16 September 2024

Significant reforms to Australia’s anti-money laundering regime

Robert Wyld

For many years, Australia has doggedly let criticism of its anti-money laundering (AML) regime wash over its continental beaches without so much as a blink other than to conduct numerous reviews and consultations. Finally, the Australian Government has initiated the long-waited for Tranche 2 reforms to its AML regime with considerable fanfare. On 11 September 2024, the Government introduced into Parliament the much-anticipated Anti-Money Laundering and Counter-Terrorism Financing Amendment Bill 2024 (AML Bill).

The AML Bill addresses three key objectives:

  • capturing higher risk 'gatekeeper' professions;
  • simplifying the anti-money laundering and counter-terrorism financing (AML/CTF) regime to improve its effectiveness; and
  • modernising the regime to reflect changing business structures, technologies and illicit financing methodologies.

The proposed start date for a number of the key reforms is 31 March 2026.

The intention is that reporting entities will have sufficient time to implement the necessary changes to their policies, processes, systems and controls. This is all directed towards the Government ensuring that the reforms are in place for Australia's mutual evaluation by FATF in 2026-27.

Key impacts of Tranche 2 reforms: lessons for reporting entities

Whether you are an existing reporting entity or a professional organisation where AML/CTF obligations are to be imposed on you, you should seriously consider the following action items ahead of the reforms becoming law:

  • Understand how the reforms will impact your AML/CTF program and customer due diligence processes, including money laundering (ML) and terrorism financing (TF) customer risk ratings and handling customer-related information.
  • For gatekeeper professions, develop a clear understanding of the risks your business faces, create and update existing ML/TF risk assessments models and methodologies and AML/CTF program and processes, systems and controls to ensure compliance with the law and the expectations of the regulator, Australian Transaction Reports and Analysis Centre (AUSTRAC).
  • Adopt a holistic approach involving business unit owners, financial crime operations, risk, compliance and legal to design and contribute to your AML program, whether updating a new one or creating the program.
  • Inform and train the Board, senior management, business owners and key employees of the proposed changes, your updated AML program and the anticipated impact on your business.

There are various changes that while on their face, are an attempt to codify current expectations from AUSTRAC, it is possible some uncertainty will arise in their practical implementation. For example:

  • It is unclear what changes may trigger risk assessments, which may need to be more frequent and cover the whole of the business.
  • The rules relating to governance and the role of the AML/CTF Compliance Officer (AMLCO) (or Money Laundering Reporting Officer) may impact the application of the three lines of defence model (policies, monitoring compliance and independent testing) in the context of AML/CTF.
  • The provisions relating to tipping-off introduce new interpretational questions around what might be reasonable and in "good faith" when tipping off.
  • The introduction of the ability to share information with other reporting entities may create some interpretation issues for the detection, deterring or disrupting of ML/TF.
  • Current reporting practices relating to value transfers need to be aligned with the proposed changes.
AML/CTF risk responsibilities

Reporting entities must understand and document their ML/TF risks and design their frameworks, processes, systems and controls to ensure that ML/TF risks are managed and mitigated.

AML/CTF programs

An AML/CTF program is divided into two parts:

  • Part A to identify, mitigate and manage the money ML/TF risks that a reporting entity may reasonably face in providing designated services; and
  • Part B on applicable customer identification procedures (ACIP).

While there is no formal requirement for an AML/CTF program to have two parts, whatever AML/CTF policies exist should be designed to achieve two outcomes:

  • to manage and mitigate the ML/TF risks that a reporting entity may reasonably face in providing designated services; and
  • to ensure the reporting entity complies with the AML/CTF Act, AML/CTF Rules and regulations.

Importantly, a reporting entity must comply with its AML/CTF policies.

Where the reporting entity provides designated services at or through a place of business in Australia, it must have regard to the following key factors when carrying out that assessment:

  • the kinds of services being provided;
  • the kinds of customers of a business;
  • how the services are delivered;
  • the countries in which the reporting entity does business;
  • any guidance issued by the Australian Transaction Reports and Analysis Centre (AUSTRAC) and any other matters specified in the AML/CTF Rules; and
  • the ML/TF risk assessment must be reviewed where there is a significant change to any of the factors, or at least every three years.
AMLCO

An obligation to designate an AMLCO is contained in the AML/CTF Rules which will be moved to the Act, emphasising the importance of the role. Additional requirements will also apply. The AMLCO:

  • must be engaged at a management level and have sufficient authority, independence and access to resources and information to ensure they can perform their function effectively;
  • must be an Australian resident where the reporting entity provides designated services from a place of business in Australia;
  • must be a fit and proper person; and
  • AUSTRAC must be notified of the individual appointed to the role within 14 days of appointment.
Corporate groups

The existing concept of a “designated business group” (DBG) will be replaced with a “reporting group”. There are certain key changes:

  • DBGs must satisfy particular criteria (such as being related bodies corporate), be providing designated services and have nominated to form a DBG.
  • A reporting group can be formed where at least one member of the business group provides a designated service, which will enable non reporting entities to fulfil AML/CTF obligations on behalf of reporting entities in the group.
  • One entity will be a “lead entity” and will be responsible for undertaking ML/TF risk assessments and developing AML/CTF polices for the reporting group.
Customer due diligence
Ongoing customer due diligence

An overarching requirement when collecting customer information, reporting entities must use a 'risk-based approach' to determine what additional information is to be collected and verified. These obligations will be moved from the Rules to the Act and are framed as obligations to undertake:

  • initial customer due diligence and
  • ongoing customer due diligence;
  • establish: the customer's identity (for example, the customer is the person they claim to be);
  • understand the identity of their agents and beneficial owners;
  • assess whether they are a politically exposed person (PEP) or sanctioned;
  • review and regularly update the “know your customer” (or KYC) information; and
  • understand the nature and purpose of their business relationship with the reporting entity.
Enhanced customer due diligence

Enhanced customer due diligence (ECDD) triggers set out in the AML/CTF Rules will be moved to the Act and will require a reporting entity to apply ECDD where:

  • the customer's ML/TF risk is high:
  • a designated service is provided to a customer or beneficial owner who is a PEP;
  • a suspicious matter report (SMR) has been lodged about the customer;
  • a reporting entity proposes to enter into a transaction with a party physically present in a prescribed foreign country (currently Iran and North Korea);
  • a customer, beneficial owner or any person on whose behalf the customer is receiving the designated service is an individual, body corporate or legal arrangement physically present or formed in a high-risk jurisdiction for which FATF has called for ECDD to be applied;
  • customers who are provided designated services are part of a “nested services relationship”; or
  • the customer is of a kind specified in the AML/CTF Rules.

Pre-commencement customers are now subject to certain requirements. Pre-commencement customers are subject to customer due diligence only on specified events (e.g. an SMR obligation arises in respect of the customer). Pre-commencement customers will be subject to initial customer due diligence where:

  • an SMR obligation arises in respect of the customer; or
  • there is a significant change in the nature and purpose of the business relationship with the customer which results in a medium or high ML/TF risk rating.
Verification data

Customer identification information must be verified using reliable and independent documents or data.

Reporting entities will be required to use reliable and independent data that is appropriate to the ML/TF risk of the customer. This is likely to provide reporting entities with more flexibility when determining what sources of data they can use for verification purposes.

Tipping off

The tipping off prohibition applies to reporting entities. To ensure that the tipping off prohibition is an enduring obligation, it will apply to a person:

  • who is or has been a reporting entity; and
  • who is or was an officer, employee or agent of a reporting entity or a member of a reporting group.

The existing tipping off prohibition applies to a disclosure to any person (other than certain AUSTRAC entrusted people), except where an exemption applies. The new prohibition imposes obligations that:

  • specify who can commit the offence of tipping off (including reporting entities, reporting groups, and persons who once were a person described in the list contained in the AML/CTF Act); and
  • only applies where the disclosure would, or could, reasonably be expected to prejudice an investigation by the Commonwealth or a State or Territory, or related to Proceeds of Crime legislation.

A person may share information within a reporting group, in the context of a merger or acquisition or to consultants who are engaged by the reporting entity to support AML/CTF reviews, remediation and uplift.

A number of exceptions apply to the tipping off prohibition. Importantly, the tipping off exception for crime prevention has a 'good faith' requirement, permitting a person to make a disclosure to dissuade a customer from engaging in conduct that could constitute an offence.

Regulating high-risk professional services

Australia is currently one of only five jurisdictions which does not regulate particular 'gatekeeper' professions. The Government has noted that this places Australia at serious risk of being 'grey-listed' by FATF.

AML/CTF regime will be extended to:

  • Real estate professionals when brokering (sale, purchase or transfer), selling or transferring real estate in the course of carrying on a business.
  • Dealers (sale, purchase) in precious metals and stones in the course of carrying on a business, and where they make or receive a payment (cash, virtual currency or a combination of those) of $10,000 or more.
  • Professional service providers that assist clients with particular types of transactions (including lawyers, conveyancers, accountants, consultants, insolvency and restructuring practitioners, financial planners, wealth advisors, business brokers, company secretarial service providers, and trust and company service providers).
Legal professional privilege

The AML Bill proposes the following regime for legal professional privilege (LPP).

  • The AML Bill proposes that:
    • noting in the AML/CTF Act affects the right of a person to refuse to give information or to produce a document on the grounds of LPP; and
    • if a person has provided a description of the information or document that does not, of itself, constitute a waiver of LPP.
  • If a person receives a request to provide information or a document and reasonably believes the document or information is subject to LPP, the person must send a prescribed LPP Form to the AUSTRAC CEO.
  • The LPP Form must set out the basis of the LPP claim and any other information required in the LPP Form.
  • While a reporting entity is obliged to file a suspicious matter report, it may refuse to do so if it reasonably believes all of the information forming the basis of the reasonable suspicion in subject to LPP.

The Minister may publish Guidelines on the making or dealing with LPP claims. In our experience, it is likely a regime may be implemented that already applies to a number of Commonwealth agencies (such as the ATO, the ACCC and ASIC), requiring a reporting entity to clearly outline the process for masking and dealing with LPP claims, apart from the contents of the statutory LPP Form.

The nature of LPP claims is likely, in our experience, to give rise to potential contests, particularly if a reporting entity adopts a too broad approach. The fundamental principles of LPP need to be considered: that is, the relevant information or communication must have been created for the dominant purpose of satisfying the legal advice and the litigation LPP tests. Each communication needs to be assessed on its merits, looking at the objective evidence of all the circumstances.

Regulating virtual assets

Digital currency exchange services are captured by regulation under AML/CTF laws. The AML Bill extends to 'virtual assets', which is broader than digital currency as it removes the requirement for the asset to be generally available to members of the public without any restriction on use.

A virtual asset is defined as a digital representation of value that:

  • functions as a medium of exchange;
  • represents a store of economic value, unit of account or an investment;
  • that is not issued by or under the authority of a government body; and
  • that can be transferred, stored or traded electronically.

The AML/CTF regime will now apply to:

  • virtual asset safekeeping services;
  • the exchanging of one digital currency for another; and

providing financial services ancillary to the offer or sale of a virtual asset.

Transfers of value

The AML/CTF Act distinguishes between transfers of value undertaken by financial institutions and those undertaken by remittance service providers, which results in different obligations applying to financial institutions and remittance service providers.

The AML Bill removes this distinction, and providers of value transfer services will be regulated. This streamlines and modernises the regulation of telegraphic transfers, remittances, and other transfers of value so that they are all brought under a single definitional umbrella of “value transfer services”.

Digital transactions are not captured as a 'transfer of value'. Value transfer services will include virtual asset service providers. Value transfer services will include virtual asset service providers.

The “travel rule” (the requirement that certain payer and payee information ‘travels’ alongside a transfer of value) applies to financial institutions (ordering and beneficiary institutions) and will be extended to remittance service providers and virtual asset service providers, for both domestic and cross border value transfers.

While intermediary institutions (that pass on a transfer message in a value transfer chain) will be reporting entities, although, they will be exempt from most customer due diligence obligations because they do not have a direct customer relationship with either the payer or payee. And, an intermediary institution must monitor its transactions to identify unusual transactions and behaviours of the customers that may give rise to an SMR obligation.

International value transfer services

The AML Bill seeks to bring the obligations up to date with modern payment services. A report must be submitted for an “international funds transfer instruction” (IFTI). In addition, a report must be submitted for an “international value transfer service” (IVTS) to align with the changes to transfers of value and value transfer chain.

The reporting obligation applies to the 'sender' of the IFTI out of Australia, or the 'recipient' of the IFTI into Australia.

In relation to the reporting obligation:

  • the reporting entity closest to the Australian customer will have the IVTS reporting obligation to enable more accurate customer information to be included in IVTS reports;
  • intermediary institutions may be involved in reporting an IFTI where they are the 'sender' or 'recipient'; and
  • a reporting entity may rely on an intermediary institution to discharge its IVTS reporting obligation where the intermediary institution provides a relevant designated service, and the two entities have entered into a written agreement.

The IVTS reporting obligation will now apply to international transfers of virtual assets from an unverified self-hosted wallet including those incidental to virtual asset exchange designated services.