Changes to the Australian AML/CTF Regime | February 2008
By Peter Jones and Judy McGuire

The Act
The Act implements the first part of the Australian Government's AML/CTF reforms. It covers the financial sector, gambling industry, bullion dealers and lawyers and accountants if they are in direct competition with the financial sector. The second tranche of the reforms, which is still in the consultation stage, will extend the AML/CTF regime to real estate agents, jewellers and a range of non-financial transactions provided by lawyers and accountants.

The Act sets out the primary obligations of providers of designated services (reporting entities). It is supplemented by AML/CTF Rules (the Rules) and various Guidance Notes and other material published by the regulator, the Australian Transaction Reports and Analysis Centre (AUSTRAC).

Implementation
The Act is being implemented in stages. Obligations relating to customer identification, records of identification procedures and AML/CTF programs came into force on 12 December 2007, and obligations relating to ongoing customer due diligence and suspicious matter and threshold reporting will come into force on 12 December 2008. Reporting entities are required to file AML/CTF compliance reports by 31 March 2008.

A 15-month prosecution-free period will follow each stage. The Policy (Civil Penalties Order) Principles 2006 provide that, during that period, AUSTRAC will only take civil penalty action against a reporting entity where the reporting entity has failed to take reasonable steps towards compliance with its obligations.

Application to Australian and Overseas Financial Service Providers
The Act lists more than 70 types of financial activity (known as designated services). These correspond to the Financial Action Task Force (FATF) glossary definition of financial institutions and between them cover the financial services sector and the bullion and gambling sectors. In order for an activity to be a designated service, there must be a geographical connection between the activity and Australia. This connection can be established in a number of ways.

One way is where a person provides a designated service at, or through, a permanent establishment of the person in Australia. This captures Australian financial institutions doing business in Australia, but may also capture overseas entities if they do business through Australian agents.

This is because the definition of “permanent establishment” includes not only a place at or through which a person carries on any business or activities, but also a place where a person carries on business or activities through an agent (these are not restricted to the business or activities that comprise the designated service).

It follows that, if an overseas financial institution carries on any business activities at or through the premises of an Australian agent, those premises will constitute a permanent establishment of that overseas financial institution for the purposes of the Act. If the overseas financial institution then provides a designated service at or through that permanent establishment, it will be regulated as a reporting entity under the Act in respect of those designated services.

Another way is where the person providing the service is a resident of Australia and the service is provided at a permanent establishment of the person overseas.

The definition of an Australian resident includes:
1. a company that is incorporated in Australia;
2. a company that is controlled (within the meaning of the Social Security Act 1991(Cth) by an individual that is a resident of Australia; or
3. a trust, the trustee of which is resident in Australia.

A third way is where the person providing the service is a subsidiary of a company that is resident in Australia and the service is provided at a permanent establishment of the person overseas.

Core Requirements
Core requirements include customer due diligence, transaction monitoring, compliance, threshold and suspicious matter reporting, fund transfer obligations, record keeping, correspondent banking controls and the implementation of an AML/CTF program.

Reporting entities that only provide designated services through permanent establishments overseas are exempt from a number of these requirements. Specifically, they do not have to comply with the customer identification, ongoing customer due diligence, suspicious matter and threshold reporting requirements and with some record keeping requirements. Although they are required to implement and maintain an AML/CTF program, this is to a limited extent only.

A reporting entity that fails to comply with its obligations under the Act may be liable for a civil penalty. These are significant, up to AUS$11 million for a corporate and AUS$2.2 million in all other cases.

12 December 2007 Obligations
Customer identification and verification

The customer identification and verification obligations that came into force on 12 December 2007 provide that a reporting entity must not provide a designated service to a new customer without having conducted an applicable customer identification procedure (CIP) on that customer.

Existing customers (customers to whom the reporting entity has provided a designated service prior to 12 Decembers 2007) and customers who receive only low-risk designated services (at present, no low-risk services have been identified) are exempt from the general customer identification requirements and will only need to re-identify/verify if a suspicious matter reporting obligation arises. Customers who have already been the subject of a CIP must be re-verified in certain circumstances. These include, for example, where the reporting entity has reasonable grounds to doubt the customer is who it claims to be.

The Rules provide how a CIP must be carried out and require a reporting entity to set out in Part B of its AML/CTF program how it will comply with its CIP obligations.

The Rules adopt a risk-based approach by prescribing minimum identification and verification requirements. They do, however, allow a reporting entity to determine on the basis of its money laundering and terrorism financing (ML/TF) risk what additional information (if any) must be collected or verified.

Safe harbour procedures that require only minimum identification and verification are available for customers who are individuals where the ML/TF risk is assessed as low or medium. Simplified verification procedures can be relied on where the customer is an Australian listed corporate (or a subsidiary of such a corporate), or is a regulated trust Generally, where the customer is a private or proprietary company, the names of directors and the names and addresses of all individuals that own, directly or otherwise, more than 25 per cent of the company must be collected. Where the customer is a non-regulated trust, the names of all beneficiaries must be collected.

Designated business group and third parties
Reporting entities that are members of a designated business group (DBG) can rely on a CIP already carried out by another member of the same DBG.

Membership of a DBG is restricted to:

• reporting entities that are related to each other within the meaning of the Corporations Act 2000 (Cth);
• in some circumstances, persons who provide designated services under a joint venture agreement; and
• in some circumstances, overseas corporates.

Membership of a DBG has other advantages. Members can rely on other members of a DBG to discharge their ongoing customer due diligence, record keeping and compliance reporting obligations. Members of a DBG can also share a joint AML/CTF program and, in some circumstances, can share suspicious matter information.

Reporting entities can also engage agents to carry out their customer identification procedures but will remain liable for the conduct of their agents subject to common law agency principles. Additionally, they will be able to rely on customer identification procedures carried out by item 54 licensee arrangers (subject to conditions set out in the Rules). An item 54 license arranger is a reporting entity that, in its capacity as the holder of an Australian financial services license, arranges for a person to be provided with a designated service by another reporting entity.

The AML/CTF Program
The AML/CTF program requirements that came into effect on 12 December 2007 are central to the risk-based scheme established by the Act. By that date, all reporting entities must put in place and thereafter maintain an AML/CTF program (which can be a standard, joint or special program depending on whether the reporting entity is an individual reporting entity, in a DBG or a licensee arranger).

Every standard or joint AML/CTF program must be divided into two distinct parts: Parts A and B.

Part A: The general program
The primary purpose of Part A is to identify, mitigate and manage a reporting entity's ML/TF risk and it must include risk awareness training and employee due diligence programs, procedures for board and senior management oversight, independent auditing and the appointment of a Money Laundering Compliance Officer (and, from 12 December 2008, a transaction monitoring program).

Although there is no specific requirement in the Act to carry out an ML/TF risk assessment, such an assessment will form the basis of any AML/CTF program and AUSTRAC can (where it is satisfied that the reporting entity has not carried out an ML/TF risk assessment, or that it has but it is inadequate or out of date) compel a reporting entity to carry out a risk assessment and provide a written report to AUSTRAC.

In assessing its ML/TF risk, a reporting entity must consider the risks posed by its customer types, including any politically exposed persons, the types of designated services it provides and the methods by which it delivers them, the foreign jurisdictions with which it deals and the provision of designated services overseas.

Part B: Customer identification procedures
Part B of a standard or joint AML/CTF program and the special AML/CTF program must set out how a reporting entity will comply with its CIP obligations.

31 March 2008 Obligations
Compliance reporting
By 31 March 2008 (and periodically thereafter), reporting entities must provide a Compliance Report (in approved form) to AUSTRAC on their compliance with the Act.

12 December 2008 Obligations
Ongoing customer due diligence
As part of the ongoing customer due diligence requirements, from 12 December 2008, reporting entities will have to monitor their provision of designated services in Australia with a view to identifying, mitigating and managing their ML/TF risks. This will involve the implementation of Know Your Customer (KYC) systems, transaction monitoring and enhanced customer due diligence programs.

Reporting
From 12 December 2008, reporting entities must report suspicious matters, certain transactions above a threshold and international funds transfer instructions (IFTIs) to AUSTRAC.

Suspicious matter reporting
Reporting entities are required to make a report to AUSTRAC if they suspect on reasonable grounds that:

• a customer (or potential customer or the customer's agent) is not who they claim to be; or
• that information about the provision (or prospective provision) of a designated service may be:
  
  a) relevant to an investigation or prosecution of a person for tax evasion (or attempted tax evasion) of a Commonwealth, state or territory taxation law; or an offence against Commonwealth, state or territory law;
  
  b) of assistance in the enforcement of proceeds of crime legislation;
  
  c) preparatory to the commission of a Commonwealth, state or territory money laundering or terrorism financing offence.

The obligation may arise before there is any business relationship between the reporting entity and the potential customer. The suspicion (and the grounds on which it is based) must be reported within three business days of forming the suspicion or, if it relates to terrorism financing, within 24 hours.

Generally, it is an offence to disclose information relating to a suspicious matter to any person (other than AUSTRAC) but there are several exceptions. These include disclosure to a lawyer to obtain legal advice, or in certain circumstances by a lawyer, accountant or other person specified in the Rules. Additionally, it may be possible to share suspicious matter information with reporting entities in a DBG.

Threshold and IFTI reporting
Reporting entities who start to provide, or already provide, a designated service that involves a threshold transaction must report the transaction to AUSTRAC within 10 business days of it occurring. Additionally, senders or receivers of IFTIs must report all such instructions, regardless of the amount, to AUSTRAC within 10 business days after the instruction was sent or received.

Impact of the Act
It is not clear to what extent the Australian financial services sector was compliant with the 12 December 2007 deadline, or will be compliant with the 12 December 2008 deadline. AUSTRAC will be in a better position to assess this after 31 March 2008 as, by then, they should have received the majority of the Compliance Reports due to be filed by that date. This will not only enable them to assess the effectiveness of the AML/CTF reforms but also provide them with information on whether and how they should carry out their enforcement role.

Peter Jones is a partner in Allens Arthur Robinson's Financial Regulation & Compliance team and jointly leads the firm's Anti-Money Laundering team. The AML team advises a range of clients including global and national banks and fund managers on compliance with the AML/CTF Act and Rules. Contact Details: Tel: + 61 2 9230 4987 Email: Peter.Jones@aar.com.au

Judy Maguire is a Senior Associate in the Sydney Office of AAR and a core member of the AML team. Judy has international AML experience and has worked closely with FATF. Contact Details: Tel: + 612 9230 4835 Email: Judy.Maguire@aar.com.au