No more set and forget a new AML CTF third party reliance model

• A number of key amendments to the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) were implemented recently, as part of "phase 1.5" reforms.
• The new third party reliance model contains three new categories of reliance. 
• Reporting entities currently relying, or wanting to rely on third parties to carry out customer identification and verification procedures on their behalf, will need to review and update their current arrangements to ensure compliance with the new model. Notably, licensed financial advisers who had relied on the previous section 38 and want to rely on one of the new categories will be subject to additional obligations.
• One category promises a "safe harbour" for isolated breaches, provided that a range of proactive and prescriptive steps are taken. 

In this article, we outline the three new categories for third party reliance (including the "safe harbour") and consider the practical implementation of each category for reporting entities.

A raft of AML/CTF reforms have now been implemented

As reporting entities should be aware, some of the key changes arising from the Anti Money Laundering and Counter Terrorism Financing and Other Legislation Amendment Act 2020) (Cth) (Amendment Act) include:

• the expansion of the circumstances in which reporting entities may rely on customer identification and verification procedures undertaken by a third party;
• increased requirements governing correspondent banking relationships; and
• the expansion of exceptions to the tipping off offences.

Given customer identification and verification is a fundamental component of a reporting entity's compliance with the AML/CTF Act, the focus of this article is on the first change listed above. While customer identification and verification is the reporting entity's responsibility, the law has historically recognised that in some circumstances, a reporting entity can rely on an agent (section 37) or a third party (previous section 38) to carry out this task on its behalf. These changes are significant for reporting entities currently relying on the existing model of reliance as well as for reporting entities wishing to rely on third parties going forward. 

Three new categories of reliance have been introduced: 

1. customer due diligence (CDD) arrangement (as termed by AUSTRAC, or otherwise known as "ongoing reliance under an agreement or arrangement" in the AML/CTF Rules); 
2. case-by-case reliance (other than within a corporate group or designated business group (DBG)); and
3. case-by-case reliance within a corporate group or DBG.

The amendments will require reporting entities currently relying on third parties to conduct the applicable customer identification procedures (ACIP) on their behalf to update their practices to ensure compliance with their selected category of reliance.  

Our summary of the previous third party reliance model, the three new reliance categories (including the "safe harbour") and recommend steps for practical implementation follows.

The previous third party reliance model

The law regarding agents under the existing section 37 remains untouched, except for the addition of a note clarifying that reporting entities (and not their agents) are liable for failures to perform the ACIP in respect of its customers. However, significant changes were made to the law regarding third party reliance under the previous section 38. 

Prior to the amendment, section 38 of the AML/CTF Act provided that in certain circumstances, a reporting entity could perform the ACIP on behalf of a second reporting entity, such that the second reporting entity was deemed to have carried out the ACIP themselves. These circumstances were set out in Chapter 7 of the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (Cth) (AML/CTF Rules) (prior to the amendment) and allowed: 

• licensed financial advisers under Part 7.2; and
• reporting entities within a designated business group under Part 7.3, 

to carry out the ACIP on behalf of a second reporting entity.

To rely on the previous section 38, a reporting entity had to comply with some basic conditions relating to record-keeping and the making of a point-in-time assessment of the money laundering and terrorism financing (ML/TF) risk and the appropriateness of their reliance.

Additionally, under the same section, an AUSTRAC declaration permitted overseas subsidiaries of reporting entities to perform the ACIP on behalf of the reporting entity, where the reporting entity carried out the ACIP in a foreign country that was comparable to the ACIP in the Australian AML/CTF Rules. 

However, the recent amendments replace the previous section 38 and add new sections 37A and 37B, expanding the circumstances in which reporting entities may rely on the ACIP conducted by a third party, as explained below.

As seen above, licensed financial advisers relying on the previous section 38 now face new requirements under its replacement, including that all KYC information must be collected by the third party before the relying party provides a designated service and the relying entity must make written records of how it meets the requirements for reliance (under category 2). If an entity wants to rely on a member of its DBG under category 3, then assuming that their joint AML/CTF Program already contains the required components and is applied by both parties, then there is nothing required that is substantially different to what was previously required. Members of a global corporate group that are not part of a DBG can also benefit from category 3 and rely on a member of their group, provided both parties implement required group-wide AML/CTF measures and risk-based systems and controls.

Out of each new category of reliance, however, the new section 37A (category 1) imposes the most prescriptive set of requirements, while offering the potential benefits explored below.

A potentially muddy "safe harbour"

The Explanatory Memorandum (EM) to the Amendment Act explains that reporting entities relying on the new section 37A would not be liable for "isolated breaches" of section 32 (requiring the ACIP to be undertaken). Paragraph 24 of the Notes on Clauses of the EM states:

"New subsection 37A(2) gives effect to the ‘CDD arrangement’ by providing relying parties with a safe harbour from liability for breaches of section 32. Where the reporting entity [meets certain conditions under ss 37A and 37B] … then the relying party would not be held liable for isolated breaches of compliance with the ACIP (or other customer identification procedure) requirements committed by the relied on party."

This "safe harbour" from liability for isolated breaches of section 32 (the requirement to conduct the ACIP) is stated to be similar to that in New Zealand's AML/CTF regime. AUSTRAC's published guidance on the new reliance model has a page dedicated to the requirements of the safe harbour and provides examples of isolated breaches.

However, the Amendment Act and the AML/CTF Rules do not explicitly use the words "safe harbour" or mention liability at all in the context of section 37A. Instead, the safe harbour can be broadly inferred from the drafting of section 37A, as read alongside the intention of the provision. 

As detailed under the heading "Category 1" above, section 37A contains a number of prescriptive requirements, which include maintaining reasonable grounds for belief of compliance by the third party carrying out the ACIP. If the various requirements are complied with, then the relying entity is deemed to have carried out the ACIP in respect of those customers and designated services. Relevantly, where the relying entity no longer has a reasonable belief that the requirements in the AML/CTF Rules are met (after completing an assessment in section 37B), the relying entity can no longer benefit from this "deeming" provision. 

One requirement that appears particularly relevant to the issue of liability for isolated breaches is rule 7.2.2(4) or (5), which requires the third party relied upon to be a reporting entity that has measures in place to comply with their identification procedures and record-keeping obligations, or in the case of a foreign entity, equivalent measures in place to comply with their equivalent obligations. Given this is a requirement directed at a reasonable belief that the relying entity has the required "measures", an isolated breach (as opposed to a systemic breach) that comes to a relying entity's attention would not necessarily cause a relying entity to question the adequacy of a relied upon entity's measures, assuming that breach would be remediated.

While this may ultimately equate to a safe harbour for isolated breaches, the path to understanding how it operates is less than straightforward. Further, in practice when weighed against the prescriptive requirements of a CDD arrangement which may attract a civil penalty for non-compliance, the safe harbour may not actually be a major benefit, given that in the ordinary course of business, isolated breaches can typically be easily remediated and face a much lower enforcement risk.

Next steps for reporting entities wishing to rely on third parties for KYC

If reporting entities wish to rely on third parties for KYC purposes, they should consider which category suits their circumstances and take steps to update their agreements or arrangements accordingly.

While the new provisions expand the ability for reporting entities to rely on third party KYC, the new model requires a relying reporting entity to satisfy much more prescriptive requirements than under the previous model, particularly for CDD arrangements. This includes conducting regular assessments and considering whether they have "reasonable grounds to believe" certain requirements are satisfied by the third party being relied upon.

As the new section 37A will only apply to new arrangements or agreements entered into after 17 June, reporting entities who wish to rely on this category will need to create new arrangements to benefit from ongoing reliance and the safe harbour. Alternatively, going forward, entities relying on the previous section 38 will need to consider the new section 38 requirements and update their arrangements to ensure they can benefit. If appropriate, the third category of reliance for corporate group or DBG members can also be considered.

In practical terms, some key considerations which reporting entities should consider when implementing a reliance category are:

Category 1 – CDD arrangements:

• entering into new written agreements or arrangements and ensuring they include terms which document the responsibilities of parties and appropriate powers to obtain all required KYC information; and
• ensuring the agreements or arrangements have been approved by the governing board or a senior managing official;
• ensuring the relying entity has assessed relevant factors of the third party they are seeking to rely upon such as ML/TF risk and nature, size and complexity of the third party's business; and
• implementing appropriate procedures to carry out regular assessments of the agreement or arrangement and ensuring records are appropriately kept (as this could attract a civil penalty). 

Category 2 – Case by case arrangements (other than within a corporate group or DBG)

• ensuring that the relied upon entity obtains all required KYC information prior to the relying entity's provision of a designated service;
• ensuring adequate arrangements are made for prompt access to verification information held by the relied upon entity;
• ensuring the relying entity has assessed relevant factors of the third party they are seeking to rely upon such as ML/TF risk and nature, size and complexity of the third party;
• ensuring the relied upon entities are regulated by AUSTRAC or are a foreign equivalent of a reporting entity which is subject to equivalent AML/CTF obligations for CDD and record-keeping as those in Australia; and
• creating appropriate procedures to ensure written records are kept that outline how the requirements for reliance  were satisfied.

Category 3 – Within a corporate group or DBG

• ensuring that the entities being relied upon have adopted and implemented a joint AML/CTF program, or group-wide measures, as the case may be;
• implementing procedures for the sharing of customer information obtained in the course of carrying out the ACIP; and
• ensuring the relying entity has assessed the ML/TF risk they might face in the provision of that designated service and whether it is appropriate to rely.

All reliance categories

• weighing up the costs and benefits of each reliance category to select the most appropriate category;
• ensuring there is appropriate access to KYC documents, whether by written agreement or arrangement with the relied upon entity, as required; and
• updating the AML/CTF program to reflect the new reliance categories and those that may be relied upon (if any).