House of Representatives

Explanatory Memorandum

(Circulated by authority of the Attorney-General, the Hon Mark Dreyfus KC MP)

SCHEDULE 2 - CUSTOMER DUE DILIGENCE

168. CDD is one of the primary ways in which reporting entities identify, assess, mitigate and manage their money laundering, terrorism financing and proliferation financing risk. CDD involves reporting entities achieving two related outcomes:

•

identifying, and verifying the identity, of their customers and certain associated persons, and

•

understanding the ML/TF risks associated with providing designated services to the customer, and taking appropriate steps to mitigate and manage these risks.

169. The amendments in Schedule 2 of the Bill clarify the fundamental requirements of the CDD framework, and address deficiencies identified in FATF's 2015 mutual evaluation of Australia's compliance with the FATF Standards. In particular, the amendments simplify the existing AML/CTF regime by clearly stating the outcomes to be achieved by initial CDD, rather than focusing on the procedures. This provides greater flexibility to reporting entities in the steps they take to know their customers.

170. The amendments in Schedule 2 clearly outline that a reporting entity must apply initial and ongoing CDD measures that are appropriate to the ML/TF risk of each customer, rather than applying a one-size-fits-all approach. This provides reporting entities greater flexibility to apply simplified CDD in low risk scenarios. Consistent with FATF Recommendations 10 and 12, the Bill also requires a reporting entity to apply enhanced CDD in high risk scenarios under new section 32 inserted by Item 6 of this Schedule.

171. The amendments in Schedule 2 also empower the AUSTRAC CEO to create AML/CTF Rules to set out more specific obligations for services provided in Australia. It is expected that AUSTRAC would develop comprehensive guidance, with examples, on how a reporting entity can implement the obligations.

Part 1—Main Amendments

Anti-Money Laundering and Counter-Terrorism Financing Act 2006

Items 1 to 3 – Section 4

172. Items 1 to 3 amend the existing simplified outline in section 4 of the AML/CTF Act to repeal or omit phrases or terms that are no longer applicable or required. These phrases and terms are replaced with updated terminology inserted in the AML/CTF Act by this Bill. While this simplified outline is included to assist a reader's understanding of the substantive provisions to follow, it is not intended to be comprehensive. Readers are advised to rely on the substantive provisions for full comprehension.

Item 4 – Section 5 (definition of applicable customer identification procedure )

173. Item 4 repeals the existing definition of 'applicable customer identification procedure'(ACIP) in section 5 of the AML/CTF Act. This helps to shift the focus of CDD from process and prescriptive requirements (such as carrying out ACIP under the existing framework) to clearer and risk-based outcomes (identifying and verifying who your customer is and the ML/TF risks associated with providing services to them).

Item 5 – Section 5

174. Item 5 inserts several new definitions in section 5 of the AML/CTF Act.

175. 'Beneficial owner' is defined as meaning a person who ultimately owns (either directly or indirectly) 25 per cent or more of the person, or controls (directly or indirectly) the person. This definition reflects the definition of beneficial owner as outlined in FATF Recommendations 24 and 25. The inclusion of 'ultimately owns or controls' is intended to refer to situations in which ownership or control is exercised through a chain of ownership or by means of control other than direct control. The ultimate beneficial owner is always one or more natural persons.

176. 'Business relationship' is defined as meaning a relationship between a reporting entity and a customer involving the provision of a designated service or designated services that has, or could reasonably be expected to have, an element of duration. The definition is intended to help reporting entities:

•

determine which types of ongoing CDD are appropriate

•

determine when CDD obligations cease to apply to a customer (that is, at the end of the business relationship), and

•

for reporting entities that would be regulated as a result of Schedule 3 of this Bill, help identify which customers are considered pre-commencement customers, in connection with new section 36 of the AML/CTF Act inserted by Item 7 of this Schedule.

177. For example, a business relationship is intended to include:

•

a bank opening an account for a customer and allowing transactions in relation to that account over time (multiple point in time designated services)

•

a safe deposit box provider holding items in a safe deposit box over time (a single designated service with an element of duration)

•

a legal practitioner acting as a nominee director for a company for a period of time, or

•

a real estate agent that has an agency agreement with a vendor to sell a property over a period of time.

178. 'Child' is defined to include:

•

a stepchild or an adopted child of the person

•

someone who would be the stepchild of the person except that the person is not legally married to the person's partner, or

•

someone who is a child of a person within the meaning of the Family Law Act 1975.

179. This list is non-exhaustive and provides clarity on who is considered a child for the purposes of the AML/CTF Act.

180. 'De facto partner' is defined to have the same meaning as in the Acts Interpretation Act 1901.

181. 'Domestic politically exposed person' is defined as meaning:

•

an individual who holds an office or position, in or for an Australian government body, specified in the AML/CTF Rules

•

an individual who is a member of the legislature of the Commonwealth of a State or Territory

•

a family member of an individual covered by the categories above, or

•

certain other known associates, having regard to information that is public or readily available.

182. The rule-making power in this definition would only be used to specify prominent and high-level positions in Australian government bodies.

183. 'Family member' of an individual covered by the new definitions of 'domestic politically exposed person', foreign politically exposed person below or international organisation politically exposed person below, is defined to include:

•

a spouse, de facto partner, or other person who is equivalent to a spouse of de facto partner under any applicable law of a foreign country, of the individual

•

a child of the individual

•

a spouse or de facto partner, or other person who is equivalent to a spouse or de facto partner under any applicable law of a foreign country, of a child of the individual, and

•

a parent of the individual.

184. 'Foreign politically exposed person' (foreign PEP) is defined as meaning an individual who holds a prominent office or position or public function in or for the legislature, executive or judiciary of a foreign country, including an individual who holds any the specified offices or positions. The definition also includes a family member of an individual covered by this category, or certain other known associates, having regard to information that is public or readily available. The amendment also provides a rule-making power that allows the AUSTRAC CEO to specify additional positions that must be included in the application of the definition. The approach to this definition recognises different international contexts may have different legislative, executive, judicial, military and other political frameworks.

185. 'International organisation politically exposed person' (international organisation PEP) is defined as meaning:

•

an individual who is entrusted with a prominent public function, position or office of a public international organisation, including a head, deputy head or board member in a public international organisation

•

a family member of an individual covered by the category above, or

•

certain other known associates, having regard to information that is public or readily available.

186. 'KYC information' is defined as information about the customer that provides reasonable grounds for a reporting entity to establish the matters set out in new subsection 28(2) inserted by Item 6 of this Schedule and assists in identifying and assessing the ML/TF risk of the customer. KYC information is short for 'Know Your Customer' information. Pursuant to new subsection 28(6) (to be inserted by Item 6 of this Schedule), the AML/CTF Rules may specify certain KYC information must be collected and/or verified in order for the reporting entity to establish those matters on 'reasonable grounds' for different kinds of customers in Australia.

187. 'ML/TF risk' of a customer is defined as meaning the risks of money laundering, financing of terrorism and proliferation financing that a reporting entity may reasonably face in providing the designated service, or designated services, to the customer. This differs from the definition of 'ML/TF risk assessment' inserted by Item 10 of Schedule 1 of this Bill, which identifies and assesses broader illicit financing risks associated with the reporting entity or reporting group providing designated services across its entire business.

188. The definition of 'ML/TF risk' of a customer is intended to clarify the understanding of customer risk and how it interacts with the CDD obligations. A risk-based approach to CDD requires a reporting entity to identify and assess its entity-specific or group-wide ML/TF risks, as well as the ML/TF risks present through the provision of a designated service to a particular customer. While the requirement to identify customer risk is not explicit in the current AML/CTF Act and AML/CTF Rules, it has always been an implicit expectation that underpins existing CDD obligations. The AML/CTF Rules would specify a range of further factors that reporting entities must consider when identifying the ML/TF risk of the customer, particularly where a reporting entity plans to undertake simplified CDD for the customer.

189. A reporting entity may adopt its own method to identify and assess the ML/TF risk of a customer, so long as it complies with the requirements of the new Part 2 of the AML/CTF Act and may determine its own risk categories. However, categories adopted by a reporting entity must be compatible with requirements in the AML/CTF Act or AML/CTF Rules that are applicable to customers presenting either low, medium or high risk and, as such, could undertake simplified or must undertake enhanced initial and ongoing CDD instead of undertaking standard CDD.

190. For example, a reporting entity may implement additional risk ratings within these three broad categories—low risk may be distinguished from moderately low risk. In this scenario, a reporting entity may implement graduated simplified CDD measures so long as they remain appropriate to the ML/TF risk of the customer and meet any requirements specified in the AML/CTF Rules. However, it should be clear what the cut-offs are for low, medium and high risk in any ML/TF risk rating scale adopted for the purposes of complying with the AML/CTF Act and Rules. For example, a reporting entity may consider that customers of high and extreme risk meet the mandatory conditions for applying enhanced CDD measures, but with additional enhanced due diligence measures applied to those customers rated as 'extreme' risk.

191. The ML/TF risk requirements for initial CDD and ongoing CDD are set out in new sections 28 and 30 (to be inserted by Item 6 of this Schedule). The ML/TF risk of the customer is not static, and should develop and become more informed as a customer goes through initial CDD and is monitored through ongoing CDD.

192. 'Nested services relationship' refers to circumstances where a financial institution, remitter or virtual asset service provider (VASP) provides its designated services to a customer who is also either a financial institution, remitter or VASP in another country, who would then use those services to provide its own designated services to its own customers. This definition exempts correspondent banking relationships between two financial institutions but covers relationships such as a bank providing services to a VASP in another country, which would then be used for the VASP to provide services to their customers. This amendment clarifies when this trigger for enhanced CDD must be applied for these relationships. Such relationships present particular risks because the Australian financial institution, remitter or VASP is reliant on their overseas counterpart's due diligence with respect to overseas counterpart's own customers. Under new subsection 28(6) (to be inserted by Item 6 of this Schedule), the AML/CTF Rules may provide specific details which must be collected and/or verified by a reporting entity in respect of undertaking enhanced CDD on a customer within a nested services relationship.

193. 'Occasional transaction' is defined as meaning the provision of a designated service by a reporting entity to a customer other than as part of a business relationship. For example, an occasional transaction could include a currency exchange business exchanging foreign currency over the counter where the customer does not have an account and there are no other indications of an enduring relationship. As above for 'business relationship', this definition is intended to help reporting entities determine which ongoing CDD measures need to be applied. For occasional transactions, not all components of ongoing CDD need to be applied. However, the provision of the designated service(s) provided as occasional transactions must still be monitored to identify possible suspicious matters.

194. 'Parent' is defined to include the parent of another person if the other person is the parent's child because of the definition of child in this section. This definition does not limit who is a parent of another person for the purposes of the AML/CTF Act.

195. 'Person designated for targeted financial sanctions' is defined as meaning a designated person or entity within the meaning of regulations made under the Charter of the United Nations Act 1945 or the Autonomous Sanctions Act 2011.

196. 'Politically exposed person' (PEP) is defined as meaning a 'domestic politically exposed person', a foreign PEP or an international organisation PEP. These categories are defined elsewhere in this Item, and set out what positions are covered for each category of PEP.

197. Individuals captured by the PEP definition often hold positions that can be abused for the purposes of money laundering or other predicate offences such as corruption or bribery. Due to these heightened risks, reporting entities must take reasonable measures to determine whether a customer or associated person is a PEP, as well as the other factors outlined in new section 28. For foreign PEPs, enhanced CDD must be applied. Similarly, for domestic and international organisation PEPs who have been identified as having high ML/TF risk, enhanced CDD must be applied. Enhanced CDD must also be applied to family members and other close associates of foreign PEPs and high ML/TF risk domestic and international organisation PEPs due to the increased risk these customers pose.

198. Under new paragraph 28(2)(g) inserted by Item 6 of this Schedule, the AML/CTF Rules will specify requirements applicable to former PEPs based on ML/TF risk of the customer. Under the current regime, PEP status ceases with the position or function which does not accurately reflect the ML/TF risks that former PEPs may pose. FATF Recommendation 12 requires that the duration of enhanced CDD measures applicable to current and former PEP is to be risk-based. It is not intended to be indefinite.

199. 'Pre-commencement customer' refers to new subsection 36(1) of the AML/CTF Act (to be inserted by Item 8 of this Schedule). This Item outlines who is a pre-commencement customer for the purposes of the AML/CTF Act, and associated CDD requirements related to pre-commencement customers.

200. 'Public international organisation' is defined to have the same meaning as in section 70.1 of the Criminal Code. This term is defined for the purposes of identifying an international organisation PEP and new subsection 6(5D) of the professional service provider designated services.

201. Section 70.1 of the Criminal Code defines 'public international organisation' as:

•

an organisation of which 2 or more countries, or the governments of 2 or more countries, are members, or that is constituted by persons representing 2 or more countries, or representing the government of 2 or more countries

•

an organisation established by, or a group of organisations constituted by organisations of which 2 or more countries, or the governments of 2 or more countries, are members, or organisations that are constituted by the representatives of 2 or more countries, or the governments of 2 or more countries, or

•

an organisation that is an organ of, or office within, an organisation described in the categories above, or a commission, council or other body established by an organisation so described or such an organ, or a committee, or subcommittee of a committee, of an organisation described in the categories above, or of such an organ, council or body.

202. 'Spouse' is defined to include a de facto partner of the person within the meaning of the Acts Interpretation Act 1901. This clarifies that a de facto partner is within the meaning of a 'family member' of an individual for the purposes of the AML/CTF Act.

Item 6 – Part 2 (heading)

203. Item 6 repeals the heading 'Part 2 - Identification procedures' and substitutes it with 'Part 2 - Customer Due Diligence'.

Item 7 – Divisions 1 to 5 of Part 2

Division 1 – Introduction

204. Item 7 repeals and substitutes existing Divisions 1 to 5 of Part 2 of the AML/CTF Act. These Divisions currently focus on identification and verification procedures for pre-commencement customers, low risk services, and ACIP for various customer types. The Bill replaces aspects of these Divisions with new outcomes-focused provisions for initial CDD, ongoing CDD and pre-commencement customers, detailed below. As the existing power to list low-risk designated services in Division 3 of Part 2 of the AML/CTF Act has never been used, and it is unlikely that a designated service will ever be low risk in every circumstance, the Bill repeals these provisions.

205. New section 27 contains a simplified outline of CDD. While this simplified outline is included to assist a reader's understanding of the substantive provisions to follow, it is not intended to be comprehensive. Readers are advised to rely on the substantive provisions for full comprehension.

Division 2 – Initial customer due diligence

206. New section 28 establishes the principle obligation for undertaking initial CDD. Principle obligations are established for initial CDD, ongoing CDD, enhanced CDD and simplified CDD to provide a clear overarching purpose for these obligations. Foreign branches and subsidiaries will be required to meet these high-level, principles-based obligations. If a reporting entity's AML/CTF policies, procedures, systems and controls as they apply in a foreign country achieve, in practice, the high-level outcome in the AML/CTF Act, there will be no additional requirements under Australian law.

207. New subsection 28(1) requires that a reporting entity must not commence to provide designated services to a customer until it establishes a number of matters on reasonable grounds. It also inserts new notes referencing new sections 31 (simplified CDD), 32 (enhanced CDD), and 36 (pre-commencement customers).

208. New subsection 28(2) sets out the matters that must be established on reasonable grounds. These matters reflect the requirements of FATF Recommendations 10 and 12. They are:

•

the identity of the customer

•

the identity of any person on whose behalf the customer is receiving the designated service (for example, a trustee receiving a service on behalf of beneficiaries)

•

the identity of any person acting on behalf of the customer and their authority to act (for example, an agent of a customer)

•

the identity of any beneficial owners

•

whether the customer, any beneficial owner, any person on whose behalf the customer is receiving the designated service, or any person acting on behalf of the customer is a PEP or designated for targeted financial sanctions

•

the nature and purpose of the business relationship or occasional transaction, and

•

any other matters in the AML/CTF Rules.

209. The reporting entity may begin to provide designated services to the customer once the reporting entity has established the matters in new subsection 28(2) on reasonable grounds to an extent that is appropriate for the ML/TF risk of the customer. 'Reasonable grounds' is an objective test and new subsection 28(3) sets out particular requirements that must be done to establish the relevant matters in new subsection 28(2). This includes:

•

if the customer is an individual, taking reasonable steps to establish that the customer is who they claim to be (for example, ensuring that the individual's identity is not being used by someone else—while an identity may be verified as valid it must also be connected to the customer to mitigate the risk of identity fraud)

•

identifying the ML/TF risk of the customer based on KYC information that is reasonably available to the reporting entity before commencing to provide a designated service (as outlined in new subsection 28(2))

•

collecting KYC information about the customer that is appropriate to ML/TF risk of the customer (for example, the type and extent of information collected may depend on the level of ML/TF risk associated with the customer), and

•

verifying the KYC information to an appropriate extent based on the ML/TF risk of the customer using independent and reliable data. The information verified may be a subset of the information collected, where appropriate to the ML/TF risk.

210. The amendments in the Bill do not prescribe a particular order or process for fulfilling these requirements. Instead they could be completed simultaneously, or in any order that allows the reporting entity to meet the 'reasonable grounds' test before it commences to provide a designated service. For example, information collected for the purpose of establishing that a customer is who they claim to be may also assist in identifying the ML/TF risk of a customer and understanding whether enhanced CDD measures must be applied.

211. As an example, a reporting entity is approached by a prospective customer:

•

If the customer is an individual, the reporting entity needs to take steps to ensure that the individual is who they claim to be, which may involve comparing the photo on a primary photographic identification document (for example, a driver's licence or passport) to the individual who is presenting to the reporting entity either in person or through an internet-based delivery channel.

•

At the same time, the reporting entity identifies where the customer fits into its broader ML/TF risk assessment by considering the details it knows about the customer against the following factors: the kind of customer (for example, an individual), the services the reporting entity would provide, the channels they propose to deliver the designated services through, and the country where the individual is located, to identify the ML/TF risk of the customer.

•

This identification of the ML/TF risk of the customer determines the appropriate amount of KYC information that is collected and verified by the reporting entity to establish the matters in new subsection 28(2). A low-risk customer may require less information to be collected and verified to establish the matters on reasonable grounds as compared to a medium or high-risk customer. However, whatever level of CDD is undertaken, the reporting entity must still be able to establish the required matters to the objective standard of on 'reasonable grounds'.

212. A reporting entity determines the appropriate level of initial CDD to undertake, based on the information reasonably available to them before commencing to provide a designated service.

•

For an individual, for example, the reporting entity may determine based on the customer's occupation and residency that the customer is a high-risk domestic politically exposed person and, as such, they would be required to undertake appropriately enhanced CDD measures from their AML/CTF policies, and as specified in the applicable AML/CTF Rules, in order to meet the requirements for reasonable grounds. As required by FATF Recommendation 12, specific enhanced CDD measures are required for foreign PEPs, and high-risk domestic and international organisation PEPs.

•

Conversely, the reporting entity may determine that the company is wholly owned by a publicly listed company and may determine that the ML/TF risk is low, enabling the use of simplified CDD measures from their AML/CTF policies to establish the required matters such as beneficial ownership on reasonable grounds.

213. When identifying the ML/TF risk of the customer for initial CDD under new subsection 28(3), a reporting entity must consider KYC information, such as the kind of customer, the designated service being provided, delivery channels and jurisdictional risk. It is not expected that a reporting entity undertake a bespoke 'risk assessment' for each customer. Instead, when undertaking initial CDD, the reporting entity would utilise KYC information that is reasonably available to them before commencing to provide a designated service to determine where the customer fits into in the reporting entity's ML/TF risk assessment. This KYC information would then inform what level or type of initial CDD is required.

214. New subsection 28(4) provides that if a reporting entity provides its designated services at or through a permanent establishment of the reporting entity in Australia, it must take certain matters into account for the purposes of identifying the ML/TF risk of the customer. The matters are detailed in new paragraphs 28(4)(a)–(f). However, new subsection 28(5) outlines that new subsection 28(4) does not limit the matters a reporting entity may take into account for the purposes of identifying the ML/TF risk of the customer.

215. The reporting entity may begin to provide designated services to the customer once the reporting entity has established the matters in new subsection 28(2) on reasonable grounds to an extent that is appropriate for the ML/TF risk of the customer.

216. New subsection 28(6) enables AML/CTF Rules to be made regarding specific requirements for any part of initial CDD.

217. New subsection 28(7) clarifies that rules made under any of the provisions in this section may specify different requirements for classes of customers, including those to whom simplified CDD measure may be taken in accordance with new section 31, and those to whom enhanced CDD measures must be taken in accordance with new section 32.

218. New subsection 28(8) makes the obligation in new subsection 28(1) subject to a civil penalty. These penalties are outlined in Division 2 of Part 15 of the AML/CTF Act. The maximum civil penalty under the AML/CTF Act is set at the highest amount allowed, which is 100,000 penalty units for a corporation and 20,000 penalty units for individuals. While the penalties can be substantial, AML/CTF enforcement actions can involve serious systemic failures by a reporting entity where the number of contraventions is immeasurable. The amount of any civil penalty will be determined by the court. Courts will decide the appropriate penalty (subject to the statutory maximum) based on the circumstances of a contravention. In determining the appropriate amount for a civil penalty, the courts will consider the impact of these violations on the Australian community, the financial system, and law enforcement efforts.

219. New subsection 28(9) provides that a reporting entity that fails to undertake initial CDD in accordance with new subsection 28(1) commits a separate contravention in respect of each designated service that the reporting entity provides to a customer at or through a permanent establishing of the reporting entity in Australia. That is, a reporting entity commits a separate contravention for each instance of providing a designated service without undertaking initial CDD.

220. New subsection 28(10) provides that a reporting entity that fails to undertake initial CDD in accordance with new subsection 28(1) commits a separate contravention each day that they provide designated services at or through a permanent establishment of the reporting entity in a foreign country.

221. New section 29 outlines when reporting entities may delay initial CDD, or parts of initial CDD, until after commencing to provide a designated service, in certain circumstances specified in the AML/CTF Rules. Subsections 29(1)(a)-(f) clarify that this section applies if:

•

the circumstances in the rules apply

•

the reporting entity determines on reasonable grounds that commencing to provide the designated service prior to undertaking initial CDD is essential to avoid interrupting the ordinary course of business

•

the reporting entity has policies to comply with initial CDD requirements in relation to the customer as soon as reasonably practicable after commencing to provide the designated service, and within any period specified in the AML/CTF Rules

•

the difference in ML/TF risk arising from any delay in completing initial CDD is low (as opposed to the customer being identified as low ML/TF risk)

•

the reporting entity implements AML/CTF policies to mitigate and manage the associated risks, and

•

the reporting entity complies with any requirements specified in the AML/CTF Rules.

222. New section 29 of the AML/CTF Act enables AML/CTF Rules to be made to continue existing provisions for delayed CDD, including for financial institutions opening accounts. Further, recognising the operational challenges of verifying whether a customer is a PEP or designated for targeted financial sanctions before commencing to provide a designated service, the AML/CTF Rules may include provision allowing verification of PEP status or whether the person is designated for targeted financial sanctions on 'day 2', where appropriate to the ML/TF risk of the customer and the additional risk from delay is managed and mitigated.

223. New subsection 29(2) clarifies that if a reporting entity has delayed initial CDD under subsection 29(1), they must not continue to provide the designated service to the customer or commence to provide any other designated service to the customer unless they undertake initial CDD as soon as reasonably practicable and, if applicable, within any deadline set in the AML/CTF Rules.

224. New subsection 29(3) makes the obligation from new subsection 29(2) subject to a civil penalty provision for this obligation. These penalties are outlined in Division 2 of Part 15 of the AML/CTF Act. The maximum civil penalty under the AML/CTF Act is set at the highest amount allowed, which is 100,000 penalty units for a corporation and 20,000 penalty units for individuals. While the penalties can be substantial, AML/CTF enforcement actions can involve serious systemic failures by a reporting entity where the number of contraventions is immeasurable. The amount of any civil penalty will be determined by the court. Courts will decide the appropriate penalty (subject to the statutory maximum) based on the circumstances of a contravention. In determining the appropriate amount for a civil penalty, the courts will consider the impact of these violations on the Australian community, the financial system, and law enforcement efforts.

Division 3 – Ongoing customer due diligence

225. New subsection 30(1) inserts a principle obligation outlining that reporting entities must monitor their customers to appropriately identify, assess, manage and mitigate the ML/TF risks the reporting entity may reasonably face in the provision of designated services. This section continues the existing substantive requirements of section 36 in the AML/CTF Act. Reporting entities must be able to detect any suspicious activities, unusual transactions, and material changes in their customer's behaviour. A reporting entity must apply ongoing CDD measures proportionate to the ML/TF risk of the customer throughout the course of a business relationship, as well as in relation to the provision of designated services provided as occasional transactions.

226. New subsection 30(1) also inserts new notes referencing new sections 31 (simplified CDD), 32 (enhanced CDD), and 36 (pre-commencement customers).

227. New subsection 30(2) outlines ongoing CDD requirements for reporting entities who provide its designated services at or through a permanent establishment of the reporting entity in Australia.

228. New paragraph 30(2)(a) requires reporting entities to monitor for unusual transactions and behaviours of customers that may give rise to a suspicious matter report (SMR) obligation. This requirement is similar to the current requirement for a transaction monitoring program and applies to all reporting entities regardless of whether they have a business relationship with a customer or are undertaking an occasional transaction. For example, a reporting entity may monitor customers' transactions for signs of structuring below the cash reporting threshold and to assess whether this transaction or behaviour gives rise to a suspicious matter reporting obligation.

229. New paragraph 30(2)(b) requires reporting entities to review and, where appropriate, updating the reporting entity's identification and assessment of the ML/TF risk of the customer. This requirement only applies to reporting entities that have a business relationship with a customer. Whilst the ML/TF risk of the customer is identified through initial CDD based on KYC information that is reasonably available at the time, ongoing CDD requires the reporting entity to assess and update that risk over the course of the business relationship. For example, as a customer begins to undertake transactions in respect of designated services, the behaviour exhibited may indicate that the ML/TF risk of the customer is different to what was previously identified. For occasional transactions, the ML/TF risk of the customer will need to be identified under new section 28 each time the reporting entity provides a designated service.

230. New paragraph 30(2)(c) requires reporting entities to review and, where appropriate, updating and reverifying KYC information relating to the customer. This requirement only applies to reporting entities that have a business relationship with a customer. As per new paragraph 30(2)(c), reporting entities will have flexibility to review KYC information based on a frequency that is appropriate to the ML/TF risk of the customer. This also includes a requirement to undertake CDD and update KYC information where there are doubts about the adequacy or veracity of KYC information that the reporting entity has in relation to the customer—this continues an existing requirement under Chapter 6 of the AML/CTF Rules and consistent with FATF Recommendation 10.

231. New paragraph 30(2)(d) requires reporting entities to monitor for significant changes in the nature and purpose of the business relationship for pre-commencement customers that may result in the ML/TF risk of the customer being medium or high. For example, if a pre-commencement customer begins to receive a new designated service which indicates that the customer may be using the reporting entity for a different purpose, and the circumstances may result in the business relationship being medium or high risk (for example, as indicated by the reporting entity's ML/TF risk assessment). This monitoring obligation contains a trigger for carrying out initial CDD for a pre-commencement customer under new section 36.

232. New subsection 30(3) empowers the AUSTRAC CEO to make AML/CTF Rules specifying ongoing CDD requirements that must be complied with, or setting out circumstances in which CDD requirements will be deemed to have been complied with. This may include varying the extent of transaction monitoring required for customers as part of simplified CDD measures or enhanced CDD measures, during ongoing CDD

233. New subsection 30(4) clarifies that rules made under any of the provisions in this section may specify different requirements for classes of customers, including those to whom simplified CDD measure may be taken in accordance with new section 31, and those to whom enhanced CDD measures must be taken in accordance with new section 32.

234. New subsection 30(5) clarifies what constitutes unusual transactions and behaviours. This definition expressly articulates the ongoing CDD requirement to monitor for unusual behaviour, not just transactions, that give rise to a SMR obligation under the AML/CTF Act. This may be relevant to behaviours exhibited by a customer which are not part of a transaction but are relevant to the provision of a designated service. For example, if a prospective customer is acting suspiciously when at a reporting entity's premises in regards to how they answer questions regarding their source of wealth; it may not necessarily be an unusual transaction but may constitute an unusual behaviour.

235. New subsection 30(6) makes the principle ongoing CDD obligation in subsection 30(1) subject to a civil penalty provision. These penalties are outlined in Division 2 of Part 15 of the AML/CTF Act. These penalties are outlined in Division 2 of Part 15 of the AML/CTF Act. The maximum civil penalty under the AML/CTF Act is set at the highest amount allowed, which is 100,000 penalty units for a corporation and 20,000 penalty units for individuals. While the penalties can be substantial, AML/CTF enforcement actions can involve serious systemic failures by a reporting entity where the number of contraventions is immeasurable. The amount of any civil penalty will be determined by the court. Courts will decide the appropriate penalty (subject to the statutory maximum) based on the circumstances of a contravention. In determining the appropriate amount for a civil penalty, the courts will consider the impact of these violations on the Australian community, the financial system, and law enforcement efforts.

236. New subsection 30(7) provides that a reporting entity that fails to monitor their customers in accordance with new subsection 30(1) commits a separate contravention in respect of each designated service that the reporting entity provides to a customer at or through a permanent establishment of the reporting entity in a foreign country. That is, a reporting entity commits a separate contravention for each instance of providing a designated service without monitoring their customers in accordance with subsection 30(1).

237. New subsection 30(8) provides that a reporting entity that fails to monitor their customers in accordance with new subsection 30(1) commits a separate contravention each day that they provide designated services at or through a permanent establishment of the reporting entity in a foreign country.

238. New subsection 30(9) provides that if an ongoing CDD obligation arises for a reporting entity in its capacity as a registered remittance affiliate of a registered remittance network providers, the obligation may be discharged by the registered remittance network provider.

239. New subsection 30(10) provides an exemption from ongoing CDD for a reporting entity in Item 54 of table 1 in section 6 of the AML/CTF Act. This item covers a reporting entity, in the capacity of a holder of an AFSL, making arrangements for a person to receive a designated service, other than a service covered by that Item. This continues an existing exemption under subsection 36(3) of the AML/CTF Act.

Division 4 – Simplified and enhanced customer due diligence

240. New section 31 provides that a reporting entity may apply simplified CDD measures during initial CDD under new subsection 28(1) and/or ongoing CDD under new subsection 30(1) if the ML/TF risk of the customer is low, none of the triggers for enhanced CDD apply (as set out in new section 32), and the reporting entity complies with the requirements specified in the AML/CTF Rules.

241. Simplified CDD refers to simplified measures that reporting entities may apply to the provision of designated services when collecting and verifying KYC information or undertaking ongoing CDD in respect of a customer. However, a reporting entity must not apply simplified CDD unless it has collected sufficient information enabling them to identify the ML/TF risk of the customer as low. A reporting entity cannot assume that the ML/TF risk of a customer is low until it knows enough about the customer and the designated services to be provided. Whether or not a customer's ML/TF risk is low will be an objective test. AUSTRAC will develop comprehensive guidance to support reporting entities in determining the objective level of ML/TF risk. Further, a reporting entity must ensure that simplified CDD still allows them to meet all CDD obligations in respect of the customer, including establishing all of the matters required on reasonable grounds in new subsection 28(2), and monitoring for unusual transactions or behaviours that may give rise to a suspicious matter reporting obligation under new section 30.

242. Simplified CDD is intended to give reporting entities more discretion, within clearly defined parameters, to decide when to use simplified measures and the extent to which CDD measures will be simplified. For example, under Chapter 4 of the current AML/CTF Rules, simplified due diligence for trusts is limited to Australian Securities and Investments Commission (ASIC)-regulated managed investment schemes, trusts regulated by the Australian Government, or government superannuation funds established by legislation. Under the Bill and AML/CTF Rules to be made, it is envisaged that a reporting entity may apply simplified initial CDD, for example, to foreign equivalents of these types of trusts, where the reporting entity reasonably identifies that the ML/TF risk of the customer is low.

243. The AUSTRAC CEO is empowered to make Rules regarding the simplified CDD measures that may be used by a reporting entity during either initial CDD (pursuant to new subsection 28(6)) and ongoing CDD (pursuant to new subsection 30(3)). For example, simplified CDD measures during initial CDD may involve less intensive collection and verification requirements for KYC information than would be required otherwise. During ongoing CDD, simplified CDD measures may involve undertaking less intensive transaction monitoring in respect of a customer (supported by an alert mechanism setup by the reporting entity when an unusual transaction occurs, for example, an unusually large transaction), or less frequent updates to KYC information.

244. New section 32 establishes that reporting entities must apply enhanced CDD measures appropriate to the ML/TF risk of the customer if one or more of the triggers in paragraphs 32(a)-(f) apply. The triggers for applying enhanced CDD measures include circumstances when the ML/TF risk of the customer is high, which will be an objective test. AUSTRAC will develop comprehensive guidance to support reporting entities in determining the objective level of ML/TF risk. Enhanced CDD measures also automatically apply to some specified customers regardless of assessed risk due to the inherent risks associated with prominent public positions, jurisdictions and relationships. This includes foreign PEPs, where specific forms of enhanced CDD are required by FATF Recommendation 10. It also includes designated services provided as part of a nested services relationship, where CDD is required by FATF Recommendation 13.

245. New paragraph 32(b) provides that a reporting entity must also apply enhanced CDD measures if a SMR obligation arises in relation to the customer, and the reporting entity proposes to continue to provide a designated service or services to that customer. That is, reporting entities do not have to exit customers because a SMR obligation has arisen, but must undertake enhanced CDD measures in order to continue with the business relationship. New section 39D inserted by Item 7 of Schedule 10 below provides an exception for a reporting entity to not be required to satisfy initial CDD (under new section 28) and ongoing CDD (under new section 30) in respect of the provision of a designated service a customer, where a SMR reporting obligation arises and the reporting entity reasonably believes that compliance with those sections would or could reasonably be expected to alert the customer to the reporting entity's suspicion.

246. New paragraph 32(f) establishes that the AML/CTF Rules are able to prescribe certain types of customers as high-risk, thus triggering enhanced CDD. New paragraph 32(f) is intended to allow flexibility and certainty to ensure the rules can respond to current and emerging risks. For example, if a global event results in significantly heightened risk for a particular jurisdiction, then amendments to the AML/CTF Rules can respond swiftly to such events. When that heightened risk passes, the relevant rules can be revoked.

247. Enhanced CDD measures must be applied to both initial CDD and ongoing CDD. Reporting entities must apply enhanced CDD measures that still enable them to fulfil their obligations under new subsections 28(1) and 30(1), as well as allow them to collect and verify additional KYC information relevant to mitigating and managing the identified higher risk. The types of enhanced CDD measures used will be determined by the reporting entity in accordance with its AML/CTF program and should be based on the context of the customer and the services provided, unless the AML/CTF Rules require specific measures to be used. For example, obtaining source of funds information for enhanced CDD on a customer as part of providing a loan may be less relevant to ML/TF risk as the reporting entity will be providing funds to the customer. Senior management approval or collecting more KYC information in respect of the matters in subsection 28(2) are other forms of enhanced CDD measures that could also be considered.

248. In some cases, the AML/CTF Rules may specify enhanced CDD measures that must be applied during either initial CDD (pursuant to subsection 28(6)) or ongoing CDD (pursuant to subsection 30(3)). For example, under FATF Recommendation 12, if a reporting entity proposes to provide a designated service to a foreign PEP, it must obtain senior management approval, establish the customer's source of wealth and source of funds, and apply enhanced CDD measures during ongoing CDD. These requirements are currently implemented in Chapters 4 and 15 of the AML/CTF Rules and would be continued in new AML/CTF Rules to be made.

Item 8 – Division 6 of Part 2

249. Item 8 repeals Division 6 of Part 2 and substitutes it with Division 6 – Pre-commencement customers. New subsection 36(1) outlines what constitutes a pre- commencement customer for both current and newly regulated reporting entities. For newly regulated reporting entities under this Bill, pre-commencement customers would be those in a business relationship with the reporting entity when the CDD obligations enter into force for those reporting entities on 1 July 2026. For clarity, a customer who enters into a business relationship with the reporting entity on, or from, 1 July 2026 would not be a pre-commencement customer. For example, pre-commencement customers may include:

•

a real estate professional that has an active agency agreement with a vendor to sell a property on 30 June 2026

•

a solicitor or conveyancer that is in the process of finalising the settlement for a property on 30 June 2026

•

an accountant that is in the process of setting up a company for a customer on 30 June 2026, or

•

a solicitor who has an active retainer with a client which involves the provision of newly regulated designated services on 30 June 2026.

250. New subsection 36(2) provides that once a pre-commencement customer has been subject to initial CDD, as set out at new subsection 28(1), they will cease to be a pre-commencement customer and instead transition to being an ordinary customer for the purposes of the AML/CTF Act. Over time, this should reduce the number of pre-commencement customers, improving the integrity of the AML/CTF regime without imposing a significant upfront burden on reporting entities. Pre-commencement customers can be subject to new subsection 28(1) as a result of one of the triggers outlined below or through a reporting entity's own initiative.

251. New subsection 36(3) clarifies that for pre-commencement customers, reporting entities are not required to comply with the initial CDD obligation as set out new subsection 28(1) and its supporting provisions, or with the ongoing CDD obligation at new paragraph 30(2)(b) which requires them to review and, where appropriate, update the identification and assessment of the ML/TF risk of the customer. However, for pre-commencement customers, reporting entities must still:

•

monitor for unusual transactions and behaviours of customers that may give rise to a suspicious matter reporting obligation as set out under new paragraph 30(2)(a)

•

review and, where appropriate, update the KYC information relating to the customer as set out under new paragraph 30(2)(c), and

•

monitor for significant changes in the nature and purpose of the business relationship that may result in the ML/TF risk of the customer being medium or high as set out under new paragraph 30(2)(d). For example, if a pre- commencement customer who currently has a savings account with a financial institution enquires to obtain a safety deposit box from the reporting entity. As the provision of this new designated service would shift the nature of the business relationship, and if the bank has assessed the inherent risk of the safety deposit service as medium or high risk (or there are other factors pointing to medium or high risk), then the reporting entity would be obliged to undertake initial CDD in respect of the customer, prior to providing the new designated service.

252. New subsection 36(4) confirms, in line with ongoing CDD obligations, a reporting entity must also comply with new subsection 28(1) in relation to a pre-commencement customer if a SMR obligation arises or if the ML/TF risk of the customer becomes medium or high. While reporting entities must review and, where appropriate, update KYC information relating to pre-commencement customers, they are not obliged to undertake initial CDD under new subsection 28(1) unless the ML/TF risk of the customer changes to medium or high, or a suspicious matter reporting obligation arises.

Items 9 to 20

253. Items 9 to 20 make consequential amendments to Division 7 of Part 2 of the AML/CTF Act to omit references to 'applicable customer identification procedure(s)' and substitute terminology and phrases to reflect the reframed initial CDD obligations. Division 7 of Part 2 provides for an agent to carry out initial CDD on a reporting entity's behalf. It also provides a framework for a reporting entity to rely on initial CDD undertaken by a third party in certain circumstances.

254. Item 9 omits the phrase 'applicable customer identification procedures' in the heading of section 37, and substitutes 'collection and verification of KYC information'.

255. Item 10 omits the phrase 'the carrying out by a reporting entity of an applicable identification procedure or an identity verification procedure' in subsection 37(1), and substitutes 'a reporting entity complying with paragraphs 28(3)(c) and (d)'.

256. Item 11 omits the phrase 'carrying out the applicable customer identification procedures' in the note in subsection 37(1), and substitutes 'complying with paragraphs 28(3)(c) and (d)'.

257. Item 12 omits the phrase 'carrying out applicable customer identification procedures or identity verification procedures' in subsection 37(2), and substitutes 'complying with paragraphs 28(3)(c) and (d)'.

258. Item 13 omits the phrase 'carrying out the applicable customer identification procedure or an identity verification procedure' in subsection 37(3), and substitutes 'complying with paragraphs 28(3)(c) and (d)'.

259. Item 14 omits the phrase 'applicable customer identification procedures' in the heading of subsection 37A, and substitutes 'collection and verification of KYC information'.

260. Item 15 omits the phrase 'applicable customer identification procedures' in paragraph 37A(1)(a), and substitutes 'the collection and verification of KYC information relating to a customer in accordance with paragraphs 28(3)(c) and (d)'.

261. Item 16 omits the phrase 'applicable customer identification procedure' in subsection 37A(2), and substitutes 'complied with paragraphs 28(3)(c) and (d)'.

262. Item 17 omits the phrase 'applicable customer identification procedures' from the heading in section 38, and substitutes 'collection and verification of KYC information'.

263. Item 18 omits the phrase 'carried out an applicable customer identification procedure' in paragraph 38(b), and substitutes 'complied with paragraph 28(3)(c) or (d)'.

264. Item 19 omits the phrase 'carried out the applicable customer identification procedure' in section 38, and substitutes 'complied with paragraph 28(3)(c) or (d)'.

265. Item 20 omits the term 'Division 6' in subsection 39(6), and substitutes 'Divisions 3 and 4'.

Items 21 and 22

266. Items 21 and 22 make consequential amendments to section 104 in Division 1 of Part 10 of the AML/CTF Act to omit references to 'applicable customer identification procedure(s)' and substitute terminology and phrases to reflect the reframed CDD obligations. Section 104 provides a simplified outline for record-keeping requirements under the AML/CTF Act.

Item 23 – Division 3 of Part 10 (heading)

267. Item 23 omits the phrase 'the carrying out of identification procedures' from the heading in Division 3 of Part 10 of the AML/CTF Act, and substitutes the phrase 'customer due diligence and other procedures'.

Item 24 – Sections 111 to 113

268. Item 24 repeals sections 111 to 113 of the AML/CTF Act and inserts a new section 111 that requires reporting entities who comply with new section 28 (undertaking initial CDD) or new section 30 (undertaking ongoing CDD) to retain the specified records set out under new subsection 111(2).

269. New subsection 111(2) outlines the records the CDD records a reporting entity must retain. In keeping with existing requirements, these records must be kept for 7 years after the business relationship is ended, or after the completion of the occasional transaction. Reporting entities must retain records that are reasonably necessary to demonstrate compliance with the reporting entity's obligations under Part 2 of the AML/CTF Act. Records must be in the English language or in a form in which the records are readily accessible and convertible into writing in the English language.

270. New subsection 111(3) provides that without limiting paragraph 111(2)(a), the reporting entity must retain:

•

sufficient and accurate records which demonstrate the type and content of the data collected by the reporting entity in relation to the customer for the purposes of complying with initial CDD and ongoing CDD, and

•

records or any analysis, identification or assessment of ML/TF risk, or decision making, undertaken by the reporting entity in relation to the customer for the purposes of complying with initial CDD and ongoing CDD.

271. These amendments do not mandate that reporting entities must keep copies of identity documents that are used throughout the CDD process. Instead, reporting entities are required to retain records of what they did to identify a customer and the identifying information the customer presented (for example, reporting entities are required to make records of the details found on a passport that were used for verification purposes rather than taking a copy of the passport itself). This requirement is also designed to be flexible in its application to new and emerging forms of identification, and methods of sharing identifying information. They are also required to keep records of any analysis, identification or assessment of ML/TF risk that supported them to determine what level of initial or ongoing CDD was required in relation to a customer.

272. New subsection 111(4) makes the obligation from subsection 111(2) subject to a civil penalty. These penalties are outlined in Division 2 of Part 15 of the AML/CTF Act. The maximum civil penalty under the AML/CTF Act is set at the highest amount allowed, which is 100,000 penalty units for a corporation and 20,000 penalty units for individuals. While the penalties can be substantial, AML/CTF enforcement actions can involve serious systemic failures by a reporting entity where the number of contraventions is immeasurable. The amount of any civil penalty will be determined by the court. Courts will decide the appropriate penalty (subject to the statutory maximum) based on the circumstances of a contravention. In determining the appropriate amount for a civil penalty, the courts will consider the impact of these violations on the Australian community, the financial system, and law enforcement efforts.

Items 25 to 33

273. These Items make consequential amendments to the AML/CTF Act to omit references to 'applicable customer identification procedure(s)' and instead substitute terminology and phrases to reflect the reframed CDD obligations.

274. Item 25 omits the phrase 'identification procedures' from the heading in section 114, and substitutes 'initial customer due diligence'.

275. Item 26 omits the phrase 'carried out an applicable customer identification procedure' in paragraph 114(1)(b), and substitutes 'complied with paragraph 28(3)(c) or (d)'. This section relates to the retention of information if a third party has conducted initial CDD on a reporting entity's behalf.

276. Item 27 omits the phrase 'an applicable customer identification procedure' from paragraph (c) in the simplified outline in section 135, and substitutes 'customer due diligence under Part 2'. This section provides that it is an offence to forge a document for use in CDD under Part 2.

277. Item 28 omits the phrase 'an applicable customer identification procedure' in paragraph 138(1)(a), and substitutes 'customer due diligence'. This paragraph provides that it is an offence to make a false document with the intention that it will be used for the purposes of CDD.

278. Item 29 repeals paragraph 138(1)(b), and substitutes 'the customer due diligence is under section 28 (undertaking initial customer due diligence) or 30 (undertaking ongoing customer due diligence'. This paragraph provides that it is an offence to make a false document with the intention that it will be used for the purposes of CDD under the AML/CTF Act.

279. Item 30 omits the phrase 'applicable customer identification procedure is under this Act' in subsection 138(2), and substitutes 'customer due diligence is under section 28 or 30'. This subsection provides that in a prosecution for an offence against subsection 138(1), it is not necessary to prove that the defendant knew that the CDD is under the AML/CTF Act.

280. Item 31 omits the phrase 'an applicable customer identification procedure' in paragraph 138(3)(b), and substitutes 'customer due diligence'. This paragraph provides that it is an offence to possess a false document with the intention that it will be used for the purposes of CDD.

281. Item 32 repeals the paragraph at 138(3)(c), and substitutes 'the customer due diligence is under section 28 or 30'. This paragraph provides that it is an offence to possess a false document with the intention that it will be used for the purposes of CDD under the AML/CTF Act.

282. Item 33 omits the phrase 'applicable customer identification procedure is under this Act' in subsection 138(4), and substitutes 'customer due diligence is under section 28 or 30'. This subsection provides that in a prosecution for an offence against subsection 138(3), it is not necessary to prove that the defendant knew that the CDD is under the AML/CTF Act.

Item 34 – Subsection 184(4) (paragraph (a) of the definition of designated infringement notice provision )

283. Item 34 repeals paragraph (a) of the definition of designated infringement notice provision

Item 35 – Subsection 184(4) (before paragraph (fl) of the definition of designated infringement notice provision )

284. Item 35 inserts new text in section 184 of the AML/CTF Act to add new subsection 111(2) to the existing list of designated infringement provisions in the AML/CTF Act by inserting new text at section 184 of the AML/CTF Act to provide that new subsection 111(2) is a 'designated infringement notice provision' for the purpose of the AML/CTF Act.

285. Subsection 111(2) deals with record-keeping requirements for CDD.

Item 36 – Paragraph 235(1)(c)

286. Item 34 makes consequential amendments to the AML/CTF Act to omit references to 'applicable customer identification procedure(s)' and instead substitute terminology to reflect the reframed CDD obligations.

Part 2 – Consequential Amendments Banking Act 1959 (Banking Act)

Item 37 – Subsection 16AH(7) (heading)

287. This Item will make a minor consequential amendment to subsection 16AH(7) (heading) of the Banking Act to omit reference to 'section 32' of the AML/CTF Act, which relates to carrying out an 'applicable customer identification procedure', and instead substitute with 'section 28' which relates to undertaking initial CDD.

Item 38– Subsection 16AH(7)

288. This Item will make a minor consequential amendment to subsection 16AH(7) of the Banking Act to omit reference to 'section 32' of the AML/CTF Act, which relates to carrying out an 'applicable customer identification procedure', and instead substitute with 'section 28' which relates to undertaking initial CDD.

Commonwealth Electoral Act 1918 (Electoral Act)

Item 39 – Subsection 90B(4) (table item 6, column headed "Person or organisation",

paragraph (b))

289. This Item makes a minor consequential amendment to subsection 90B(4) (table item 6, column headed 'Person or organisation', paragraph (b)) of the Electoral Act to omit 'carries out applicable customer identification procedures under' and substitute it with 'collects and verifies information relating to a customer in accordance with section 28 of'. Section 28 relates to undertaking initial CDD.

Item 40 - Subsection 90B(4) (table item 7, column headed "Person or organisation")

290. This Item makes a minor consequential amendment to subsection 90B(4) (table item 7, column headed 'Person or organisation') of the Electoral Act to omit 'carrying out of applicable customer identification procedures under' and substitute it with, 'collection or verification of information relating to a customer in accordance with section 28 of'. Section 28 relates to undertaking initial CDD.

Item 41 - Subsection 90B(10) (definition of applicable customer identification procedure )

291. This Item repeals the definition of 'applicable customer identification procedure' in subsection 90B(10) of the Electoral Act.

Item 42 – Subsection 91A(2D)

292. This Item makes a minor consequential amendment to subsection 91A(2D) of the Electoral Act to omit 'carry out an applicable customer identification procedure under' and substitute it with, 'collect and verify information relating to a customer in accordance with section 28 of'. Section 28 relates to undertaking initial CDD.

Item 43 - Subsection 91A(2E)

293. The Item makes a minor consequential amendment to subsection 91A(2E) of the Electoral Act to omit 'carrying out of an applicable customer identification procedure under' and substitute it with, 'collection or verification of information relating to a customer in accordance with section 28 of'. Section 28 relates to undertaking initial CDD.

Item 44 - Subsection 91A(3) (definition of applicable customer identification procedure )

294. This Item repeals the definition of 'applicable customer identification procedure' in subsection 91A(3) of the Electoral Act.