Focus: Anti-money Laundering July 2006
Customer identification requirements under revised Anti-Money Laundering and Counter-Terrorism Financing Bill
In brief: The revised Exposure Draft Anti-Money Laundering and Counter-Terrorism Financing Bill, released on 13 July 2006, has addressed a number of problems identified by industry in the previous Exposure Draft Bill. Significant changes have been made, but concerns as to how to interpret some parts of the Bill and its impact on the financial sector remain. This Focus - the first in a series to be issued by AAR on the Bill - deals with the customer identification requirements. Partners Anna Lenahan and Peter Jones and Senior Associate Judy Maguire explain.
Introduction
Transition and timing
The critical question of a transition period still remains unanswered. The Minister for Justice and Customs, Senator Chris Ellison, has not outlined a transition period for the new anti-money laundering (AML) and counter-terrorism financing (CTF) law to take effect, although it is understood that a period of 12 months is the Federal Government's preference. A decision on this will need to be made quickly to allow industry (which is seeking a transition period of at least two years) to plan and resource the substantial changes to their systems and processes that will be required.
In the meantime, submissions on the revised Bill are due by 4 August 2006 and it is anticipated the Exposure Draft Anti-Money Laundering and Counter-Terrorism Financing Bill (the Bill) will be introduced to Parliament in the Spring 2006 session and then referred for inquiry to the Senate Legal and Constitutional Committee (which may provide another opportunity for submissions to be made).
The package
The substantive requirements of the new AML/CTF regime (including those relating to customer identification) remain in the Bill, but a lot of the detail is contained in the Rules, which were also released on 13 July (including the detail as to what specific customer identification information is required and the methods by which these requirements can be implemented). Some draft Rules remain outstanding and the Government (in a table of Rules published with the Bill) has indicated some of these will be the subject of consultation.
The Bill will also be supplemented by Regulations, which could have a significant impact on the application of the legislation. So far no Regulations have been released.
The Government has indicated that Guidelines will be developed by the Australian Transaction Reports and Analysis Centre (AUSTRAC) in consultation with industry. These Guidelines will not be legally binding, but will be issued to assist reporting entities to interpret their obligations (and it is anticipated that, in time, these Guidelines will represent a 'best practice' approach for reporting entities).
The Bill
Overview
The Bill imposes AML/CTF obligations on a wide range of financial service providers (including those in the banking, life insurance, managed funds and superannuation sectors) and on the gambling sector.
Core requirements include enhanced customer due diligence, transaction monitoring, threshold and suspicious matter reporting, record keeping, correspondent banking controls and the implementation of an AML/CTF program.
The customer identification obligations require entities (referred to as reporting entities) who provide specified services,1 to identify and verify (and in some circumstances re-verify) the identity of their customers, and carry out ongoing customer due diligence. These requirements are discussed below.
The general requirement
As a general requirement, reporting entities will be required to identify and verify the identity of all new customers and any persons authorised to act on behalf of the customer (the customer's agent) before they can provide the customer with a designated service (unless they have already been appropriately identified and verified). How that procedure, which is referred to in the Bill as the 'applicable customer identification procedure' or the 'applicable agent identification procedure', is implemented is set out in the Rules and discussed below under the heading 'The Rules'.
If 'special circumstances' apply, customer identification procedures can be carried out after (but no later than five business days after) the provision of the designated service.2 What are 'special circumstances' will be a matter for the Rules (which are expected to be issued after consultation with industry).
Existing customers
Existing customers (and their agents) are exempt from the general customer identification requirements. Under the Bill, if a customer was provided with a designated service before the legislation comes into effect, that customer (and its agent) will be exempt from customer identification requirements.
It is only if a suspicious matter reporting obligation (which is likely to have been triggered by a transaction monitoring program) arises that a customer identification procedure will need to be applied to an existing customer. If that happens, a reporting entity (in addition to making the suspicious matter report) will be prohibited from providing a designated service to the customer until the customer (or, if applicable, the customer's agent) is identified either by the reporting entity or an authorised third party (or such other action as required by the Rules is taken, such as freezing the customer's account).
The suspicious matter reporting obligations of reporting entities (which will be the subject of an upcoming Focus) are set out in section 39 of the Bill and arise where the reporting entity (or an authorised third party) suspects on reasonable grounds that either:
- the person who receives, or will receive, the designated service is not who they claim to be;
- information concerning the provision, or the prospective provision, of the designated service may be:
  - connected to a breach of a tax law;
  - connected to a Commonwealth or state offence;
  - of assistance to a Proceeds of Crime Act 2002 (Cth) investigation; or
- the provision or the prospective provision of the designated service may be:
  - preparatory to a money laundering or terrorist financing offence;3 or
  - relevant to an investigation into a money laundering or terrorist financing offence.
This approach to existing customers does not go quite as far as the Financial Action Task Force (FATF) requirements which, applying the Basle Principles, suggest4 that a review of existing customers' identification is appropriate where:
- a transaction of significance takes place;
- customer documentation standards change; or
- there is a material change in the operation of the customer's account.
Low-risk services
The Bill provides that certain low-risk designated services (to be specified in the Rules) will be exempt from customer identification procedures.5 At this stage (despite industry lobbying for life products and superannuation to be exempt), no such designated services have been specified. The Government has indicated in the table of Rules released with the Bill that there is no need for rules in this area at this time.
Re-verification
A reporting entity must re-verify a customer where it has reasonable grounds to doubt the customer is who they claim to be.6 Once this occurs, the reporting entity must, as soon as practicable (or at the latest within 14 business days), take appropriate and reasonable steps (taking account of its money laundering/terrorism financing (ML/TF) risk7) to satisfy itself that the customer is the person claimed.
Again, this approach does not go as far as the FATF requirements. Recommendation Five of the FATF Forty Recommendations suggests8 that other circumstances which may raise some doubt as to the identification/verification information collected by an institution (and therefore require the institution to undertake further due diligence or verification) may include circumstances where there is a material change in the way an account is operated that is inconsistent with the customer's business profile. The new Rule does not cover this scenario, but it may be that this will be addressed in Guidelines.
Ongoing customer due diligence
A reporting entity must monitor (in accordance with the Rules) its provision of designated services in Australia with a view to:
- identifying;
- mitigating; and
- managing,
the risk it might reasonably face that it might facilitate 'money laundering' or 'financing of terrorism'.
This seems straightforward, but it does bring back into play the problem identified by industry in the first consultation period that a reporting entity must be familiar with AML/CTF regimes and money laundering and terrorism financing risks in other jurisdictions.
This is because the definition of 'money laundering' and 'terrorism financing' includes money laundering and terrorism financing offences committed overseas (corresponding to Australian offences). As a consequence, the ongoing customer due diligence requirements will have to include (on a risk basis) measures with a view to identifying, managing and mitigating the risk of overseas offences, as well as Australian offences.
The ongoing customer due diligence requirements are implemented in Chapter 6 of the Rules, which requires reporting entities to put in place 'Know Your Customer' (KYC) systems, and transaction monitoring and enhanced customer due diligence programs (discussed below in 'Ongoing customer due diligence program').
Third party provisions
Reporting entities can delegate the identification procedure to third parties that are internal9 or external agents10 of the reporting entity, other reporting entities or persons accredited under the Rules (these third parties are referred to as 'persons authorised under section 34').
Persons authorised under s34 (with the exception of internal agents) must be authorised in writing to carry out customer identification procedures (although the authorisation can be general and does not need to be done for individual customers).
External agents who obtain (in the course of a customer identification procedure) customer identification information for one reporting entity can disclose that information to another reporting entity in the same 'designated business group'. This is a significant step forward towards avoiding unnecessary duplication of procedures (and the customer dissatisfaction which goes with it).
A reporting entity can rely on a customer identification procedure already carried out by another reporting entity (or accredited person). It is anticipated this will enable reporting entities in the same group to rely on identification procedures already carried out within the group and reporting entities at the end of the service chain to rely on identification procedures carried out by their introducer (without having to appoint external agents). The Rules on this are pending and we understand will be subject to industry consultation.
However, some difficulties remain.
- The definition of 'designated business group' applies only to groups of related companies and not to other entities, who may be linked to corporates (or to each other) such as incorporated joint ventures and trustees.
- The definition of an internal agent still only extends, in the case of non-natural persons, to officers or employees of that person and, despite the introduction of the concept of a designated business group, does not extend to officers or employees of a related company.
- The Rules provide that a s34 authorised person can only undertake an identification procedure on behalf of a reporting entity in accordance with that particular reporting entity's customer identification program. Conversely, the reporting entity cannot authorise the s34 authorised person to use its own system or to make any risk based decision in accordance with the reporting entity's program. As a consequence, s34 authorised agents may be faced with the prospect of complying with a number of disparate programs, depending on how many reporting entities authorise them.
A reporting entity must have risk based systems and controls to review whether the s34 authorised person is complying with its identification procedures (as outlined in the reporting entity's AML/CTF programs). This is consistent with the general provision that an AML/CTF program must apply to functions relevant to a designated service carried out by third parties.
Superannuation
Superannuation and retirement savings account providers who accept contributions, roll-overs and transfers will not have to identify fund members until the member reaches preservation age. This represents a significant concession for the super industry. Identification will still be required where the fund is paid out, rolled over or transferred.
The extent to which delaying identification until preservation age will alleviate the burden associated with identifying customers is not clear. Preservation ages vary depending on the type of fund. Will the reporting entity be required to identify all super customers when they reach that stage and, if so, how will they know and how will they do this?
In our view, there is a valid argument that, given that super is low risk, identification should only be required on pay out and not when funds are rolled over or transferred (as, arguably, these activities do not pose any ML/TF risk).
There are also concerns that the practical difficulties identified by industry arising from the interaction between the Superannuation Guarantee (Administration) Act 1992 (Cth) and the obligations in the Bill have not been resolved.
Defences
The Bill still provides a defence of relying on information provided (whether to the reporting agency or someone authorised under s34) for any breach of the customer identification procedures, but additionally contains (at ss 195A and 195B) general safe harbour provisions.
The Rules
As in the original draft of the legislation, the operational detail is contained in the Rules (not all of which have been issued). As a general principle, a reporting entity can implement the new AML/CTF regime using a risk based approach, but must, in identifying and maintaining relevant systems and controls, take into account the nature and complexity of its own business and the type of ML/TF risk it might face. In assessing that risk, it must specifically consider:
- customer types, including politically exposed persons (these are not defined);
- types of designated services provided;
- methods by which it delivers those designated services;
- foreign jurisdictions with which it deals; and
- designated services provided by its overseas offices.
Customer identification program
Overview
A customer identification program will implement the customer identification procedures in the Bill by using a risk based approach (as described in the Rules). In practice, this means that it will be up to reporting entities to decide what customer identification information is required based on what they assess as their ML/TF risk. This shift to a risk based (rather than a prescriptive) approach represents a significant change from the approach in the original draft.
Other changes which have been welcomed by the financial sector include:
- reporting entities will now be able to rely on electronic verification (EV) of customer identification information;
- the introduction of safe harbour rules for customer identification for lower and medium risk relationships; and
- the deletion of a specific requirement to undertake a risk classification within a specified period (although, as a practical matter, businesses will still need to undertake a risk assessment of their customers in order to design a suitable AML/CTF program).
There are different provisions for different types of customer (which include individuals, corporates, trusts and associations), but some overarching principles apply to all.
- The program must have appropriate risk based systems and controls so that the reporting entity can be reasonably sure the customer is who they claim to be.
- Whether any further KYC information is required or verified will depend on the ML/TF risk relevant to the provision of the designated service (and the KYC information itself will vary depending on the type of customer).
- Programs must be able to respond (on a risk basis) to any discrepancies in information that arise so the reporting entity can be reasonably satisfied the customer is who they claim to be. Presumably, as this is a risk based obligation, it can be tailored to apply to material discrepancies.
- Verification can be from reliable and independent documentation, electronic data or a combination of both. Methods of verification are discussed below at 'Methods of verification'.
Individuals
The minimum requirement for individuals is full name, date of birth and residential address for the purposes of collection and full name and either date of birth or address for the purpose of verification at the relevant time.11 'Relevant time' has not been clarified, but it appears that information will have to be verified at the same time that it is collected.
A safe harbour rule has been introduced (whereby less information is collected and verified) where the customer relationship is determined to be of medium or lower ML/TF risk. In practice, this may have limited application as the reporting entity will have to have sufficient information on the customer to make that determination and, additionally, it will only apply (if EV is used) to customers with three-year credit or transaction histories.
Corporates
The procedures for identification of corporates contemplate that a risk based approach will be applied.12 A reporting entity must be reasonably satisfied the company exists and it knows (in the case of private companies) the name and address of the beneficial owners.13
The minimum information to be collected from Australian companies is now:
- full name;
- addresses of registered office and principal place of business;
- ACN;
- whether the company is registered by the Australian Securities & Investments Commission (ASIC) as proprietary or public; and
- the name of each director (for private companies only).
Minimum verification requirements are:
- name;
- whether the company is proprietary or public; and
- ACN.
If a reporting entity confirms from a stock exchange, public document, or a regulator's records that the company is listed, a majority-owned subsidiary of a listed company, or licensed and regulated by a Commonwealth regulator (such as ASIC or the Australian Prudential Regulatory Authority) this will be taken as sufficient verification.
The requirement to collect the name and address of beneficial owners now only applies to private companies and those proprietary companies not licensed and regulated by a Commonwealth regulator.
The obligation to collect beneficial ownership information on other types of companies, ie foreign public companies, domestic unlisted public companies and any company licensed and regulated by a Commonwealth regulator, will depend on the ML/TF risk.
A beneficial owner is 'any individual who owns through one or more shareholdings more than 25 per cent of the issued capital'.14 This will require reporting entities to investigate the corporate structures of their clients, but this obligation is tempered by the fact they may be able (using a risk based approach) to rely on a disclosure certificate, which presumably can be provided by the client, to verify beneficial ownership information.
Trustees
The general requirement is that reporting entities must be reasonably satisfied where a customer is a trustee that:
- the trust does exist; and
- the name of all trustees and beneficiaries (or a description of each class of beneficiary) has been provided.
The Rules contain some inconsistencies, but in essence:
- Minimum information to be collected:
  - the full name of the trust;
  - business name (if any) and address of the trustee;
  - country where the trust was established;
  - where the trustee is an individual or corporate, the minimum applicable information for that type of person; and
  - full name of each beneficiary; or
  - if the trust identifies the beneficiary by class, details of each class.
- Minimum information to be verified:
  - the full name of the trust; and
  - where the trustee is an individual or a company, the minimum applicable information for that type of person.
Safe harbour regimes have been included. These differ slightly depending on whether the information goes to the existence of the trust or the beneficiaries of the trust.
Where a reporting entity confirms the trust is:
- a managed investment scheme (MIS) registered with ASIC; or
- an MIS not registered with ASIC that:
  - only has wholesale clients; and
  - does not make small scale offerings to which s1012E of the Corporations Act 2001 applies; or
- licensed and regulated by a Commonwealth regulator in respect of its trust activities; or
- a government super fund,
it does not have to verify that the trust exists (although, as it will still have to collect the information, it is questionable whether this provides much advantage).
In addition, where the trust is:
- an MIS registered with ASIC; or
- an MIS not registered with ASIC that:
  - only has wholesale clients; and
  - does not make small scale offerings; or
- a government super fund,
then information on beneficiaries and the full name and address of each trustee is not required.
If the trust is licensed and regulated by a Commonwealth regulator, the obligation to collect and verify beneficiary/trustee names and addresses is risk based.
Although the Rules provide that verification of information about a trust must be based on:
- trust deed, certified copy or extract of trust deed;
- reliable and independent documentation relating to the trust;
- electronic data; or
- a combination of all of these,
if some of the additional KYC information to be verified is not reasonably available from these sources, the reporting entity can rely on a disclosure certificate from the trustee.
Partnerships, associations, registered cooperatives and government entities
Discrete customer identification programs apply to each of these types of organisations.
Methods of verification
The Rules now specifically allow for customer verification by EV, as well as reliance on documentation.
The Rules refer throughout to the use of 'reliable and independent documentation' as a means of verification. 'Reliable and independent documentation' includes, but is not limited to, original primary photographic identification (such as a passport), original primary non-photographic identification (a birth or citizenship certificate), and original secondary identification documents (such as a Tax Office or utilities provider notice).
However, the Rules indicate this is not an exhaustive definition and reporting entities can rely on other types of documentation appropriate to the ML/TF risk.
There are specific safeguards where EV is used in that there must be systems and controls in place to ensure that the data is reliable and independent and (among other matters) accurate, secure, up to date and comprehensive.
Agent identification program
The Rules for the identification of agents (ie persons authorised to act on behalf of the customer) have finally been released. In essence, the full name of the agent and evidence of authorisation must be collected. Verification will depend on the ML/TF risk relevant to the designated service.
Non-individual customers can appoint a verifying officer (this can be an employee, agent or contractor) who, on the collection of certain information, will be taken to have identified the agent. The reporting entity can rely on that identification. This allows reporting entities to easily accommodate changes in personnel who acquire designated services for their employer (account signatories etc). This is because the appointed verifying officer need only get limited information from company personnel and needs to provide even less information to the reporting entity.
Ongoing customer due diligence program
The Rules in Chapter 6 set out the elements of an ongoing customer due diligence program. These include risk based systems and controls to determine whether further KYC information should be obtained for ongoing due diligence (as opposed to initial customer identification), an enhanced due diligence program and a transaction monitoring program.
A transaction monitoring program is designed to monitor all transactions in order to identify (based on risk) any 'suspicious' transactions and any complex, unusually large transactions and patterns of transactions.15 The practical implication of this is that a transaction monitoring program will monitor the transactions of all customers (not just those who have been identified).
An effective transaction monitoring program will require up-to-date KYC information and ask relevant questions to establish the reasons for any unusual activities. The scope and nature of the program will depend on the reporting entity's business activities, whether the business is large or small, the frequency of customer activity and the types of customer.
In establishing the parameters of a program a reporting entity will need to consider its specific ML/TF risks and, in particular, who are its customers (including those who have not been identified) and what is 'normal' for those customers.
Generally, we anticipate that the ongoing due diligence requirements (KYC, enhanced customer due diligence and transaction monitoring) will be particularly difficult for the managed funds industry, given the complexity of the industry, the nature of their clients and the volume and frequency of customer transactions.
What to do next
Given the extent of government/industry consultation to date, it is unlikely that the Bill will be significantly amended before its introduction to Parliament (which the Government has indicated will be in the next session). That being the case, and given implementation is likely to be sooner rather than later, your organisation (if it has not already done so) should now plan and resource for the significant changes that will be required to bring it into compliance with the new regime.
AAR's expert AML team, which has been closely involved in the consultative process between the Government and the financial services industry through our membership of the IFSA AML Industry Guidelines Working Group, can provide efficient legal services at every stage of your AML project.
The Revised Bill and Rules can be found at the Attorney General's website.
Footnotes
1. These are set out in a comprehensive list and include:
   - opening accounts and conducting transactions with banks and authorised deposit-taking institutions (ADIs);
   - making loans;
   - supplying goods under finance lease or hire purchase;
   - issuing credit, debit and stored value cards and issuing or cashing travellers' cheques, money and postal orders;
   - being involved in funds transfers;
   - issuing or selling securities (which in our view will include issuing interests in managed investment schemes), derivatives or foreign exchange contracts;
   - issuing life policies;
   - issuing pensions or annuities and in some circumstances accepting super fund, ADI or RSA contributions etc;
   - providing a custodial or depository service;
   - guaranteeing a loan;
   - exchanging, collecting or delivering currency;
   - buying or selling bullion; and
   - providing gambling services.
2. In contrast, the original Bill provided examples of 'special circumstances'. These were, in the main, consistent with FATF and included:
   - where the service was not face-to-face;
   - where it consisted of acquiring or disposing of securities or derivatives for customers; or
   - issuing or undertaking liability under a life policy or sinking fund.
3. For the purposes of s39, 'money laundering' and 'terrorist financing' offences only include offences committed in Australia (although this can include laundering in Australia the proceeds of a crime committed overseas).
4. At Article 8 of the Interpretative Note to Recommendation Five of the Forty Recommendations.
5. Re-verification of low-risk service customers will only be triggered by a suspicious matter reporting obligation.
6. As indicated above, a different re-verification trigger applies to existing and low-risk service customers.
7. ML/TF risk is a term used throughout the Rules. It is defined as the risk a reporting entity might reasonably face that the provision of designated services might (inadvertently or otherwise) involve or facilitate money laundering or financing of terrorism. The definition of 'money laundering' and 'terrorism financing' is discussed below under the heading 'Ongoing customer due diligence'.
8. At Article 5 of the Interpretative Note to Recommendation Five of the Forty Recommendations.
9. These include employees, officers (in the case of a company) and managers or trustees (in the case of a trust).
10. The definition of an external agent has been extended and now covers sub-agents and sub-sub-agents (facilitating the use of intermediaries).
11. There are specific provisions for individuals who are sole traders.
12. Reference in this Focus is to Australian corporates. The Bill contains specific requirements for foreign corporates which are not addressed.
13. The 'control test' in the previous draft of the Bill has gone.
14. FATF describes a beneficial owner as the individual who ultimately owns or controls an entity; significantly, the concept of control is not addressed in the Bill.
15. As the transaction monitoring program is part of the AML/CTF program, it can be applied to all members of a designated business group thereby facilitating group wide consistency.
For further information, please contact:
- Anna Lenahan
  Partner, Sydney
  Ph: +61 2 9230 4132
  Anna.Lenahan@aar.com.au
- Stephen Spargo
  Partner, Melbourne
  Ph: +61 3 9613 8861
  Stephen.Spargo@aar.com.au
- John Beckinsale
  Partner, Brisbane
  Ph: +61 7 3334 3520
  John.Beckinsale@aar.com.au