Insight,

AML/CTF Amendment Bill introduced into Parliament

17 September 2024

Our People
KWM Kinetic
Owl Advisory
AU | EN
Current site :    AU   |   EN
Australia
EN |
China
JP | ZH | EN |
China Hong Kong SAR
ZH | EN |
Japan
JP | ZH | EN |
Singapore
ZH | EN |
United States
EN |
Global
ZH | EN |

Summary

On 11 September 2024, the Attorney General introduced the Anti-Money Laundering and Counter-Terrorism Financing Amendment Bill 2024 into Parliament.

This Bill will implement the most significant reforms to the AML/CTF Act since its introduction. The key objectives of the reforms are to bring “Tranche 2” entities in scope (including real estate professionals, professional service providers such as lawyers and precious metal and stone dealers) and to simplify and modernise the regime.

Most changes will take effect from 31 March 2026. They are likely to require significant updates to existing AML/CTF Programs and related procedures, as well as adding significant compliance requirements to those involved in the Tranche 2 industries and the payments and virtual asset sectors.

Set out below is a high-level summary of some of the changes that are likely to have the most significant impact on existing reporting entities.

A restructured approach to the AML/CTF Program

The Bill repeals the current Part 7 which sets out the requirements for AML/CTF Programs and replaces it with a new Part 1A. It is likely that this will also result in changes to Chapters 8, 9 and 15 of the Rules that set out Program requirements.

The requirement for an AML/CTF Program to be split into a Part A and Part B has been removed.

Instead an AML/CTF Program must now include both an ML/TF Risk Assessment and AML/CTF policies. Both the ML/TF Risk Assessment and the AML/CTF Policies must be documented.

The ML/TF Risk Assessment must consider the risks of proliferation financing in addition to ML/TF risks and, if designated services are provided at or through a permanent establishment in Australia, have regard to specified matters (which largely reflect the current requirements of rules 8.1.4, 8.1.5(5) and 8.7, or of rules 9.1.4, 9.1.5(5) and 9.7 of the AML/CTF Rules (as relevant)).

The AML/CTF policies are the policies, procedures, systems and controls developed to meet requirements set out in a new section 26F. These largely reflect Chapters 8 and 9 of the current Rules (except for the requirements already listed above). The Bill also:

  • requires reporting entities to develop and maintain policies, procedures, systems and controls that:
    • ensure the reporting entity complies with all obligations imposed by the AML/CTF Act, the regulations and the AML/CTF Rules (whereas the equivalent obligation under the current Chapters 8 and 9 of the Rules only extends to reporting obligations); and
    • address how reporting entities who provide designated services at or through a permanent establishment in Australia will inform the entity’s governing body of ML/TF and proliferation financing risks;
  • changes some of the obligations owed by entities that provide designated services at or through a permanent establishment outside of Australia (for example, it appears that the requirement to appoint an AML/CTF compliance officer no longer applies to these entities, whereas the new section 26F makes clear that they must adopt policies, procedures, systems and controls that appropriately mitigate and manage their ML/TF and proliferation financing risks); and
  • imposes additional requirements for the AML/CTF policies of the lead entity of the reporting group (whose policies must, for example, cover the sharing of information and compliance obligations across the group).

Given the significant changes to customer due diligence and the requirements for AML/CTF compliance officers and the governing body it is likely that significant changes to the structure of current AML/CTF Programs and some content will be required. 

The AML/CTF Program must be reviewed on occurrence of certain trigger events and at least every 3 years.

The existing requirement for changes to the AML/CTF Program to be approved by the board will be replaced with a requirement for changes to be approved by a senior manager and notified to the governing body (see below).

The current section 82 (which requires compliance with Part A of the Program) has been replicated in a new section 26G, with the addition of an obligation to comply with customer due diligence requirements. The Bill also states that if the AML/CTF polices are not complied with there will be a separate contravention in respect of each designated service that is provided to a customer at or through a permanent establishment in Australia. The Explanatory Memorandum (EM) to the Bill clarifies that the intention is for a contravention to occur only in respect of designated services that are provided by a reporting entity “without complying with its own policies”.

Role of the governing board and AML/CTF Compliance Officers

Reporting entities will be required to designate an AML/CTF Compliance Officer. The Bill:

  • establishes eligibility requirements for who can be an AML/CTF Compliance Officer, including fit and proper requirements, as well as the need to be an Australian resident if the designated services are provided at or through a permanent establishment in Australia;
  • prescribes their role; and
  • clarifies that the AML/CTF Compliance Officer does not need to be an employee of the reporting entity as long as they meet the eligibility requirements.

As expected, the Bill imposes obligations on the governing body (the individual or group of individuals with primary responsibility for governance and executive decisions). These obligations include exercising ongoing oversight of the ML/TF Risk Assessment, the reporting entity’s compliance with its own AML/CTF policies and compliance with the AML/CTF regime and taking reasonable steps to ensure that ML/TF risks are effectively identified, assessed and mitigated (noting that these obligations carry civil penalties).

Liability for breach of these obligations will remain with the reporting entity (although those individuals could be “involved in” the entity’s contravention).

Customer due diligence standards substantially updated

The Explanatory Memorandum clarifies that that customer due diligence should be focused on the outcomes to be achieved, rather than the procedures, providing greater flexibility in the steps reporting entities take to know their customers.

The Bill moves significant aspects of the requirements for customer due diligence (including enhanced customer due diligence and refresh/update) and transaction monitoring into the Act. It is likely that this will result in significant changes to Chapters 4 and 15 of the Rules.

The Bill proposes different obligations for initial and ongoing customer due diligence.

In relation to initial due diligence, reporting entities will still be required to collect and verify information about the customer but the Act will not prescribe how this is to be done (although this could still be specified in the Rules). New obligations will also be introduced as part of initial due diligence. For example, reporting entities must establish certain matters before providing a designated service (including whether the customer is the subject of sanctions and the nature and purpose of the business relationship) and the ML/TF risk of the customer must be identified before providing a designated service. Politically exposed person (PEP) screening and identification of beneficial owners must also be undertaken before a designated service is provided.

The Rules will expand the existing relief in Chapter 79 of the Rules to permit a reporting entity to undertake initial customer due diligence after providing a designated service where the reporting entity:

  • reasonably determines that commencing the designated service is essential to avoid interrupting the ordinary course of business;
  • has policies to carry out the assessment as soon as reasonably practicable after providing the designated service (or within a time specified in the Rules);
  • reasonably determines that there is low ML/TF risk in complying after providing the designated service;
  • implements AML/CTF policies to mitigate and manage associated risks; and
  • complies with any other requirements specified in the Rules.

A reporting entity must not continue to provide existing designated services or provide new designated services if it does not carry out the initial CDD within the prescribed period.

Some ongoing customer due diligence obligations will only apply to customers in a business relationship. A business relationship will be defined as a relationship between a reporting entity and a customer involving the provision of a designated service that has or is expected to have an element of duration (for example, opening a bank account and allowing transactions). In our experience, this has a wide scope, particular for businesses that provide online services for their customers.

Transaction monitoring will still be undertaken as part of ongoing due diligence and is required even where there is no ongoing business relationship. The matters that it is intended to identify have been expanded. This is likely to require significant changes to some reporting entities systems. In addition to the behaviours identified in the existing transaction monitoring regime, the Bill requires reporting entities to have regard to transactions and behaviours inconsistent with what the reporting entity knows about:

  • the customer;
  • the nature and purpose of the business relationship;
  • the ML/TF risk of the customer; and
  • the customer’s source of funds and source of wealth (where relevant).

Enhanced customer due diligence can be undertaken as part of initial or ongoing due diligence if the triggers are met. The triggers largely reflect the current triggers, however:

  • the suspicious matter report (SMR) trigger now only applies where the reporting entity proposes to continue to provide a designated service to the customer; and
  • a new trigger has been added for designated services that are part of a “nested services relationship”. This refers to circumstances where a financial institution, remitter or virtual asset service provider (VASP) provides a designated service to a financial institution, remitter or VASP in another country, who would use those services to provide designated services to its own customers. Such relationships present ML/TF risks as the reporting entity is reliant on the overseas counterparty’s due diligence.  We expect this additional trigger will provide clarity on the regulatory expectations when engaging with such entities, to help avoid general “de-risking”.

The existing relief for pre-commencement customers has not been removed however, reporting entities are required to monitor these customers and carry out customer due diligence in certain circumstances. All pre-commencement customers must be given a risk rating and those that are medium or high ML/TF risk must be subject to initial customer due diligence. Once a reporting entity has carried out initial customer due diligence on a pre-commencement customer, they will no longer be considered a pre-commencement customer.

Tipping off prohibition clarified

The Bill proposes to extend the tipping off prohibition to employees and directors of reporting entities (rather than just the reporting entity itself).

However, the changes are generally positive:

  • the types of information that may trigger the prohibition no longer includes information from which it could reasonably be inferred that a report has been given;
  • disclosure is only prohibited if it would or could reasonably prejudice an investigation (this is narrower than the initial proposal of “likely to prejudice an investigation or potential investigation”); and
  • there is a broad exception for disclosures between reporting entities.

New payments designated services

As foreshadowed in the Consultation Paper, the existing payment designated services in items 29 - 32 will be replaced with three new designated services.

These designated services are intended to capture:

  • the person that accepts an instruction to transfer value on behalf of a payer directly or indirectly (an ordering institution);
  • the person that makes transferred value available to a payee (the beneficiary institution); and
  • any person that passes on a message in the value transfer chain (an intermediary institution). 

The term transfer of value will be defined broadly as a transfer of money, virtual assets or other property (and will include the transfer of the value of property).

The Bill includes a list of criteria to determine which institution is the ordering institution and the beneficiary. It is not clear from the Bill whether there may be multiple ordering institutions, however, it appears from the EM that the intention is that there may be depending on the scenario. We anticipate there may be considerable difficulty in establishing, on the current drafting, whether an institution is an ordering or intermediary institution.

The term intermediary institution is defined broadly to capture entities that take a more active role in passing on a message in the value transfer chain (and excludes businesses that solely provide messaging infrastructure to allow for ordering and beneficiary institutions to communicate with each other).

In addition to the usual obligations that arise from the provision of a designated service additional obligations are imposed on ordering institutions, beneficiary institutions and intermediary institutions relating to collecting, receiving and passing on of certain information in relation to the transfer of value. For example:

  • beneficiary institutions must have policies to determine whether and in what circumstances to make transferred value available when the payment message received is incomplete; and
  • intermediary institutions must take reasonable steps to monitor whether they have received certain information.

These changes also impact on international funds transfer instruction (IFTI) reporting requirements.

An exception is provided for persons who transfer value incidentally to the provision of another service (although there are some carve outs to this for financial institutions and businesses that provide services incidentally to currency exchange or gambling services). To determine whether a transfer is incidental to the provision of another service, the Explanatory Memorandum (EM) to the Bill states that entities must consider whether the other service is a type of value transfer service (if so, the exemption is irrelevant and will not apply) or a service of a different nature or type such as managing a fleet of cars (in which case the exemption will apply). It is unclear whether AUSTRAC will issue further examples or guidance on the scope of this exemption.

IFTI reporting obligations shifted and expanded to virtual assets

The current IFTI reporting provisions will be repealed and replaced with reporting requirements for international value transfer services.

Reporting obligations will now only apply to the ordering institution and the beneficiary institution (although intermediary institutions can report on their behalf) where there is a movement of value between Australia and another country. This removes the current focus on where the instruction is accepted and who is the first person to receive the instruction into Australia or the last person to send an instruction out of Australia. However, as noted above there may be difficulty in establishing whether an entity is the ordering institution.

The reporting requirement would also be extended to cover international transfers of virtual assets, including those that are incidental to virtual asset exchange designated services listed in item 50A and new item 50B of table 1 in section 6 of the AML/CTF Act. Certain incidental international remittances, such as those relating to gambling services or currency exchange, will continue to trigger reporting to AUSTRAC.

Other unexpected changes

The Bill proposes changes to key terms in the AML/CTF Act including “credit card”, “debit card”, “credit card acquirer”, “account”, “security", “derivative” and “issue”. In particular:

  • the definition of “security” will be amended to refer to the definition of “security” in Chapter 7 of the Corporations Act rather than under section 92 of the Corporations Act. This means that legal or equitable rights or interests in securities will now be considered “securities” under the AML/CTF Act; and
  • the definition of “account” will be amended to no longer list account types but rather, be given its ordinary meaning. The EM states that AUSTRAC should develop guidance on the meaning of “account”.

AUSTRAC will also have the power to examine individuals if it has reasonable grounds to believe that a person has information or a document that is relevant to compliance with the AML/CTF Act (or related legislation).

Services relating to virtual assets

At present, the AML/CTF regime only covers the exchange between digital assets and fiat currency. The Bill proposes to amend the terminology from 'digital assets' to 'virtual assets' and expand the scope of AML/CTF regulation to include additional virtual asset-related services. This is intended to achieve alignment with the recommendations of the Financial Action Task Force (FATF).

Some of the key things to know about the virtual asset amendments include the following:

Broad definition

Section 5B defines virtual asset broadly:

Core definition

Digital representation of value that:

  • functions as a medium of exchange, a store of economic value, a unit of account and/or an investment; and/or
  • enables a person to vote on the management, administration or governance of arrangements connected with a digital representation of value;

and

  • is not issued by or under the authority of a government body; and
  • may be transferred, stored or traded electronically.
Additional inclusion

Digital representation of value of a kind prescribed by the AML/CTF Rules. 

Note:  This is very important for flexibility, as is the ability for the AML/CTF Rules to exclude certain types of digital representations of value – see next row.
Exclusions
  • Money.
  • Digital representation of value used exclusively within an electronic game.
  • Customer loyalty or reward points.
  • Something similar to B or C and which is not intended by the issuer to be convertible into another digital representation of value or money.
  • Digital representation of value prescribed by the AML/CTF Rules as being excluded.

The definition broadly aligns with definitions adopted by FATF and a number of other markets.  As noted above, the built-in flexibility is valuable to aid certainty and support the ability of the AML/CTF regime to evolve with relative proximity to innovation.   However, we expect a key area that may prove challenging is the overlap of the virtual asset concept with other types of regulatory characterisations.

Expansion of designated services

There are refreshed designated services specifically relating to virtual assets.  These are:

46A

Providing a virtual asset safekeeping service, where the service is provided in the course of carrying on a business as a virtual asset service provider.

New
50A

Exchanging, or making arrangements for the exchange of:

  • a virtual asset for money (whether Australian or not); or
  • money (whether Australian or not) for a virtual asset;

for a person, in the course of carrying on a business as a virtual asset service provider.

Updated
50B

Exchanging, or making arrangements for the exchange of, a virtual asset for another virtual asset (whether or not of the same or a different kind) in the course of carrying on a business as a virtual asset service provider.

New
50C

Providing a designated service mentioned in another item of this table in connection with the offer or sale of a virtual asset, where the service is provided in the course of carrying on a business participating in the offer or sale.

New

The key upshot is that a far broader array of service providers will need to register with AUSTRAC and comply with Australia’s AML/CTF requirements.  Existing AUSTRAC-registered digital currency exchange providers are also likely to need to update their registrations and compliance controls.

As we raised in our May 2024 alert, there are several questions about how these designated services should be interpreted, although certain refinements have been made (for example, in relation to 46A which is relevant to custody) that we expect will aid clarity and alignment with FATF Recommendations and other leading markets.

Other compliance areas

As noted above, there will be other areas of the AML/CTF regime with an impact on virtual assets, including IFTI reporting.

These changes should be considered in light of other proposed reforms to the digital asset sector (see our primer here).

Next steps

Looking ahead, while there is a reasonable lead time, much work will be required between now and the proposed implementation date, including debate of the Bill itself, as well as the preparation of related sectoral and other instruments.  We also anticipate major policy, procedure and system changes will be required for institutions themselves.

We recommend considering how the Bill impacts your business and considering what changes will be required to your governance structures, personnel, compliance suite, tools and third-party services.

Please let us know if you would like to discuss any aspect of these reforms.

Categories

MEET THE AUTHORS

SHOW MORESHOW LESS
LATEST THINKING
Insight
Yes, for King & Country too: The Full Federal Court confirms broad interpretation of Crown copyright exemption
ast May, we wrote about the test case, Australian News Channel Pty Ltd v Isentia Pty Ltd [2024] FCA 363, in which the Honourable Justice Burley made findings regarding the scope of the Crown copyright exception in section 183 of the Copyright Act 1968 (Cth). Section 183 permits the use of copyright material by federal, state and territory governments for ‘the services of the Commonwealth or a State’, subject to an obligation to pay reasonable compensation.

22 May 2025

Insight
Productivity Commission Opens Consultation Period on New Energy Infrastructure
The Productivity Commission is now inviting feedback from industry stakeholders as part of the second phase of its ongoing inquiries into the five pillars of productivity.

21 May 2025

Insight
Leave unraveled: the fly-in, fly-out challenge in leave accrual
Leave entitlements can be deceptively complex. Although the average employee is well aware of their entitlement to four or five weeks off each year for annual leave, and 10 days for personal leave, operationalising that entitlement in a payroll system in the form of leave accruals can cause a headache for employers.

21 May 2025

EXPLORE LATEST THINKING
OUR PEOPLE
LOCATIONS
MEDIA CENTRE
CAREERS
ABOUT US
Explore Our Expertise
Explore insights
Explore Our Insights

Advertising and Targeting Cookies