Second stage of the consultation on the reform of Australia’s AML/CTF regime – Part 2: Further details released on proposed reforms to simplify, clarify, and modernise Australia’s AML/CTF regime

06 June 2024

The long-awaited second stage of consultation on the proposed reforms to Australia’s anti-money laundering and counter-terrorism financing (AML/CTF) laws has commenced, with the release of five consultation papers.

The reforms aim to:

  • improve the effectiveness of the AML/CTF regime and ease the regulatory burden on reporting entities by simplifying and clarifying the regime, and modernising the regime to reflect changing business structures and technologies; and
  • expand Australia’s AML/CTF regime to ‘tranche 2’ entities – lawyers, accountants, trust and company service providers, real estate professionals, and dealers in precious stones and metals.

The proposed reforms are also intended to ensure that Australia meets international standards set by the global financial crime watchdog, the Financial Action Task Force (FATF). This is particularly important as Australia’s AML/CTF regime will next be assessed by the FATF over 2026-27.

Consultation papers 1 to 3 deal with proposed reforms relating to the new tranche 2 reporting entities. You can read our article on those proposed reforms here.

In this article, we discuss the various ways it is proposed that the AML/CTF regime be simplified and modernised in Paper 4: Further information for digital currency exchange providers (DCEPs), remittance service providers and financial institutions (Paper 4) and Paper 5: Broader reforms to simplify, clarify and modernise the regime (which will apply to current and new proposed reporting entities) (Paper 5).

In summary, Paper 4 sets out the following proposals:

  • Expand the range of regulated digital currency-related services: to include new categories of designated services (the provision of which brings an entity within the AML/CTF regime) relating to digital assets, including exchanges between digital assets for fiat currency and vice versa, exchanges between one or more forms of digital assets, providing custodial services of a digital asset and providing a financial service relating to an issuer’s offer or sale of a digital asset.
  • Amend the definition of ‘digital currency’: to replace the current term ‘digital currency’ in the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) with ‘digital assets’ or possibly ‘crypto asset’ or ‘virtual asset’.
  • Extend the travel rule: to update and extend the travel rule obligations (which will involve the collection of information, record keeping and the transmitting of information obligations) to remittance and digital asset sectors for both domestic and cross-border transfers.
  • Simplify international funds transfer instructions (IFTIs) reporting: to simplify IFTI reporting obligations and extend the requirement to report IFTIs in relation to digital asset transfers above a certain threshold. The key proposed reforms in relation to IFTIs include:
    • the reporting entity closest to the Australian customer will have the obligation to report the IFTI. The obligation will rest with the institution that ‘initiate[s] the outgoing transaction, or make[s] the incoming payment available, for their customers’;
    • the trigger for reporting IFTIs would be the sending of value, or making value available to the customer, rather than ‘by the sending or receipt of an instruction which could subsequently not be given effect’;
    • removing the distinction between IFTI-Es and IFTI-DRAs and merging the two report types into a single IFTI report; and
    • an express obligation to provide that IFTI obligations will be triggered where the reporting entity, in providing a foreign exchange or gambling service, ‘transfers or arranges to transfer value out of Australia on behalf of the payer’ or ‘makes available, or arranges with the payee to make available, value transferred into or out of Australia to a payee’.

The first consultation paper, released in 2023, sets out the various ways in which the Government considered that the current AML/CTF regime could be simplified, clarified, and modernised. Paper 5 now contains more details on those reforms and proposes that:

  • AML/CTF Programs: the current obligation that an AML/CTF Program have a Part A and a Part B be streamlined into a single program rather than a program with two parts;
  • Risk assessments: an express obligation be introduced for reporting entities to undertake risk assessments that are to then inform proportionate risk mitigation measures and internal controls;
  • Customer due diligence: the current customer due diligence framework be replaced by a more outcome focused and flexible regime that is intended to empower reporting entities to ‘mitigate, manage and respond to their risks in ways that best reflect their unique risks and that of their customers’;
  • Tipping off: the tipping off offence be modified to better balance the need to disclose information to mitigate money laundering and terrorism financing risks without compromising law enforcement investigations;
  • Due Diligence exemption for gambling service providers: the threshold exempting reporting entities from conducting customer due diligence measures when providing certain gambling services to customers involving transactions be lowered from less than $10,000 to less than $5,000;
  • Exception for assisting an investigation of a serious offence: eligible law enforcement agencies be empowered to issue a ‘keep open notice’ directly to a reporting entity without asking AUSTRAC for approval. It is proposed that the AML/CTF Act would be amended to:
    • permit a reporting entity not to perform certain customer due diligence measures if they have received a ‘keep open notice’ and consider that performing those measures would alert the customer to law enforcement interest; and
    • exempt it from liability for keeping a customer’s account open if it acts in accordance with the notice.
  • Moving exemptions: several enduring exemptions, which include exemptions related to gambling services, customer due diligence thresholds, registration and services that are not intended to be captured by the AML/CTF regime, be moved from the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (AML/CTF Rules) to the AML/CTF Act; and
  • Financial Transaction Reports Act 1988 (Cth): this Act be repealed, as foreshadowed in the first round of consultation.

In the following table, we discuss some of the detail set out in Paper 5 as it relates to the proposed amendments to AML/CTF Program obligations, customer due diligence obligations and the tipping off offence.

Obligation | Proposed changes

AML/CTF Program
The following key elements are proposed to be included as part of AML/CTF Program obligations.
1. An overarching risk assessment obligation
It is proposed that the AML/CTF Act will require a reporting entity to:
• conduct a risk assessment (currently an implied obligation), which would then inform the policies, systems and controls that form the AML/CTF Program;
• consider the nature, size, and complexity of its business in determining risk level, incorporate relevant risks identified and communicated by AUSTRAC, and document its risk assessment methodology as part of its AML/CTF Program; and
• review and keep its risk assessment up to date. Paper 5 suggests that there will be a requirement for risk assessments to be reviewed every 4 years, at a minimum, and triggers for reviewing could include changes to the business risk profile or if new technologies are adopted to manage AML/CTF obligations.
2. Proportionate risk mitigation measures
A reporting entity would need to develop, implement, and maintain enterprise-wide policies, systems and controls proportionate to the nature, size, and complexity of its business.
Paper 5 provides that this obligation would be supported by specific types of risk mitigation measures that an AML/CTF Program will need to incorporate, including:
• enterprise-wide risk management practices, to ensure that risk is considered across the reporting entity’s day-to-day operations;
• clear documentation of how the policies, systems and controls mitigate and manage the risks identified in the risk assessment;
• details about customer due diligence;
• a requirement for risk mitigation measures to be reviewed when risk assessments are updated; and
• the identification and reporting of suspicious matters.
3. Specific internal controls
A reporting entity would need to establish internal practices that ensure the business, its managers, employees, and agents comply with AML/CTF obligations.
The AML/CTF Act would specify categories of internal controls, which are broadly consistent with current obligations (including senior management and board oversight, employee due diligence, screening and training and independent audits of AML/CTF Program), that must be included in an AML/CTF Program, with additional details to be set out in the AML/CTF Rules.
The Board or equivalent senior management of reporting entities would not be required to approve the implementation of day-to-day operational measures. It is proposed that the AML/CTF Compliance Officer will be responsible for overseeing and co-ordinating changes to the AML/CTF Program for approval by a role like the Chief Risk Officer.
As for the AML/CTF Compliance Officer, it is proposed that the requirement for this role be moved from the AML/CTF Rules to the AML/CTF Act, which would:
• clarify that the AML/CTF Compliance Officer is an employee at the management level responsible for overseeing and co-ordinating the day-to-day operation and effectiveness of a reporting entity’s AML/CTF Program, and the reporting entity’s compliance with the AML/CTF Act, Rules, and Regulations;
• require that the AML/CTF Compliance Officer have sufficient authority, independence, and resourcing to fulfil their function (proportionate to the business);
• require a reporting entity to certify to AUSTRAC that their AML/CTF Compliance Officer is a fit and proper person; and
• allow for the AUSTRAC CEO to make rules in relation to the requirements of the AML/CTF Compliance Officer position.
4. Simplified business group concept
The Department is also proposing that the concept of ‘designated business group’ be replaced with a simplified ‘business group’ concept, which would extend to all related entities, including non-AML/CTF reporting entities where appropriate.
A business group head would be responsible for assessing risk across the group and its members, and for developing a group AML/CTF Program. The business group head will need to ensure that its AML/CTF Program applies to all business group branches and subsidiaries (including non-AML/CTF reporting entities where appropriate). This is intended to allow for greater information sharing between related entities within a group and allow for 'appropriate group-wide risk management and sharing of AML/CTF obligations'.
5. Simplified obligations for foreign branches and subsidiaries
Lastly, it is proposed that the AML/CTF Act will simplify and clarify requirements for reporting entities with foreign branches and subsidiaries.
It is proposed that a business group head will have flexibility in determining how obligations under Australia’s AML/CTF regime are met by foreign branches. The intention here is to align the current regime with FATF Recommendation 18, which provides that 'foreign branches and subsidiaries of Australian companies to apply home country AML/CTF requirements, where the requirements of the host country are less strict than the home country, to the extent permitted by local laws'.

Customer Due Diligence
The Department also proposes important changes to the customer due diligence (CDD) obligations. These include the following:
1. Initial CDD
It is proposed that the existing ‘applicable customer identification procedures’ will be replaced with the term ‘initial CDD’.
Initial CDD to verify the customer's identity and information will generally be required before a designated service is first provided to the customer. However, it is proposed that in certain circumstances (including, for example, where the risk is low), verification of identity documents can be completed after the customer is provided a designated service.
2. Ongoing CDD
A reporting entity will continue to be required to conduct ongoing CDD for each customer. The customer risk rating and duration of the relationship will determine what type of ongoing CDD is required (i.e. simplified, standard or enhanced DD).
Paper 5 provides that ongoing CDD must include 'transaction monitoring and, for customers in ongoing business relationships, keeping KYC information up to date and verified and, when required, updating the customer risk rating'. If a risk rating is updated, this may mean that a reporting entity will need to re-verify KYC information or collect and verify additional information.
3. Risk Rating
Each customer would need to be assigned a risk rating that 'reflects the risks presented by the provision of a designated service to that customer'. The customer risk rating will then determine what type of initial CDD and ongoing CDD is required.
4. Enhanced CDD
Similar to the current regime, it is proposed that a reporting entity be required to apply enhanced CDD measures where:
• the customer has been rated as 'higher risk';
• there is a suspicion of money laundering, terrorism financing or identity fraud and the reporting entity proposes to continue the business relationship;
• the customer or its beneficial owner is a foreign PEP; or
• the customer or its beneficial owner is physically present in, or is a legal entity formed in, a high-risk jurisdiction in respect of which the FATF has called for enhanced due diligence to be applied.
5. Simplified CDD
A reporting entity will be able to apply simplified CDD measures to customers rated as low risk or where none of the triggers for enhanced CDD arise. It is also proposed that a reporting entity will have the discretion to determine the simplified due diligence measures.

Tipping Off
The Department is proposing to replace the current tipping off offence with a new offence that will focus on preventing the disclosure of suspicious matter report (SMR) information where it is 'likely to prejudice an investigation or potential investigation'. For example, this would occur where SMR information is disclosed directly to the person of interest or an associate.
By amending the offence in this way, it is intended that the new framework would clarify that reporting entities can disclose information for legitimate purposes, which would include the sharing of information within business groups.
The Department is also considering framing the offence in a way that could, in the future, help facilitate private-to-private information sharing, subject to appropriate protections being in place.
Reporting entities will also need to implement controls and protections relating to the disclosure of SMR information.

The proposed reforms have not been finalised. The Government is seeking feedback on the practical impact of the proposed reforms to inform decisions on the reforms. You can submit your feedback via the Department’s Consultation Hub by 5:00pm AEST Thursday, 13 June 2024. The Department will also conduct roundtable discussions with key stakeholders.

If you require assistance with making a submission or would like to discuss the proposed reforms, please contact our team.

This article was written by Polat Siva, Partner, and Vesa Prekazi, Special Counsel.
