Overview of the Anti-money Laundering and Counter-Terrorism Financing Legislation

By Narelle Smythe.

Key Points:
Public comment is sought on new Commonwealth legislation to combat money laundering and terrorism financing activities.

On 16 December 2005, the Federal Government released an exposure draft of its long awaited Anti-Money Laundering and Counter-Terrorism Financing legislation ("Bill"). Public comment is sought by 13 April 2006.

The Anti-Money Laundering/Counter-Terrorism (AML/CTF) reforms will comprise the Bill, AML Regulations, the AML/CTF rules and AML/CTF Guidelines. Both the Rules and Guidelines will be issued by the Australian Transaction Reports and Analysis Centre ("AUSTRAC") and are the subject of ongoing stakeholder consultation.

All of these components, save for the Guidelines, will be legally binding. The Guidelines will be issued by AUSTRAC from time to time for the purposes of providing ongoing guidance to industry. No regulations have yet been released.

Draft Bill

The Bill in general terms is principles-based legislation that sets out the framework for the Federal Government's AML/CTF response to the Financial Action Task Force's recommendations for global AML/CTF standards.

The Bill specifies:

• What are "designated services". These are the services that attract the operation of the AML/CTF regime (see below);
• Who are "reporting entities", namely, those persons who provide "designated services"; and
• Key obligations of reporting entities including their obligations to verify the identity of new customers, monitor customers and their transactions, report specified transactions and suspicious matters, maintain appropriate records and establish and maintain AML/CTF programs.

AUSTRAC will remain the key AML/CTF regulator, will monitor reporting entities obligations under the package and be responsible for undertaking intelligence assessments for Australian government and law enforcement agencies. Essentially, AUSTRAC's position will be enhanced and expanded under these proposals.

The interaction between the existing Financial Transaction Reports Act 1988 (Cth) (" FTRA ") and related regulations, the new Anti-Terrorism Act (passed by the Senate in December 2005) and this AML/CTF package is not spelt out in detail. However, the overview released as a part of the package notes that the FTRA will eventually be replaced by the AML/CTF package but that in the meantime existing FTRA obligations remain. The overview commented that none of the existing obligations under the FTRA will be wound back by the AML/CTF package.

What is the coverage of the Bill and what are "Designated Services"?

The Bill limits the coverage of its provisions to specific types of activities known as "designated services" as specified in tables forming part of section 6 of the Bill. Comments are sought on their coverage.

At the outset it is important to note that generally whoever undertakes these activities is caught by the AML Bill, whether or not they are financial services institutions, gambling service providers or casinos. Further, in most cases specific actions involving the nominated products are caught (eg. making a loan, topping up a stored value card, allowing a transaction under an account, issuing a derivative). As a result, careful regard will need to be had to the specific actions to determine whether they fall within any of the activities specified and therefore amount to a "designated service".

The provision of a gambling service is caught where provided in the course of a business. Significantly, the definition of "gambling service" includes dealing with bets and services for the conducting of games but does not include services for the conduct of a lottery or the supply of lottery tickets.

The Bill covers all designated services provided at or though a permanent establishment in Australia. Further, it also covers the situation where the service provider is an Australian resident or subsidiary of a company that is resident and the service is provided at or through a permanent establishment in a foreign country. The AML/CTF rules are to permit certain relaxation of these requirements for overseas braches to merely meet local legal requirements.

When do customers need to be identified?

Reporting entities will generally be required to identify customers (or their agent) by carrying out an applicable procedure before providing them with a designated service. Some exceptions will apply.

The procedures to be followed to identify a customer will be set out in AML/CTF rules, which have not yet been released although it is anticipated that a draft rule will be released for comment early in 2006. However, the Government has stated that a technology-neutral, flexible approach to customer identification is to be adopted which will allow for the use of a range of options including face-to-face, third party and electronic verification procedures. The draft guidance paper on applicable customer identification procedures released with the Bill indicates that the procedures will differ for natural and non-natural persons (ie. companies and trusts) and that the procedures for natural persons will include:

• a procedure similar to the current "100 point check" under which customers must provide certain types of documentation;
• an electronic verification procedure that will allow for verification of details in an environment which is not face-to-face; and
• procedures for customers with special circumstances eg. minors.

The acceptable referee process which is currently permitted under the FTRA will not be permitted under the AML/CTF rules. The Government has indicated that transitional arrangements will be put in place to allow industry to develop alternative arrangements.

The AML/CTF rules will also include the minimum information that a reporting entity must obtain and the information that needs to be verified. Not all of the information collected will need to be verified.

The material released with the Bill indicates that reporting entities will also be required to identify the beneficial owner of funds and take reasonable measures to understand the ownership and control structure of customers such as companies, trusts and partnerships. Procedures for identifying these customers are to be set out in AML/CTF rules.

Existing customers

Existing customers at the time of commencement of the Bill do not need to be identified where the reporting entity and the customer have maintained a continuous relationship (unless certain risk triggers occur - see "Re-verification of identity" below). Otherwise these customers will need to be identified before the reporting entity commences to provide designated service. Continuous relationship is not defined, however the AML/CTF rules can contain provisions that will affect whether there has been continuous relationship. As a result, AUSTRAC will be able to specify, for example, that if a certain event or circumstance occurs, there will have been no continuous relationship meaning re-identification of affected existing customers will be required. Submissions have been sought on appropriate rules.

Low risk designated services

Certain low risk designated services will be exempt from the requirement to carry out customer identification procedures (unless certain risk triggers to be set out in the AML/CTF rules occur). These low risk services are to be specified in AML/CTF rules, a draft of which is anticipated to be released for comment in early 2006.

Re-verification of identity

The identity of a customer or agent will need to be re-verified if certain risk triggers occur. The obligation to re-verify applies to all customers and agents including existing customers and customers with low risk designated services.

The risk triggers will be described in AML/CTF rules that have not yet been released, although it is anticipated that a draft rule will be released for comment in early 2006. These risk triggers could be the happening of certain events, the existence of certain circumstances or the end of the period specified in the rules. If a risk trigger occurs, the reporting entity will have five business days to carry out the customer identification procedures. If it does not do so, it must cease providing the services until it has done so.

Use of third parties and chains

The Bill permits customer identification procedures to be carried out on behalf of the reporting entity by:

• an agent;
• another reporting entity; or
• a person accredited under the AML/CTF rules. No applicable rules have been released although submissions have been sought on this issue.

The reporting entity must authorise the other person in writing to carry out the applicable customer identification procedures and responsibility will remain with the reporting entity. In addition, any authorisation must comply with the AML/CTF rules. No rules have been released although it is anticipated that a draft rule will be released for comment early in 2006. If the reporting entity authorises an agent, each employee of that agent is also authorised to carry out the relevant procedures.

A note to the Bill specifically refers to "chains" of reporting entities. It gives the example of a licensed financial adviser giving advice to a customer about making a contribution to a superannuation fund and indicates that it is intended that a reporting entity in the chain can authorise another reporting entity in that chain to carry out the customer identification procedures on its behalf.

Exemptions

The identification requirements do not apply to services by a reporting entity at or through its foreign offices. The AML/CTF rules may also exempt a service or a service provided in certain circumstances from the requirements. No such rules have yet been released although submissions on possible exemptions have been sought.

AML/CTF Programs

Part 7 of the Bill requires reporting entities to develop, maintain and comply with their own tailored AML/CTF Program.

The Bill does not specify what transition period should be permitted to allow reporting entities to implement their Programs and asks for submissions on this issue.

The requirements of an AML/CTF program are stringent and far reaching.

The Bill provides that a program must be designed to identify and "materially mitigate" risks relating to permitting and monitoring any transactions that could amount to money laundering offences or financing of terrorism offences. Also, the program needs to ensure that the AML/CTF rules requirements are met and include a compliance system seeking to ensure that the reporting entity complies with the Bill.

No specific guidance is given as to the meaning of "materially mitigate".

The AML/CTF rules may relax some of these stringent program requirements.

What are some of the compliance implications of these program requirements?

In light of the severe consequences for reporting entities to fail to comply with their programs, it will be a delicate compliance exercise indeed to ensure that suitably robust measures are promulgated internally yet permit appropriate flexibility in approach on the "front line" while meeting AUSTRAC's expectations. Reporting entities will recall a number of recent significant and successful prosecutions in the UK where financial institutions were unable to evidence to the satisfaction of their regulator that a suitably robust AML/CTF compliance program was in existence notwithstanding that no actual breaches of the law were found.

The lack of specificity in the Guidelines, while commendably permitting flexibility, will hopefully also be supplemented by separate detailed guidance in practice as to the nature and extent of AUSTRAC's regulatory expectations. This is particularly the case when considering reporting entities' obligations to identify exactly what steps are required to "materially mitigate" risks and what are the "high" risks in the areas of customer identification, services provided, service delivery methods, jurisdictional risks, PEPs and the like. No reporting entity will want to fail to clear the bar in the event of an audit in these fundamental program design areas.

A further key compliance challenge in practice will be to seamlessly integrate these AML/CTF programs into existing compliance systems. This will particularly be the case in circumstances where externally developed supplied and maintained AML/CTF programs will need tailoring to meet the particular risk management requirements of individual reporting entities. These will then also need to be connected to the existing compliance systems such that the programs will actively interface with the host compliance system and use the same risk classifications, reporting and incident escalation procedures.

Reporting obligations

There are three types of reports which reporting entities may be required to give to AUSTRAC:

• reports about suspicious matters;
• reports about designated services in relation to transactions which exceed a specified financial threshold ("threshold transactions"); and
• reports about the provision of designated services in relation to an international funds transfer instruction.

Although each of these has analogues in the current FTRA, the reporting obligations are cast more broadly under the Bill than under the FTRA. There is also scope to greatly expand the scope of reportable threshold transactions by regulation.

Report of suspicious matters

At or at any time after:

• the reporting entity commences or proposes to provide a designated service to a customer (including a prospective customer); or
• a person requests the reporting entity to provide a designated service to the person; or
• a person queries whether the reporting entity would be willing or prepared to provide a designated service to the person,

if the reporting agency has "reasonable grounds" to suspect information it has about the provision, or prospective provision, of the designated service, the reporting agency must make a report to AUSTRAC.

Because the reporting entity's obligations relate generally to information it has about the provision, or prospective provision, of the designated service, a reporting entity may have an obligation to report a suspicious matter under the Bill even in cases where no transaction is involved.

This should be contrasted with the more narrowly focused "suspicious transaction" provisions under the Financial Transaction Reports Act.

The discussion draft of the AML/CTF rules specifies some 24 matters that are to be taken into account by a reporting entity in determining whether there are reasonable grounds for a reporting entity to form a suspicion.

Report of transactions of $10,000 or more

Division 3 of the Bill contains obligations which are broadly analogous to the FTRA obligations to report significant cash transactions of $10,000 or more.

The obligation in the Bill applies to reporting entities if they are providing a designated service to a customer that involves a threshold transaction. The reporting entity must within ten business days after the date of the transaction give AUSTRAC a report of the transaction in the approved form.

A threshold transaction means:

• the transfer of not less than $10,000 in physical currency; or
• the transfer of money in the form of e-currency of not less than $10,000.

The regulations may provide that "a specified transaction (or class of transaction) involving money (in any form) or the transfer of property" is also a threshold transaction and specify the threshold amount (which must not be more than $10,000) at and above which the specified transaction must be reported.

Until such regulations are made, this Division has much the same application as the FTRA does to transfers of physical currency and the principal extension is in respect of transfers of e-currency. "E-currency" is defined to mean an internet-based, electronic means of exchange that is backed either directly or indirectly by precious metal, bullion or a prescribed thing and is not issued by or under the authority of the government body. Examples could include a means of exchange such as e-cash or loyalty points tradeable on the internet.

However, if regulations are made, potentially an enormous range and number of transactions not limited to physical currency and e-currency could be brought within the reporting net.

International funds transfer instructions

Certain designated services performed in relation to an international funds transfer instruction must be reported to AUSTRAC within ten business days after the day on which the service commenced to be provided.

There is a detailed definition of what constitutes an "international funds transfer instruction" designed to ensure there is a relevant Australian link to the instruction. Very broadly, the funds transfer instruction must involve a permanent establishment of the originating institution or the destination institution or the transferor or transferee remitting entity in Australia or, if that is not the case, the transfer of funds from the originating entity's account in Australia to the ultimate recipient's account in Australia.

Privacy

The privacy implications including those arising from electronic verification have not yet been worked through. The Bill does not impose any obligations on reporting entities to protect customer personal information. There appears to be a concern on the part of Government that whilst the National Privacy Principles deal with the protection of personal information, they do not apply to all entities (for example they do not apply to all small businesses). The Government has invited public comment on this issue and on options for dealing with privacy concerns that customers may have.

Conclusion

The draft legislation also imposes record keeping obligations, secrecy requirements, obligations in relation to correspondent banking relationships and allows AUSTRAC to inspect records. Careful review by all involved in the banking and financial services area is required.

For further information, please contact Narelle Smythe.