Amendments to the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (AML Rules) imposing new know your customer (KYC) and customer due diligence obligations, will commence on 1 June 2014. These new AML Rules will require significant changes both to KYC procedures and procedures for assessing money laundering/terrorism financing (ML/TF) risk.
What do you need to do?
Organisations will need to review and update their AML/CTF programs and client onboarding processes to reflect the changes to the AML Rules by 1 June 2014. There is no transition period and both new and existing customers will be impacted. There are complicated issues in relation to how these rules apply to existing customers that will need to be carefully considered. However, AUSTRAC will not enforce non-compliance in certain circumstances until 1 January 2016.
Summary and comparison of changes
The following is a table showing the changes to the rules and the impact of these changes.
Click here to view the table.
Assessing ML/TF risk
Under the new AML Rules, there has been an expansion of the factors that must be considered in determining the ML/TF risk of the organisation. These new factors are: the source of funds and wealth of customers; the nature and purpose of the business relationships with customers; control structures of non-individual customers, and the beneficial owners of customers. As a result, the new AML Rules specify that AML/CTF programs must enable the organisation to understand these details about customers; and identify and assess risks posed by changes to these details.
Identifying beneficial owners and settlors of trusts
Under the new AML Rules reporting entities will be required to:
- identify the beneficial owner of most types of customers;
- collect and take reasonable measures to verify the full name and residential address or date of birth of each beneficial owner; and
- identify and verify the details of settlors of trusts.
However, for customers who are individuals, organisations may assume the customer and the beneficial owner are one and the same unless there are reasonable grounds for considering otherwise.
The definition of beneficial owner has also been expanded from what it is now. It includes a person who directly or indirectly owns 25% or more of an entity or who controls another person. If there is a chain of ownership, the relevant beneficial owner is the person who ultimately owns or controls the customer. According to an AUSTRAC Explanatory Statement, there is no need to collect and verify details at each level in a chain of ownership.
Organisations with a global AML policy that deals with United States requirements may already have a similarly broad definition. However, for other organisations this will be a material change and additional identification and verification steps will need to be added to on boarding processes for certain clients.
In addition, there have been amendments to the ongoing customer due diligence and enhanced customer due diligence requirements incorporating further measures to be taken in respect of beneficial owner information. These are discussed in more detail below.
Politically exposed persons
Under the new AML Rules, certain measures must be taken before (or as soon as practicable after) providing a designated service to a customer who is a PEP. A PEP is an individual who is, or is an immediate family member or close associate of, a person who holds a prominent public position in a government body or international organisation.
Organisations must ensure that their AML/CTF program has systems for determining whether any customer or beneficial owner of a customer is a PEP, and if so, take additional measures in certain circumstances such as:
- if the PEP is a beneficial owner, collecting KYC information and verifying it if appropriate; and
- determining whether the PEP poses a high ML/TF risk.
If a customer is a foreign PEP or a domestic or international organisation PEP who is assessed as being a high ML/TF risk, reporting entities must take additional measures such as taking reasonable measures to establish the source of wealth and funds; and obtaining senior management approval before providing the PEP with designated services or establishing or continuing the business relationship with them.
There are additional due diligence measures that must be implemented if a customer is, or has a beneficial owner who is, a foreign PEP. These include applying the Enhanced Customer Due Diligence program to the foreign PEP. The Enhanced Customer Due Diligence program must now include systems and controls to ensure, where appropriate, measures such as clarifying, analysing, verifying or updating beneficial owner information collected from the customer; or collecting further beneficial owner information (such as the source of the beneficial owner’s funds and wealth) are taken.
Ongoing customer due diligence
Under the new AML Rules, there have been amendments to the ongoing customer due diligence obligations. Organisations must have appropriate systems and controls for determining when further beneficial owner information should be collected or verified to review and update existing records as well as the existing requirement to obtain further KYC information in certain circumstances.
The new AML Rules also place a general obligation on organisations to take reasonable measures, commensurate with the ML/TF risk, to keep, update and review the documents, data or information collected under customer and beneficial owner identification procedures.
This requirement was introduced to ensure the AML Rules were consistent with the Financial Action Task Force (FATF) recommendations (worldwide AML standards recommended by an inter-governmental body). The FATF recommends that organisations keep all customer information up to date and relevant by undertaking reviews of existing records. The FATF also recommends conducting ongoing due diligence on the business relationship and scrutinising transactions to ensure that the transactions are consistent with the organisation’s knowledge of the customer, and their business and risk profile.
Consistent with the FATF approach, and an AUSTRAC explanatory statement which states that the amendments to ongoing customer due diligence aim to clarify that these rules relate to ‘ongoing customers rather than new customers’; the obligation to review and update records applies to both existing customers and those who commence with the organisation after the new AML Rules commence. This raises complex issues that will need to be worked through carefully for existing customers. An explanatory statement to the draft rules also states that this approach is consistent with the requirements in the Privacy Act 1988 (Cth) to keep customer records up to date.
When will the new AML Rules be enforced?
AUSTRAC has released the Policy (Additional Customer Due Diligence Requirements) Principles 2014 to accompany the new AML Rules. These are issued under section 213 of the AML/CTF Act, which allows the Minister to make policy principles which are binding on AUSTRAC in the performance of its functions. The policy principles effectively allow some time for organisations to transition to the new AML Rules.
From 1 June 2014 to 31 December 2015 AUSTRAC will not apply for a civil penalty order or an injunction, issue a remedial direction, or require an external compliance audit for non-compliance with the new customer due diligence requirements if an organisation or its designated business group took reasonable steps to comply.
In determining whether reasonable steps were taken, AUSTRAC will consider all relevant matters including whether:
- the organisation complied with the new obligations as soon as could be reasonably accommodated through existing operations;
- between 1 June 2014 and 1 January 2016, for new clients assessed by the organisation as high ML/TF risk, the organisation complied with the new obligations as soon as practicable; and
- the organisation developed a transition plan before 1 November 2014 which: has actions and timelines for compliance with the new AML Rules in respect of new high ML/TF risk clients and full compliance with the new AML Rules prior to 1 January 2016; is sufficiently resourced; is approved by the board of the organisation (there are alternatives for designated business groups and entities without boards); is regularly monitored; and made available to AUSTRAC on request.