Introduction
Customer Due Diligence (CDD) is fundamental to compliance under Australia’s anti-money laundering and counter-terrorism financing (AML/CTF) regime. Mandated by the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), these processes require reporting entities to effectively identify, verify, and understand their customers to mitigate and manage money laundering and terrorism financing risk, thereby protecting the integrity of the Australian financial system.
This guide provides a comprehensive overview for reporting entities navigating their CDD obligations. It covers essential aspects such as initial customer identification and ongoing customer due diligence (OCDD), identifying the beneficial owner and politically exposed person (PEP) status, understanding the risk-based approach mandated by Australian Transaction Reports and Analysis Centre (AUSTRAC), and managing the overall customer risk profile before you provide a designated service.
Understanding the Risk-Based Approach and Legal Framework
Applying the Risk-Based Approach Principle
Australia’s AML/CTF regime is based on a risk-based approach (RBA). This core principle requires reporting entities to identify, assess, and understand the specific money laundering and terrorism financing (ML/TF) risks their business faces. Based on this understanding, entities must apply AML/CTF measures proportionate to those risks.
The RBA moves away from a rigid, one-size-fits-all checklist, allowing businesses flexibility to tailor their compliance efforts. This approach offers several advantages:
- It enables more efficient allocation of resources, focusing greater attention on areas identified as higher risk
- It helps minimise unnecessary compliance burdens on customers assessed as low risk
- It promotes cost-effectiveness while aiming for effective outcomes in preventing financial crime
Key AML/CTF Legislation You Must Know
The primary legislation governing CDD obligations in Australia is the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth). This Act establishes the main legal framework and mandates reporting entities to implement measures to manage ML/TF risks. It outlines the core principles, including the requirement for an RBA.
The Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (AML/CTF Rules) complements the Act. These subsidiary rules, issued by AUSTRAC, provide detailed operational requirements for implementing the AML/CTF Act obligations.
Understanding AUSTRAC’s Compliance Role
AUSTRAC is Australia’s AML/CTF regulator and financial intelligence unit (FIU). AUSTRAC is critical in overseeing compliance with the AML/CTF Act and Rules. Its functions are multifaceted and essential to the regime’s operation.
AUSTRAC’s key responsibilities include:
- Supervision and Enforcement: Monitoring reporting entities to ensure they meet their obligations, and taking enforcement action for non-compliance
- Guidance and Education: Providing resources, risk assessments, and guidance materials to help reporting entities understand and fulfil their compliance duties
- Financial Intelligence: Receiving, analysing, and disseminating financial intelligence derived from reports submitted by entities, such as Suspicious Matter Reports (SMRs), to support law enforcement and national security agencies
How to Conduct Your ML/TF Risk Assessment
A mandatory requirement under the RBA is for reporting entities to conduct and document a thorough ML/TF risk assessment. This assessment is the foundation of an entity’s AML/CTF program, enabling it to understand its specific vulnerabilities to financial crime.
The assessment process informs the development of appropriate systems and controls to mitigate and manage identified risks. When conducting the assessment, reporting entities must consider several key risk factors:
- Customer Types: Assessing risks associated with different customer profiles, including individuals, companies, trusts, PEPs, and beneficial owners
- Products and Services: Evaluating the inherent risks of the designated services offered, such as banking, remittance, or digital currency exchange services
- Delivery Channels: Considering the risks associated with how services are delivered, for instance, face-to-face versus online channels
- Geographic Jurisdictions: Analysing risks related to the countries the entity operates in or deals with, including customer locations and transaction destinations, paying attention to high-risk jurisdictions
This risk assessment is not a static document; it must be regularly reviewed and updated. Updates are necessary when significant business changes occur or in response to new guidance or risk information published by AUSTRAC.
Performing Initial Customer Due Diligence (CDD)
Know Your Customer Identification and Verification
The core of initial CDD involves establishing and verifying your customer’s identity through Know Your Customer (KYC) processes. Before providing any designated service, reporting entities must collect and verify specific identity information to ensure the customer is who they claim to be, forming a crucial part of AML/CTF compliance.
The information required depends on the customer type and their assessed ML/TF risk. Verification must use reliable and independent sources, including documents, electronic data, or a combination. The Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Cth) replaces the term ‘applicable customer identification procedures’ with ‘initial CDD’, focusing on the outcome of knowing the customer and understanding their financing risk.
Minimum requirements generally include:
- Individuals: Collect full name and either date of birth or residential address. Verify the full name and the collected date of birth or address.
- Companies (Australian): Collect full name, registration status (public/proprietary), Australian Company Number (ACN) or Australian Registered Body Number (ARBN), registered office address, and principal place of business. Verify name, ACN/ARBN, status, and existence, often via Australian Securities and Investments Commission (ASIC) records.
- Trusts (Australian Regulated): Collect the full name of the trust and trustee, as well as the trustee’s Australian Business Number (ABN) (if applicable). Verify the trust’s existence and the trustee’s identity according to their entity type.
Reporting entities need documented, risk-based systems to handle discrepancies found during verification. For medium- and low-risk individuals, ‘safe harbour’ procedures may apply, using documents or electronic data sources. Digital identity service providers can be used if the reporting entity is satisfied that the verification meets risk requirements and uses reliable data, though the reporting entity remains liable.
Identifying and Verifying Beneficial Owners
A critical requirement, especially for non-individual customers like companies and trusts, is identifying the ultimate beneficial owner(s) (UBOs). A UBO is an individual who ultimately owns or controls the customer entity. Understanding who ultimately controls a customer is vital for preventing the misuse of complex legal structures for illicit purposes.
Typically, a UBO is defined as an individual who:
- Owns 25% or more of the customer entity, directly or indirectly
- Exercises effective control over the customer through other means, such as significant influence or power over financial or operating policies
Reporting entities must take reasonable measures to identify these individuals by understanding the customer’s ownership and control structure. This often involves analysing documents like trust deeds or company registers. Once identified, the entity must collect the UBO’s full name and date of birth or residential address.
Furthermore, reasonable measures must be taken to verify this collected identity information using reliable and independent sources. The effort required depends on the assessed ML/TF risk. If, after reasonable attempts, no individual meets the UBO definition, steps must be taken to identify and verify a senior managing official or equivalent person exercising control.
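The ownership-threshold test described above can be applied mechanically once the ownership chain has been mapped. The following is an added example (not from this guide or from AUSTRAC) that aggregates an individual's direct and indirect holdings across layered entities, applies the 25% test, accepts a manually assessed set of persons who exercise control by other means, and falls back to a senior managing official when no individual qualifies. All names, entities and percentages are constructed for illustration.

```python
from collections import defaultdict

UBO_THRESHOLD = 0.25  # 25% or more, directly or indirectly (the guide's test)

# Constructed sample ownership structure; every name here is fictitious.
# SAMPLE_HOLDINGS[owner][owned_entity] = fraction of owned_entity held by owner.
SAMPLE_HOLDINGS = {
    "Alpha Holdings Pty Ltd": {"Target Pty Ltd": 0.50},
    "Beta Unit Trust": {"Target Pty Ltd": 0.40},
    "Alice": {"Target Pty Ltd": 0.10, "Alpha Holdings Pty Ltd": 0.40},
    "Bob": {"Alpha Holdings Pty Ltd": 0.60},
    "Carol": {"Beta Unit Trust": 0.50},
    "Dave": {"Beta Unit Trust": 0.50},
}
# Natural persons: traversal stops here, because a UBO must be an individual.
SAMPLE_INDIVIDUALS = {"Alice", "Bob", "Carol", "Dave"}


def direct_owners(entity, holdings):
    """Return {owner: fraction} for everyone holding a direct interest in entity."""
    return {owner: h[entity] for owner, h in holdings.items() if entity in h}


def indirect_holdings(entity, holdings, individuals):
    """Aggregate each individual's direct plus indirect interest in entity.

    An interest held through a chain of entities is the product of the
    fractions along the chain; interests held through several chains (or
    directly as well as indirectly) are summed for the same person.
    """
    totals = defaultdict(float)

    def walk(node, fraction, path):
        for owner, share in direct_owners(node, holdings).items():
            if owner in path:  # circular cross-holding: stop rather than loop
                continue
            if owner in individuals:
                totals[owner] += fraction * share
            else:
                walk(owner, fraction * share, path | {owner})

    walk(entity, 1.0, frozenset({entity}))
    return {name: round(f, 4) for name, f in totals.items()}


def determine_ubos(entity, holdings, individuals, other_control=frozenset(),
                   senior_managing_official=None, threshold=UBO_THRESHOLD):
    """Identify UBOs for entity and say on what basis they were identified.

    other_control: individuals assessed (outside this calculation) as
    exercising effective control by other means; they are UBOs regardless
    of shareholding. If nobody qualifies, the guide requires identifying a
    senior managing official instead, so that name is returned as fallback.
    """
    fractions = indirect_holdings(entity, holdings, individuals)
    ubos = {n for n, f in fractions.items() if f >= threshold} | set(other_control)
    if ubos:
        return "ownership_or_control", sorted(ubos)
    if senior_managing_official is None:
        raise ValueError("no UBO found; a senior managing official must be identified")
    return "senior_managing_official", [senior_managing_official]


if __name__ == "__main__":
    print(indirect_holdings("Target Pty Ltd", SAMPLE_HOLDINGS, SAMPLE_INDIVIDUALS))
    print(determine_ubos("Target Pty Ltd", SAMPLE_HOLDINGS, SAMPLE_INDIVIDUALS))
```

In the sample, Alice's 10% direct stake alone would not qualify, but added to her 20% indirect stake through Alpha Holdings it reaches 30%, which is why aggregation across chains matters.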
Understanding the Relationship Nature & Purpose
Reporting entities must establish, on reasonable grounds, the nature and purpose of the business relationship or occasional transaction as part of the initial CDD. This involves understanding why the customer needs the designated service and what activities they intend to undertake, which helps assess the initial ML/TF risk profile.
Knowing the intended nature and purpose provides a baseline for expected customer behaviour. This baseline is essential for effective OCDD, allowing the reporting entity to identify transactions or activities that deviate significantly from expectations. Such deviations could indicate unusual or suspicious activity requiring further investigation.
The level of detail required is risk-based. For simple, low-risk services, the purpose might be self-evident. However, a more thorough understanding is necessary for higher-risk or more complex relationships to effectively mitigate and manage potential financing risk.
Identifying & Screening Politically Exposed Persons
Determining whether a customer or their UBO is a PEP is a mandatory part of initial CDD. PEPs are individuals who hold, or have held, prominent public functions domestically, overseas, or in international organisations. Their family members and close associates are also included in this definition.
Reporting entities must have risk-based procedures to identify PEPs. This can involve:
- Directly asking the customer
- Conducting checks using public information sources
- Utilising commercial databases that screen against PEP lists
PEPs, particularly foreign PEPs, are considered at higher risk due to their potential susceptibility to corruption and bribery, which can be linked to money laundering. Identifying a customer or UBO as a PEP automatically triggers specific due diligence requirements. All foreign PEPs, along with high-risk domestic and international organisation PEPs (and their relevant family/associates), require the application of enhanced customer due diligence (ECDD).
Meeting Timing Requirements for Initial CDD
The general rule under the AML/CTF Act is that initial CDD, particularly identity verification, must be completed before providing a designated service to the customer. This applies whether establishing an ongoing relationship or conducting a one-off transaction. Providing a designated service is prohibited if identification cannot be completed.
Limited exceptions exist, allowing verification to occur as soon as reasonably practicable after starting to provide the service. These exceptions apply only when:
- Delaying verification is essential to avoid interrupting the ordinary course of business
- The associated risk is assessed as low
- The reporting entity has policies to manage the delay risk and complete verification promptly
- Specific requirements in the AML/CTF Rules are met
Identifying UBOs and determining PEP status can generally be done before providing the service or as soon as practicable. For pre-commencement customers (those relationships established before the entity was subject to the Act or before new CDD rules commence), initial CDD is not required unless a specific trigger occurs, such as a suspicious matter arising or a significant change increasing their ML/TF risk to medium or high.
Relying on Third Parties for Initial CDD
Reporting entities can, under specific conditions, rely on the customer identification procedures performed by another entity, known as a ‘reliable third party’. This typically requires a formal, written Customer Due Diligence (CDD) arrangement approved by senior management. The third party must be another AUSTRAC-regulated entity or a foreign entity subject to equivalent AML/CTF laws.
Key conditions for reliance include:
- The arrangement must allow the relying entity to obtain the required KYC and verification information promptly
- The relying entity must assess the third party’s compliance measures and risk profile before relying and regularly thereafter (e.g., biennially)
- The relying entity must have reasonable grounds to believe the third party complies with relevant CDD and record-keeping obligations
Importantly, the relying entity remains ultimately responsible for meeting its own CDD obligations for the customer. It must still apply its risk assessment and may need to perform additional checks if the third party’s CDD is insufficient for the specific service or risk level. Establishing a formal arrangement may provide ‘safe harbour’ protection from liability for isolated third-party breaches, but only if proper due diligence on the third party was conducted.
Maintaining Ongoing Customer Due Diligence (OCDD)
The Requirement for Continuous Customer Monitoring
CDD extends beyond the initial onboarding phase; it necessitates ongoing vigilance throughout the customer relationship. Reporting entities must continuously monitor and manage their customers’ ML/TF risks.
This OCDD ensures that:
- Customer information remains current
- Changes in behaviour or risk profile can be detected promptly
The systems and controls for OCDD are a mandatory component documented in Part A of a reporting entity’s AML/CTF program. Effective OCDD is crucial for continually identifying, mitigating, and managing financing risk, thereby protecting the business and the community from financial crime.
Implementing Effective Transaction Monitoring Programs
A vital element of OCDD is the implementation of a transaction monitoring program. This program involves scrutinising customer transactions to identify activities that appear unusual, suspicious, or inconsistent with the customer’s known profile and the stated purpose of the business relationship.
The design of this program must follow an RBA, tailored to the reporting entity’s specific:
- ML/TF risk assessment
- Customer base
- Products and services offered
Effective transaction monitoring programs should cover all designated services and transactions and may utilise:
- Technology: Specialised software can automate monitoring, flagging potentially suspicious activities based on predefined rules and thresholds. This approach is particularly useful for businesses with high transaction volumes.
- Manual Systems: Manual methods like spreadsheet analysis might suffice for smaller entities or those with lower transaction volumes, provided they effectively identify risks.
Regardless of the method chosen, the transaction monitoring program requires regular audits and reviews. These assessments ensure the program remains appropriately risk-based, operates effectively, and stays current with emerging ML/TF trends and typologies identified by AUSTRAC.
Identifying Red Flags and Reporting Suspicious Matters
Ongoing monitoring aims to detect ‘red flags’—indicators suggesting potential money laundering, terrorism financing, or other illicit activities. Reporting entities must be alert for various warning signs, including:
- Transactions inconsistent with the customer’s known profile or income
- Sudden or unexplained changes in transaction patterns (e.g., volume, value, frequency, location)
- Dealings involving high-risk jurisdictions without clear justification
- Complex transaction structures that obscure fund origins or counterparties
- Attempts to structure transactions below reporting thresholds (e.g., A$10,000)
- Reluctance to provide requested information or documentation
- Activity matching known ML/TF indicators published by AUSTRAC
Upon detecting suspicious activity, reporting entities face specific obligations under the AML/CTF Act:
- Suspicion automatically triggers the need to apply ECDD measures to investigate further if the business relationship is to continue.
- If the entity forms a suspicion on reasonable grounds regarding ML/TF, proceeds of crime, tax evasion, or identity fraud, it must submit an SMR to AUSTRAC.
Timing requirements for SMRs are strict:
- SMRs concerning potential terrorism financing must be filed within 24 hours
- Most other SMRs are due within three business days
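The rule-based monitoring described in the transaction monitoring section and the red flags listed above can be expressed as concrete detection logic. The following is an added example (not from this guide or from any vendor product) that runs three rules over constructed sample transactions: cash amounts clustered just below the A$10,000 reporting threshold, a transaction far outside the customer's established baseline, and dealings with the prescribed foreign countries named in this guide. It also computes the SMR deadline from the time the suspicion was formed; the band, window, multiplier and the treatment of weekends only (no public holidays) are assumptions to be tuned to the entity's own risk assessment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample transactions (not real data); amounts in AUD.
SAMPLE_TXNS = [
    {"cust": "C1", "ts": "2024-02-05T09:10", "amount": 1200.0, "cash": False, "country": "AU"},
    {"cust": "C1", "ts": "2024-02-12T09:05", "amount": 1350.0, "cash": False, "country": "AU"},
    {"cust": "C1", "ts": "2024-02-19T09:20", "amount": 1100.0, "cash": False, "country": "AU"},
    {"cust": "C1", "ts": "2024-02-26T09:15", "amount": 1500.0, "cash": False, "country": "AU"},
    {"cust": "C1", "ts": "2024-03-01T16:40", "amount": 45000.0, "cash": False, "country": "AU"},
    {"cust": "C2", "ts": "2024-03-01T10:00", "amount": 9500.0, "cash": True, "country": "AU"},
    {"cust": "C2", "ts": "2024-03-02T10:30", "amount": 9800.0, "cash": True, "country": "AU"},
    {"cust": "C2", "ts": "2024-03-04T11:00", "amount": 9900.0, "cash": True, "country": "AU"},
    {"cust": "C3", "ts": "2024-03-03T13:00", "amount": 2000.0, "cash": False, "country": "IR"},
]

REPORT_THRESHOLD = 10000.0          # A$10,000 threshold referred to in the guide
PRESCRIBED_COUNTRIES = {"IR", "KP"} # Iran and North Korea, as named in the guide
STRUCTURING_BAND = 0.85             # assumption: cash between 85% and 100% of threshold
STRUCTURING_WINDOW = timedelta(days=7)
STRUCTURING_MIN_COUNT = 3           # assumption: three near-threshold cash txns in a window
MIN_HISTORY = 3                     # assumption: baseline needs at least three prior txns
DEVIATION_MULTIPLIER = 10           # assumption: >10x the customer's median is unusual


def _when(txn):
    return datetime.fromisoformat(txn["ts"])


def _by_customer(txns):
    groups = defaultdict(list)
    for t in txns:
        groups[t["cust"]].append(t)
    return {c: sorted(rows, key=_when) for c, rows in groups.items()}


def structuring_alerts(txns):
    """Flag customers with several near-threshold cash transactions in a short window."""
    alerts, lo = [], STRUCTURING_BAND * REPORT_THRESHOLD
    for cust, rows in _by_customer(txns).items():
        near = [r for r in rows if r["cash"] and lo <= r["amount"] < REPORT_THRESHOLD]
        for i, first in enumerate(near):
            window = [r for r in near[i:] if _when(r) - _when(first) <= STRUCTURING_WINDOW]
            if len(window) >= STRUCTURING_MIN_COUNT:
                alerts.append({"rule": "structuring", "cust": cust,
                               "detail": [r["amount"] for r in window]})
                break  # one alert per customer is enough to open a review
    return alerts


def deviation_alerts(txns):
    """Flag a transaction far above the customer's own established baseline."""
    alerts = []
    for cust, rows in _by_customer(txns).items():
        for i in range(MIN_HISTORY, len(rows)):
            baseline = median(r["amount"] for r in rows[:i])
            if rows[i]["amount"] > DEVIATION_MULTIPLIER * baseline:
                alerts.append({"rule": "deviation", "cust": cust,
                               "detail": {"amount": rows[i]["amount"], "baseline": baseline}})
    return alerts


def jurisdiction_alerts(txns):
    """Flag dealings with prescribed foreign countries."""
    return [{"rule": "jurisdiction", "cust": t["cust"], "detail": t["country"]}
            for t in txns if t["country"] in PRESCRIBED_COUNTRIES]


def run_monitoring(txns):
    return structuring_alerts(txns) + deviation_alerts(txns) + jurisdiction_alerts(txns)


def smr_due(suspicion_formed_iso, terrorism_financing):
    """Deadline for lodging the SMR: 24 hours for TF, otherwise three business days.

    Business days skip Saturday and Sunday only; public holidays are not
    modelled (assumption). The time of day is carried forward, which is the
    conservative reading of "within three business days".
    """
    formed = datetime.fromisoformat(suspicion_formed_iso)
    if terrorism_financing:
        return (formed + timedelta(hours=24)).isoformat(timespec="minutes")
    due, remaining = formed, 3
    while remaining:
        due += timedelta(days=1)
        if due.weekday() < 5:
            remaining -= 1
    return due.isoformat(timespec="minutes")


if __name__ == "__main__":
    for alert in run_monitoring(SAMPLE_TXNS):
        print(alert)
    print(smr_due("2024-03-01T14:00", terrorism_financing=False))
```

An alert from any rule is a prompt for investigation and possible ECDD, not a suspicion in itself; the SMR clock starts only once the entity forms a suspicion on reasonable grounds.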
Keeping Customer Information & Risk Profiles Updated
Maintaining current and accurate customer information is a fundamental aspect of OCDD. Reporting entities must have processes to periodically review and update KYC information and reassess the customer’s ML/TF risk profile throughout the business relationship.
The frequency of these reviews should align with the customer’s risk level, with higher-risk customers necessitating more frequent updates.
Reviews and updates can also be triggered by specific events, such as:
- Significant changes observed in the customer’s transaction behaviour
- A material alteration in the nature or purpose of the business relationship
- Changes identified in the customer’s control structure or UBO
- The identification of suspicious activity or the filing of an SMR
- Information suggesting a change in the customer’s circumstances (e.g., becoming a PEP)
- Concerns arising about the adequacy or veracity of previously obtained information
- Data breaches that might compromise customer identity information
If, during OCDD, a reporting entity develops reasonable grounds to doubt the veracity of previously obtained identification information, it must take reasonable steps to re-verify the customer’s identity. These updating processes ensure the reporting entity can understand its customer or UBO and effectively manage any evolving financing risk.
Applying Enhanced vs Simplified Due Diligence
Enhanced Due Diligence Triggers & Measures
ECDD involves applying stricter checks and gathering more information than standard CDD. Reporting entities must apply ECDD when the ML/TF risk is assessed as high. The specific procedures for ECDD must be documented in Part A of the entity’s AML/CTF program.
The Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Cth) clarifies that ECDD must be applied proportionately to the risk during initial and ongoing CDD when certain triggers occur. These mandatory triggers include situations where:
- The ML/TF or proliferation financing risk associated with providing the designated service to the customer is assessed as high by the reporting entity.
- There is a suspicion of money laundering, terrorism financing, proliferation financing, or identity fraud, and the reporting entity intends to continue the business relationship.
- The customer, their UBO, or someone receiving the designated service on their behalf is identified as a foreign PEP.
- The customer, their UBO, or someone receiving the service on their behalf is a high-risk domestic PEP or a high-risk international organisation PEP (including their relevant family members and close associates).
- The customer, their UBO, or someone acting for them is physically present in, or is a legal entity formed in, a high-risk jurisdiction identified by the Financial Action Task Force (FATF) as requiring enhanced due diligence, or a ‘prescribed foreign country’ under Australian law (currently Iran and North Korea).
- The designated service involves a nested services relationship.
- The customer belongs to a category specified in the AML/CTF Rules requiring ECDD.
When ECDD is triggered, reporting entities must implement more rigorous measures than standard CDD. These measures should be appropriate for the specific high-risk situation and may include:
- Collecting additional identification or verification information about the customer or UBO.
- Conducting more thorough verification of identity using multiple reliable sources.
- Performing deeper analysis of the collected KYC information.
- Applying enhanced transaction monitoring to scrutinise past and future activities more closely.
- Obtaining a more detailed understanding of the nature and purpose of the business relationship.
ECDD Spotlight: Checking Source of Funds & Wealth
A critical component of ECDD, particularly for high-risk customers, involves understanding the origin of their money. Reporting entities must take reasonable measures to establish the customer’s source of funds (SoF) and wealth (SoW). This check is mandatory when dealing with foreign PEPs and their associates.
It’s important to distinguish between the two:
- Source of Funds (SoF): This refers to the origin of the specific funds used for a particular transaction or to initiate the business relationship (e.g., salary, proceeds from selling property, business income).
- Source of Wealth (SoW): This relates to the origin of the customer’s (and potentially UBOs’) total economic resources or assets (i.e., how they accumulated their overall wealth).
Understanding SoF and SoW helps assess the legitimacy of a customer’s financial activities and identify potential links to illicit proceeds. The requirement is to take ‘reasonable measures,’ meaning the depth of inquiry should be practical and proportionate to the assessed financing risk.
Verification might involve:
- Analysing customer-provided information
- Requesting documents like tax returns or bank statements
- Consulting independent sources such as public records or commercial databases
ECDD Spotlight: Obtaining Senior Management Approval
For high-risk relationships, obtaining approval from senior management is a mandatory control within the ECDD framework. This approval is required before establishing or continuing a business relationship with a foreign PEP. Based on the reporting entity’s risk assessment, it should also be considered for other customers subject to ECDD.
This requirement ensures that decisions regarding high-risk customers receive appropriate oversight and accountability at a senior level. It forces a conscious consideration of the risks involved in dealing with such customers. The decision made by senior management, based on the ECDD findings, must be documented and retained as part of the compliance records, demonstrating a strategic approach to risk acceptance.
Simplified Due Diligence Conditions & Measures
Simplified Customer Due Diligence (SDD) allows reporting entities to apply less intensive measures in specific, demonstrably low-risk situations. However, SDD does not mean ‘no due diligence’; core obligations like identifying the customer must still be met.
Under the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Cth), SDD measures can only be applied during initial or ongoing CDD when both of the following conditions are satisfied:
- The money laundering, terrorism financing, or proliferation financing risk associated with the customer is assessed by the reporting entity as low.
- None of the specific triggers for applying ECDD are present.
Reporting entities have discretion regarding when to use SDD (provided the conditions are met) and how much to simplify their standard procedures, ensuring the approach remains appropriate for the identified low risk. AUSTRAC is expected to provide guidance to help identify objectively low-risk scenarios.
Examples of permissible simplified measures could include:
- Requiring less documentary or electronic evidence for identity verification, while being reasonably satisfied with the identity.
- Inferring the nature and purpose of the business relationship if it is obvious from the service provided and other information collected, rather than explicitly asking.
- Applying different thresholds for transaction monitoring alerts suitable for low-risk profiles.
- Utilising existing simplified verification procedures for certain low-risk entity types (e.g., specific listed companies or regulated trusts).
The justification for assessing the risk as low and applying SDD must be documented within the reporting entity’s AML/CTF program.
Meeting AML Record-Keeping Requirements
Essential CDD & Transaction Records You Must Keep
Reporting entities have a crucial obligation under the AML/CTF Act to create and maintain comprehensive records. These records must be sufficient to demonstrate compliance with CDD obligations and allow for the reconstruction of transactions.
Keeping accurate records is fundamental to AML/CTF compliance. The following key records must be maintained:
- CDD Records: These document the identification and risk assessment process, including:
  - Procedures followed
  - KYC information collected (including UBO details and PEP status)
  - Verification documents or data used
  - Risk analysis or assessment details
  - ECDD measures applied
  - Information regarding third-party reliance arrangements
- Transaction Records: These must contain sufficient detail to reconstruct each designated service provided, typically including:
  - Dates
  - Amounts
  - Methods
  - Parties involved
  - Purpose (if known)
- AML/CTF Program Records: Documentation related to the development, implementation, and review of the entity’s AML/CTF program, including risk assessments and internal controls.
- Other Required Records: Depending on the entity’s activities, additional records may be necessary, such as:
  - International funds transfer instructions (IFTIs)
  - Staff training documentation
  - Correspondent banking due diligence
It is important to note that reporting entities are not necessarily required to keep copies of identity documents used for verification. Instead, they must retain records detailing what was done to identify the customer and the specific identifying information presented (e.g., details from a passport used for verification).
Understanding the Seven-Year Record Retention Rule
The standard retention period mandated by the AML/CTF Act for most required records is seven years. However, the starting point for this seven-year period varies depending on the type of record involved.
Understanding these different triggers is essential for compliance. The seven-year clock starts at different points for various records:
- CDD Records: Must be kept for the entire duration of the business relationship, plus an additional seven years after the reporting entity ceases providing any designated service to the customer.
- Transaction Records: Must generally be kept for seven years after the transaction was completed or the record was made.
- AML/CTF Program Records: These need to be kept for seven years after the program or the relevant part of it ceases to be in force.
- Reliance Records: Records related to the assessment of third parties for reliance arrangements must be kept for seven years after the assessment record was prepared. Additionally, records obtained via reliance must be kept for seven years after the relying entity last provided a designated service.
Ensuring Secure & Accessible Records for AUSTRAC
Maintaining the security and integrity of AML/CTF records is as important as creating and retaining them. Reporting entities must store these records securely to prevent unauthorised access, modification, disclosure, loss, or misuse. This secure storage helps protect sensitive customer information and mitigates risks associated with data breaches.
Appropriate security measures depend on the record format:
- Physical Records: Secure storage might involve:
  - Locked cabinets or rooms
  - Restricted access controls
- Digital Records: Essential security measures include:
  - Secure systems
  - Access controls
  - User activity logging
  - Encryption
  - Regular backups
While security is critical, records must also remain reasonably accessible. They need to be readily available for inspection by AUSTRAC during compliance assessments and producible upon lawful request from law enforcement or other competent authorities.
Understanding the Consequences of Non-Compliance
How AUSTRAC Enforces Compliance
Failure to meet CDD and other AML/CTF obligations can result in significant enforcement actions from AUSTRAC. As the primary regulator, AUSTRAC has a range of powers to address non-compliance by reporting entities.
AUSTRAC’s enforcement toolkit includes:
- Civil Penalty Orders: AUSTRAC can seek substantial monetary penalties through the Federal Court for breaches of civil penalty provisions in the AML/CTF Act. Maximum penalties can reach millions of dollars per breach for corporations, as seen in major cases involving large financial institutions and gaming companies.
- Enforceable Undertakings (EUs): Reporting entities may enter into legally binding agreements with AUSTRAC, committing to specific actions to rectify compliance failures and prevent recurrence.
- Infringement Notices: For certain less severe breaches, such as failures in record-keeping or reporting, AUSTRAC can issue infringement notices with fixed monetary penalties.
- Remedial Directions: AUSTRAC can issue directions requiring a reporting entity to take specific steps to ensure compliance, like submitting overdue reports or fixing program deficiencies.
- External Auditor Appointments: AUSTRAC may require an entity to appoint an external auditor, at its cost, to review its AML/CTF compliance and risk management systems.
- Registration Actions: For remittance and digital currency exchange providers, AUSTRAC can refuse, suspend, cancel, or impose conditions on their registration if they pose unacceptable risks or fail to meet requirements.
Wider Impacts: Financial, Reputational & Criminal Risks
The consequences of non-compliance extend far beyond direct regulatory penalties imposed by AUSTRAC. Reporting entities face a broader spectrum of negative impacts that can severely affect their operations and standing.
These wider repercussions include:
- Significant Financial Costs: Beyond fines, entities incur substantial expenses for remediation programs, legal fees, system upgrades, and audits to address compliance failures.
- Severe Reputational Damage: Public enforcement actions can damage an entity’s reputation and erode trust among customers, investors, and business partners, potentially leading to long-term brand harm.
- Potential Criminal Liability: While many breaches are civil matters, serious or intentional non-compliance can lead to criminal prosecution under the AML/CTF Act or the Criminal Code Act 1995 (Cth). This can result in large fines and, for individuals involved, imprisonment.
- Operational Disruption: Enforcement actions, such as remedial directions or registration suspensions, can significantly disrupt or halt business operations.
- Societal Harm: Compliance failures contribute to the broader societal costs associated with organised crime and terrorism financing, undermining the integrity of the Australian financial system.
Conclusion
Effective CDD, encompassing initial identification, ongoing monitoring, and risk-based assessments, is crucial for reporting entities to comply with Australia’s AML/CTF obligations under the AML/CTF Act. Maintaining robust CDD processes, including proper record-keeping and applying enhanced or simplified measures as needed, is essential for mitigating financing risk and avoiding significant penalties from AUSTRAC.
Navigating these complex CDD requirements demands specialised knowledge. Contact AML House today for expert legal and consulting services tailored to help your business effectively manage compliance under the AML/CTF regime and transform these regulatory challenges into strategic opportunities.
Frequently Asked Questions
The main purpose of Customer Due Diligence (CDD) is to help reporting entities identify, verify, and understand their customers and the associated ML/TF risks they might pose. It is a fundamental part of preventing financial crime and complying with Australia’s AML/CTF regime.
Initial CDD involves identifying and verifying the customer and ultimate beneficial owners (UBOs) and understanding the relationship’s purpose before providing a designated service. Ongoing Customer Due Diligence (OCDD) requires continuous monitoring of transactions and customer profiles throughout the business relationship to detect changes, manage financing risk, and update information.
Enhanced Customer Due Diligence (ECDD) must be applied in situations assessed as high risk for money laundering or terrorism financing. This includes mandatory triggers such as dealing with foreign PEPs, high-risk domestic or international organisation PEPs, forming a suspicion of illicit activity, or transactions involving prescribed foreign countries or certain high-risk jurisdictions identified by FATF.
Politically exposed persons (PEPs) are individuals who hold prominent public functions; together with their family members and close associates, they are considered higher risk for potential involvement in corruption and money laundering. Identifying PEPs is mandatory in CDD, and interactions with foreign PEPs automatically require ECDD.
Yes, reporting entities can rely on CDD performed by another regulated entity (a ‘reliable third party’) under specific conditions outlined in a formal CDD arrangement approved by senior management. However, the relying entity retains ultimate responsibility for compliance and must conduct its own assessment of the third party and the customer’s risk profile.
CDD records, including identification, verification, and risk assessment details, must generally be kept for seven years after the reporting entity ceases providing any designated service to the customer (i.e., after the business relationship ends). Transaction records typically need to be kept for seven years after completing the transaction.
If you form a suspicion on reasonable grounds regarding money laundering or terrorism financing (ML/TF), you must apply ECDD if you intend to continue the relationship. You must also submit an SMR to AUSTRAC within 24 hours for terrorism financing concerns, or three business days for most other suspicions.
An ultimate beneficial owner (UBO) is the individual who ultimately owns or controls a customer entity, such as a company or trust, even through complex legal structures. Identifying and taking reasonable measures to verify UBOs (typically those with 25% or more ownership or effective control) is a key requirement of CDD.
Generally, you do not need to perform Initial CDD on pre-commencement customers unless a specific trigger occurs. These triggers include forming a suspicion requiring an SMR for that customer, or a significant change in the relationship that increases their assessed ML/TF or proliferation financing risk to medium or high.