access to resources and information to ensure they can perform their function effectively;
• must be an Australian resident where the reporting entity provides designated services from a place of business in Australia; and
• must be a fit and proper person.

AUSTRAC must be notified of the individual appointed to the role within 14 days of appointment.

'Designated business group' replaced with 'reporting group'

Designated business group must fall within particular criteria (such as being related bodies corporate), be providing designated services and have nominated to form a designated business group

 Replaced by a 'reporting group' concept.

• A reporting group can be formed where at least one member of the business group provides a designated service. This will enable non reporting entities to fulfil AML/CTF obligations on behalf of reporting entities in the group.
• One entity will be a 'lead entity' and will be responsible for undertaking ML/TF risk assessments and developingAML/CTF polices for the reporting group.

Customer due diligence

 Customer due diligence includes:

• Applicable customer identification procedures with the AML/CTF Rules requiring the collection and verification of basic identification information.
• Ongoing customer due diligence.
• An overarching requirement that when collecting customer information, reporting entities must use a 'risk based approach' to determine what additional information is to be collected and verified.

Moving these requirements to the AML/CTF Act and reframing them as:

• Requirements to undertake 'initial customer due diligence' and 'ongoing customer due diligence'.
• An outcomes focussed approach to (on reasonable grounds) establish: the customer's identity (eg the customer is the person they claim to be); the identity of their agents and beneficial owners; whether they are a politically exposed person (PEP) or sanctioned; and information about the nature and purpose of their business relationship with the reporting entity.

Ongoing customer due diligence program requirements are set out in the AML/CTF Rules.

This obligation will be moved to the Act, and will include an express requirement to:

• continually monitor for changes in a customer's ML/TF risk; and
• review know your customer (KYC) information at a frequency appropriate to the customer's ML/TF risk rating, and update customer information where the reporting entity has doubts about the veracity of the customer's KYC information.

Enhanced customer due diligence (ECDD) triggers are set out in the AML/CTF Rules and require a reporting entity to apply ECDD where the customer's ML/TF risk is high, a designated service is provided to a customer or beneficial owner who is a PEP, a suspicious matter report (SMR) has been lodged about the customer or where a reporting entity proposes to enter into a transaction with a party physically present in a prescribed foreign country (currently Iran and North Korea)

 ECDD triggers will be set out in the Act, and in addition to the existing triggers, ECDD will be required where:

• a customer, beneficial owner or any person on whose behalf the customer is receiving the designated service is an individual, body corporate or legal arrangement physically present or formed in a high risk jurisdiction for which FATF has called for ECDD to be applied;
• customers who are provided designated services are part of a nested services relationship; or
• the customer is of a kind specified in the AML/CTF Rules

Pre-commencement customers: Pre commencement customers are subject to customer due diligence only on specified events (eg an SMR obligation arises in respect of the customer).

 Pre-commencement customers will be subject to initial customer due diligence where:

• an SMR obligation arises in respect of the customer; or
• there is a significant change in the nature and purpose of the business relationship with the customer which results in a medium or high ML/TF risk rating.

Verification data: Customer identification information must be verified using reliable and independent documents or data.

Reporting entities will be required to use reliable and independent data that is appropriate to the ML/TF risk of the customer. This is likely to provide reporting entities with more flexibility when determining what sources of data they can use for verification purposes.

Tipping off – simplifying the prohibition to focus on ensuring that it doesn't hinder criminal investigations and enables reporting entities to detect, deter and disrupt ML/TF

Tipping off prohibition applies to reporting entities. To ensure that the tipping off prohibition is an enduring obligation – it will apply to a person:

• who 'is or has been' a reporting entity; and
• who is or was an officer, employee or agent of a reporting entity or a member of a reporting group.

Tipping off prohibition applies to a disclosure to any person (other than certain AUSTRAC entrusted people), except where an exemption applies. The blanket prohibition will be repealed and replaced with a new prohibition that:

• specifies who can commit the offence of tipping off (including reporting entities, 'reporting groups', and persons who once were a person described in the list contained in the AML/CTF Act); and
• only applies where the disclosure would, or could, reasonably be expected to prejudice an investigation by the Commonwealth or a State or Territory, or related to Proceeds of Crime legislation.

Under the changes, a person could share information within a reporting group, in the context of a merger or acquisition or to consultants who are engaged by the reporting entity to support AML/CTF reviews, remediation and uplift.

A number of exceptions apply to the tipping off prohibition.

The tipping off exception for crime prevention remains but now has a 'good faith' requirement embedded in it whereby a person can make a disclosure to dissuade a customer from engaging in conduct that could constitute an offence.

Extending the regime to virtual asset services

Digital currency exchange services are captured by regulation under AML/CTF laws

AML/CTF laws extend to 'virtual assets', which is broader than digital currency as it removes the requirement for the asset to be generally available to members of the public without any restriction on use.

A virtual asset is defined as a digital representation of value that functions as a medium of exchange, store of economic value, unit of account or an investment, that is not issued by or under the authority of a government body and that can be transferred, stored or traded electronically.

The AML/CTF Act only regulates the exchange of digital currency for fiat currency. The AML/CTF regime will apply to:

• virtual asset safekeeping services;
• the exchanging of one digital currency for another; and
• providing financial services ancillary to the offer or sale of a virtual asset.

Transfers of value

The AML/CTF Act distinguishes between transfers of value undertaken by financial institutions and those undertaken by remittance service providers, which results in different obligations applying to financial institutions and remittance service providers. 

This distinction will be removed and providers of value transfer services will be regulated. This streamlines and modernises the regulation of telegraphic transfers, remittances, and other transfers of value so that they are all brought under a single definitional umbrella of ‘value transfer services’.

Digital transactions are not captured as a 'transfer of value'. Value transfer services will include virtual asset service providers.

Value transfer services will include virtual asset service providers.

Travel rule (ie the requirement that certain payer and payee information ‘travels’ alongside a transfer of value) applies to financial institutions (ie ordering and beneficiary institutions).

The travel rule will be extended to remittance service providers and virtual asset service providers, for both domestic and cross border value transfers.

Intermediary institutions (that pass on a transfer message in a value transfer chain) are not reporting entities.

Intermediary institutions will be a reporting entity. Although, they will be exempt from most customer due diligence obligations because they do not have a direct customer relationship with either the payer or payee.

Although, an intermediary institution must monitor its transactions to identify unusual transactions and behaviours of the customers that may give rise to an SMR obligation.

International value transfer services – reducing IFTI reporting complexity, having regard to modern payment services

A report must be submitted for an 'international funds transfer instruction' (IFTI).

A report must be submitted for an 'international value transfer service' (IVTS) to align with the changes to transfers of value and value transfer chain.

The reporting obligation applies to the 'sender' of the IFTI out of Australia, or the 'recipient' of the IFTI into Australia.

The reporting entity closest to the Australian customer will have the IVTS reporting obligation.

This will enable more accurate customer information to be included in IVTS reports.

Intermediary institutions may be involved in reporting an IFTI where they are the 'sender' or 'recipient'.

A reporting entity may rely on an intermediary institution to discharge its IVTS reporting obligation where the intermediary institution provides a relevant designated service and the two entities have entered into a written agreement.

No reporting obligation for digital currency transfers.

The IVTS reporting obligation will apply to international transfers of virtual assets from an unverified self hosted wallet including those incidental to virtual asset exchange designated services.

Regulating additional high-risk gatekeeper professions

Australia is currently one of only five jurisdictions which does not regulate particular 'gatekeeper' professions. The Government has noted that this places Australia at serious risk of being 'grey-listed' by FATF

AML/CTF regime will be extended to:

• Real estate professionals when brokering (sale, purchase or transfer), selling or transferring real estate in the course of carrying on a business.
• Dealers (sale, purchase) in precious metals and stones in the course of carrying on a business, and where they make or receive a payment (cash, virtual currency or a combination of those) of $10,000 or more.
• Professional service providers that assist clients with particular types of transactions (including lawyers, conveyancers, accountants, consultants, insolvency and restructuring practitioners, financial planners, wealth advisors, business brokers, company secretarial service providers, and trust and company service providers).

Moving some exemptions to the AML/CTF Act and time limiting others

A number of exemptions appear in the AML/CTF Rules.

Some exemptions currently in the AML/CTF Rules will move to the AML/CTF Act by either reframing the primary obligation or incorporating an express exemption, and exemptions that remain in the AML/CTF Rules will be time limited.