Prospective Changes
The Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Amendment Bill was introduced into Parliament on 11 September 2024. The Bill will bring new sectors under AML/CTF capture, and it will simplify, modernise and clarify the AML/CTF regime for new and existing reporting entities. Some changes will enter into force as soon as the Bill is passed into law, while other changes will be operational in 2026. This article discusses changes for all reporting entities and special considerations for the law sector.
Risk Assessment
The Attorney-General’s Department (the Department) proposes to establish a clear, rather than an implicit, requirement for you to conduct a risk assessment. For the risk assessment, you will need to consider:
nature, size and complexity of your business;
customer types;
services provided;
delivery methods;
jurisdictional exposure; and
risks that your business may facilitate proliferation financing.
You will need to document your risk assessment methodology.
AML/CTF Program
Once assessed your risks as part of your AML/CTF program, you would need to develop, implement and maintain proportionate measures to mitigate such risks. These measures should be documented in your AML/CTF program.
The Department proposes to streamline the separate parts of the AML/CTF program into a single obligation. This means that the current Part A and Part B of the AML/CTF program will be unified in a singular AML/CTF programme.
Governance
Your board or equivalent senior management will need to ensure that they are reasonably satisfied that the AML/CTF program is effectively identifying, mitigating and managing your risks. Further, the Department proposes to clarify that the AML/CTF Compliance Officer:
is an employee at the management level responsible for overseeing and coordinating the day-to-day operation and effectiveness of your AML/CTF program;
has sufficient authority, independence and resources to fulfil their function; and
is certified as a fit and proper person by you to the Australian Transaction Reports and Analysis Centre.
Customer Due Diligence
The Department proposes to clearly outline the following core customer due diligence (CDD) obligations:
risk rating each customer;
conducting CDD before providing a service;
conducting transaction monitoring on an ongoing basis and re-verifying CDD information when appropriate;
applying enhanced CDD procedures:
for high-risk customers;
when there is a suspicious of money laundering, terrorism financing of identity theft and you propose to continue the business relationship;
for a foreign politically exposed person (PEP); and
when the customer or a beneficial owner is present (or is a legal entity formed in) a high-risk jurisdiction, as identified by the Financial Action Task Force; and
applying simplified CDD for low-risk customers.
The Department proposes to shift the focus from prescriptive procedures to the outcome of knowing your customer and understanding the associated risk. You must verify your customer’s identity (and other relevant information) using reliable and independent source documents, data or information. Before providing a designated service, you must be reasonably satisfied that you know:
the identity of your customer;
the nature and purpose of the business relationship or occasional transaction;
the identity of the beneficial owners of your customer;
the ownership and control structure of your customer;
the identity of any person acting on behalf of your customer and their authority to act; and
whether your customer or beneficial owner is a PEP or designated for targeted financial sanctions under an Australian sanction law.
‘Being reasonably satisfied’ involves collecting and verifying information about a customer, and having reasonable grounds to believe that the customer is who they claim to be.
Ongoing CDD
You must have appropriate ongoing CDD measures to monitor unusual transactions and behaviour that may give rise to suspicious matter reports (SMR), update and reverify CDD information (when relevant), and update customers’ risk ratings.
Unusual transactions and behaviours will be defined as those behaviours that have no apparent economic or lawful purpose, or are inconsistent with what you know about:
the customer;
the nature and purpose of the business relationship;
the customer risk or business profile; and
where relevant, the source of funds.
Law Practitioners and Designated Services
AML/CTF compliance will apply to you while carrying out designated services. The proposed designated services are as follows:
Preparing for or carrying out transactions on behalf of a person, to buy, sell or transfer real property, and legal entities.
Receiving, holding and controlling or disbursing money (other than sums paid as fees and retainers), accounts, securities, digital assets, or property on behalf of another person.
Preparing for, carrying out, or organising transactions for contributions for the creation, operation or management of legal entities, on behalf of a person.
Formation, creation, operation or management of a legal entity (excluding a testamentary trust), on behalf of a person.
Acting as, or arranging for a third person to act as a director or secretary of a company, a power of attorney for a legal entity, a partner of a partnership, a trustee of an express trust, or similar (excluding as executor or administrator of a deceased estate).
Acting as, or arranging for a third person to act as, a nominee shareholder, on behalf of a person.
Providing a registered office address, principal place of business address, correspondence address or administrative address for a company, partnership, or any other legal entity.
You will be a reporting entity only if you provide any of the above services. For example, general advice on matters such as directors’ duties or employment law would not be captured, and if you only provide such services, you would not be considered a reporting entity.
Legal Privilege
The Department acknowledges the challenges that you may face in relation to legal privilege and SMRs. Legal professional privilege is currently protected by section 242 of the AML/CTF Act, which states that the AML/CTF Act does not affect the law relating to legal professional privilege. The Department proposes to insert a provision in the AML/CTF Act establishing that nothing in the Act affects the right of a person to refuse to answer a question, produce a document or give information on the grounds that the answer to the question, document or information is subject to legal professional privilege.
Moreover, considering the concerns that the three-day timeframe for lodging SMRs is not adequate to allow a proper assessment of whether relevant information is privileged or not, the proposed timeframe will be five days.
Pre-Commencement Customers
You will not be required to conduct CDD on your pre-commencement customers (i.e., customers that have an existing business relationship with you as of the date you are becoming subject to AML/CTF obligations). However, you will be required to assign a risk rating to existing pre-commencement customers, and there will be new triggers for undertaking initial CDD when there is a material change in the customer relationship that results in a rating of medium or high risk. Once a pre-commencement customer has been subject to CDD they would transition to being an ordinary customer for AML/CTF purposes.
For example, you have a business relationship with a customer, Company A, at the commencement date. At that stage, you are not required to conduct CDD on Company A, but you would need to assess Company A’s risks. Six months after the commencement date, Company A provides you with new instructions for a designated service. At this point, you assess that the customer’s risk profile is medium. You are now required to conduct CDD on your pre-commencement customer.
