Legal development

No more set and forget: a new AML/CTF third party reliance model

    • A number of key amendments to the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) were implemented recently, as part of "phase 1.5" reforms.
    • The new third party reliance model contains three new categories of reliance. 
    • Reporting entities currently relying, or wanting to rely, on third parties to carry out customer identification and verification procedures on their behalf will need to review and update their current arrangements to ensure compliance with the new model. Notably, licensed financial advisers who had relied on the previous section 38 and want to rely on one of the new categories will be subject to additional obligations.
    • One category promises a "safe harbour" for isolated breaches, provided that a range of proactive and prescriptive steps are taken. 

    In this article, we outline the three new categories for third party reliance (including the "safe harbour") and consider the practical implementation of each category for reporting entities.

    A raft of AML/CTF reforms have now been implemented

    As reporting entities should be aware, some of the key changes arising from the Anti-Money Laundering and Counter-Terrorism Financing and Other Legislation Amendment Act 2020 (Cth) (Amendment Act) include:

    • the expansion of the circumstances in which reporting entities may rely on customer identification and verification procedures undertaken by a third party;
    • increased requirements governing correspondent banking relationships; and
    • the expansion of exceptions to the tipping off offences.

    Given customer identification and verification is a fundamental component of a reporting entity's compliance with the AML/CTF Act, the focus of this article is on the first change listed above. While customer identification and verification is the reporting entity's responsibility, the law has historically recognised that in some circumstances, a reporting entity can rely on an agent (section 37) or a third party (previous section 38) to carry out this task on its behalf. These changes are significant for reporting entities currently relying on the existing model of reliance as well as for reporting entities wishing to rely on third parties going forward. 

    Three new categories of reliance have been introduced: 

    1. customer due diligence (CDD) arrangement (as termed by AUSTRAC, or otherwise known as "ongoing reliance under an agreement or arrangement" in the AML/CTF Rules); 
    2. case-by-case reliance (other than within a corporate group or designated business group (DBG)); and
    3. case-by-case reliance within a corporate group or DBG.

    The amendments will require reporting entities currently relying on third parties to conduct the applicable customer identification procedures (ACIP) on their behalf to update their practices to ensure compliance with their selected category of reliance.  

    Our summary of the previous third party reliance model, the three new reliance categories (including the "safe harbour") and recommended steps for practical implementation follows.

    The previous third party reliance model

    The law regarding agents under the existing section 37 remains untouched, except for the addition of a note clarifying that reporting entities (and not their agents) are liable for failures to perform the ACIP in respect of their customers. However, significant changes were made to the law regarding third party reliance under the previous section 38.

    Prior to the amendment, section 38 of the AML/CTF Act provided that in certain circumstances, a reporting entity could perform the ACIP on behalf of a second reporting entity, such that the second reporting entity was deemed to have carried out the ACIP themselves. These circumstances were set out in Chapter 7 of the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (Cth) (AML/CTF Rules) (prior to the amendment) and allowed: 

    • licensed financial advisers under Part 7.2; and
    • reporting entities within a designated business group under Part 7.3, 

    to carry out the ACIP on behalf of a second reporting entity.

    To rely on the previous section 38, a reporting entity had to comply with some basic conditions relating to record-keeping and the making of a point-in-time assessment of the money laundering and terrorism financing (ML/TF) risk and the appropriateness of their reliance.

    Additionally, under the same section, an AUSTRAC declaration permitted overseas subsidiaries of reporting entities to perform the ACIP on behalf of the reporting entity, where the reporting entity carried out the ACIP in a foreign country that was comparable to the ACIP in the Australian AML/CTF Rules. 

    However, the recent amendments replace the previous section 38 and add new sections 37A and 37B, expanding the circumstances in which reporting entities may rely on the ACIP conducted by a third party, as explained below.

    Categories of the new third party reliance model and their requirements
    Category 1 – "CDD arrangements"

    The new section 37A sets out the circumstances in which a reporting entity can rely on the ACIP or other procedures undertaken by a third party, namely where:

    • a written agreement or arrangement relating to the relying entity's reliance on the ACIP (or other procedures prescribed by AML/CTF Rules, currently being CDD procedures compliant with foreign laws that meet certain equivalency requirements) carried out by the third party is in force;
    • the relying entity has complied with section 37B (non-compliance with which attracts a civil penalty), which requires the reporting entity to:
      • carry out assessments both in accordance with the AML/CTF Rules (which include assessments of the type or level of ML/TF risk or serious crime risk and any material changes to those risks) and at the times required by the AML/CTF Rules (at a minimum every 2 years); and
      • prepare a written record of each assessment within 10 business days after completing the assessment;
    • the relying entity is providing, or proposing to provide, a designated service to a customer;
    • under the agreement or arrangement, the relying entity has obtained information about the identity of the customer from the other party to the agreement or arrangement; and
    • the requirements prescribed by the AML/CTF Rules are satisfied.

    Requirements prescribed by the AML/CTF Rules

    The relevant test to be applied is that, at the time of entering the agreement or arrangement, the relying entity had to have "reasonable grounds to believe" that the requirements prescribed by the AML/CTF Rules were met.

    Part 7.2 of the AML/CTF Rules sets out prescriptive rules relating to such agreements or arrangements, which include requiring compliance with the following:

    • documenting the responsibilities of the parties;
    • enabling the relying entity to obtain all required "know your customer" (KYC) information relating to the identity of the customer, and any beneficial owners or agents before the relying entity commences to provide a designated service to the customer; and
    • obtaining approval of the agreement or arrangement by the governing board or senior managing official of the relying entity.

    In accordance with rule 7.2.2(2), the relying entity must determine the following:

    • the type and level of ML/TF risk or other serious crime risks that the relying entity may reasonably expect to face in its provision of designated services;
    • the nature, size and complexity of the third party's business, including its products, services, delivery channels and customer types; and
    • the level of ML/TF risk or other serious crime risks in the country or countries in which the third party operates or resides.

    Rules 7.2.2(3)-(5) specify that a third party which can be relied upon for the purposes of KYC must either be:

    • a reporting entity – if this option is relevant, the third party must have measures in place to comply with their obligations under Parts 2 (identification procedures) and 10 (record-keeping) of the AML/CTF Act; or
    • a foreign entity regulated by one or more laws of a foreign country that give effect to the Financial Action Task Force (FATF) Recommendations relating to CDD and record-keeping – if this option is relevant, the third party must have measures in place to comply with equivalent CDD and record-keeping obligations.

    If, after completing an assessment under section 37B, the relying entity no longer has "reasonable grounds to believe" that the requirements in the AML/CTF Rules are satisfied, then section 37A can no longer be relied upon. This means the CDD arrangement will need to be suspended or ceased until the requirements are met.

    Category 2 – Case by case reliance (other than within a corporate group or DBG)

    The new section 38 is a broader provision that enables a reporting entity's reliance on third parties in certain circumstances, where:

    • a reporting entity provides or proposes to provide a designated service to a customer;
    • a third party has carried out the ACIP, or another procedure prescribed by AML/CTF Rules, on that customer;
    • the relying entity has obtained, from the other entity, information about the identity of that customer that was obtained by the other entity in the course of carrying out that procedure;
    • the relying entity has reasonable grounds to believe that it is appropriate to rely on the procedure in relation to that designated service having regard to the ML/TF risk the relying entity might reasonably face (whether inadvertently or otherwise) in respect of the provision of that designated service; and
    • the requirements prescribed by the AML/CTF Rules are satisfied.

    The relevant requirements are set out in rules 7.3.1-7.3.4 of the AML/CTF Rules. These requirements enable a reporting entity to rely on the ACIP or other prescribed procedures to be carried out by a third party if the relying entity has reasonable grounds to believe that:

    • the third party satisfies the requirements in rules 7.2.2(3)-(5), as summarised above;
    • the third party has obtained all required KYC information relating to the identity of the customer and any beneficial owners or agents before the relying entity commences to provide a designated service to the customer;
    • the relying entity has reasonable grounds (formed upon considering specific factors including the ML/TF risk faced by the relying entity and the third party) to believe that the verification information will be:

      • immediately available to the relying entity under an agreement in place for the management of relevant documents and electronic data relating to identification and verification; or
      • otherwise made available to the relying entity as soon as practicable following receipt by the third party of a written request from the relying entity, but in any event within 7 calendar days of the request being received; and
    • the relying entity must make written records of how it meets these requirements.

    Category 3 – Case by case reliance within a corporate group or DBG

    The AML/CTF Rules provide that the above rules (described in category 2) will be deemed to be complied with in certain circumstances involving members of the same corporate group or a designated business group. According to rule 7.3.5, this requires the following conditions to be met:

    • the relying entity to rely on the ACIP carried out by another member of the same corporate group or DBG;
    • both entities to:
      • apply a joint AML/CTF program or other group-wide measures relating to CDD and record-keeping; and
      • have implemented a joint AML/CTF program or other group-wide AML/CTF risk-based systems and controls consistent with requirements from relevant FATF Recommendations;
    • any higher ML/TF or serious crime risks in the country in which the third party operates or resides are adequately identified, mitigated and managed by the joint AML/CTF program and risk-based systems and controls of the corporate group or DBG; and
    • the implementation of risk-based systems and controls is supervised or monitored at a group-level by a body empowered by law to supervise and enforce equivalent CDD and record-keeping obligations.

    It is important to note that, in this context, a joint AML/CTF program can only be formed by members of a DBG. A DBG can only be formed by entities which fall within the prescribed entities set out in rule 2.1.2(4), which includes (amongst other types of entities) related bodies corporate as defined under section 50 of the Corporations Act 2001 (Cth).

    As seen above, licensed financial advisers relying on the previous section 38 now face new requirements under its replacement, including that all KYC information must be collected by the third party before the relying party provides a designated service and the relying entity must make written records of how it meets the requirements for reliance (under category 2). If an entity wants to rely on a member of its DBG under category 3, then, assuming that their joint AML/CTF program already contains the required components and is applied by both parties, there is nothing required that is substantially different to what was previously required. Members of a global corporate group that are not part of a DBG can also benefit from category 3 and rely on a member of their group, provided both parties implement required group-wide AML/CTF measures and risk-based systems and controls.

    Out of each new category of reliance, however, the new section 37A (category 1) imposes the most prescriptive set of requirements, while offering the potential benefits explored below.

    A potentially muddy "safe harbour"

    The Explanatory Memorandum (EM) to the Amendment Act explains that reporting entities relying on the new section 37A would not be liable for "isolated breaches" of section 32 (requiring the ACIP to be undertaken). Paragraph 24 of the Notes on Clauses of the EM states:

    "New subsection 37A(2) gives effect to the ‘CDD arrangement’ by providing relying parties with a safe harbour from liability for breaches of section 32. Where the reporting entity [meets certain conditions under ss 37A and 37B] … then the relying party would not be held liable for isolated breaches of compliance with the ACIP (or other customer identification procedure) requirements committed by the relied on party."

    This "safe harbour" from liability for isolated breaches of section 32 (the requirement to conduct the ACIP) is stated to be similar to that in New Zealand's AML/CTF regime. AUSTRAC's published guidance on the new reliance model has a page dedicated to the requirements of the safe harbour and provides examples of isolated breaches.

    However, the Amendment Act and the AML/CTF Rules do not explicitly use the words "safe harbour" or mention liability at all in the context of section 37A. Instead, the safe harbour can be broadly inferred from the drafting of section 37A, as read alongside the intention of the provision. 

    As detailed under the heading "Category 1" above, section 37A contains a number of prescriptive requirements, which include maintaining reasonable grounds for belief of compliance by the third party carrying out the ACIP. If the various requirements are complied with, then the relying entity is deemed to have carried out the ACIP in respect of those customers and designated services. Relevantly, where the relying entity no longer has a reasonable belief that the requirements in the AML/CTF Rules are met (after completing an assessment in section 37B), the relying entity can no longer benefit from this "deeming" provision. 

    One requirement that appears particularly relevant to the issue of liability for isolated breaches is rule 7.2.2(4) or (5), which requires the third party relied upon to be a reporting entity that has measures in place to comply with their identification procedures and record-keeping obligations, or in the case of a foreign entity, equivalent measures in place to comply with their equivalent obligations. Given this is a requirement directed at a reasonable belief that the relying entity has the required "measures", an isolated breach (as opposed to a systemic breach) that comes to a relying entity's attention would not necessarily cause a relying entity to question the adequacy of a relied upon entity's measures, assuming that breach would be remediated.

    While this may ultimately equate to a safe harbour for isolated breaches, the path to understanding how it operates is less than straightforward. Further, in practice when weighed against the prescriptive requirements of a CDD arrangement which may attract a civil penalty for non-compliance, the safe harbour may not actually be a major benefit, given that in the ordinary course of business, isolated breaches can typically be easily remediated and face a much lower enforcement risk.

    Next steps for reporting entities wishing to rely on third parties for KYC

    If reporting entities wish to rely on third parties for KYC purposes, they should consider which category suits their circumstances and take steps to update their agreements or arrangements accordingly.

    While the new provisions expand the ability for reporting entities to rely on third party KYC, the new model requires a relying reporting entity to satisfy much more prescriptive requirements than under the previous model, particularly for CDD arrangements. This includes conducting regular assessments and considering whether they have "reasonable grounds to believe" certain requirements are satisfied by the third party being relied upon.

    As the new section 37A will only apply to new arrangements or agreements entered into after 17 June, reporting entities who wish to rely on this category will need to create new arrangements to benefit from ongoing reliance and the safe harbour. Alternatively, going forward, entities relying on the previous section 38 will need to consider the new section 38 requirements and update their arrangements to ensure they can benefit. If appropriate, the third category of reliance for corporate group or DBG members can also be considered.

    In practical terms, some key matters which reporting entities should consider when implementing a reliance category are:

    Category 1 – CDD arrangements:

    • entering into new written agreements or arrangements and ensuring they include terms which document the responsibilities of parties and appropriate powers to obtain all required KYC information;
    • ensuring the agreements or arrangements have been approved by the governing board or a senior managing official;
    • ensuring the relying entity has assessed relevant factors of the third party they are seeking to rely upon such as ML/TF risk and nature, size and complexity of the third party's business; and
    • implementing appropriate procedures to carry out regular assessments of the agreement or arrangement and ensuring records are appropriately kept (as this could attract a civil penalty). 

    Category 2 – Case by case arrangements (other than within a corporate group or DBG)

    • ensuring that the relied upon entity obtains all required KYC information prior to the relying entity's provision of a designated service;
    • ensuring adequate arrangements are made for prompt access to verification information held by the relied upon entity;
    • ensuring the relying entity has assessed relevant factors of the third party they are seeking to rely upon such as ML/TF risk and nature, size and complexity of the third party;
    • ensuring the relied upon entities are regulated by AUSTRAC or are a foreign equivalent of a reporting entity which is subject to equivalent AML/CTF obligations for CDD and record-keeping as those in Australia; and
    • creating appropriate procedures to ensure written records are kept that outline how the requirements for reliance were satisfied.

    Category 3 – Within a corporate group or DBG

    • ensuring that the entities being relied upon have adopted and implemented a joint AML/CTF program, or group-wide measures, as the case may be;
    • implementing procedures for the sharing of customer information obtained in the course of carrying out the ACIP; and
    • ensuring the relying entity has assessed the ML/TF risk they might face in the provision of that designated service and whether it is appropriate to rely.

    All reliance categories

    • weighing up the costs and benefits of each reliance category to select the most appropriate category;
    • ensuring there is appropriate access to KYC documents, whether by written agreement or arrangement with the relied upon entity, as required; and
    • updating the AML/CTF program to reflect the new reliance categories and those that may be relied upon (if any).

    As a general rule, reporting entities are ultimately responsible for KYC and where they have not met the prescriptive requirements set out under the Rules, they could be taken to have failed to conduct KYC and be exposed to a civil penalty. While the new section 37A may include a safe harbour for isolated breaches when read alongside its intention, it also comes with prescriptive ongoing requirements and a potential civil penalty for non-compliance. In contrast, the law relating to agents performing KYC has remained relatively untouched, does not currently have equivalent requirements under the Rules and is left to operate in accordance with common law principles of agency. A significant difference and potential risk to be considered under the latter agency model is that reporting entities remain liable for isolated breaches, no matter how minor they may be.

    As such, reporting entities should consider their need for and the suitability of various outsourcing models involving agents (section 37), CDD arrangements (new section 37A) or other case-by-case circumstances (new section 38), including the costs, benefits and associated risks. In particular, reporting entities should consider whether they have the necessary resources, controls and systems in place to ensure they can effectively implement an outsourcing model that meets their needs and their AML/CTF obligations.

    Authors: Samantha Carroll, Counsel; Helen Yu, Senior Associate; Rojeene Shadfar, Associate.
     

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.