Allens Arthur Robinson

Funds Management - Real Estate & Superannuation

Focus: Anti-money Laundering – December 2005

Federal Government releases Anti-Money Laundering Bill

In brief: The Federal Government has finally released its Exposure Draft Bill on Anti-Money Laundering and Counter Terrorism Financing. The Bill imposes onerous customer due diligence, reporting and compliance obligations. Partners Anna Lenahan and Peter Jones and Senior Associate Judy Maguire report on these obligations and flag issues for further consideration.

Background

On 15 December 2005, the Federal Minister for Justice and Customs, Senator Chris Ellison, announced the release of the exposure draft of the Government's Anti-Money Laundering and Counter-Terrorism Financing Bill (the Bill). The new legislation, together with the terrorism financing provisions contained in the Government's Anti-Terrorism Act (No 2) (discussed in AAR's Focus: Anti-money Laundering, 9 December 2005), is intended to bring the Australian anti-money laundering (AML) and counter terrorism financing (CTF) regime into compliance with global AML/CTF standards by implementing the Financial Action Task Force's (FATF) Forty Recommendations on AML, which were revised in June 2003 (the Revised Recommendations) and its Nine Special Recommendations on CTF (the Special Recommendations).

The framework of the new legislation consists of the Bill, Regulations, Rules and Guidelines. The Government has released some 'sample' draft Rules and some guidance on the Bill (including draft Guidelines).

Timing

The Bill is subject to a public consultation period of four months. The Minister has indicated he will seek the Senate's agreement to refer the Bill to the Senate Legal and Constitutional Legislation Committee when Parliament resumes in 2006. The Minister has also indicated he wishes to introduce the Bill into Parliament in May 2006.

The Government has indicated that it intends to progressively release draft Rules in early 2006 and that these Rules will also be subject to public consultation. A cross-industry AML/CTF Advisory Group is also to be formed to provide input to the consultation process and the development of the Rules. The Government has also indicated that there will be a transition period after Parliament passes the Bill, but before it takes effect. Periods of between 12 and 36 months have been proposed, but further consultation is sought on this period.

The Bill represents the first stage of the legislation and covers designated services provided by the financial services and gambling industry. Once the first stage is implemented, the Government will consider a second stage of reforms that will cover designated services provided by lawyers, accountants, trust and company service providers, real estate agents and jewellers.

It is intended that, in due course, the new legislation will replace the Financial Transaction Reports Act 1998 (Cth) (FTRA), which will be repealed. However, in the interim, the current obligations under the FTRA will continue to apply. 

 

The legislation

The Bill sets out the primary obligations of designated service providers covered by the legislation (reporting entities). The Bill will be supplemented by Regulations that we understand will be mainly technical in nature (eg will set out applicable timeframes and other technical information – none have been released yet). The practical, operational detail of the AML/CTF regime will be in the Rules that will be drafted by the Australian Transaction Reports and Analysis Centre (AUSTRAC) and will have legislative force. The Government has indicated that Guidelines will be developed by AUSTRAC in consultation with industry. These Guidelines will not be legally binding, but will be issued to assist reporting entities to interpret their obligations (and it is anticipated that, in time, these Guidelines will represent a 'best practice' approach for reporting entities).

To date, the Government has issued only three sets of 'sample' draft Rules (on AML/CTF Programs, suspicious matter reporting and customer identification), two draft Guidelines and one draft Guidance Paper. As a lot of the practical, operational detail is to be contained in the Rules and the Guidelines, a complete assessment of the Bill's impact cannot be made until all of the draft Rules and the Guidelines become available.

Coverage

The Bill imposes AML/CTF obligations on a wide range of financial service providers (including those in the banking, life insurance, managed funds and superannuation sectors) and on the gambling sector.

The Bill applies to reporting entities who provide certain designated services. The Bill sets out a comprehensive list of 64 different types of designated services, including:

  • opening accounts and conducting transactions with banks and authorised deposit taking institutions (ADIs);
  • making loans;
  • supplying goods under finance lease or hire purchase;
  • issuing credit, debit and stored value cards and issuing or cashing travellers' cheques, money and postal orders;
  • being involved in funds transfers;
  • issuing or selling securities (which include interests in managed investment schemes although, given that securities is defined with reference to section 92 of the Corporations Act 2001 (Cth), it is expected that clarity will be sought on this during the consultation period), derivatives or foreign exchange contracts;
  • issuing life policies;
  • providing personal advice as a licensed financial adviser in respect of investing in securities, derivatives, life policies, ADIs, retirement savings accounts (RSAs) or super funds;
  • issuing pensions or annuities or accepting super fund, ADI or RSA contributions etc;
  • providing a custodial or depository service;
  • guaranteeing a loan;
  • exchanging, collecting or delivering currency;
  • buying or selling bullion; and
  • providing a gambling service.

The person providing the designated service will only be a reporting entity if the designated service is provided:

  • at or through a permanent establishment in Australia; or
  • by a resident of Australia at or through an overseas permanent establishment of that resident (a foreign branch); or
  • by a subsidiary of a company that is a resident of Australia at or through an overseas permanent establishment of the subsidiary (an overseas subsidiary).

A person who provides a service while travelling or operating on a mobile basis in a country is taken to provide the service at a permanent establishment in that country.

Foreign branches or overseas subsidiaries will generally be required to comply with the legislation to the extent possible under local laws. They will, however, be exempt from some of the requirements. For example, the identification requirements do not apply to a designated service that is provided overseas by a foreign branch or overseas subsidiary.

Core requirements

Customer due diligence

The key requirements of a customer due diligence program are:

  • know your customer (KYC);
  • assign each customer a risk classification; and
  • monitor the transactions of each customer.

Know your customer

Identification procedure

The Bill introduces a comprehensive customer identification regime. With limited exceptions, reporting entities must only provide a designated service where they have carried out an approved customer identification procedure (the identification procedure). The exact requirements of the identification procedure have not yet been released, but will be prescribed in the Rules. Some specific exemptions apply to customers (exempted customers) where:

  • existing customers have been in a continuous relationship with the reporting entity before the Act's implementation. It is not clear what will constitute a 'continuous relationship' and this is expected to be clarified in the Rules or Guidelines. Rules that have not yet been released may specify events or circumstances that would break the continuity of that relationship;
  • the designated service is designated under Rules (not yet released) as low risk;
  • special circumstances justify the identification procedures being carried out after the designated service begins, but only where carrying out the procedure beforehand would disrupt the normal conduct of business, the service is specified in the Rules and either:
    • the service is not face to face; or
    • the service is acquiring or disposing of a derivative or security; or
    • the service is issuing or acting as insurer under a life or sinking fund policy.

In these special circumstances, the identification procedure must be carried out within five business days after the day the service commenced. Otherwise the reporting entity must cease providing the service until the identification procedure is completed.

Although there is no general requirement to verify the identity of exempted customers, all customers (including exempted customers) will have to be re-verified in the event of certain risk triggers occurring. Details of those trigger events have not yet been released, but will be prescribed by the Rules.

The Bill allows delegation of the identification procedure to third parties, who are internal or external agents of the reporting entity, another reporting entity or a third party accredited under the Rules. The provision applies where there is a 'chain' of reporting entities by allowing one provider to authorise an identification procedure to be carried out by another. The notes to the Bill cite the example of a superannuation provider authorising a financial planner to carry out an identification procedure.

In addition to designated low-risk services, the Rules may also provide that identification requirements do not apply to certain types of designated services. At this stage, it is not known what these will be, but industry has lobbied for life insurance and superannuation to be exempt.

Failure to comply with these provisions will attract criminal and civil sanctions. In certain circumstances, a defendant can rely on a defence of 'reasonable reliance'. There is an additional defence for reporting entities and others, if they can show they took reasonable precautions and exercised due diligence.

Customer information

For natural persons, the minimum KYC requirement is name, residential address, date and place of birth, and countries of residence and citizenship.

For companies, the information required is name, address of principal place of business, ABN or ARBN, country and date of incorporation, name of each director and company secretary, substantial shareholders (as defined in the Corporations Act) or, for non-listed companies, any person who meets the control test (which will be similar to that applied by s1207Q of the Social Security Act) and evidence of authorisation given by the company to deal with the reporting entity.

For non-natural persons that are not companies, the information will include the name of any person who is in a position to control the customer's funds; for example, the name of all trust managers or trustees where the customer is a trust.

Not all customer details will need to be verified.

For natural persons, there will be a choice of different identification procedures. These are likely to be a variation of the current 100-point check and electronic verification for non-face-to-face situations. It is intended that alternatives to the use of acceptable referees will be developed.

Different procedures will be prescribed for non-natural persons. Where a reporting entity is identifying a non-natural person, it may be able to rely on a disclosure certificate (which contains the required information) provided by the customer.

Reporting entities must update a customer's KYC information on a risk basis at appropriate intervals.

Risk classification

Reporting entities must assign a risk classification to each existing customer as soon as is practicable after the Bill comes into force. We expect consultation will be sought on the time frame for compliance with this requirement.

Reporting entities must also determine, as soon as is practicable after the Bill comes into force, whether any minimum or additional KYC information is required for existing customers. This will be based on the customer's risk classification and risk factors.

Reporting entities must also assign a risk classification to each new customer at the 'outset' of the business relationship. The classification will be based on the customer's KYC information (and may require additional KYC information) and whether the relationship with the customer involves any of the following risk factors:

  • the customer being high risk;
  • the relevant services being high risk;
  • the relevant service delivery methods being high risk;
  • the relevant jurisdictions being high risk;
  • any high risk faced because a service is provided at or through an overseas branch; or
  • the customer being a politically exposed person (PEP).

These risks must be assessed by the reporting entity (ie they will not be prescribed by the Government or AUSTRAC) and the assigned risk classification must be reviewed at appropriate intervals.

Additional KYC information that might be required at the risk classification stage or at other stages in the business relationship could include information about:

  • the occupation, business activities or functions of the customer;
  • the nature of the business, including the purpose of the specific transaction, or the expected nature and level of transactional behaviour;
  • the income and assets available to the customer;
  • the source of funds;
  • the customer's financial position;
  • details of the ownership and control structure of the customer;
  • the beneficial ownership of the funds used in the designated service;
  • the beneficiaries of the transactions and the destination of the funds; and
  • for non-natural persons, the identity of any relevant related party.

Reporting entities must consider whether to apply enhanced customer due diligence (CDD) (on a risk basis), having regard to factors such as the customer's risk factors and involvement in unusual or suspicious transactions. The obligation to carry out enhanced CDD continues until the reporting entity's concerns are resolved. Enhanced due diligence may involve obtaining additional KYC information, analysing the customer's transactions and business relationship with the reporting entity and other factors.

Transaction monitoring

Reporting entities must put in place a transaction monitoring program. The extent to which transactions should be monitored will depend (on a risk basis) on the customer's risk classification and risk factors set out in the Rules. The program should identify unusual transactions by reference to the expected behaviour of the customer (this can be based on KYC or an appropriate peer profile) or the 24 matters listed in the Rules dealing with suspicious matter reporting.

Transaction reporting

There are several types of reporting obligations.

The suspicious matter reporting obligation is broader than suspicious transaction reporting under the FTRA. It applies where:

  • the reporting entity starts to provide, or proposes to provide, a designated service to a customer; or
  • a person requests a designated service; or
  • a person merely inquires whether the reporting entity would be willing or prepared to provide a designated service; and
  • at that time or later the reporting entity has reasonable grounds to suspect that information it has about the provision of the service may be relevant to tax evasion, a criminal offence or a terrorism financing offence.

The obligation, therefore, may arise before there is any business relationship between the reporting entity and a potential customer.

A report must be made to AUSTRAC within three business days of forming the relevant suspicion (or within 24 hours where the information relates to terrorism financing).

The draft Rules set out a list of 24 matters to be taken into account by the reporting entity in determining whether there are reasonable grounds to form the relevant suspicion. Where only minimum KYC has been carried out, the reporting entity will not have the available information and may not be able to obtain it without alerting the customer (and possibly running the risk of 'tipping off' – see below).

Unlike other jurisdictions, reporting entities do not need permission from AUSTRAC to carry on with a transaction if they consider it suspicious (although they have to consider if doing so constitutes a money-laundering offence).

The 'tipping off' offence is in similar terms to the existing FTRA provision. A person making a report in good faith and without negligence is exempt from civil suit.

Threshold transactions are those involving:

  • the transfer of physical currency or e-currency of not less than $10,000; or
  • transactions specified in the regulations.

The Rules and Regulations may also require reporting of international funds transfer instructions (IFTIs) to AUSTRAC.

Threshold transactions (and, if required, IFTIs) must be reported within 10 business days.

The obligation to report will not apply to any designated services or circumstances that are specified in the Rules. Also, it does not apply (apart from IFTIs) to designated services provided by the reporting entity at a permanent establishment overseas. Therefore, if a foreign branch or overseas subsidiary forms a suspicion, it does not have to make a suspicious matter report to AUSTRAC. It would, however, be caught by any local reporting requirement in the relevant jurisdiction.

Correspondent banking

The Bill introduces new requirements for correspondent banking. Financial institutions are prohibited from entering into correspondent banking relationships with shell banks and other financial institutions that maintain accounts with shell banks.

Any financial institution in such a relationship must terminate the relationship within five business days of the Bill's commencement.

A financial institution entering into a correspondent banking relationship must carry out a due diligence assessment on the correspondent bank and prepare a written report on that assessment. The assessment will cover:

  • the nature of the respondent financial institution's business;
  • its reputation;
  • the quality of supervision of its employees, agents and contractors;
  • whether it has been investigated for money laundering or terrorism financing;
  • the adequacy of its AML/CTF risk controls and internal compliance procedures;
  • its corporate culture in relation to those controls and procedures; and
  • other matters as specified in the Rules.

Financial institutions already in correspondent banking relationships must carry out similar assessments at regular intervals.

Additionally, a financial institution must not enter into a correspondent banking relationship unless the respective rights and responsibilities of the parties are set out in a written agreement and unless it is satisfied that the correspondent bank has adequate customer verification procedures for customers with pay-through accounts. The same requirement applies to financial institutions already in a correspondent banking relationship who must terminate the relationship within five business days of the Act's commencement if not in compliance.

Failure to comply with these requirements attracts criminal and civil sanctions.

Record keeping

Reporting entities must retain (for a period to be specified):

  • transaction documents provided by the customer;
  • records of customer identification procedures and information recorded;
  • records of information relating to the provision, or prospective provision, of a designated service; and
  • reports of correspondent banking due diligence assessments.

There are general exemptions for designated services that may be specified in the Rules and where designated services are provided by a reporting entity at or through a permanent establishment overseas.

Third parties who carry out an identification procedure on customers of a reporting entity must give that information to the reporting entity within five business days of the procedure. The reporting entity must retain the information as part of its records.

The AML/CTF program

Reporting entities are required to develop, maintain and comply with AML/CTF programs that meet the requirements specified in the Rules. Failure to do so will attract civil and criminal sanctions.

The AML/CTF program must be designed to ensure appropriate action is taken to identify and 'materially mitigate' the risk of a reporting entity providing a designated service that might (inadvertently or otherwise) involve or facilitate a money laundering or terrorism financing offence.

At this stage, the Government has not clarified what is meant by 'materially mitigate'.

A reporting entity must put in place risk-based systems and controls to effectively identify:

  • high-risk customers;
  • high-risk services;
  • high-risk delivery methods;
  • high jurisdictional risks;
  • risks associated with providing a service overseas; and
  • customers who may be PEPs. Reporting entities may be able to rely on commercial PEP list providers. A self-identification process is also being considered as an alternative.

The AML/CTF program must identify any changes over time in the level or composition of those risk factors and amend its systems and controls accordingly.

Draft Rules and Guidelines indicate that the elements of an AML/CTF program should include:

  • risk identification, including risk triggers, re-identification of customers as necessary, risk mitigation and controls;
  • a customer due diligence program;
  • an AML/CTF risk-awareness training program for employees;
  • an employee-hiring due diligence program that includes employee screening;
  • a third-party due diligence program;
  • a compliance program; and
  • a procedure for independent review to test the effectiveness of, and compliance with, the program.

The AML/CTF program should apply to all areas of the reporting entity's business involved in providing designated services, including those carried out by third parties and overseas. However, the AML/CTF program rules that deal with CDD and reporting requirements need not apply to designated services provided overseas. Instead, reporting entities must put in appropriate risk-based systems in overseas offices to ensure that these requirements are carried out according to local laws.

Reporting entities must risk-assess all new designated services, methods of delivery, and new and developing technologies used to provide a service before those services, methods and technologies are put in place.

The CDD program

This will include customer identification and classification, risk triggers and reverification as discussed above.

AML/CTF awareness program

Reporting entities must ensure employees understand their specific responsibilities in managing AML/CTF risks. Training should ensure that they understand the appropriate reporting requirements. The program must be reviewed and updated to take account of any changes to the legislation or the types of AML/CTF risks faced by the reporting entity.

Employee due diligence program

Reporting entities must put in place risk-based procedures for screening prospective employees who could facilitate a money laundering or terrorism financing offence and to re-screen where there is a material change in the employee's responsibilities. Screening must include a fit and proper determination.

Third-party due diligence program

This is required where a reporting entity enters into a third-party arrangement for the provision of services where the services have a connection with a designated service. Systems and controls should identify any material AML/CTF risk associated with any task to be carried out by the third party. If a material risk is identified, the decision as to whether the third party is suitable to carry out the service must be made by a senior officer.

If the decision is made to go ahead, the reporting entity must have risk-based procedures in place to manage all material AML/CTF risks during the arrangement and ensure the third party receives appropriate AML/CTF training.

Board responsibility

The board and senior management must approve and conduct ongoing oversight of all the components of an AML/CTF program. Unlike other jurisdictions, there is no provision in the Bill or in the draft Rules for the appointment of a money laundering reporting officer, although this is recommended by FATF. The United Kingdom experience suggests that boards and senior management should put in place policies that demonstrate how they discharge their responsibility.

Regular review

The AML/CTF program must be subject to regular independent review to test its effectiveness, to ensure it complies with the Rules, and is effectively implemented and complied with.

Other matters

In developing and implementing the AML/CTF program, reporting entities must take account of international standards (if dealing internationally) and any feedback or guidelines from AUSTRAC.

Enforcement

The Bill introduces a civil penalty framework as an alternative enforcement mechanism to criminal proceedings. This is similar to the existing regime under the Corporations Act. The same conduct that constitutes the criminal offence will also be the subject of a civil penalty provision. Civil penalties would be used in situations where the offending conduct does not warrant prosecution and criminal prosecution would be used for more serious failures.

Pecuniary penalties are payable for contravention of civil penalty provisions.

Civil penalty proceedings can only be brought by AUSTRAC in the Federal Court.

The court must not make a civil penalty order against a person for contravention if the person has already been convicted of an offence arising from substantially the same conduct. However, criminal proceedings can be started against a person regardless of whether a civil penalty order has been made in respect of substantially the same conduct.

An authorised officer (ie authorised by AUSTRAC) can issue an infringement notice for failing to report movements of cross-border currency and Bearer Negotiable Instruments.

AUSTRAC is to monitor and report to the Minister on compliance by reporting entities. 

AUSTRAC can also apply to the Federal Court for restraining and performance injunctions against reporting entities.

Other than the above, there appears to be no administrative sanction similar to the powers of the UK Financial Services Authority to impose fines for non-compliance. Nor is there a general defence of compliance with the Rules or Guidelines.

Concerns

Obviously, until a full set of Guidelines and Rules become available, it is not possible to do a full assessment of the Bill's impact. At this stage, there are a number of matters we would expect to see raised during the consultation period, including the following:

  • Clarification is required that managed investment schemes provide 'designated services'.
  • The definition of an 'approved customer identification procedure' is still to be provided and will need careful examination.
  • The need to verify an existing customer is based partly on whether there has been a continuous relationship with the customer. AUSTRAC can make rules that would break that continuity. Given the importance of this exemption to industry, the concept of 'continuous relationship', and the triggers that may affect that relationship, will need careful consideration.
  • The requirements to assign each customer (once the Bill has been implemented) with a risk classification and to determine (once the Bill has been implemented) whether existing customers need minimum or additional KYC information could mean that existing customers will need identification and verification soon after the Bill's commencement.
  • Low-risk services are yet to be identified. Industry has lobbied for all life insurance and superannuation products to be excluded and/or classified as low risk.
  • Verification procedures, the use of electronic verification and the meaning of non-face-to-face transactions need to be clarified.
  • Risk triggers for re-verification are still to be provided and will need careful examination.
  • Minimum KYC requirements for publicly listed companies should be considered.
  • The use of the Social Security Act control test (for non-listed companies) is unduly complicated.
  • Transitional arrangements for an alternative to the acceptable referee test will need to be considered.
  • The five-business day period for post-identification procedures could be impractical.
  • The requirement to take into account all of the 24 matters listed in the draft Rules when considering whether to make a suspicious matter report is prescriptive and not risk-based. This requirement will, in some circumstances, be impractical and lead to the risk of tipping off. In addition, the time limits of three days and 24 hours may be impractical.
  • The Bill provides that AUSTRAC can make and issue binding Rules. Although there is a general requirement for AUSTRAC to consult with industry, there is no obligation on them to do so in connection with the Rules.
  • Given the nature of financial services, the screening provisions could require financial institutions to screen most prospective employees, not only before they join the organisation, but throughout their employment.
  • The requirement for banks to have entered into written agreements with their correspondent banks within five business days of the Bill's implementation may be problematic.

AAR will continue to analyse the Bill, draft Rules and Guidelines (as they are released) in order to assess the effect of the legislation on our clients and make submissions as necessary.

Please contact any of the AAR AML team members below, or your usual contact at AAR, if you would like further information about the legislation or AAR's AML services.
