• Legal database
Legal database
House of Representatives

Anti-Money Laundering and Counter-Terrorism Financing Amendment Bill 2024

Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024

Explanatory Memorandum

(Circulated by authority of the Attorney-General, the Hon Mark Dreyfus KC MP)

SCHEDULE 1 - AML/CTF PROGRAMS AND BUSINESS GROUPS

Anti-Money Laundering and Counter-Terrorism Financing Act 2006

8. This Schedule would replace current Part 7 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) with a set of outcomes-focused obligations for an effective anti-money laundering and counter-terrorism financing (AML/CTF) program. These obligations ensure reporting entities undertake appropriate measures that focus on mitigating money laundering/terrorism financing (ML/TF) risk.

9. Current Part 7 of the AML/CTF Act requires a reporting entity to adopt an AML/CTF program with a 'primary purpose' of identifying, mitigating and managing ML/TF risk, rather than explicitly requiring the entity to identify, assess and mitigate their illicit financing risks. The amendments shift this focus to ensure reporting entities prioritise mitigating the risks they identify as being relevant to their business, in line with the Financial Action Task Force's (FATF's) risk-based approach.

10. While the amendments remove the explicit division of previous Parts A and B of an AML/CTF program, reporting entities may organise the documentation of their AML/CTF program at their discretion, as long as it complies with the high-level obligations set out in the AML/CTF Act. This means existing reporting entities may retain the division of their program in to Parts A and B if they choose to do so.

11. This Schedule also replaces the current concept of a 'designated business group' with a simple 'reporting group' concept. A reporting group will be required for traditional corporate groups and, unlike the current designated business group concept, applies a more flexible framework for related entities, including non-reporting entities that may fulfil AML/CTF obligations on behalf of reporting entities in the reporting group.

Items 1 and 2 – Section 4

12. These Items amend the simplified outline in existing section 4 of the AML/CTF Act. Item 1 removes 'financial institution' from the description of a reporting entity due to the expansion of the AML/CTF regime to non-financial businesses (see Schedule 3 of the Bill).

Item 3 – Section 5

13. This Item inserts definitions of 'AML/CTF compliance officer', 'AML/CTF policies', and 'AML/CTF program' into section 5 of the AML/CTF Act.

14. The requirement to designate an AML/CTF compliance officer is currently contained in the AML/CTF Rules, however the functions of the AML/CTF compliance officer are not set out and the term is not otherwise defined. The intention is to move the requirement to the AML/CTF Act and define the responsibilities of the AML/CTF compliance officer to reflect the importance of the position in identifying, assessing, mitigating and managing a reporting entity's risk of money laundering, terrorism financing and proliferation financing associated with providing a designated service. These concepts and definitions are discussed in more detail in Item 24 of this Schedule.

15. For 'AML/CTF policies', the definition at (a) is given as meaning the policies, procedures, systems and controls as per new section 26F of the AML/CTF Act.

16. For 'AML/CTF programs', the definition refers to the new section 26B of the AML/CTF Act.

Item 4 – Section 5 (definition of anti-money laundering and counter-terrorism financing program )

17. This Item repeals the current definition of an AML/CTF program.

Item 5 – Section 5

18. This Item inserts a new definition of 'business group' to be detailed in new subsection 10A(3) of the AML/CTF Act.

19. Item 5 also clarifies that the meaning of 'control', which is used in relation to 'business groups' and 'reporting groups', will take its meaning from section 11 of the AML/CTF Act.

Item 6 – Section 5 (definition of control test )

20. Item 6 repeals the existing definition of 'control test'. The AML/CTF Act currently relies on the definition of 'control test' from the Social Security Act 1991. This definition is no longer appropriate due to its broad nature. The 2016 Statutory Review of the AML/CTF Act, AML/CTF Rules and the Associated Regulations (the 2016 Statutory Review) found the current application of 'control test' is too expansive for AML/CTF purposes. For example, if an individual passes the Social Security Act 1991 control test for a company, so do all of their 'associates', which is defined broadly. When applied to the AML/CTF Act, this interpretation could lead to the conclusion that a company is considered to reside in each jurisdiction in which an 'associate' of the controlling individual resides.

21. As per Item 5, the AML/CTF Act will instead use the concept of 'control'. A definition will be provided in section 11 (see Item 19 of this Schedule).

Item 7 – Section 5 (definition of designated business group )

22. This Item removes the current concept of a 'designated business group', to be replaced with a modernised 'business group' and 'reporting group' concept. The new definition of 'business group' and 'reporting group' will be provided in section 10A of the AML/CTF Act, as detailed in Item 19 of this Schedule.

Item 8 – Section 5

23. Item 8 inserts a definition of a 'governing body' of a reporting entity. This is intended to define the person or persons responsible for the strategic management and oversight of a reporting entity. New section 26H of the AML/CTF Act (to be inserted by Item 24 of this Schedule) describes the responsibilities of governing bodies.

24. The term 'governing body' is intended to be a general term applicable to the management of all businesses regulated under the AML/CTF Act, from small businesses to large multinational enterprises, and includes both corporate structures and other forms of business structures. The broad term 'governing body' reflects that not all reporting entities have boards. For example, a reporting entity without a board may have one or more directors or senior employees who have primary responsibility for governance and executive decisions within the reporting entity.

25. Paragraph (a) of the definition provides that a sole trader operating a business that provides a designated service will be a reporting entity for the purposes of the AML/CTF Act and the individual comprising the business will be the governing body of that reporting entity.

Item 9 – Section 5 (definition of joint anti-money laundering and counter-terrorism financing program )

26. This Item removes the current concept of a joint AML/CTF program. In order to simplify the regime, there will only be one concept of an AML/CTF program, which is defined at new 26B (to be inserted by Item 24 of this Schedule). Under the new 'reporting group' concept, reporting groups will be able to implement group-wide AML/CTF programs. The AML/CTF Act will not prescribe the form of that program.

27. The redesign of the AML/CTF program requirements will comprise a set of outcomes-focused obligations that remove the prescriptive and overlapping requirements set out in the currently separate concepts of 'standard', 'joint' and 'special' AML/CTF programs. This allows for varying types of AML/CTF programs for individual reporting entities, reporting entities in a group, and reporting entities who only provide a designated service covered by item 54 of table 1 of section 6 of the AML/CTF Act.

Item 10 – Section 5

28. This Item inserts key terminology for the updated business group and reporting group concepts. This includes inserting the definitions of a 'lead entity' of a reporting group and a 'member' of a reporting or business group. These definitions are expanded upon in new section 10A of the AML/CTF Act (to be inserted by Item 19 of this Schedule).

29. Item 10 also provides that a new definition of a 'ML/TF risk assessment' will replace the current definition of an ML/TF risk assessment, which will be detailed in new section 26C of the AML/CTF Act (to be inserted by Item 24 of this Schedule).

Item 11 – Section 5 (definition of money laundering and terrorism financing risk assessment )

30. This Item removes the current definition of a 'money laundering and terrorism financing risk assessment' in the AML/CTF Act. A new definition is provided in new section 26C of the AML/CTF Act (to be inserted by Item 24 of this Schedule).

31. The current definition of a 'money laundering and terrorism financing risk assessment' is only used for the purpose of the section 165 notice power in the AML/CTF Act (which will be replaced by the new definition inserted by Item 10, which takes its meaning from new section 26C of the AML/CTF Act.

Item 12 – Section 5

32. This Item inserts a new definition of 'proliferation financing' in section 5 of the AML/CTF Act. The definition at paragraph (a) is intended to align with the FATF Standards, which cover any potential breach, non-implementation or evasion of United Nations Security Council targeted financial sanctions related to the proliferation of weapons of mass destruction. The definition at paragraphs (b) and (c) also extends this definition to other offences against Australian counter-proliferation laws including relevant Australian autonomous sanctions and other Australian laws giving effect to international conventions relating to the proliferation of weapons of mass destruction, for example, the Weapons of Mass Destruction (Prevention of Proliferation) Act 1995. Paragraph (g) enables relevant laws to be prescribed in regulations to assist reporting entities and allow for these laws to be updated, where appropriate, in response to international developments.

Item 13 – Section 5 (definition of reporting entity )

33. Item 13 updates the current definition of a 'reporting entity' in section 5 of the AML/CTF Act to also include the lead entity of a reporting group, which is specified at paragraph (b). As detailed at Item 19 of this Schedule, a reporting group may be formed when at least one member of a business group provides designated services. One entity in this reporting group will carry the role and functions of lead entity for the reporting group, and will be known as the lead entity.

34. Where obligations relate to the 'reporting entity', this should be understood to apply to both an individual reporting entity and the lead entity of a reporting group. Lead entities are responsible for developing the ML/TF risk assessment and the AML/CTF policies with respect to their reporting group.

35. Currently, the AML/CTF Act repetitively details the requirements for a joint AML/CTF program to be developed by the lead entity of a designated business group. This new approach in the Bill would streamline the general obligations so that they can be read as applicable to either a sole reporting entity, or to the lead entity of a reporting group. Where the lead entity develops and maintains a compliant AML/CTF program that covers the entire group, this may discharge the obligation of another member reporting entity in the reporting group to undertake its own ML/TF risk assessment or develop and maintain its own AML/CTF policies.

Item 14 – Section 5

36. This Item inserts a new definition of 'reporting group' in section 5 of the AML/CTF Act, which is to be given meaning by the new subsection 10A(1) of the AML/CTF Act (to be inserted by Item 19 of this Schedule).

37. This Item also inserts a new definition of 'senior manager' in section 5 of the AML/CTF Act, which is defined to mean an individual who makes or participates in making decisions about the operational management of a reporting entity's business. This concept is intended to be different from the definition of 'governing body' (to be inserted in section 5 by Item 8 of this Schedule), which is focused on strategic-level responsibility of a reporting entity. In a large organisation, a senior manager may be an employee who does not sit on the board of directors but is responsible for relevant activities of the reporting entity. A smaller reporting entity may not have a similar formal title, but the senior manager would make or participate in making decisions about business.

Item 15 – Section 5 (definition of shell bank )

38. This Item amends the definition of 'shell bank' in section 5 of the AML/CTF Act to reflect that the detailed definition has been moved from existing section 15 of the AML/CTF Act to new section 94A (to be inserted by Item 31 of this Schedule).

Item 16 – Section 5 (definition of special anti-money laundering and counter-terrorism financing program )

39. This Item removes the definition of a 'special' AML/CTF program as this will no longer be required. Special AML/CTF programs are currently only available to Australian Financial Services Licence (AFSL) holders that exclusively provide the designated service covered by item 54 of table 1 in section 6 (making arrangements for a customer to receive another AML/CTF designated service, for example, financial planners).

40. Reporting entities that only provide item 54 designated services will retain their exemption from certain AML/CTF program obligations. This exemption is provided in new section 26T of the AML/CTF Act (to be inserted by Item 24 of this Schedule). Any business that provides a designated service in addition to providing an item 54 service must comply with the full range of AML/CTF obligations for those services.

Item 17 – Section 5 (definition of standard anti-money laundering and counter-terrorism financing program )

41. This Item removes the concept of a 'standard' AML/CTF program as it will no longer be required. There will only be one concept of an AML/CTF program to be defined in new 26B (to be inserted by Item 24 of this Schedule).

Item 18 – After subsection 6(6)

42. This Item inserts a new subsection 6(6A) in the AML/CTF Act, which enacts the exemption currently provided for in Chapter 36 of the AML/CTF Rules. The exemption clarifies at subparagraph 6(6A)(a)(i) that any of the services provided by one business in a business group to another related business are not considered to be designated services.

43. This recognises that there is little value in applying AML/CTF measures such as customer due diligence (CDD) to services between related businesses. Where all such services provided by a business fall within the exemption, they will not be a reporting entity for the purposes of the AML/CTF Act, unless they are the lead entity in a business group that includes reporting entity members.

44. Further, subparagraphs 6(6A)(a)(ii) and (iii) specify where a reporting entity provides a designated service at items 48 or 49 of table 1 in section 6 of the AML/CTF Act (guaranteeing a loan and making a payment to the lender) and both the guarantor and borrower are members of the same reporting group, reporting entities will not be required to apply AML/CTF obligations to these services. These services are referred to specifically as they are defined in section 6 of the AML/CTF Act to have multiple customers.

45. This Item provides at subparagraph 6(6A)(a)(iv) that AML/CTF Rules may be made to apply the exemption to other designated services with multiple customers, such as trustee services being introduced in Schedule 3 of the Bill. The Item also provides at paragraph 6(6A)(b) and (c) that AML/CTF Rules may exclude designated services from the exemption, or set requirements to be met for the exemption to be applicable.

Item 19 – Section 11

46. This Item repeals existing section 11 of the AML/CTF Act, inserts new section 10A and provides key terms for reporting entities that organise themselves into groups for the purposes of group-wide risk management. The amendments replace the concept of a 'designated business group' with the concept of a 'reporting group' to refer to a group of entities that includes one or more reporting entities with common risk management and compliance arrangements. In line with FATF Recommendation 18, this Item will facilitate:

Group ML/TF risk management—this involves providing for the appropriate sharing of ML/TF risk-related information within reporting groups, including non-reporting entities. Many reporting entities, including larger multinational enterprises, use related entities within their group structures, including non-reporting entities, to fulfil AML/CTF compliance requirements such as transaction monitoring.
Group-level compliance management—Currently, designated business groups allow for the adoption of a common AML/CTF program and discharge of a limited number of AML/CTF obligations, with no requirement for group-level compliance management. Under the reforms, group-level compliance management will be required for reporting groups, with provisions for the sharing of ML/TF risk, and AML/CTF compliance-related information subject to appropriate safeguards to protect that information. It will provide more flexibility for the centralisation of AML/CTF compliance functions in one or more reporting group members in an efficient way with scope to adapt this to each reporting group's own business model.

47. The default reporting group will be a business group of related companies or other entities in a corporate structure or other control structure, where at least one entity is a reporting entity, as defined at paragraph 10A(1)(a).

48. The definition of 'reporting group' at paragraph 10A(1)(b) encompasses groups that have elected to organise themselves into groups to take advantage of group risk and compliance management within non-corporate structures such as various groupings of partnerships, or franchise arrangements. AUSTRAC will be empowered to make AML/CTF Rules allowing for other types of groups to be recognised as reporting groups, which will allow reporting entities in any sector, but tranche two entities in particular, to share or centralise compliance functions and ML/TF risk information across a group of entities. In this way, reporting groups may reduce regulatory burden for reporting entity members.

49. New subsection 10A(3) provides that reporting entities who are organised in the typical parent/subsidiary corporate structure (where a parent entity controls one or more subsidiary bodies corporate) will be recognised as a business group. The definition of business group is used to assist in defining the membership of reporting groups formed under subsection 10A(1). It is also the basis for the intra-group designated services exemption at Item 18 of this Schedule, which ensures that members of business groups that only provide designated services within the business group will not be reporting entities.

50. New subsections 10A(4) and (5) clarify the levels of membership of a reporting or business group. Each person in the reporting or business group is considered a member. These are referred to as 'ordinary members'.

51. Group risk and compliance management functions will be fulfilled by a 'lead entity' in the reporting group, which is defined at subsection 10A(5). Due to the diversity of corporate and other structures, and the need for flexibility in the concept of a 'lead entity', the AML/CTF Rules will specify how the lead entity in any reporting group is to be identified.

52. The AML/CTF Rules made under subsection 10A(5) will ensure that the lead entity is connected to Australia, for example, as an Australian resident entity or foreign company registered in Australia.

53. The lead entity will have broad responsibility for:

the identification, assessment, mitigation and management of ML/TF risk across compliance of all reporting entity members in a reporting group, and
compliance management to ensure all reporting entities in the business group comply with their obligations under the AML/CTF regime and the group AML/CTF program.

54. Subsections 236B(1), (2) and (3) (to be inserted by Item 50 in this Schedule) gives effect to the above by deeming designated services provided by a reporting entity member of a reporting group to have also been provided by the lead entity. This will trigger the lead entity's ML/TF risk assessment obligations under new section 26B such that the lead entity will be responsible for identifying and assessing risk across the designated services provided by the reporting group as a whole. It will also trigger the requirement for the lead entity to develop and maintain AML/CTF policies for risk management and mitigation, and compliance management across the group.

55. Lead entities will also have specific AML/CTF program requirements that relate to information sharing within reporting groups, which are set out at new subsection 26F(5) (to be inserted by Item 24 of this Schedule). These will require the development and maintenance of AML/CTF policies to provide for the appropriate sharing of information for ML/TF risk management and mitigation purposes, AML/CTF compliance management, and to ensure the appropriate safeguarding of information shared within the reporting group (including to prevent 'tipping off').

56. Lead entities' governing bodies will be required to exercise appropriate ongoing oversight across the reporting group and take reasonable steps to ensure that reporting entities in the reporting group are appropriately identifying, assessing, managing and mitigating their ML/TF risks and otherwise complying with AML/CTF obligations. This is given effect by new section 26U (to be inserted by Item 24 of this Schedule). The lead entity's AML/CTF compliance officer will support the leady entity's governing body to fulfil these requirements.

57. New subsection 236B(5) (to be inserted by Item 50 in this Schedule) provides that any member of a reporting group may discharge an obligation of a reporting entity under the AML/CTF Act, AML/CTF Rules or regulations. The member discharging the obligation need not be a reporting entity, however, AML/CTF Rules may set out requirements requiring reporting obligations to be discharged by reporting entity members of a reporting group. The lead entity itself (as a reporting entity) may have obligations discharged by other members of the reporting group, for example, an offshore parent entity where the reporting lead entity is an Australian subsidiary of a global bank. This framework will provide flexibility for reporting groups to structure their AML/CTF compliance operations in a way that best suits the group. Non-reporting entity members of reporting group will not be liable for failing to discharge an obligation on behalf of a reporting entity member of the group—in all cases, liability for discharging an obligation will remain with the original reporting entity.

58. New subsection 236B(6) provides that where a reporting entity member of a group fails to comply with an obligation under the AML/CTF Act, both the contravening member and the lead entity will be liable for the contravention. This reinforces the group ML/TF risk management and group compliance management approach set out above. It will also reduce the risk that reporting groups will be misused to structure out of liability for civil penalty contraventions.

59. Item 19 also replaces 'control test' with a meaning of 'control' by inserting a new section 11 in the AML/CTF Act. This intends to clarify what kind of corporate structure qualifies as a business group. Reporting entities are required to form a business group if they are related to each other as bodies corporate under the Corporations Act 2001 (the Corporations Act). This structure is common in traditional financial services businesses where one entity typically controls the subsidiary entities, that is, the parent entity either wholly owns its subsidiaries, or has the capacity to control the body corporate's board and has the maximum number of votes or shares to form a majority.

60. Subsection 11(2) relates to control of a person other than a body corporate and states that control is the capacity to control the composition of the entity's board, or having the capacity to determine decisions regarding financial and operating policies. Subparagraphs 11(2)(b)(i) and (ii) provide that in relation to the second limb, practical influence and patterns of behaviour will be considered.

Items 20 and 21

61. These Items make consequential amendments to existing subparagraphs 14(2)(b)(i) and 14(3)(b)(i) of the AML/CTF Act following the removal of the concept of 'control test' from the AML/CTF Act in Item 19 of this Schedule.

Item 22 – Section 15

62. This Item repeals the current section 15 of the AML/CTF Act that defines 'shell bank.' This Item is related to Item 15 of this Schedule, which moves the definition of 'shell bank' to new section 94A (to be inserted by Item 31 of this Schedule).

Item 23 – Subsection 21(3)

63. Item 23 amends existing subsection 21(3) of the AML/CTF Act to allow for the making of AML/CTF Rules, instead of regulations, to clarify when a designated service provided via electronic communications is considered to be provided in Australia or in another country, which may affect what AML/CTF measures must be implemented under the AML/CTF regime. The use of AML/CTF Rules for defining technical matters is more consistent with the broader approach across the AML/CTF Act, and allows appropriate flexibility to respond to changing circumstances.

Item 24 – After Part 1

64. This Item inserts a new Part 1A in the AML/CTF Act that outlines the general obligations a reporting entity must meet to develop and implement an effective AML/CTF program. These obligations are expressed as statements to guide reporting entities.

65. Given the centrality of AML/CTF programs to risk-based AML/CTF regulation, and the effectiveness of reporting entities' efforts to detect and deter misuse of their services by criminals, the AML/CTF program requirements have been moved to be some of the first obligations in the AML/CTF Act.

66. These general obligations will remove the current prescriptive obligation for AML/CTF programs to be structured with a separate Part A and Part B. Instead, an AML/CTF program will consist of the reporting entity's ML/TF risk assessment (new section 26C) and the reporting entity's AML/CTF policies (new section 26F). This reflects the common structure found globally, as reflecting the FATF Standards and the legislation of comparable jurisdictions.

67. The new framework of streamlined AML/CTF program requirements does not require reporting entities to consequently merge Part A and Part B of their existing AML/CTF programs. A reporting entity may retain its existing program structure if it is effectively identifying, mitigating and managing their risks. Reporting entities should review whether amendments to the substance of the program are required to address the requirements of Part 1A.

Application of new Part 1A to services provided overseas, including foreign branches and subsidiaries

68. Where appropriate, the provisions of Part 1A make clear which provisions apply to reporting entities providing designated services generally, and which apply only to those designated services provided at or through a permanent establishment in Australia.

69. Under FATF Recommendation 18, the home country of a reporting entity is required to ensure that foreign branches and majority-owned subsidiaries apply AML/CTF measures consistent with home country requirements, where the minimum AML/CTF requirements of the foreign country are less strict than those of the home country. This is subject to an exception where the foreign country does not permit compliance with the home country's AML/CTF requirements. The approach adopted in this Bill seeks to avoid two complications that can arise in complying with the relevant FATF Standards:

determining relative 'strictness' of laws is challenging both for reporting entities and regulators, and
the more prescriptive the obligations for foreign branches and subsidiaries, the more likely there is to be a conflict of laws.

70. To minimise these challenges for reporting entities and AUSTRAC, the Bill generally takes the following approach throughout Parts 1A (AML/CTF programs) and 2 (Customer Due Diligence):

High-level principles about the outcome to be achieved apply to all designated services under the AML/CTF Act. For example, the identification, assessment, mitigation or management of ML/TF risk. These high-level principles are consistent with the FATF Standards that are the foundation of AML/CTF regimes around the world.
More specific obligations apply to designated services provided in Australia and not to those provided overseas. For example, factors to be considered in undertaking risk assessments, specific AML/CTF policies to be included in AML/CTF programs, and specific CDD requirements. This will minimise the chances of a conflict of laws between specific Australian requirements and those of other countries in which a reporting entity operates.

Division 1 – Introduction

71. New section 26A provides a simplified outline of Part 1A. The simplified outline notes that a reporting entity must have and comply with an AML/CTF program, it should include the reporting entity's ML/TF risk assessment and AML/CTF policies that appropriately mitigate and manage the entity's risks. It also sets out the roles of the governing body and compliance officer. The simplified outline provides that the AML/CTF policies of a reporting entity should be appropriate to the nature, size and complexity of the reporting entity's business. While this simplified outline is included to assist a reader's understanding of the substantive provisions to follow, it is not intended to be comprehensive. Readers are advised to rely on the substantive provisions for full comprehension.

72. Division 1 of Part 1A amends the current approach to, or concept of, an AML/CTF program, so that it moves away from the primary obligation of simply having an AML/CTF program in place. The new intent is to shift the focus for reporting entities on to the identification, assessment, mitigation and management of money laundering, terrorism financing and proliferation financing risk itself in fulfilling AML/CTF program requirements.

73. As such, new section 26B provides that an AML/CTF program comprises a ML/TF risk assessment (subsection 26B(a)) and the AML/CTF policies that are developed and implemented to mitigate and manage the ML/TF risk and to ensure compliance with the AML/CTF regime (new subsection 26B(b)).

Division 2 – ML/TF risk assessment

74. Division 2 of Part 1A at new subsection 26C(1) requires a reporting entity to undertake a risk assessment. As part of the risk assessment, a reporting entity must identify, assess and document the risks that their designated services may be exploited to launder money, or finance either terrorism or the proliferation of weapons.

75. The AML/CTF Act currently does not clearly express the expectation for a reporting entity to undertake a risk assessment prior to commencing to provide a designated service. Reporting entities have had to infer this requirement from disparate parts of the legislation.

76. Subsection 26C(2) details that the steps taken in undertaking the ML/TF risk assessment must be appropriate to the nature, size and complexity of its business, consistent with the FATF Standards. In practice, this reflects that reporting entities that are larger, or have more complex operations, may be required to undertake their ML/TF risk assessment in a different manner as compared to a smaller reporting entity.

77. The AML/CTF Act does not prescribe the manner in which a reporting entity must undertake its ML/TF risk assessment, or the format in which a ML/TF risk assessment must be documented. Whichever approach is taken, a reporting entity's ML/TF risk assessment should be useable by the governing body in fulfilling its functions under the AML/CTF Act, and by employees and other staff of the reporting entity to implement AML/CTF policies effectively.

78. New subsection 26C(3) provides the four main factors a reporting entity must have regard to when assessing their risk, representing the risk factors set out in the FATF Standards. This new subsection also reflects current terminology in the AML/CTF Rules. These are the kinds of services being provided (paragraph 26C(3)(a)), the kinds of customers of a business (paragraph 26C(3)(b)), how these services are delivered (paragraph 26C(3)(c)), and the countries that a reporting entity does business in (paragraph 26C(3)(d)).

79. 'Countries' is defined in existing section 5 of the AML/CTF Act to include Australia and a foreign country, while the term 'foreign country' is defined to have an extended meaning to include a range of different types of regions within or associated with a foreign country.

80. Subsection 26C(4) provides that a reporting entity is not limited to the factors outlined in subsection 26C(3) and may consider more factors if appropriate to the nature, size and complexity of the business.

81. These factors will not be mandatory for the provision of designated services provided at, or through, a foreign permanent establishment of the reporting entity. This will allow flexibility for reporting entities to comply with any applicable foreign laws relating to ML/TF risk assessment.

82. Paragraph 26C(3)(e) also includes a requirement to consider any written guidance issued by AUSTRAC. AUSTRAC may communicate information in a number of ways including through publications on its website, by communication with industry peak bodies or direct communication with the reporting entity. This requirement to consider AUSTRAC communications is narrower than the existing requirement in the AML/CTF Rules for reporting entities to consider any AUSTRAC guidance or feedback relevant to the reporting entity's identification, mitigation and management of money laundering and terrorism financing risk.

83. The AUSTRAC communication as per subparagraph 26D(1)(a)(ii) must identify or assess money laundering, terrorism financing and proliferation financing risks to trigger this obligation. General guidance or other communications will not trigger this requirement. This addresses an ongoing concern from the financial sector about the breadth of the current obligation and its associated regulatory burden and brings Australia into closer alignment with the FATF Standards.

84. New section 26D provides an obligation for reporting entities to review their ML/TF risk assessments in certain circumstances to ensure that the reporting entity has identified and assessed any new or changed risks of ML/TF.

85. Subparagraph 26D(1)(a)(i) stipulates that a review should be triggered when there is a significant change to any of the factors in its ML/TF risk assessment. The term 'significant change' is intended to ensure that a reporting entity is not expected to review and update its ML/TF risk assessment in response to minor changes in risk which do not have a significant impact on the reporting entity.

86. An example of a significant change may be that a reporting entity that has provided services solely face-to-face begins delivering its services online. This would necessitate a review of the reporting entity's risk assessment before it begins using the new, online delivery channel as its services will now be available and accessible to a wider range of customers and may be vulnerable to new threats of exploitation by criminals. This review may be an internal review undertaken by the business itself.

87. If the review is conducted in response to a significant change in a risk factor, the review may not result in an update of the entire ML/TF risk assessment, but only those parts which are relevant to the significant change.

88. New subsection 26D(2) provides for two distinct kinds of changes that would trigger a review. These are changes that are within the control of the reporting entity (paragraph 26D(2)(a)) and those that are not within the control of the reporting entity (paragraph 26D(2)(b)).

89. New subsection 26D(4) provides that where the change is within the entity's control (for example, a new form of designated service), the reporting entity is required to review their risk assessment prior to the change taking place (paragraph 26D(4)(a)). Where the change is outside of the reporting entity's control (for example, a business provides services to a foreign jurisdiction which has recently been affected by targeted financial sanctions), the review and update should occur as soon as practicable after the change (paragraph 26D(4)(b)).

90. New subparagraph 26D(1)(a)(iii) provides the AML/CTF Rules may provide further detail on other kinds of circumstances that would trigger reviews of ML/TF risk assessments. New subparagraph 26D(1)(b) provides that the minimum frequency for these reviews is every 3 years, which appropriately balances the need to ensure accuracy of information with the burden to reporting entities.

91. New subsection 26E(1) further stipulates that a reporting entity must not commence to provide a designated service without an ML/TF risk assessment or if its risk assessment is not up to date. Contravening this provision carries a civil penalty as per new subsection 26E(2). This conveys the importance of the risk assessment in the effective identification, mitigation and management of money laundering, terrorism financing and proliferation financing risks.

92. Subsection 26E(3) provides that a separate contravention of that subsection is committed for each designated service that the reporting entity provides in Australia. Subsection 26E(4) says a separate contravention occurs each day the reporting entity provides designated services in a foreign country.

93. These penalties are outlined in Division 2 of Part 15 of the AML/CTF Act. The maximum civil penalty under the AML/CTF Act is set at the highest amount allowed, which is 100,000 penalty units for a corporation and 20,000 penalty units for individuals. While the penalties can be substantial, AML/CTF enforcement actions can involve serious systemic failures by a reporting entity where the number of contraventions is immeasurable. The amount of any civil penalty will be determined by the court. Courts will decide the appropriate penalty (subject to the statutory maximum) based on the circumstances of a contravention. In determining the appropriate amount for a civil penalty, the courts will consider the impact of these violations on the Australian community, the financial system, and law enforcement efforts.

Division 3 – AML/CTF policies

94. Division 3 of Part 1A details the requirement for a reporting entity to develop and maintain policies, procedures, systems and controls that achieve two outcomes. The first outcome is to manage and mitigate the ML/TF risks that the reporting entity may reasonably face in providing its designated services (paragraph 26F(1)(a)). The second outcome is internal compliance management to ensure the reporting entity complies with the AML/CTF Act, Rules and regulations (paragraph 26F(1)(b)). This internal compliance management function extends to compliance with the reporting entity's AML/CTF policies themselves, given that this is a requirement of the AML/CTF Act in section 26G. Reporting entities do not need to have separate policies to achieve these two purposes—a given policy, procedure, system or control may be relevant to both.

95. These policies, procedures, systems and controls will be known collectively as 'AML/CTF policies' and form part of the AML/CTF program. AML/CTF policies will largely include the matters that are currently dealt with in Part A and Part B of an AML/CTF program.

96. Where a reporting entity has identified and assessed its money laundering, terrorism financing and proliferation financing risks in accordance with subsection 26C(1), its ML/TF risk assessment will form the basis of the reporting entity's AML/CTF policies.

97. Subsection 26F(8) makes the obligation in subsection 26F(1) subject to a civil penalty. These penalties are outlined in Division 2 of Part 15 of the AML/CTF Act. The maximum civil penalty under the AML/CTF Act is set at the highest amount allowed, which is 100,000 penalty units for a corporation and 20,000 penalty units for individuals. While the penalties can be substantial, AML/CTF enforcement actions can involve serious systemic failures by a reporting entity where the number of contraventions is immeasurable. The amount of any civil penalty will be determined by the court. Courts will decide the appropriate penalty (subject to the statutory maximum) based on the circumstances of a contravention. In determining the appropriate amount for a civil penalty, the courts will consider the impact of these violations on the Australian community, the financial system, and law enforcement efforts.

98. Without limiting the core obligation in new subsection 26F(1), subsection 26F(3) provides a non-exhaustive list of what the risk management and mitigation policies must cover:

how the reporting entity will identify significant changes that would trigger a review of its ML/TF risk assessment (paragraph 26F(3)(a))
how the reporting entity will conduct CDD (paragraph 26F(3)(b)), and
how the reporting entity will review and update its AML/CTF policies when required (paragraphs 26F(3)(c) and (d)).

99. New paragraph 26F(3)(e) also empowers the AUSTRAC CEO to make Rules that may specify other matters related to managing and mitigating the risks of money laundering, terrorism financing and proliferation financing. This recognises the rapid evolution of financial crime threats and methodologies and the need for the regime to adapt accordingly.

100. Without limiting the core obligation in paragraph 26F(1)(b) for internal compliance management, subsection 26F(4) provides a non-exhaustive list of what the internal compliance management policies must cover:

how the reporting entity will inform its governing body of the money laundering, terrorism financing and proliferation financing risks faced by the reporting entity in its provision of designated services (paragraph 26F(4)(a))
designating an AML/CTF compliance officer (paragraph 26F(4)(b))
designating a senior manager responsible for approving any changes to the ML/TF risk assessment or AML/CTF policies (paragraph 26F(4)(c))
how the reporting entity will undertake due diligence on staff engaged by the reporting entity whose role in the reporting entity may allow them to facilitate serious financial crimes or whose role is relevant to AML/CTF compliance (paragraph 26F(4)(d))
how a reporting entity will provide risk awareness and management training to staff engaged by the reporting entity (paragraph 26F(4)(e))
how, and when, to conduct an independent review of its AML/CTF program (paragraph 26F(4)(f)), and
any other matters that may be provided in the AML/CTF Rules (paragraph 26F(4)(g)).

101. The internal compliance management policies reflect the obligations in the FATF Standards, and matters which support the operation of other provisions of the AML/CTF Act. Additional matters will be specified in AML/CTF Rules. The risk mitigation polices at subsections 26F(3) and (4) are limited in their application to entities that provide designated services at or through permanent establishments in Australia, to allow flexibility for reporting entities to comply with foreign applicable laws for designated service provided overseas. However, the overarching general requirement to develop and maintain AML/CTF policies that achieve both the ML/TF risk mitigation and management and AML/CTF compliance management outcomes in new subsection 26F(1) applies to designated services provided at or through foreign permanent establishments.

102. While the matters described above apply to all reporting entity members of a reporting group, subsections 26F(5) and (6) provide the additional matters that must be dealt with by the lead entity's AML/CTF policies. These matters include:

appropriate information sharing between members of the group (paragraph 26F(5)(a))
how and which members can discharge AML/CTF functions on behalf of other members of the group (paragraph 26F(6)(b)), and
ensuring that information shared between reporting entities is appropriately used and handled to avoid triggering the tipping off offence (paragraph 26F(6)(c)).

103. The policies for information sharing between members of a reporting group can include the ability for a reporting entity's foreign branch or subsidiary to 'passport' a customer to receive designated services in Australia where initial CDD has already been undertaken.

104. Subsections 26F(8), (9) and (10) make the obligations in subsection 25F(1) subject to civil penalties. These penalties are outlined in Division 2 of Part 15 of the AML/CTF Act. The maximum civil penalty under the AML/CTF Act is set at the highest amount allowed, which is 100,000 penalty units for a corporation and 20,000 penalty units for individuals. While the penalties can be substantial, AML/CTF enforcement actions can involve serious systemic failures by a reporting entity where the number of contraventions is immeasurable. The amount of any civil penalty will be determined by the court. Courts will decide the appropriate penalty (subject to the statutory maximum) based on the circumstances of a contravention. In determining the appropriate amount for a civil penalty, the courts will consider the impact of these violations on the Australian community, the financial system, and law enforcement efforts.

105. Subsection 26F(11) provides that a reporting entity is not required to develop or maintain specific AML/CTF policies to mitigate and manage proliferation financing risk if it has assessed under subsection 26C and 26D that risk to be low and that it can be appropriately managed by existing policies for ML/TF. Reporting entities will be supported in forming this assessment by AUSTRAC's Proliferation Financing in Australia National Risk Assessment, published in December 2022.

106. Subsection 26F(12) provides that the reporting entity bears the legal burden of proof in order to rely on this exception. Imposing the legal burden of proof on the reporting entity will require the reporting entity to prove that they have considered proliferation financing in their ML/TF risk assessment and reasonably assessed their risk as low. This will be within the reporting entity's knowledge, making the reversal of the burden of proof appropriate.

107. Section 26G provides that the AML/CTF policies developed by the reporting entity must be complied with, or the reporting entity is liable to a civil penalty for each designated service that is provided without complying with its own policies. This section provides a requirement for a reporting entity to not only have AML/CTF policies, but also to ensure that they are implemented by the reporting entity.

108. Subsection 26G(3) makes the obligations in new subsections 26G(1) and (2) subject to a civil penalty. These penalties are outlined in Division 2 of Part 15 of the AML/CTF Act. The maximum civil penalty under the AML/CTF Act is set at the highest amount allowed, which is 100,000 penalty units for a corporation and 20,000 penalty units for individuals. While the penalties can be substantial, AML/CTF enforcement actions can involve serious systemic failures by a reporting entity where the number of contraventions is immeasurable. The amount of any civil penalty will be determined by the court. Courts will decide the appropriate penalty (subject to the statutory maximum) based on the circumstances of a contravention. In determining the appropriate amount for a civil penalty, the courts will consider the impact of these violations on the Australian community, the financial system, and law enforcement efforts.

Division 4 – AML/CTF responsibilities of governing bodies

109. Division 4 sets out the strategic oversight responsibilities of the governing body, which is separate from the responsibilities of the AML/CTF compliance officer and other members of senior management.

110. New section 26H of the AML/CTF Act provides the governing body is responsible for exercising ongoing oversight of the ML/TF risk assessment (subparagraph 26H(1)(a)(i)), the reporting entity's compliance with its own AML/CTF policies (subparagraph 26H(1)(a)(ii)), and compliance with the AML/CTF regime (paragraph 26H(1)(b)).

111. While the governing body will not be required to exercise oversight of the day-to-day implementation of the AML/CTF program, they must take reasonable steps to ensure that the reporting entity is effectively identifying, assessing, mitigating and managing the money laundering, terrorism financing or proliferation financing risks it may reasonably face, as per paragraph 26H(1)(b).

112. The effect of new section 26H is that a reporting entity's board or governing body will not be required to approve iterative changes to the risk assessment and will only be required to be informed of these changes. This will ensure that governing bodies maintain strategic oversight of the effective implementation of the AML/CTF program that is informed by the entity's ML/TF risk assessment. Approvals for the ML/TF risk assessment are detailed in new section 26P.

113. Subsection 26H(3) makes the obligation in new subsection 26H(2) subject to a civil penalty. These penalties are outlined in Division 2 of Part 15 of the AML/CTF Act. These penalties are outlined in Division 2 of Part 15 of the AML/CTF Act. The maximum civil penalty under the AML/CTF Act is set at the highest amount allowed, which is 100,000 penalty units for a corporation and 20,000 penalty units for individuals. While the penalties can be substantial, AML/CTF enforcement actions can involve serious systemic failures by a reporting entity where the number of contraventions is immeasurable. The amount of any civil penalty will be determined by the court. Courts will decide the appropriate penalty (subject to the statutory maximum) based on the circumstances of a contravention. In determining the appropriate amount for a civil penalty, the courts will consider the impact of these violations on the Australian community, the financial system, and law enforcement efforts.

Division 5 – AML/CTF compliance officers

114. Division 5 provides that a reporting entity must designate an AML/CTF compliance officer (in new section 26J) and sets out eligibility requirements. This is an existing role in the AML/CTF Rules. Moving this role and its functions to the primary legislation highlights the important role an AML/CTF compliance officer fulfils in the effective operation of, and continued compliance with, a reporting entity's AML/CTF program.

115. To provide flexibility for different business models, the requirement to 'designate' an AML/CTF compliance officer does not require that the AML/CTF compliance officer be an employee of the reporting entity and may be engaged externally by the reporting entity (26J(2)(a)). However, an AML/CTF compliance officer who is not an employee will only be eligible for designation if they can meet the requirements of the role as set out below.

116. Section 26J provides the requirements for the AML/CTF compliance officer. The individual must be at the management level (paragraph 26J(2)(a)), or engaged by the reporting entity with sufficient authority, independence and access to resources and information to ensure they can perform their functions effectively (paragraph 26J(2)(b)).

117. Management level may be interpreted differently for different forms and sizes of reporting entities. For example, for a large reporting entity the relevant manager may exercise day-to-day operational management relevant to AML/CTF compliance, as opposed to the strategic oversight exercised by members of the board or executive committee. For smaller reporting entities, the compliance officer may be the owner or director of a business, or a management-level employee who is responsible for managing broader risks or operations within the business.

118. Subsection 26J(2) provides the AML/CTF compliance officer must have has sufficient authority, independence and access to resources and information to ensure they can perform their functions effectively. Independence means the AML/CTF compliance officer must be in a position to form their own judgements in exercising their AML/CTF functions.

119. Subsection 26J(3) further provides that the AML/CTF compliance officer must be a resident of Australia (if the reporting entity is based in and provides services through a permanent establishment in Australia) (paragraph 26J(3)(a)), be a fit and proper person (paragraph 26J(3)(b)), and meet any further requirements specified in the AML/CTF Rules (paragraph 26J(3)(c)).

120. 'Fit and proper' is intended to be understood with its ordinary meaning, including concepts of honesty and competency and is intended to provide sufficient flexibility to recognise different business models. A fit and proper AML/CTF compliance officer for a small domestic business will necessarily differ from the same role in a major multinational enterprise. A reporting entity may leverage AFSL or other professional fit and proper person checks, pursuant to any AML/CTF Rules made regarding this requirement.

121. New subsection 26J(5) provides that subsection 26J(2) is a civil penalty provision. These penalties are outlined in Division 2 of Part 15 of the AML/CTF Act. The maximum civil penalty under the AML/CTF Act is set at the highest amount allowed, which is 100,000 penalty units for a corporation and 20,000 penalty units for individuals. While the penalties can be substantial, AML/CTF enforcement actions can involve serious systemic failures by a reporting entity where the number of contraventions is immeasurable. The amount of any civil penalty will be determined by the court. Courts will decide the appropriate penalty (subject to the statutory maximum) based on the circumstances of a contravention. In determining the appropriate amount for a civil penalty, the courts will consider the impact of these violations on the Australian community, the financial system, and law enforcement efforts.

122. New subsection 26K(1) clarifies that a reporting entity must designate a compliance officer within 28 days of providing a designated service.

123. Failing to designate an AML/CTF compliance officer within the required time period and failing to notify AUSTRAC of the individual who is the compliance officer both give rise to civil penalties under new subsection 26K(6). These penalties are outlined in Division 2 of Part 15 of the AML/CTF Act. The maximum civil penalty under the AML/CTF Act is set at the highest amount allowed, which is 100,000 penalty units for a corporation and 20,000 penalty units for individuals. While the penalties can be substantial, AML/CTF enforcement actions can involve serious systemic failures by a reporting entity where the number of contraventions is immeasurable. The amount of any civil penalty will be determined by the court. Courts will decide the appropriate penalty (subject to the statutory maximum) based on the circumstances of a contravention. In determining the appropriate amount for a civil penalty, the courts will consider the impact of these violations on the Australian community, the financial system, and law enforcement efforts.

124. Subsection 26K(2) provides if an AML/CTF compliance officer ceases to be eligible for that role for the reporting entity, the reporting entity will also have 28 days to designate a new compliance officer. The reporting entity may continue to provide designated services during this time. Failing to designate an appropriate individual within the specified timeframes leaves a reporting entity liable to a civil penalty for each day the reporting entity provides a designated service without a compliance officer after the 28-day deadline.

125. Section 26L provides the functions specific to the AML/CTF compliance officer as separate to the those of the governing body. The AML/CTF compliance officer is responsible for overseeing and coordinating the operational implementation of the AML/CTF program. In addition, the AML/CTF compliance officer is to be the main point of contact with AUSTRAC. The AML/CTF Rules may also specify additional functions for the AML/CTF compliance officer.

126. After a reporting entity has designated their compliance officer, the reporting entity must notify AUSTRAC of the individual within 14 days, using an approved form under section 26M. Subsection 26M(1) is a civil penalty provision under subsection 26M(3). These penalties are outlined in Division 2 of Part 15 of the AML/CTF Act. The maximum civil penalty under the AML/CTF Act is set at the highest amount allowed, which is 100,000 penalty units for a corporation and 20,000 penalty units for individuals. While the penalties can be substantial, AML/CTF enforcement actions can involve serious systemic failures by a reporting entity where the number of contraventions is immeasurable. The amount of any civil penalty will be determined by the court. Courts will decide the appropriate penalty (subject to the statutory maximum) based on the circumstances of a contravention. In determining the appropriate amount for a civil penalty, the courts will consider the impact of these violations on the Australian community, the financial system, and law enforcement efforts.

Division 6 – AML/CTF program documentation and approvals

127. Division 6 sets out the requirements for a reporting entity to document and seek approvals for the reporting entity's AML/CTF program.

128. New section 26N of the AML/CTF requires that a reporting entity must document its AML/CTF program, which includes both the ML/TF risk assessment and the AML/CTF policies. The AML/CTF Rules may specify other related matters that must be documented.

129. New section 26P provides that the ML/TF risk assessment and its AML/CTF policies, and any updates to either, must be approved by a senior manager in the reporting entity. The governing body of the reporting entity must be notified of approved updates to ensure that it is able to provide effective strategic oversight of the reporting entity's money laundering, terrorism financing and proliferation financing risks and ability to manage and mitigate them.

130. This removes the previous requirement for the governing body to approve updates to most policies, procedures, systems and controls in an AML/CTF program, and instead requires this be done by a senior manager in the reporting entity. It further aligns with the intent of alleviating burden of approving minor procedural updates from the governing body.

131. The distinction between governing body, senior manager and AML/CTF compliance officer may be redundant for small businesses or sole traders.

132. New section 26Q provides that the AUSTRAC CEO may issue a written notice requesting a reporting entity to produce AML/CTF program documents and any related documents required to be made and kept from a reporting entity.

133. Subsections 26N(2), 26P(3) and 26Q(2) are civil penalty provisions. These penalties are outlined in Division 2 of Part 15 of the AML/CTF Act. The maximum civil penalty under the AML/CTF Act is set at the highest amount allowed, which is 100,000 penalty units for a corporation and 20,000 penalty units for individuals. While the penalties can be substantial, AML/CTF enforcement actions can involve serious systemic failures by a reporting entity where the number of contraventions is immeasurable. The amount of any civil penalty will be determined by the court. Courts will decide the appropriate penalty (subject to the statutory maximum) based on the circumstances of a contravention. In determining the appropriate amount for a civil penalty, the courts will consider the impact of these violations on the Australian community, the financial system, and law enforcement efforts.

Division 7 – Other matters

134. New section 26R replicates the relevant parts of the previous section 165 regarding ML/TF risk assessments and its civil penalties in new Part 1A of the AML/CTF Act, where they are more appropriate. This retains the existing provision for a civil penalty for breaching the requirements.

135. New section 26S provides that a registered remittance network provider must develop and share an AML/CTF program with its affiliates. This is due to the remittance network not being expressly captured by the streamlined 'business group' or 'reporting group' concepts. In practice, the remittance network provider must enact the functions of a lead entity in a reporting group for the purposes of the affiliates' AML/CTF compliance. This continues an existing obligation in section 84 of the AML/CTF Act.

136. New section 26T maintains the existing exemption for holders of an AFSL that only provide designated services covered by item 54 of table 1 in section 6 (for example, financial planners). These reporting entities are only required to undertake an AML/TF risk assessment, and develop and implement AML/CTF policies that deal with how the reporting entity undertakes initial CDD. This maintains the effect of the previous 'Special Anti-Money Laundering and Counter-Terrorism Financing Programs' under section 86 of the AML/CTF Act.

137. New section 26U clarifies that a reference to the nature, size and complexity of the business of a lead entity of a reporting group is taken to be a reference to consider the nature, size and complexity of the business of the lead entity, and of each member of the reporting group when complying with its obligations under Part 1A. Item 50 of this Schedule inserts a new section 236B, which provides further detail for lead entities.

138. New section 26V provides a Rule-making power to exempt specific designated services or circumstances involving designated services from Part 1A of the AML/CTF Act. This Rule-making power may be required if the amendments in this Bill unintentionally capture services that present little to no risk of ML/TF.

Item 25 – Subsection 35F(5)

139. This Item repeals existing subsection 35F(5). This is a consequential repeal of the subsection that is made redundant by the removal of the 'designated business group' concept.

Item 26 – Paragraph 38(d)

140. Item 26 adds a reference to proliferation financing in paragraph 38(d), which currently only covers money laundering and terrorism financing.

Items 27 to 29

141. These Items are consequential to the amendments required to create the new Part 1A of the AML/CTF Act.

Item 30 – Part 7

142. This Item repeals existing Part 7 of the AML/CTF Act, the current Part in the AML/CTF Act that sets out the AML/CTF programs obligations. This Part will be replaced with the Items in this Schedule.

Item 31 – After section 94

143. This Item moves the current definition of a 'shell bank' to the relevant Part 8 of the AML/CTF Act that deals with correspondent banking.

Item 32 – Section 104

144. This Item updates the simplified outline in Part 10 of the AML/CTF Act to provide that a reporting entity must retain records related to its AML/CTF program to align with the new understanding that an AML/CTF program is a collection of documented policies, procedures, systems and controls.

Items 33 and 34

145. These Items make contingent amendments for the replacement of the record keeping provisions by this Schedule, and for the repeal of the Financial Transaction Reports Act 1988 (FTR Act) (in Schedule 11 of the Bill).

Item 35 – Division 5 of Part 10

146. Item 35 replaces the AML/CTF program record-keeping requirements in existing Division 5 of Part 10 of the AML/CTF Act with a new obligation for a reporting entity to keep records that demonstrate compliance with the new Part 1A of the AML/CTF Act, in recognition that the AML/CTF program is to be understood as a collection of documented policies, procedures, systems and controls (paragraph 116(1)(a)).

147. The new Part 1A of the AML/CTF Act retains the previous record keeping requirements for reporting entities.

148. Paragraph 116(3)(b) provides that the documents and records detailed in Part 1A must be kept for 7 years after the records are no longer relevant to the reporting entity's compliance. This aligns with existing requirements and supports AUSTRAC's monitoring of reporting entities' compliance with the AML/CTF regime.

149. This means that a reporting entity must keep a record of its AML/CTF program (its ML/TF risk assessment, AML/CTF policies, any updates and the steps taken to review and update the program) for 7 years after the record is no longer relevant.

150. This continues the current 7-year document retention obligations in the AML/CTF Act. The 7-year period has been retained to align with other relevant pieces of legislation which currently already have their own 7-year document retention obligations (for example, the Corporations Act).

151. Subsections 116(1) and (3) are civil penalty provisions. These penalties are outlined in Division 2 of Part 15 of the AML/CTF Act. The maximum civil penalty under the AML/CTF Act is set at the highest amount allowed, which is 100,000 penalty units for a corporation and 20,000 penalty units for individuals. While the penalties can be substantial, AML/CTF enforcement actions can involve serious systemic failures by a reporting entity where the number of contraventions is immeasurable. The amount of any civil penalty will be determined by the court. Courts will decide the appropriate penalty (subject to the statutory maximum) based on the circumstances of a contravention. In determining the appropriate amount for a civil penalty, the courts will consider the impact of these violations on the Australian community, the financial system, and law enforcement efforts.

Items 36 and 37 – Paragraph 124(2)(a)

152. These Items update paragraph 124(2)(a) where it refers to other sections of the AML/CTF Act.

Items 38 to 44

153. These Items update sections 161 and 162 to align with the terminology introduced in the new Part 1A of the AML/CTF Act. The intent of these subsections remains the same.

Item 45 – Division 8 of Part 13

154. Item 45 repeals Division 8 of Part 13 as it will be made redundant by the inclusion of an express ML/TF risk assessment requirement in the new Part 1A.

Items 46 and 47 – Subsection 184(4)

155. These Items add the relevant new subsections to the existing list of designated infringement notice provisions.

156. The designation and notification of an AML/CTF compliance officer, and the provisions dealing with AML/CTF program documentation and approvals are designated infringement notice provisions.

Item 48 – Paragraphs 207(3)(a) and (b)

157. This Item makes a consequential amendment to terminology to align with the new terminology of a 'reporting group' that has replaced the previous 'designated business group' concept.

Item 49 – Section 234

158. This Item amends the existing simplified outline in section 234 of the AML/CTF Act to reflect the defence from civil penalty liability where a reporting entity's foreign branch or subsidiary is unable to comply with Australian AML/CTF laws due to a conflict with the laws in the host country.

Item 50 – After section 236

159. Item 50 adds two new sections to Part 18 of the AML/CTF Act pertaining to:

a defence from civil penalties for foreign branches and subsidiaries (section 236A), and
clarity on the application of the AML/CTF Act to reporting groups (section 236B).

160. New section 236A provides a defence from the civil penalty provisions in Part 1A and Part 2 where a reporting entity is prevented from complying with their Australian AML/CTF obligations by the laws of a foreign country.

161. As per paragraph 236A(1)(c), a foreign branch or subsidiary of a reporting entity is required to notify AUSTRAC that there is a conflict of laws that prevent the implementation of Australian AML/CTF Act obligations in the host country, and is taking reasonable steps to identify, assess, mitigate and manage the money laundering and terrorism financing risk arising from being prevented from compliance.

162. Subsection 236(2) provides the reporting entity bears a legal burden of proof if it intends to rely on this defence. The reversed onus is appropriate here because the elements of section 236A that would give rise to the defence will be particularly within the knowledge of the reporting entity. The reporting entity's foreign branch or subsidiary would be required to provide proof of the conflicting laws in order to rely on this defence in civil penalty proceedings.

163. New section 236B gives effect to the obligations of a lead entity in a reporting group. Subsection 236B(2) deems a designated service provided by an ordinary member of a reporting group to have been provided by the lead entity. This will trigger the lead entity's ML/TF risk assessment obligations under new section 26C (inserted by Item 24 of this Schedule) such that the lead entity will be responsible for identifying and assessing risk across the designated services provided by the reporting group as a whole. It will also trigger the requirement for the lead entity to develop and maintain AML/CTF policies for risk management and mitigation, and compliance management, across the group.

164. New subsection 236B(5) also provides that any member of a reporting group may discharge an obligation of a reporting entity under the AML/CTF Act, AML/CTF Rules, or regulations. The AML/CTF Rules may specify requirements related to the discharge of AML/CTF obligations by one member of a reporting group on behalf of another.

165. The note following subsection 236B(5) states that the member discharging the obligation need not be a reporting entity. The lead entity itself (as a reporting entity) may have obligations discharged by other members of the reporting group. This framework will provide significant flexibility for reporting groups to structure their AML/CTF compliance operations in a way that best suits the group.

166. Non-reporting entity members of reporting group will not be liable for failing to discharge an obligation on behalf of a reporting entity member of the group—in all cases, liability for discharging an obligation will remain with the original reporting entity and the lead entity.

167. Subsection 236B(6) also provides that where a member of a reporting group contravenes civil penalty provisions in the AML/CTF Act, the lead entity of the reporting group is deemed to have contravened the same provisions of the AML/CTF Act as well. Both the ordinary member and the lead entity may be liable for the civil penalty. This ensures that the lead entity is appropriately aware of and accountable for the compliance of the reporting group members.


View full documentView full documentBack to top