Changes to AML/CTF program requirements
The Anti-Money Laundering and Counter-Terrorism Financing Amendment Bill 2024 (the Bill) would update the anti-money laundering and counter-terrorism financing (AML/CTF) program requirements to:
- remove the current ‘check box’ compliance approach
- set outcomes-focused obligations for an effective AML/CTF program
- require reporting entities to take a risk-based approach to their AML/CTF program.
The Bill also removes the current prescriptive requirement for separate Parts A and B of an AML/CTF program, and provides reporting entities flexibility to structure their AML/CTF program—as long as it effectively identifies, mitigates and manages their risks.
The revised AML/CTF program obligations include:
- An overarching risk assessment obligation: reporting entities would be required to assess the risk of money laundering, terrorism financing or proliferation financing that they may reasonably face in the provision of a designated service.
- Proportionate risk mitigation measures: reporting entities would be required to implement commensurate risk mitigation measures in response to their risk assessment. The reporting entity must extend these measures to its internal policies, systems and controls to ensure a culture of compliance within its business.
- Simplified business group concept: the current ‘designated business group’ concept would be replaced with a simplified ‘reporting group’ concept that will extend to all related entities, including non-AML/CTF reporting entities where appropriate. This would allow a group of related businesses to meet their AML/CTF obligations together. The changes would facilitate greater information sharing between members of a business group and allow for appropriate group-wide risk management and sharing of AML/CTF obligations.
- Specific internal controls: the Bill would clarify the roles and responsibilities of a reporting entity’s board or equivalent senior management and its AML/CTF compliance officer. The role of the AML/CTF compliance officer would be clarified to be that of an individual in management who oversees the operational implementation of the AML/CTF program. These roles would be flexible enough to account for small businesses and sole traders.
- Simplified obligations for foreign branches and subsidiaries: the Bill would simplify and clarify requirements for reporting entities with foreign branches and subsidiaries. This would reduce complexity when Australian AML/CTF obligations interact with local laws in the host country.
Risk assessment
The Bill would establish a clear requirement that a reporting entity must conduct a money laundering, terrorism financing, and proliferation financing risk assessment, known as an ML/TF risk assessment. The reporting entity must identify and assess the risks of money laundering, terrorism financing and proliferation financing it may reasonably expect to face in providing designated services to its customers. The ML/TF risk assessment would then be used to inform the policies, procedures, systems and controls that a reporting entity includes in its AML/CTF program to mitigate and manage the risk of money laundering, terrorism financing and proliferation financing. See Risk mitigation measures for details.
The Bill would require a reporting entity’s AML/CTF program to:
- consider the nature, size and complexity of its business in determining risk level
- incorporate relevant risks identified and communicated to the reporting entity, or otherwise published by AUSTRAC.
At a minimum, reporting entities would be required to consider risks related to:
- their types of customers
- the types of designated services they provide
- the methods of delivery
- the jurisdictions they deal with.
The Bill would amend the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) to clarify that the ML/TF risk assessment must be reviewed to remain up to date. The AML/CTF Act would specify triggers for the review and update of the risk assessment.
New requirement to consider proliferation financing
To align with the FATF Standards, reporting entities must consider the risk that their business may facilitate proliferation financing when conducting a risk assessment. Proliferation financing refers to the provision of financial services, or dealing with funds or other assets, in contravention of an Australian law aimed at combating weapons of mass destruction proliferation. Most notably, this includes UN Security Council sanctions.
Exposure to proliferation financing risk will vary significantly between sectors and businesses, and the AML/CTF regime would recognise that many businesses do not have material proliferation financing exposure.
Businesses that reasonably assess that their proliferation financing exposure could be mitigated by existing measures which address money laundering or terrorism financing risks, or that the proliferation financing risk is immaterial, would not be required to implement additional policies, procedures, systems or controls.
AUSTRAC published a National Risk Assessment in 2022 that can help reporting entities incorporate proliferation financing in their ML/TF risk assessment.
Risk mitigation measures
The Bill would require that reporting entities develop, implement and maintain enterprise-wide policies, procedures, systems and controls proportionate to the nature, size and complexity of their business. These would collectively be known as ‘AML/CTF policies’ and form part of the AML/CTF program.
The amended AML/CTF Act would not specify mitigation activities or measures, but instead allow reporting entities to establish proportionate measures and leverage existing practices where appropriate.
This Bill would set out a non-exhaustive list of what the risk management and mitigation policies must cover:
- ensure that risk is considered across the reporting entity’s day-to-day operations (enterprise-wide risk management practices)
- how the policies, systems and controls mitigate and manage the risks identified in the risk assessment
- customer due diligence
- risk mitigation measures in response to updates to the risk assessment (including when adopting new technologies)
- identifying and reporting suspicious matters.
The AML/CTF Rules may provide further detail where required.
Maintaining internal controls and clarifying governance roles
The Bill would include an express obligation in the amended AML/CTF Act that requires a reporting entity to establish internal practices that ensure the business, its managers, employees and agents comply with AML/CTF obligations. These are necessary to support risk mitigation measures and ensure a culture of compliance.
Board or governing body responsibilities
A reporting entity’s board or governing body would be required to:
- oversee the AML/CTF program
- take reasonable steps to ensure that the reporting entity effectively identifies and mitigates the risks it may reasonably face.
The board or governing body would not be required to approve changes to the risk assessment, nor would it be required to exercise oversight of day-to-day, operational measures.
Where an entity does not have a board or other equivalent body to act as the governing body, this role may be performed by the individual or group of individuals with responsibility for governance and executive decision making.
AML/CTF compliance officer role and responsibilities
Reporting entities are required to designate an AML/CTF compliance officer at the management level, who will manage the implementation of operational measures.
The AML/CTF compliance officer would be responsible for:
- oversight and coordination of the AML/CTF program
- ensuring that any changes made to the AML/CTF program are approved by an individual in senior management (for example, the chief risk officer) and notified to the governing body.
For smaller entities such as sole traders, it may be appropriate for one individual to fulfil multiple roles. AUSTRAC will provide additional information in guidance.
Reporting groups and group-wide risk management
The Bill would replace the current concept of a ‘designated business group’ under the amended AML/CTF Act with a simplified ‘reporting group’ concept.
All reporting groups would be required to have a lead entity, which would be responsible for:
- assessing money laundering and terrorism financing risk across the group and its members
- developing a group-wide AML/CTF program
- applying the group-wide AML/CTF program to all Australian business group members
- ensuring that all group members are compliant with the group-wide AML/CTF program.
Membership of reporting groups can be extended to related non-reporting entities to facilitate information sharing between group members for customer due diligence and risk management.
The concept would also allow other members (including non-reporting entities) within reporting groups to fulfil AML/CTF obligations on behalf of reporting entities. A non-reporting entity member of a business group will not, however, be subject to direct AML/CTF regulation for functions delegated to them. Liability for any failings in carrying out AML/CTF obligations would remain with the reporting entity on whose behalf the obligation is carried out.
Automatic or default reporting groups
The simplified ‘reporting group’ concept would automatically capture traditional corporate group arrangements as found in the financial services sector.
Elected reporting groups
Related entities in other non-corporate structures such as franchise arrangements and partnerships would also be able to elect to form a reporting group to manage their common risks.
Lead entities in a reporting group
Under a group-wide AML/CTF program, lead entities in a reporting group would be required to provide for:
- sharing of customer due diligence information and related record-keeping requirements for customer due diligence reliance within the group
- arrangements for a group member to fulfil AML/CTF obligations on behalf of another reporting entity in the reporting group
- sharing of information about customers for risk management and mitigation as well as to support group-level compliance, audit and AML/CTF functions
- safeguarding the confidentiality of shared information, including to manage the risk of tipping off.
Simplified obligations for foreign branches and subsidiaries
The Bill would clarify the requirements for Australian reporting entities with offshore branches and subsidiaries. If the Bill passes, the amended AML/CTF Act would provide:
- the high-level and outcomes-focused principles that would be applied to all reporting entities providing designated services generally
- more specific obligations that would be applied only to those designated services provided in Australia, and not to those provided overseas.
To align with FATF Recommendation 18, the AML/CTF Act would require reporting entities to notify AUSTRAC where the laws of a host country prevent their foreign branch or subsidiary from complying with the high-level general principles in the Australian legislation. This would provide the reporting entity with a defence from civil penalty liability, should the reporting entity take steps to effectively mitigate and manage the risk presented by the conflict.
Implementation and commencement
These changes would commence on 31 March 2026.
AUSTRAC will develop guidance and educational materials to help reporting entities transition to, and comply with, the changes to the AML/CTF regime.