Intellectverse - AML Risk Management


In line with the 2016 Statutory Review, the Attorney General’s Department proposes to reform the Act to more clearly set out the globally recognised core AML/CTF measures and reinforce the risk-based approach to regulation. This will support regulated entities to prevent and detect financial crime by shifting the approach away from ‘tick a box’ compliance towards effective measures to identify, mitigate and manage money-laundering and terrorism financing risks.

Clarifying the obligations in the Act will reduce the burden on businesses of interpreting complex provisions. Similarly, changes to the Rules will help regulated entities to understand the outcomes they are expected to achieve. The Rules will be supported by guidance materials targeted at assisting regulated entities to implement effective AML/CTF measures within their businesses.

The 2016 Statutory Review identified two key obligations for priority reform:

·       the requirement to adopt and maintain an AML/CTF program to identify, mitigate and manage money laundering and terrorism financing risks, and

·       the requirements around customer due diligence.

In addition to these matters, the Department proposes reforms to modernise aspects of the regime to ensure provisions are fit for purpose, consistent with international standards and reduce the operational burden for industry and AUSTRAC. This includes:

·       lowering the reporting thresholds for the gambling sector

·       amending the tipping-off offence

·       extending the regulation of digital currency exchanges

·       modernising the travel rule

·       providing a statutory exemption for assisting an investigation of a serious offence

·       revising the obligations introduced during the COVID-19 pandemic, and

·       repealing the Financial Transaction Reports Act 1988

Obligations - Current State vs. Proposed State

The following sections follow a three-column layout: the AML/CTF obligation, the current state and its challenges, and the proposed changes. For each obligation heading below, the first paragraph describes the current state and the following paragraph(s) describe the proposed changes.

AML/CTF Program

Issues with current regime –
• the distinction between Part A and Part B of AML/CTF programs is complex
• obligations related to simplified due diligence were assessed in Australia’s 2015 FATF Mutual Evaluation as being non-compliant, and
• the lack of an express statement in the Act or Rules setting out the requirement for regulated entities to conduct a money laundering and terrorism financing assessment, despite many of the requirements for risk-based systems and controls implicitly requiring it.

Streamlining Part A and Part B into a single program
Part A and Part B requirements could be streamlined into a single requirement to develop, implement and maintain an AML/CTF program that is effective in identifying, mitigating and managing a regulated business’ money laundering and terrorism financing risk.

Risk Assessment

The explicit requirement to assess risk is absent from the current regime, with the obligation to assess risk implied from a number of provisions.

The Act could establish a clear overarching requirement that a regulated entity must take appropriate steps to identify, assess and understand the money laundering and terrorism financing risks it faces prior to the implementation of an AML/CTF program, including that:
• in determining risk level, a regulated entity must have regard to the nature, size and complexity of its business
• a regulated entity must document its risk assessment methodology, and
• a regulated entity must review and update its risk assessment when there is a change to its circumstances which affects its risk exposure.
The Rules could provide specific detail on each risk assessment requirement, including:
• event triggers for reviewing a risk assessment
• implementation of AUSTRAC guidance or feedback relevant to assessing money laundering and terrorism financing risks, and
• any required elaboration on event triggers, or appropriate periods for review of a regulated entity’s risk assessment.

Mitigating risk - Internal controls

The Rules specify some expected mitigation measures, but this detail is provided in separate chapters of the Rules.

The simplified model could make mitigation easier for regulated entities by clearly articulating an overarching risk mitigation obligation in the Act: regulated entities would develop and implement enterprise-wide controls to address the risks identified in their risk assessment. These controls could then form part of their AML/CTF program.

Group wide risk management for designated business groups

Currently, only members of the same designated business group can have a joint AML/CTF program. This limits the ability of designated business groups to manage risks, as related entities that are not themselves regulated entities cannot be party to the joint AML/CTF program even if they are performing compliance functions.

The Department proposes that related entities within a business group that perform functions to support regulated entities to comply with AML/CTF obligations should be captured under a designated business group, whether or not they are themselves regulated entities.

Proliferation financing risk

Australia does not currently explicitly require regulated entities to consider and mitigate proliferation financing risks, although such risks are indirectly captured by certain requirements in the regime.

The Department is considering potential reforms to clarify the requirement for regulated entities to manage their proliferation financing risks as part of their AML/CTF programs, noting that the level of exposure to such risk will vary significantly between sectors.

Foreign branches and subsidiaries

Challenges can include:
• limited reporting and record keeping obligations for designated services provided through overseas payment establishments
• limited internal controls for foreign branches and subsidiaries, and
• minimal additional systems and controls for a regulated entity that is operating in a foreign jurisdiction and is regulated by AML/CTF laws comparable to Australia's.

These could be replaced with simplified and consolidated obligations in line with global best practice standards. The Act could be amended to include specific requirements, including that Australian businesses operating overseas should apply measures consistent with their AML/CTF programs in their overseas operations, to the extent permitted by local law.

Customer due diligence - Understanding Customer Risk

The core obligation to assess customer risk requires regulated entities to assess and understand the risks presented by each customer.

The Act could provide an overarching obligation to assess and understand the risk for each new and ongoing business relationship with a customer based on an assessment of key risk factors, including customer type, geographic risk, the type of service and the method of delivery. The Rules could provide specific risk factors to be considered as part of customer risk rating.

Customer due diligence - Know your customer

The current "know your customer" obligation requires regulated entities to have and carry out applicable customer identification procedures that enable the regulated entity to be satisfied it knows the identity of the customer.

The Rules could set high-level standards for risk-based customer due diligence policies, procedures and controls, and continue to specify the special circumstances in which identification and verification can be done after a designated service is provided.
The Act could require a regulated entity to apply ongoing customer due diligence measures, proportionate to the risk, that enable the entity to:
• ensure that transactions conducted are consistent with the entity’s understanding of a customer’s business and risk profile, by identifying unusual transactions and behaviours
• update and, where appropriate, re-verify customer information, including whether they are a politically exposed person, and
• update the regulated entity’s risk assessment of the business relationship.

Ongoing customer due diligence

The current "ongoing customer due diligence" obligation requires regulated entities to monitor customers for the purpose of identifying, mitigating and managing money laundering and terrorism financing risk, and requires entities to have a transaction monitoring program.

The Rules could require a regulated entity to have:
• risk-based systems and controls to update and review customer due diligence information, and
• a tailored transaction monitoring program.
The Rules could also continue the requirement to re-verify customer information where the regulated entity has doubts about its adequacy or veracity.

Enhanced customer due diligence

Enhanced customer due diligence: Regulated entities must apply additional measures to higher risk customers.

The Act could require a regulated entity to apply enhanced customer due diligence measures where:
• it has assessed that the risk associated with the business relationship is high
• there is a suspicion of money laundering, terrorism financing, or identity fraud and the reporting entity proposes to continue the business relationship
• the customer or its beneficial owner is a foreign politically exposed person, or
• the customer or its beneficial owner is from a high-risk jurisdiction for which the FATF has called for enhanced due diligence to be applied.

Simplified due diligence

Simplified due diligence and safe harbour provisions: regulated entities may be permitted to apply simplified customer due diligence checks to low-risk customers. The current safe harbour and simplified due diligence provisions are prescriptive and were found to be FATF non-compliant in Australia's 2015 Mutual Evaluation, being insufficiently risk-based.

The Act could permit regulated entities to apply simplified due diligence measures where the entity has reasonably assessed that the risk associated with the business relationship is low and none of the triggers for enhanced customer due diligence apply. This would replace the safe harbour provisions currently contained in the Rules.

Lowering the reporting threshold for gambling sector

The regime exempts regulated entities from performing customer due diligence procedures when providing some gambling services which involve less than AUD10,000.

Reforms could reduce the money laundering risk in this sector by lowering the customer due diligence exemption threshold for gambling services to AUD4,000, which would improve compliance with the FATF standards.

Tipping Off

Under the current framework, sharing suspicious matter report (SMR) information is generally prohibited by the tipping-off offence. Regulated entities that centralise financial crime operations in offshore subsidiaries or with third parties (domestic or overseas) therefore need to seek an exemption.

The reforms could adopt a flexible, outcomes-focused tipping-off regime that targets and prohibits conduct intended to compromise a law enforcement investigation.

Digital currency exchange

The Act currently regulates digital currency exchange providers when they engage in the exchange of digital currency (cryptocurrency) for fiat currency (AUD for example) or vice versa.

Consistent with the updated FATF standards on virtual assets, the proposed reforms could expand regulation to cover the following services:
• exchanges between one or more other forms of digital currency
• transfers of digital currency on behalf of a customer
• safekeeping or administration of digital currency, and
• provision of financial services related to an issuer’s offer and/or sale of a digital currency (e.g. Initial Coin Offerings where start-up companies sell investors a new digital token or cryptocurrency to raise money for projects).

Modernising the travel rule obligations

Under the current regime, only financial institutions such as banks are required to include payer information for electronic transfers of fiat currency, and they are not required to include payee information. The current regime also does not require payer information to be verified, although this will frequently be the case where the payer is a customer of an Australian financial institution.

The proposed reforms could update the travel rule for financial institutions in line with the FATF Standards by requiring payer information to be verified, and require the inclusion of payee information.
Reforms could implement the travel rule for remitters and digital currency exchange providers, requiring payer and payee information for transfers on behalf of customers to other businesses.

Exemption for assisting an investigation of a serious offence

The current Rules allow the AUSTRAC CEO to exempt regulated entities from particular sections of the Act where providing a designated service to a customer would assist in the investigation of a serious offence. This requires investigative agencies to initiate a case-by-case application process, which AUSTRAC must then process.

Under the proposed reforms, eligible agencies would not be required to apply to AUSTRAC for an exemption. Instead eligible agencies would provide a written ‘keep open’ notice using a form specified in the Rules directly to regulated entities and copied to AUSTRAC. Receipt of a notice from an eligible agency would provide a sufficient basis for the regulated entity to rely on the legislative exemption.

Revised obligations during COVID-19 pandemic

AUSTRAC introduced Rules in 2020 (the COVID-19 Rules) to support flexible customer verification measures during the pandemic. These amendments supported regulated entities to conduct customer due diligence remotely, including relying on an uncertified copy of documents in accordance with their risk-based systems and controls.

With many businesses choosing to continue to provide online and remote service delivery, reforms could provide longer-term options for flexibility in how regulated entities meet their customer due diligence obligations that do not pose the same level of risk.

Repeal of the Financial Transaction Reports Act 1988

The 2016 Statutory Review recommended the repeal of the FTR Act and its associated regulations, and the transfer of the remaining obligations to the Act.

This would remove the duplicated requirements between the AML/CTF Act 2006 and the FTR Act 1988.