The Anti-Money Laundering and Counter-terrorism Financing (AML/CTF) regime, consisting of the Anti-money Laundering and Counter-terrorism Financing Act 2006 (Cth) (AML/CTF Act) and its associated regulations and rules, seeks to reduce the risk of financial institutions and other designated service providers facilitating money laundering and terrorism financing.
The AML/CTF regime applies to providers of “designated services”. These providers, referred to as “reporting entities”, are required to implement and maintain an anti-money laundering and counter-terrorism financing program, which generally consists of two parts.
Part A of an AML/CTF program involves identifying, mitigating and managing the money laundering/terrorism financing risks inherent in the reporting entity’s services. This includes procedures for employee training to ensure awareness of money laundering and terrorism financing risks and due diligence of potential new employees.
Part A must be independently and regularly reviewed to ensure that it is working as it should. How often independent reviews should be conducted depends on the type of business involved and the money laundering and terrorism financing risk associated with it. Where the risk is identified as high, independent reviews should be conducted at least every two to three years. Independent reviews may be conducted by someone external or internal to the organisation. An external reviewer might be, for example, a lawyer or an accountant. An example of an internal reviewer may be an auditor in the company that does not have a compliance role. If using an internal reviewer it is important to take adequate measures to ensure that the reviewer is independent. In choosing an independent reviewer, regard should be had to whether they are likely to be influenced by those who were involved in developing the AML/CTF program and how well the person understands the AML/CTF obligations that apply to the organisation.
Part B involves setting out procedures for customer identification and verification to satisfy the ‘know-your-customer’ (KYC) requirements. These procedures must detail how the reporting entity collects and verifies information relating to the identity of customers and their beneficial owners. This includes the identification of new customers and ongoing due diligence of existing customers. An external service provider may be used to help meet a reporting entity’s KYC requirements, so long as relevant provisions under the privacy law are complied with.
Reporting entities are also required to report certain transactions to the Australian Transaction Reports and Analysis Centre (AUSTRAC) and lodge annual compliance reports setting out how the reporting entity has met its AML/CTF obligations.