Getting to know your customer: new anti-money laundering know your customer and customer due diligence rules
Amendments to the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (AML Rules) imposing new know your customer (KYC) and customer due diligence obligations will commence on 1 June 2014. These new AML Rules will require significant changes both to KYC procedures and procedures for assessing money laundering/terrorism financing (ML/TF) risk.
What do you need to do?
Organisations will need to review and update their AML/CTF programs and client onboarding processes to reflect the changes to the AML Rules by 1 June 2014. There is no transition period and both new and existing customers will be impacted. There are complicated issues in relation to how these rules apply to existing customers that will need to be carefully considered. However, AUSTRAC will not enforce non-compliance in certain circumstances until 1 January 2016.
Summary and comparison of changes
The following is a table showing the changes to the rules and the impact of these changes.
|Before the amendments||After the amendments||Impact|
|Assessing ML/TF risk|
|Organisations must identify their ML/TF risk by considering: their customer types including politically exposed persons; types of designated services; methods of delivering designated services; and foreign jurisdictions they deal with.||The following ML/TF risk considerations are to be added to the existing matters: customers’ beneficial owners; customers’ sources of funds and wealth; the nature and purpose of the business relationship; and the control structure of non-individual customers.||ML/TF risk assessment procedures should be revised to include the purpose of transactions; who is ultimately funding or benefiting from them; and the source of those funds.|
|Beneficial owners and settlors of trusts|
|Organisations must identify the beneficial owner of a customer which is a proprietary or private company and verify this information where warranted by the ML/TF risk. A beneficial owner is a person who owns more than 25% of a company.||The definition of beneficial owner has been expanded to include control. Organisations are required to identify and verify the ultimate beneficial owners for most types of customers; and identify and verify information about the settlor of trusts. Beneficial owner information has also been incorporated into the ongoing and enhanced customer due diligence requirements.||KYC procedures for customers should be amended to include, for example: reviewing the parties to the trust deed; identifying major shareholders; understanding the customer’s management structure; and understanding the rights and responsibilities of senior managers.|
|Politically exposed persons (PEP)|
|There is no requirement to take specific additional due diligence measures for customers who are PEPs.||Organisations must determine whether any customer or beneficial owner is a PEP, and if so, collect and verify KYC information. Additional due diligence measures and risk management systems must be implemented where the PEP is high ML/TF risk or a foreign PEP.||PEPs not only need to be identified and considered when assessing ML/TF risk; but in addition to the normal due diligence procedures, there will need to be processes for classifying a PEP as domestic, foreign, or high risk and conducting the relevant additional due diligence or risk management processes.|
|Ongoing customer due diligence|
|Systems must be in place to determine when further KYC information should be collected, or when KYC information should be updated or verified.||There must be systems in place to determine when further KYC or beneficial owner information should be collected or verified to review and update information. All customer records should be reviewed and updated where the ML/TF risk warrants this. This applies to both new and pre-existing customers.||There is a stronger emphasis on reviewing and updating customer records, although the approach may nevertheless be based on the ML/TF risk. There are difficult issues around how these rules apply to existing customers.|
Assessing ML/TF risk
Under the new AML Rules, there has been an expansion of the factors that must be considered in determining the ML/TF risk of the organisation. These new factors are: the source of funds and wealth of customers; the nature and purpose of the business relationships with customers; control structures of non-individual customers, and the beneficial owners of customers. As a result, the new AML Rules specify that AML/CTF programs must enable the organisation to understand these details about customers; and identify and assess risks posed by changes to these details.
Identifying beneficial owners and settlors of trusts
Under the new AML Rules reporting entities will be required to:
- Identify the beneficial owner of most types of customers
- Collect and take reasonable measures to verify the full name and residential address or date of birth of each beneficial owner
- Identify and verify the details of settlors of trusts
However, for customers who are individuals, organisations may assume the customer and the beneficial owner are one and the same unless there are reasonable grounds for considering otherwise.
The definition of beneficial owner has also been expanded from what it is now. It includes a person who directly or indirectly owns 25% or more of an entity or who controls another person. If there is a chain of ownership, the relevant beneficial owner is the person who ultimately owns or controls the customer. According to an AUSTRAC Explanatory Statement, there is no need to collect and verify details at each level in a chain of ownership.
Organisations with a global AML policy that deals with United States requirements may already have a similarly broad definition. However, for other organisations this will be a material change and additional identification and verification steps will need to be added to onboarding processes for certain clients.
In addition, there have been amendments to the ongoing customer due diligence and enhanced customer due diligence requirements incorporating further measures to be taken in respect of beneficial owner information. These are discussed in more detail below.
Politically exposed persons
Under the new AML Rules, certain measures must be taken before (or as soon as practicable after) providing a designated service to a customer who is a PEP. A PEP is an individual who is, or is an immediate family member or close associate of, a person who holds a prominent public position in a government body or international organisation.
Organisations must ensure that their AML/CTF program has systems for determining whether any customer or beneficial owner of a customer is a PEP, and if so, take additional measures in certain circumstances such as:
- If the PEP is a beneficial owner, collecting KYC information and verifying it if appropriate
- Determining whether the PEP poses a high ML/TF risk.
If a customer is a foreign PEP or a domestic or international organisation PEP who is assessed as being a high ML/TF risk, reporting entities must take additional measures such as taking reasonable measures to establish the source of wealth and funds; and obtaining senior management approval before providing the PEP with designated services or establishing or continuing the business relationship with them.
There are additional due diligence measures that must be implemented if a customer is, or has a beneficial owner who is, a foreign PEP. These include applying the Enhanced Customer Due Diligence program to the foreign PEP. The Enhanced Customer Due Diligence program must now include systems and controls to ensure, where appropriate, measures such as clarifying, analysing, verifying or updating beneficial owner information collected from the customer; or collecting further beneficial owner information (such as the source of the beneficial owner’s funds and wealth) are taken.
Ongoing customer due diligence
Under the new AML Rules, there have been amendments to the ongoing customer due diligence obligations. Organisations must have appropriate systems and controls for determining when further beneficial owner information should be collected or verified to review and update existing records as well as the existing requirement to obtain further KYC information in certain circumstances.
The new AML Rules also place a general obligation on organisations to take reasonable measures, commensurate with the ML/TF risk, to keep, update and review the documents, data or information collected under customer and beneficial owner identification procedures.
This requirement was introduced to ensure the AML Rules were consistent with the Financial Action Task Force (FATF) recommendations (worldwide AML standards recommended by an inter-governmental body). The FATF recommends that organisations keep all customer information up to date and relevant by undertaking reviews of existing records. The FATF also recommends conducting ongoing due diligence on the business relationship and scrutinising transactions to ensure that the transactions are consistent with the organisation’s knowledge of the customer, and their business and risk profile.
Consistent with the FATF approach, and with an AUSTRAC explanatory statement which states that the amendments to ongoing customer due diligence aim to clarify that these rules relate to ‘ongoing customers rather than new customers’, the obligation to review and update records applies to both existing customers and those who commence with the organisation after the new AML Rules commence. This raises complex issues that will need to be worked through carefully for existing customers. An explanatory statement to the draft rules also states that this approach is consistent with the requirements in the Privacy Act 1988 (Cth) to keep customer records up to date.
When will the new AML Rules be enforced?
AUSTRAC has released the Policy (Additional Customer Due Diligence Requirements) Principles 2014 to accompany the new AML Rules. These are issued under section 213 of the AML/CTF Act, which allows the Minister to make policy principles which are binding on AUSTRAC in the performance of its functions. The policy principles effectively allow some time for organisations to transition to the new AML Rules.
From 1 June 2014 to 31 December 2015 AUSTRAC will not apply for a civil penalty order or an injunction, issue a remedial direction, or require an external compliance audit for non-compliance with the new customer due diligence requirements if an organisation or its designated business group took reasonable steps to comply.
In determining whether reasonable steps were taken, AUSTRAC will consider all relevant matters including whether:
- The organisation complied with the new obligations as soon as could be reasonably accommodated through existing operations
- Between 1 June 2014 and 1 January 2016, for new clients assessed by the organisation as high ML/TF risk, the organisation complied with the new obligations as soon as practicable
- The organisation developed a transition plan before 1 November 2014 which: has actions and timelines for compliance with the new AML Rules in respect of new high ML/TF risk clients and full compliance with the new AML Rules prior to 1 January 2016; is sufficiently resourced; is approved by the board of the organisation (there are alternatives for designated business groups and entities without boards); is regularly monitored; and is made available to AUSTRAC on request