Paper 5 — information on the proposed measures to simplify the AML/CTF regime which will apply to current and new proposed reporting entities.

AML Guru
May 7, 2024


This article is part of a series explaining the measures proposed by the Attorney-General’s Department to amend the AML/CTF regime.

Paper 5 outlines proposed measures aimed at simplifying the AML/CTF regime for both current and new reporting entities. The reforms aim to replace the existing prescriptive AML/CTF program and Customer Due Diligence (CDD) requirements with clear, risk-based, and outcomes-focused obligations.

Additionally, the paper details reforms to simplify, clarify, and update obligations pertaining to:

  • Exceptions for assisting investigations of serious offences.
  • Updated obligations for gambling service providers.
  • The tipping-off offence.
  • Exemptions.
  • The repeal of the Financial Transactions Reports Act 1988 (Cth).

A. AML/CTF programs

The proposed reforms aim to simplify AML/CTF programs, reducing administrative burdens and reinforcing a risk-based approach. Here are the key elements of the revised obligations:

  1. Overarching risk assessment obligation: Reporting entities must assess the risk of money laundering, terrorism financing, or proliferation financing in the provision of designated services. Risk assessments will be codified and explicitly mentioned in the AML/CTF Act.
  2. Proportionate risk mitigation measures: Entities must implement risk mitigation measures in response to their risk assessment, extending these measures to internal policies, systems, and controls to foster a compliance culture.
  3. Simplified business group concept: The complex ‘designated business group’ will be replaced with a streamlined ‘business group’ concept, including non-reporting entities where appropriate. This facilitates information sharing and group-wide risk management.
  4. Specific internal controls: Legislation will clarify the roles and responsibilities of a reporting entity’s board or senior management and its AML/CTF Compliance Officer regarding internal controls. The Compliance Officer oversees operational AML/CTF program implementation.
  5. Simplified obligations for foreign branches and subsidiaries: Requirements for entities with foreign branches and subsidiaries will be simplified, reducing complexity when Australian obligations interact with host country laws.

1. Establishing a clearer requirement to conduct a risk assessment

The department proposes establishing a clear requirement for reporting entities to conduct a risk assessment. This would include considering the nature, size, and complexity of their business, incorporating relevant risks identified by AUSTRAC, and documenting the assessment methodology as part of their AML/CTF program. As a baseline, reporting entities would be required to consider risks related to customer types, types of designated services provided, methods of delivery and the jurisdictions they deal with. Additional factors may be specified in the Rules, if required.

A reporting entity’s board or equivalent senior management would be required to approve the entity’s risk assessment and be informed of updates to that assessment.

Reporting entities would need to review and update their risk assessments regularly, with triggers including changes to their risk profile or adoption of new technologies. They must also consider the risk of facilitating proliferation financing.

2. Ensuring reporting entities implement proportionate risk mitigation measures

To ensure proportionate risk mitigation, reporting entities would be obligated to develop, implement, and maintain enterprise-wide policies, systems, and controls aligned with the size and complexity of their business.

This obligation would be supported by specific types of risk mitigation measures that an AML/CTF program must include. These could include:

  • enterprise-wide risk management practices, to ensure that risk is considered across the reporting entity’s day-to-day operations
  • clear documentation of how the policies, systems and controls mitigate and manage the risks identified in the risk assessment
  • details about customer due diligence (initial, ongoing, enhanced and simplified)
  • review of risk mitigation measures in response to updates to its risk assessment, including when adopting new technologies, and
  • identification and reporting of suspicious matters

3. Ensuring reporting entities maintain internal controls

The department proposes several measures to ensure reporting entities maintain internal controls:

  • An express obligation in the Act would require reporting entities to establish internal practices ensuring compliance with AML/CTF obligations by the business, its managers, employees, and agents.
  • Boards or equivalent senior management would need to ensure the effectiveness of the AML/CTF program in identifying, mitigating, and managing the entity’s risk.
  • The Act would mandate reporting entities to have an AML/CTF Compliance Officer, responsible for overseeing and coordinating the day-to-day operation of the AML/CTF program.
  • The Compliance Officer would need sufficient authority, independence, and resources, proportional to the business scale, and be certified as a fit and proper person by reporting entities to AUSTRAC.
  • The AUSTRAC CEO would be empowered to make rules regarding the AML/CTF Compliance Officer position.
  • Rules would specify requirements for the Compliance Officer to report annually to the board or equivalent senior management and for reporting entities to notify AUSTRAC of any changes in the Compliance Officer’s details.
  • The Act would also mandate independent audits with a frequency determined by the entity’s risk profile, potentially every four years, with minimum standards for auditors outlined.

4. Establishing a new ‘business group’ concept and ensuring group-wide risk management

To enhance group-wide risk management, the department proposes replacing the designated business group (DBG) concept with a simplified ‘business group’ concept. This new approach would automatically include all related entities within a corporate group or other structure, simplifying risk management, information sharing, and compliance obligations.

5. Simplified obligations for foreign branches and subsidiaries

Additionally, the Act will allow flexibility for how a business group head meets general obligations under Australia’s AML/CTF regime, within the bounds of local laws in the host country. This aligns Australia’s AML/CTF regime more closely with FATF Recommendation 18.

6. Customer Due Diligence

The department proposes to revamp the Customer Due Diligence (CDD) framework by clearly outlining core obligations:

  1. Customer risk rating: Reporting entities must assign each customer a risk rating reflecting the risks associated with providing designated services to them.
  2. Initial CDD: Entities must collect and verify customer identity information and assess potential risks before providing services.
  3. Ongoing CDD: Entities must apply ongoing CDD measures proportionate to risk, including transaction monitoring and re-verifying Know Your Customer (KYC) information when needed.

The customer risk rating determines the level of CDD required:

  • Enhanced CDD: Additional measures for higher-risk customers and specified relationships.
  • Simplified CDD: Lesser measures for low-risk customers.
  • Standard CDD: For circumstances outside enhanced or simplified CDD, in line with Rules requirements.

Reporting entities must assign a risk rating before providing services and update it as part of ongoing due diligence. The format of the risk rating scale can vary but must clearly indicate high, medium, or low risk. Ratings can be applied individually or across similar customer groups.

The AUSTRAC CEO would be empowered to make rules specifying risk factors for customer risk ratings, ensuring flexibility, responsiveness to emerging risks, and clarity for reporting entities. This may include mandating high-risk ratings for certain customers linked to sanctioned countries.

7. Clarifying ‘initial customer due diligence’

The department proposes to replace the existing ‘applicable customer identification procedures’ (ACIP) with the term ‘initial CDD’. The term ‘initial CDD’ more accurately reflects the purpose of this obligation and its operation under the CDD framework. It would shift the focus from prescriptive procedures to the outcome of knowing your customer and understanding the associated risk.

8. Refining the requirements for ongoing CDD

Ongoing CDD obligations require reporting entities to monitor and understand their customers on an ongoing basis. Reporting entities must be able to detect any suspicious activities, unusual transactions, and material changes in their customer’s behaviour.

The department proposes the Act would be amended to define ‘unusual transactions or behaviour’ as those that have no apparent economic or lawful purpose, or are inconsistent with what the reporting entity knows about:

  • the customer
  • the nature and purpose of the business relationship
  • the customer risk or business profile, and
  • where relevant, the source of funds.

This would extend the ongoing CDD requirement to monitor for unusual behaviour.

9. Clarifying the application of ongoing CDD for a business relationship vs occasional transaction

If a reporting entity provides a designated service as an occasional transaction, not all ongoing CDD measures need to be applied. For occasional transactions, ongoing CDD would involve monitoring transactions and behaviours for suspicious or unusual activities over the course of the provision of service. It would not involve periodically re-verifying ‘Know Your Customer information’ or updating the customer risk rating, as the need for these would be considered discretely for each occasional transaction.

10. Confirming when enhanced CDD must apply

The enhanced CDD framework will continue existing requirements related to senior management approval to establish or continue a business relationship with a foreign PEP, or a high-risk domestic or international organisation PEP. Reporting entities will also be required to take reasonable measures to establish the source of wealth and source of funds for such PEPs.

11. Streamlining the application of simplified CDD

The department also proposes to clarify that a reporting entity is permitted to not undertake specific CDD measures where they have independently developed a suspicion of money laundering or terrorism financing, and they reasonably believe that undertaking those measures would tip off the customer. This would eliminate any perceived inconsistency between CDD obligations and the tipping off prohibition. In these circumstances, the reporting entity would be required to file a SMR in accordance with existing obligations under section 41 of the Act.

12. CDD exemption for gambling service providers

FATF Recommendation 22 requires casinos to conduct CDD when customers engage in a financial transaction equivalent to or above a designated threshold. The FATF determines this threshold to be either USD3,000 or EUR3,000. The exemption currently in Chapter 10 of the Rules has been in place since the introduction of the Rules in 2007. Therefore, the current threshold used in Australia has been well above the FATF threshold since the introduction of the AML/CTF regime.

The department proposes to lower the threshold below which reporting entities are exempt from conducting CDD measures when providing certain gambling services to customers, from transactions of less than $10,000 to transactions of less than $5,000.

13. Tipping off offence

The department proposes to reframe the tipping off offence away from a prescriptive prohibition on disclosing that a reporting entity has given or is required to give an SMR or information related to a section 49 notice, or information from which this could be inferred. Instead, the new offence will focus on preventing the disclosure of SMR information or section 49 related information where it is likely to prejudice an investigation or potential investigation.

The proposed change to the tipping off offence framework would better target the underlying harms the offence is intended to prevent while being more flexible for reporting entities. By amending the offence in this way, the new framework would clarify that reporting entities can disclose information for legitimate purposes. This includes sharing information within business groups to manage and mitigate risks in accordance with the controls and business processes that will be outlined in the group’s AML/CTF program.
