What it means to be regulated under the AML/CTF regime
The Anti-Money Laundering and Counter-Terrorism Financing Amendment Bill 2024 would amend some of the key obligations under the AML/CTF regime. This page sets out what it would mean to be regulated if the Bill is passed by the Parliament and the changes under the Bill begin.
Australia’s anti-money laundering and counter-terrorism financing (AML/CTF) regime uses a ‘designated services’ model for regulation.
If a business provides one or more designated services, it is covered by the AML/CTF regime. This requires a business to put in place measures to prevent exploitation by criminals, including early identification of criminality or potential criminal activity.
Not all businesses in a sector are regulated by the AML/CTF regime—only businesses that provide the designated services that are set out in the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (the AML/CTF Act).
In addition, AML/CTF obligations may not apply to everything a business does—only to the specific designated services set out in the AML/CTF Act.
Key obligations
Businesses need to fulfil the following key obligations to protect themselves from misuse by criminals.
1. Enrol with AUSTRAC
If your business provides a designated service, you are a reporting entity and required to enrol with AUSTRAC. When you enrol with AUSTRAC, you are given an account with AUSTRAC Online. This allows you to submit transaction and compliance reports online, and view and update your enrolment details.
If your business provides one or more of the remittance or virtual asset-related designated services described in the AML/CTF Act, you also need to register with AUSTRAC unless your business is a financial institution.
2. Develop and maintain an AML/CTF program tailored to your business
An AML/CTF program sets out how your business will identify and assess the money laundering, terrorism financing and proliferation financing risks it faces, and outlines the controls that your business will use to mitigate and manage those risks.
Risk assessment
The AML/CTF regime takes a ‘risk-based approach’, where reporting entities design and implement measures commensurate with the level of money laundering and terrorism financing risk they face. When considering your business risks, the four main elements to consider are:
- the types of customers
- the type of services you provide
- how your business provides those services and through what channels
- the jurisdictions your business deals with when providing services.
Depending on how the elements above apply to your business, you will have different risks.
For example, if your business is a real estate agency and you normally deal with clients who are buying or selling ordinary suburban residential properties as owner-occupiers, your risk exposure may be lower than if you commonly deal with international high-net-worth individuals buying luxury properties.
In this scenario, if you provide a designated service to a young Australian couple buying their first home, this may present a lower risk. Your AML/CTF program may only require your staff in this lower risk circumstance to follow procedures for simplified identity checks. Where the customer is a foreign person of political influence, your AML/CTF program should require staff to conduct more enhanced and robust identity checks.
AUSTRAC can provide guidance to assist you in identifying and assessing risks specific to your business.
Risk mitigation measures and internal controls
In addition to the risk assessment, you will be required to introduce policies, procedures, systems and controls to mitigate and manage the money laundering and terrorism financing risks faced by your business. These policies must:
- mitigate and manage the risk of money laundering, terrorism financing and proliferation financing faced in providing a designated service
- ensure that your business complies with the requirements imposed by the AML/CTF regime
- be appropriate to the nature, size and complexity of the business.
In addition to these general requirements that apply to all entities, reporting entities located in Australia are specifically required to have policies to:
- undertake employee due diligence on employees or contractors that will fulfil AML/CTF functions
- provide training to employees that will undertake AML/CTF functions
- conduct independent evaluations of the AML/CTF program at least every 3 years.
Reporting groups
A reporting group will be required for all traditional corporate groups, but groups outside of these structures will also be able to choose to form reporting groups and may be able to take advantage of group-wide risk management, group-level compliance management and group-wide information sharing. The centralisation of AML/CTF program-related requirements provides more flexibility and efficiency, and better management of the risks faced by the group as a whole. The lead entity of a reporting group is required to include policies in the group-wide program that provide for group-wide compliance and information sharing.
3. Conduct initial customer due diligence
A reporting entity must establish the identity of its customer. To do this, it must:
- collect information that identifies the customer and the money laundering, terrorism financing and proliferation financing risks associated with providing services to them
- verify their identity using independent and reliable data.
Initial CDD assists the reporting entity to understand, mitigate and manage the risks associated with providing designated services to the customer. As part of initial CDD, a reporting entity needs to do the following.
- Identify the customer, including any beneficial owners if relevant, any person on whose behalf the customer is receiving the service, or any person acting on behalf of the customer. For example, this could include checking a driver’s licence, passport, company registration on the Australian Securities and Investments Commission (ASIC) website, or asking the customer about ownership structures.
- Identify whether the customer is a politically exposed person or person designated for targeted financial sanctions. For example, this could include asking the customer directly about whether they fit into either of these categories, checking the customer’s background against public information, or using third party vendors or organisations to check.
- Understand the nature and purpose of the relationship with the customer.
A reporting entity must undertake initial CDD before beginning to provide a designated service, unless certain specified exceptions apply. The level and type of initial CDD will be informed by the customer risk.
How to identify and verify the customer
In order to identify the customer, a reporting entity needs to collect and verify ‘Know Your Customer’ (KYC) information. For individual customers, a reporting entity must establish that the customer is who they claim to be. It also needs to identify the customer’s money laundering, terrorism financing and proliferation financing risks, based on the KYC information that they have available to them.
The AML/CTF Rules may specify certain KYC information must be collected for different kinds of customers in Australia. AUSTRAC will also produce guidance to support reporting entities to implement the initial CDD obligations in their business.
For example, for individual customers, initial CDD could include collecting the customer’s name, date of birth and address. A reporting entity has flexibility about how, and the extent to which, it verifies that information. This could include verifying the details using the customer’s driver’s licence and checking that the photograph on the driver’s licence matches the customer.
For corporate customers, initial CDD could include collecting the company’s full name, ABN and address. A reporting entity has flexibility about how it verifies that information. This could include verifying the details by checking the company’s ASIC registration and, if it is a proprietary company, by collecting the name of each director and of each shareholder holding 25% or more of the shares in the company.
Types of initial CDD
There are three types of initial CDD that can be conducted, based on the customer risk:
- Standard CDD, where the reporting entity collects and verifies KYC information in line with any requirements in the AML/CTF Rules and the reporting entity’s AML/CTF program.
- Enhanced CDD, where the reporting entity must apply additional measures to high-risk customers, for example, foreign politically exposed persons.
- Simplified CDD, where the reporting entity may apply simplified due diligence measures to low-risk customers.
For example, if a customer is reasonably assessed to present a low money laundering, terrorism financing and proliferation financing risk, a reporting entity may apply simplified initial CDD measures in line with their AML/CTF policies. This could include:
- requiring less evidence for verifying KYC information
- not seeking information on the nature and purpose of the business relationship where this can be inferred from the designated service.
4. Conduct ongoing customer due diligence
Reporting entities are required to conduct ongoing CDD, which requires them to monitor for any suspicious activities, unusual transactions and material changes in their customers’ behaviour. Where you have a business relationship with a customer, you must also periodically review and update KYC information about the customer and their money laundering, terrorism financing and proliferation financing risk.
A reporting entity must apply ongoing CDD measures proportionate to the risk of the customer throughout the course of a business relationship. This will look different depending on the length of the customer relationship, for example, a one-off transaction versus an ongoing business relationship.
Types of ongoing CDD
There are three types of ongoing CDD that can be conducted, based on the customer risk:
- Standard CDD, where the reporting entity monitors the customer in line with any requirements in the AML/CTF Rules and the reporting entity’s enterprise AML/CTF program.
- Enhanced CDD, where the reporting entity must apply additional measures to high-risk customers, for example, foreign politically exposed persons.
- Simplified CDD, where the reporting entity may apply simplified due diligence measures to low-risk customers.
For example, if a customer is reasonably assessed to present a low money laundering, terrorism financing and proliferation financing risk, a reporting entity may apply simplified ongoing CDD measures in line with their AML/CTF policies. This could include:
- less frequently re-verifying KYC information
- establishing different thresholds for transaction monitoring alerts.
5. Report certain transactions and suspicious activity
Reporting entities are required to report certain transactions and activity to AUSTRAC, which can be done through the AUSTRAC Online account.
Entities are required to submit a Threshold Transaction Report any time a transaction with a client involves $10,000 or more in cash. Entities must also submit a Suspicious Matter Report (SMR) if they suspect on reasonable grounds that a client is not who they claim to be, or there may be criminal activity.
6. Make and keep records
Reporting entities are required to make and securely store records about their customer due diligence measures, the services provided and how they are meeting their AML/CTF obligations. If a reporting entity is misused for criminal purposes, records may help AUSTRAC or other authorities investigate.
In relation to CDD, your business is not required to keep copies of identity documents. Instead, you are required to retain records of what you did to identify a customer and the identifying information the customer presented. For example, reporting entities are required to make records of the details found on a passport that was used for verification purposes, rather than needing to take a copy of the passport itself.
All reporting entities regulated under the AML/CTF regime are required to comply with the Privacy Act 1988.