Guide to AML/CTF Ongoing Customer Due Diligence (OCDD) in Australia


Introduction

Compliance with Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) regulations is essential for businesses in Australia providing designated services. A key component of this compliance framework is Ongoing Customer Due Diligence (OCDD). Mandated by the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and regulated by the Australian Transaction Reports and Analysis Centre (AUSTRAC), OCDD is vital for reporting entities to effectively manage the risks of money laundering and terrorism financing (ML/TF) throughout the entire customer relationship.

This guide provides essential insights and practical guidance on OCDD, including its legal framework, key components, and best practices for implementation. We will explore how OCDD differs from initial Customer Due Diligence (CDD), the importance of a risk-based approach, and the role of AUSTRAC in overseeing compliance. By understanding these aspects, businesses can better navigate their AML/CTF obligations and maintain the integrity of the Australian financial system.

Ongoing Customer Due Diligence and its Importance in AML/CTF Compliance

Defining OCDD

Ongoing Customer Due Diligence (OCDD) is a critical and continuous process that reporting entities must undertake after a customer is onboarded. Businesses in Australia are required to continuously monitor and manage the risks of money laundering and terrorism financing (ML/TF) throughout the entire business relationship.

OCDD is mandated by the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act 2006 (Cth)) and the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (Cth) (AML/CTF Rules Instrument 2007 (No. 1) (Cth)), with the Australian Transaction Reports and Analysis Centre (AUSTRAC) as the primary regulator.

Unlike initial Customer Due Diligence (CDD) or Know Your Customer (KYC) procedures, which are conducted at the start of a business relationship to verify customer identity, the purpose of OCDD is to ensure that the initial understanding of the customer and their risk profile remains current and relevant over time. It involves ongoing activities to:

  • Understand the customer relationship,
  • Monitor transactions, and
  • Manage the ML/TF risks posed by that customer.

Why OCDD is Crucial for AML/CTF Compliance

OCDD is crucial for several reasons related to Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) compliance:

  1. Detecting Suspicious Activities: Customer behaviour and risk profiles can change over time. OCDD helps identify transactions or activities inconsistent with the reporting entity’s knowledge of the customer. These inconsistencies may indicate potential money laundering or terrorism financing activities.
  2. Maintaining Accurate Customer Information: Customer details, such as address, beneficial ownership, and the nature of their business, can change. OCDD ensures that customer information remains up-to-date and accurate, essential for effective risk assessment and management.
  3. Managing ML/TF Risk: OCDD allows reporting entities to reassess and adjust a customer’s risk rating based on their actual behaviour and updated information. This risk-based approach ensures that resources are appropriately allocated to mitigate and manage the ML/TF risks effectively.
  4. Meeting Regulatory Obligations: OCDD measures must be implemented to meet regulatory obligations. Failure to conduct sufficient OCDD breaches the AML/CTF Act and can result in significant penalties from AUSTRAC. Therefore, compliance with OCDD requirements is not just a best practice, but a legal necessity for reporting entities.
  5. Protecting Businesses from Financial Crime: By continuously monitoring customer relationships and transactions, businesses can safeguard their reputation and prevent exploitation by individuals or entities involved in money laundering, terrorism financing, and other illicit activities. A robust OCDD program is a vital component of an effective AML/CTF program, helping to protect both the business and the wider Australian community.

Legal and Regulatory Framework for OCDD in Australia

AML/CTF Act 2006 (Cth) and AML/CTF Rules Instrument 2007 (No. 1) (Cth)

The legal foundation for OCDD in Australia is primarily established by the AML/CTF Act 2006 (Cth) and the AML/CTF Rules Instrument 2007 (No. 1) (Cth). These legislative instruments mandate that reporting entities implement and maintain robust OCDD systems and controls as a core component of their AML/CTF programs.

Specifically, Part 2 (Identification Procedures) and Part 7 (AML/CTF Programs) of the AML/CTF Act outline the requirements for customer identification and ongoing monitoring. Chapter 15 of the AML/CTF Rules also provides detailed obligations for establishing and maintaining an effective OCDD program.

Reporting entities are legally obligated to:

  • Conduct ongoing monitoring of their customers to manage the risks of ML/TF throughout the business relationship.
  • Extend this obligation to designated services provided as occasional transactions and during ongoing business relationships.
  • Monitor transactions and customer behaviour to detect unusual activities that may trigger suspicious matter reporting (SMR) obligations.
  • Regularly review and update risk assessments of customers and their Know Your Customer (KYC) information as appropriate.

The Role of AUSTRAC in OCDD Oversight

AUSTRAC is Australia’s primary regulator overseeing AML/CTF compliance and plays a crucial role in guiding and enforcing OCDD compliance among reporting entities. Its responsibilities include:

  • Providing Guidance and Setting Standards:
    • AUSTRAC’s website offers extensive resources and guidance materials to assist reporting entities in understanding and implementing effective OCDD programs.
    • This includes “Regulatory Quick Guides” that offer concise overviews of key AML/CTF compliance topics, such as OCDD.
    • They also provide industry-specific guidance tailored to different sectors’ unique risks and operational contexts, including financial service providers and digital currency exchange providers.
  • Enforcing Compliance:
    • AUSTRAC actively disrupts criminal abuse of the financial system through financial intelligence and regulation.
    • They emphasise a risk-based approach to OCDD, expecting reporting entities to tailor the nature, frequency, and intensity of their OCDD activities based on the ML/TF risks posed by each customer relationship.
    • AUSTRAC conducts regulatory activities to ensure reporting entities meet their OCDD obligations and take appropriate measures to mitigate and manage ML/TF risks.
  • Responding to Deficiencies:
    • If AUSTRAC identifies deficiencies in OCDD processes, they can issue formal warnings, infringement notices, civil penalty orders, and, in severe cases, criminal charges.

Key Components of an Effective OCDD Program

Transaction Monitoring for Unusual Activities

Transaction monitoring is a critical aspect of OCDD and is essential in identifying, mitigating, and managing ML/TF risks. A robust transaction monitoring program enables reporting entities to detect unusual or potentially suspicious transactions, which may necessitate submitting an SMR to AUSTRAC.

To ensure effectiveness, the transaction monitoring program should be risk-based and tailored to the specific ML/TF risks identified by the business. Key elements of a robust transaction monitoring program include:

  • Risk-Based Approach: The program must align with the business’s ML/TF risk assessment, ensuring that monitoring activities are proportionate to the identified risks. This approach allows businesses to prioritise their resources in areas with higher risk.
  • Regular Audits and Reviews: Continuous auditing and review of the transaction monitoring program are essential to maintain effectiveness. These reviews confirm that the program remains risk-based, covers all transactions and designated services, and operates as intended.
  • Comprehensive Coverage: The program should extend to all transactions and designated services provided by the reporting entity. This comprehensive coverage ensures that every aspect of the business is monitored for potential ML/TF risks.
  • Clear Escalation Processes: Well-defined escalation procedures are necessary to manage identified issues effectively. These processes ensure alerts or suspicious transactions are promptly escalated to the appropriate personnel for further review and action.
  • Defined Accountabilities: Establishing clear accountabilities ensures that guidance and typologies related to ML/TF risks are reviewed promptly. This includes assigning responsibility for the transaction monitoring program’s design, implementation, and oversight.
  • Continuous Customer Monitoring: It is vital to monitor customers throughout the entire business relationship. This continuous oversight ensures that any changes in customer behaviour or risk profiles are detected promptly.

Regular Review and Updating of Customer Information

Maintaining up-to-date customer information is another key component of an effective OCDD program. Regularly reviewing and updating customer information ensures that the KYC data held by reporting entities remains current and accurate throughout the business relationship. This is crucial for accurately assessing and managing ML/TF risks continuously.

Key aspects of regularly reviewing and updating customer information include:

  • Risk-Based Frequency: The frequency of updating customer information should be determined based on the risk associated with each customer. High-risk customers typically require more frequent reviews and updates compared to lower-risk customers.
  • Trigger Events: Certain events should trigger an update to customer information. These events may include significant changes in the customer’s circumstances, unusual transactions, or inconsistencies in the information held.
  • Types of Information to Update: It’s important to regularly review and update key identification information, beneficial ownership details, source of funds or wealth information, and the nature of the customer’s business or occupation.
  • Re-verification When Necessary: In some cases, re-verifying customer information may be necessary, especially for high-risk customers or when doubts arise about the accuracy of existing information.
  • Integration with AML/CTF Program: Processes for reviewing and updating customer information should be formally documented within the reporting entity’s AML/CTF program. This ensures that these activities are conducted systematically and according to regulatory requirements.

Enhanced Customer Due Diligence (ECDD) for High-Risk Scenarios

Enhanced customer due diligence (ECDD) is a critical component of OCDD that is applied in situations with a higher risk of money laundering or terrorism financing. ECDD involves additional scrutiny and enhanced measures beyond standard CDD to mitigate these elevated risks. Reporting entities must have processes to identify high-risk scenarios and apply ECDD measures accordingly.

Scenarios that typically trigger the need for ECDD include:

  • High-Risk Customers: Customers identified as posing a higher ML/TF risk based on the reporting entity’s risk assessment require ECDD. Factors contributing to this classification may include the customer’s industry, geographic location, or business activities.
  • Foreign Politically Exposed Persons (PEPs): Designated services provided to customers who are, or have a beneficial owner who is, a foreign politically exposed person automatically trigger ECDD. Foreign PEPs are considered at higher risk due to their potential for involvement in corruption.
  • Suspicion of ML/TF: When there is a suspicion of money laundering or terrorism financing, ECDD must be applied to thoroughly investigate the potential illicit activity. This trigger is crucial for responding to red flags identified through transaction monitoring or other means.
  • Transactions Involving Prescribed Foreign Countries: Transactions where a party is physically present in or incorporated in a prescribed foreign country, identified as having a higher risk of ML/TF, necessitate ECDD.
  • Material Changes in Business Relationships: Significant changes in the nature or purpose of a business relationship that may increase the customer’s ML/TF risk can also trigger ECDD.

ECDD measures may include:

  • Obtaining Senior Management Approval: Seeking approval from senior management to continue or establish a business relationship with a high-risk customer ensures that higher-risk relationships are subject to additional oversight.
  • Enhanced Information Collection: Collecting additional information to understand the customer’s source of funds, wealth, and the nature of their business activities in greater detail.
  • Increased Monitoring Intensity: Implementing more frequent and intensive transaction monitoring for high-risk customers to promptly detect suspicious activities.
  • Enhanced Verification: Applying enhanced verification measures to confirm the customer’s identity and the accuracy of the information provided.

Implementing a Risk-Based Approach to OCDD

Tailoring OCDD Intensity to Customer Risk

As emphasised by AUSTRAC, OCDD requires a risk-based approach. This approach requires that the nature, frequency, and intensity of OCDD activities be specifically tailored to the ML/TF risks presented by each customer relationship. Reporting entities should avoid a one-size-fits-all strategy and instead focus resources on areas and customers that pose a higher risk of money laundering or terrorism financing.

More frequent and intensive monitoring is necessary for customers with higher risk. This may include:

  • More frequent updates to customer information
  • Lower thresholds for transaction monitoring alerts

In contrast, lower-risk customers can be subject to:

  • Less frequent reviews
  • Standard monitoring protocols

Documenting the Risk-Based Approach in the AML/CTF Program

Documenting your risk-based approach to OCDD within your AML/CTF program is not just a best practice but a crucial step in demonstrating compliance. Your AML/CTF program, particularly Part A, must clearly outline your OCDD systems and controls, including how you tailor the intensity of these controls based on customer risk. This documentation should detail the policies and procedures for:

  • Transaction monitoring
  • Enhanced CDD
  • Regularly reviewing and updating customer information

Clear documentation of your risk-based approach provides a framework for your OCDD activities and serves as evidence of your compliance efforts for AUSTRAC audits. By explicitly outlining how your risk assessment informs your OCDD program, you demonstrate a considered and compliant approach to managing ML/TF risks.

Best Practices for AML/CTF OCDD Compliance

Integrating OCDD with Initial CDD and KYC

Integrating OCDD with initial CDD and KYC procedures is essential for a holistic approach to CDD. Initial CDD and KYC are conducted to verify customer identity at the start of a business relationship. Building upon this foundation, OCDD ensures that the initial understanding of the customer and their risk profile remains current and relevant throughout the relationship.

Integrating OCDD with initial CDD and KYC offers several benefits:

  • Efficiency: Leveraging the information and processes established during initial CDD and KYC streamlines OCDD efforts. This approach avoids duplication of work and ensures a more efficient use of resources.
  • Consistency: Integration maintains a consistent approach to CDD across the entire lifecycle. This consistency helps in preserving accurate and up-to-date customer profiles.
  • Comprehensive Risk Management: A holistic approach provides a more thorough understanding of customer risk. Businesses can better identify and manage evolving ML/TF risks by linking initial and ongoing due diligence.
  • Enhanced Data Quality: Combining these processes improves the quality of customer data. Regular updates and reviews as part of OCDD ensure that the KYC information initially collected remains accurate and reliable.

Staff Training and a Culture of Compliance

Comprehensive staff training on OCDD and a strong culture of compliance are crucial for the effective implementation of, and adherence to, OCDD procedures. Well-trained staff are the first line of defence in identifying suspicious activities and ensuring that a reporting entity meets its AML/CTF obligations.

Key aspects of staff training and fostering a compliance culture include:

  • Regular Training Programs: Implement consistent training programs for all relevant staff members. These programs should cover AML/CTF obligations, OCDD requirements, and the reporting entity’s specific policies and procedures.
  • Understanding ML/TF Risks: Equip staff with the knowledge to understand ML/TF risks, typologies, and red flags. This understanding enables them to effectively identify unusual transactions and behaviours.
  • Roles and Responsibilities: Clearly define and communicate each staff member’s roles and responsibilities within the AML/CTF program, particularly concerning OCDD. This clarity ensures accountability and a shared understanding of compliance expectations.
  • Escalation Procedures: Train staff on clear escalation procedures for reporting suspicious activities or potential compliance breaches. They should know whom to contact and how to escalate concerns promptly.
  • Promoting a Compliance Culture: Foster a strong culture of compliance throughout the organisation. Leadership should demonstrate a commitment to AML/CTF compliance and encourage all employees to prioritise regulatory obligations.
  • Continuous Updates: Provide ongoing training and updates to staff to reflect changes in regulations, AUSTRAC guidance, and emerging ML/TF risks. This ensures that staff remain informed and competent in their roles.
  • Record Keeping: Train staff on accurate and thorough record-keeping for all CDD activities. This includes understanding what records to keep, how to maintain them, and the required retention periods.

Conclusion

Ongoing Customer Due Diligence (OCDD) is an indispensable and continuous obligation for reporting entities within the Australian Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) framework.

It is fundamentally risk-based, requiring businesses to tailor their monitoring and due diligence efforts to the specific risks their customers present and the ever-changing landscape of financial threats. A well-documented and regularly updated AML/CTF program, which includes robust OCDD procedures, is essential for compliance and effectively managing the risks of money laundering and terrorism financing (ML/TF).

To ensure your business meets its compliance obligations and effectively mitigates financial crime risks, consider leveraging expert guidance. Contact AML House today to book your consultation and explore our proven solutions, ensuring your business is fortified with an AML/CTF program incorporating best practice OCDD.

Businesses need tailored AML/CTF programs that address specific operational risks and meet Australian Transaction Reports and Analysis Centre (AUSTRAC) regulations. If you require assistance in developing or reviewing your organisation’s AML/CTF program, our team at AML House is ready to help, with our expertise in Australia’s anti-money laundering and counter-terrorism legislation. Contact us today to explore how our specialised knowledge can support your compliance needs.
