Changes to AML/CTF – what does it mean for current reporting entities?
Approximately 17 years after the introduction of the Australian AML/CTF regime, the government has embarked on the much-anticipated process of expanding the reach of the regime to a number of new industry sectors, including lawyers, accountants, real estate agents, professional service providers and dealers in precious stones and metals.
The reform process also includes significant changes for providers of cryptocurrency-related services (referred to in the legislation as digital currency exchange services), as well as for remittance service providers. These changes are designed to clarify some existing requirements, and also to address situations where technological advances and practical changes require changes to the current obligations.
There are also important proposed changes to the AML/CTF obligations for current reporting entities operating in the financial services sector, that is, existing providers of “designated services” who are already required to comply with the AML/CTF laws (“financial services businesses”).
These reforms are intended to “simplify, clarify and modernise” the regime, and the Attorney-General’s Department has released several consultation papers which provide helpful details about the proposed changes. Although draft legislation has not yet been released, the consultation papers provide us with detailed information about the intended changes, as well as the concepts and rationale behind the proposed changes.
1. ML/TF risk assessment
Financial services businesses are required to assess the risk that their businesses could be used for money laundering/terrorism financing (“ML/TF”) activity. This is referred to in the legislation as the ML/TF risk assessment. Once a financial services business has completed their ML/TF risk assessment, they are required to create and implement an AML/CTF Program, which sets out their policies and procedures for complying with the AML/CTF obligations (as outlined in the legislation), which meet the minimum requirements of the legislation, and are tailored, as appropriate, to their ML/TF risk assessment.
Whilst the existing legislation, as currently drafted, requires a financial services business to undertake an ML/TF risk assessment (which is then reflected in the policies and procedures set out in their AML/CTF Program), the proposed change will set this obligation out in a clearer way, with additional, practical requirements.
For example, reporting entities will be required to:
- review the ML/TF risk assessment regularly
- ensure that it is kept up-to-date
- consider proliferation financing risk[i] (where relevant)
- include Board management and oversight as a key control to manage its ML/TF risk.
2. Management oversight
Currently, financial services businesses are required to have in place management oversight processes, which ensure that senior management (including the directors, or the Board) are overseeing the way in which the business complies with its AML/CTF obligations, and manages any areas of potential or actual non-compliance, as well as any high ML/TF risk situations.
The reforms impose a number of practical steps, policies and procedures which should be included in the management oversight processes, including:
- measures which ensure that employees and agents comply with the AML/CTF Program (this could include remedial training and disciplinary action where appropriate);
- certification by senior management that the AML/CTF compliance officer is a fit and proper person for the role; and
- requiring the AML/CTF compliance officer to report at least annually to the Board or senior management, regarding the effectiveness and operation of the AML/CTF Program.
3. Designated Business Groups (“DBG”)
Currently, several financial services businesses which are “related entities” (as defined in the Corporations Act 2001), can form a DBG, whereby they can centralise some of their AML/CTF procedures, so that they are managed and complied with by one reporting entity on behalf of the group.
The proposed changes are intended to simplify this process, so that even if a member of a corporate group (who is also required to comply with the AML/CTF regime) does not come within the definition of a related entity, they can now join the DBG.
Also, if an entity is not required to comply with the AML/CTF laws, but is a member of a corporate group which includes financial services businesses, that entity can join the DBG, and the DBG’s group head is responsible for the group member complying with their AML/CTF obligations.[ii]
Other changes include simplifying the DBG requirements for financial services businesses which have foreign branches or subsidiaries, or are part of a foreign-based group.
4. Customer Due Diligence (“CDD”) procedures (also referred to as Know Your Customer or KYC procedures)
In our view, financial services businesses will welcome the proposed changes to CDD requirements, as they will provide a level of clarity and certainty as to how to comply with the requirements.
Importantly, the changes will clearly require financial services businesses to assign an ML/TF risk rating to each customer, which reflects the level of ML/TF risk faced by the business when providing their services to that customer. Whilst this is a requirement of the current legislation, it is not expressed clearly and many financial services businesses have either been unaware of the obligation, or have resisted implementing this type of process.
The legislation currently sets out a number of risk categories which must be included in the customer risk assessment process; however, this will be simplified and clarified to assist financial services businesses to comply with the obligation. Risk categories include whether the customer’s identity can be verified, the nature of the proposed business relationship with the customer, the type of services to be provided, method of delivery and jurisdiction risk.
The government proposals recognise that some financial services businesses have not complied with the requirement to assess the ML/TF risk posed by each customer, and have noted that this process will need to be conducted on all customers, including those who received a service before the reforms come into effect (to be conducted over a period of time).
The changes will also define several different types of CDD procedures which must form part of the AML/CTF Program, as follows:
- Initial CDD – to be conducted before a customer is provided with a service (and includes the initial ML/TF risk assessment);
- Ongoing CDD – which must be conducted during the relationship with the customer, and includes transaction monitoring and, where appropriate, re-verifying the CDD checks;
- Enhanced CDD – to be conducted if a customer is assessed as high ML/TF risk;
- Simplified CDD – to be conducted if a customer is assessed as low ML/TF risk; and
- Standard CDD – to be conducted on a customer who is not eligible for Enhanced or Simplified CDD.
The current obligation to keep records of all CDD checks remains.
Whilst the obligations to conduct ongoing CDD, transaction monitoring and enhanced CDD are not new, the simplification and standardisation of the CDD obligations will assist financial services businesses with their compliance, by creating a clearer framework of obligations, rather than simply requiring their procedures to be “risk-based”.
Ongoing CDD will be expanded, so that financial services businesses will be required to also be alert to any potential proliferation financing activity, serious predicate ML/TF offences,[iii] as well as other serious crime risks, which are relevant for the business and have been considered in the ML/TF risk assessment.
The changes to Simplified CDD will also include reduced verification requirements (both initially and as part of Ongoing CDD) – for example, if a customer is low risk, then reporting entities may only be required to conduct reduced CDD checks, or conduct less onerous transaction monitoring.
In relation to Enhanced CDD, the current obligations will remain the same; however, the legislation will provide more specific scenarios or relationships which, if present, will impose a positive obligation on the business to conduct Enhanced CDD checks.
5. Prohibition on tipping-off offence
Currently, financial services businesses are prohibited from disclosing information about a suspicious matter or a potential suspicious matter (“SMR information”) to any person (other than to an AUSTRAC authorised person), with some limited exceptions. The rationale for this prohibition is to protect the customer who is the subject of the SMR information from reputational damage (if they are the victim of a crime), and also to ensure that they do not alert the customer (who could be engaged in criminal activity) that their activities are being investigated.
The breadth of the current tipping-off offence has led to reporting entities being confused and unsure about when they can disclose this type of information (including within their corporate group), and also how and whether they can continue to provide services to the customer (about whom they have a suspicion).
Changes to the legislation attempt to clarify this situation, whereby the tipping-off prohibition is re-framed (and narrowed), so that rather than prohibiting the disclosure of SMR information to any person other than AUSTRAC, it will prohibit financial services businesses from intentionally disclosing SMR information where it is likely to prejudice a current or potential investigation.
Further, reckless or negligent disclosure of SMR information which prejudices an investigation, or a potential investigation, will also be an offence. An example of reckless or negligent disclosure of SMR information includes failing to develop, implement or maintain adequate AML/CTF procedures to prevent tipping-off.
The re-framing of the prohibition will allow disclosure of SMR information within corporate groups, and for other legitimate purposes, including the obligation to manage and mitigate risk, as long as the disclosure does not prejudice an investigation or a potential investigation.
As a result of these changes, financial services businesses will be able to disclose SMR information to a broader group of persons, but must ensure that they have appropriate policies, systems and controls to ensure that disclosure complies with the requirements of the legislation, including AML/CTF training and employee screening. The AML/CTF Program should include details of how the financial services business manages the risk of contravening the tipping-off prohibition, as well as the circumstances in which the financial services business would disclose SMR information, including physical controls, systems and training.
Holley Nethercote Lawyers provides detailed advice on compliance with the AML/CTF regime, and Holley Nethercote Compliance has prepared a range of template AML/CTF Programs (and supporting documents) for a range of industry sectors, including the financial services sector. Holley Nethercote Lawyers also assists many reporting entities to comply with their AML/CTF requirements, including tailoring policies and procedures so that they are both compliant with the legislation, and also reflect the requirements of the regime.
Author: Naomi Fink (Special Counsel)
Endnotes
[i] Proliferation financing means the act of providing funds or financial services which are used, in whole or in part, for the manufacture, acquisition, possession, development, export, trans-shipment, transport, brokering, stockpiling or use of nuclear, chemical or biological weapons and their means of delivery and related materials (including both technologies and dual use goods used for non-legitimate purposes), in contravention of national laws, or where applicable, international obligations (FATF Report: Combatting Proliferation Financing February 2010, page 11).
[ii] The current legislation only allows reporting entities to join a DBG, which excludes members of a corporate group which are not providing designated services as defined in the AML/CTF Act. Often, corporate groups appoint one entity in the group to manage the compliance obligations for each group member. The proposed change allows non-reporting entities to be included in the DBG, which enables all members of the groups to be subject to the same AML/CTF Program and supporting procedures.
[iii] A predicate offence is a crime that is a component of a more serious crime. For example, in relation to the serious offence of money laundering, the predicate offence could be fraud, theft or illegal gambling.