Sweeping reforms to Australia's AML/CTF Act introduced

The Australian Government has proposed amendments to the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) which, if enacted, will constitute the most significant changes to Australia’s anti-money laundering and counter-terrorism financing (AML/CTF) regime since the introduction of the AML/CTF Act itself.

The Anti-Money Laundering and Counter-Terrorism Financing Amendment Bill 2024 (AML/CTF Bill or Bill) has four key objectives:

• simplifying the AML/CTF regime to improve its effectiveness;
  
  
• modernising the regime to reflect changing business structures and emerging technologies, as well as illicit financing methodologies;
  
  
• extending the AML/CTF regime to additional services provided by high-risk ‘gatekeeper’ professions, including real estate professionals and service providers such as lawyers, accountants, insolvency and restructuring practitioners, consultants, and precious metal and stone dealers (Tranche 2 Entities); and
  
  
• providing new powers to AUSTRAC to compel the production of information and conduct examinations.

The Bill seeks to achieve these objectives by amending existing legislation and introducing new concepts and requirements that reporting entities (new and old) will need to assess and, where necessary, implement. The Bill will be supplemented by an updated set of AML/CTF Rules (Rules), which will provide more detail on the proposed requirements. The proposed updates to the Rules are not yet available and are expected to be released for consultation before the end of 2024.

In this Insight, we examine the reforms that seek to simplify the current AML/CTF regime for reporting entities.

Overview of simplification reforms

The Bill introduces significant amendments that will replace the prescriptive, procedural AML/CTF compliance requirements with a set of outcomes-focused obligations. These obligations will include an explicit requirement to undertake a money laundering, terrorism financing and proliferation financing risk assessment and implement robust policies that ensure effective AML/CTF compliance.

For existing reporting entities, most of the changes will take effect on 31 March 2026. For Tranche 2 Entities, the changes will take effect on 1 July 2026.

The Bill also expands AUSTRAC’s powers to effectively monitor, investigate and enforce compliance with the AML/CTF regime. In particular, the Bill increases AUSTRAC’s information and examination powers, with those new powers effective 28 days after the Bill receives Royal Assent. These new enforcement powers could well indicate that AUSTRAC will adopt a more proactive approach to enforcement in the near term.

Key amendments 

AML/CTF programs

The Bill revises the structure of AML/CTF programs and requires programs to consist of two main components:

• the reporting entity’s ML/TF risk assessment; and
  
  
• its AML/CTF policies.

Though the concept of ‘AML/CTF policies’ is not defined, we consider these will include matters that are currently dealt with in Part A and Part B of an AML/CTF program. Reporting entities are free to maintain the current division of programs into Part A and Part B and are permitted to organise the documentation of their AML/CTF program as they see fit, as long as the policies comply with the obligations set out in the Bill.

Importantly, the Bill extends the number of policies and procedures subject to a civil penalty provision. Under the current regime, non-compliance with Part A of an AML/CTF Program is a civil penalty provision. Under the Bill, non-compliance with any of the reporting entity’s AML/CTF policies would constitute a civil penalty offence. Accordingly, the precise boundaries of a reporting entity’s AML/CTF policies becomes critical.

The amended AML/CTF Act will also set out a non-exhaustive list of risk management and mitigation policies that a reporting entity should implement to ensure compliance with its AML/CTF policies, including:

• how the entity will identify significant changes that would trigger a review of its ML/TF risk assessment;
  
  
• how the entity will conduct customer due diligence; and
  
  
• how the entity will review and update its AML/CTF policies when required.

This shifts the emphasis away from the mere existence of AML/CTF policies to an assessment of whether those policies are actually effective. In practice, this requires reporting entities to engage in active ML/TF risk management.

Requirement to conduct a risk assessment

While the current AML/CTF Act does not set out an express obligation to conduct a risk assessment, under the amended AML/CTF Act, reporting entities will be required to identify the level of ML/TF risk faced by their business. As part of the new outcome-based approach, and in order to adequately inform their AML/CTF policies, reporting entities will be explicitly required to assess the risk of money laundering, terrorism financing or proliferation financing that they may reasonably face in the provision of a designated service. To discharge this obligation, reporting entities will have to:

• carefully consider the nature, size and complexity of their business in determining the level of risk; and
  
  
• incorporate any relevant risks identified and communicated by AUSTRAC.

As a baseline, reporting entities will be required to consider risks related to customer types, the designated services provided, methods of delivery and the jurisdiction in which they operate. Additional factors may be specified in the Rules. In carrying out this assessment, reporting entities will also need to record the risk assessment methodology used.

Reporting entities will be obliged to review their ML/TF risk assessment when there is a material change in any of the factors in their ML/TF risk assessment, or periodically, at least every three years. This also applies to the AML/CTF policies.

Subject to the forthcoming Rules, it is unlikely that entities that have already conducted thorough enterprise-wide risk assessments, in line with AUSTRAC’s existing guidance, will have to substantially rewrite their assessment methodology. However, they will need to modify and align process details – at least in relation to the new documentation expectations and consider whether they have assessed proliferation financing risk adequately. Failure to comply, even with minor requirements, will be considered a civil liability contravention.

Governance and key roles and functions

The Bill introduces an explicit obligation requiring a reporting entity to establish internal practices that ensure the business, its managers, employees and agents comply with AML/CTF obligations.

Board or governing body oversight

Currently, there is very little guidance on the oversight to be exercised. In the future, Board or equivalent senior management monitoring of the AML/CTF program will be considered a key internal control for a reporting entity.

This means that the Board, or equivalent governing body, will need to ensure that it:

• exercises appropriate ongoing oversight of the ML/TF risk assessment and the reporting entity’s compliance with AML/CTF legislation; and
  
  
• has taken reasonable steps to ensure that the reporting entity is appropriately identifying, assessing and managing its ML/TF risks and complying with its AML/CTF policies.

Concept of ‘senior manager’

The Bill introduces the concept of ‘senior manager’, being an individual who makes or participates in the making of decisions about the operational, day-to-day management of a reporting entity’s business. A senior manager, at least in larger entities, is intended to be distinct from the governing body that makes strategic decisions.

Under the Bill, it will now be the senior manager’s responsibility to approve any changes to the AML/CTF risk assessment or the AML/CTF policies. However, the governing body will need to be updated on any changes to the AML/CTF risk assessment or the AML/CTF policies to ensure that it is able to provide effective strategic oversight and to manage and mitigate ML/CF risks.

Role of AML/CTF Compliance Officer

The Bill moves the requirement for reporting entities to have an AML/CTF Compliance Officer from the Rules to the AML/CTF Act and sets out eligibility criteria, including that the person must be fit and proper, and employed or otherwise engaged by the reporting entity at management level.

Under the reforms, reporting entities must ensure that their AML/CTF Compliance Officer can perform their functions effectively by providing them with sufficient authority, independence and access to information and resources. Where the designated services are provided through a permanent establishment in Australia, the AML/CTF Compliance Officer must be an ‘Australian resident’.

Reporting Group concept

The Bill moves away from the concept of a Designated Business Group (DBG) towards the concept of a Reporting Group, comprising a lead entity and ordinary members. It is the lead entity’s governing body, i.e. the board, that will be required to maintain oversight across the Reporting Group and to take reasonable steps to ensure that the reporting entities in the group adequately identify, assess, manage and mitigate their ML/TF risks and otherwise comply with their AML/CTF obligations.

How the lead entity of a Reporting Group is identified will be specified in the AML/CTF Rules. It is possible that the Rules will, for example, recognise a listed parent company that does not itself provide designated services, such as in financial services businesses where a holding company typically controls its subsidiaries, as such an entity.

For the lead entity, greater responsibility comes with greater exposure. Under the Bill, designated services provided by a reporting entity member of a reporting group are deemed to have been provided by the lead entity, and if a reporting entity member of a group fails to comply with an obligation under the AML/CTF Act, both the contravening member and the lead entity will be liable for the contravention.

Customer due diligence

Repealing the previous procedural approach, the Bill requires a reporting entity to develop its own sliding scale of customer risk that allows it to categorise its customers as high, medium or low risk. The risk rating will drive the customer due diligence applied by a reporting entity. Among other things, before delivering designated services, the reporting entity will have to establish the initial customer’s risk rating and establish on reasonable grounds the following matters about the customer:

• the identity of the customer;
  
  
• the identify of any person on whose behalf the customer is receiving the designated service;
  
  
• the identify of any person acting on behalf of the customer;
  
  
• the beneficial owners of the customer;
  
  
• whether the customer, any beneficial owner, any person on whose behalf the customer is receiving the designated service, or any person acting on behalf of the customer is:
  
  
  • a politically exposed person (PEP); or
    
    
  • a sanctioned person;
    
    
• the nature and purpose of the business relationship; and
  
  
• any additional matters specified in the AML/CTF Rules.

Initial Customer Due Diligence

The proposed requirement to sanctions screen at the outset of the relationship is new.

Exceptions to the obligation to conduct Initial Customer Due Diligence (ICDD), including in relation to PEPs, will be clarified in the Rules. The Bill also notes that simplified customer due diligence may be undertaken for certain low risk customers.

Similarly, Ongoing Customer Due Diligence (OCDD) measures will follow a risk-based approach. Although the Rules that will set out the details of the OCDD have not yet been published, it is likely that AUSTRAC will require entities to adopt a nuanced and tailored approach. Transaction monitoring will still be undertaken as part of OCDD, but the matters it is intended to identify, such as whether there are inconsistencies with what the reporting entity knows about the customer, have been broadened. Depending on whether the designated services are provided as an occasional transaction or as part of a business relationship, not all OCDD measures will need to be applied.

Enhanced Customer Due Diligence (ECDD) must be undertaken if (among other things) the customer is high risk, suspicious matter reports (SMR) have been filed for the customer, the customer is a PEP or is physically present or incorporated in a high risk jurisdiction. The ECDD can be part of ICDD or OCDD. A new trigger for ECDD has also been introduced where the designated services are part of a “nested services relationship”. Such relationships present heightened risks because the Australian entity is reliant on their overseas counterpart’s due diligence of the overseas counterpart’s own customers.

Non-compliance with the ICDD and OCDD requirements set out in the legislation would be a breach of a civil penalty provision.

Transfers of value

The current AML/CTF Act distinguishes between electronic funds transfer instructions (EFTIs) executed by financial institutions and remittances that are undertaken by remittance service providers, resulting in different obligations applying to different service providers. This framework will be amended by introducing the concept of “transfers of value”, which uniformly covers the transfer of money, virtual assets or other property but excludes transfers of physical currency or tangible property.

The institutions that facilitate the ”transfer of value” will be defined as constituting the “value transfer chain” comprising the ordering, intermediary and beneficiary institution.

Businesses whose sole role is to provide the messaging infrastructure through which transfer messages are transmitted do not constitute intermediary institutions. The method to identify whether an institution in the value transfer chain is the ordering, or the beneficiary institution, is determined by reference to a set of criteria, in descending order of priority, whereby the “first person to satisfy” the higher-ranking criterion is designated as the relevant institution.

As stated in the Explanatory Memorandum, transfers of value can take many forms, some of which may be difficult to trace, and can involve several parties. Some entities are likely to therefore find it challenging to identify their respective role in the transfer value chain.

The Bill also proposes to expand the travel rule obligation for each institution in the “value transfer chain” leaving a significant degree of the detail to the Rules. The Bill repeals the existing concepts of ”required transfer information”, “complete payer information” and ”tracing information”, and instead refers in each proposed section to “the information in the AML/CTF Rules”.

Under the reforms, ordering institutions will need to collect, verify and pass on prescribed information and beneficiary institutions will be required to take reasonable steps to monitor whether it has received the travel rule information and whether the information received about the payee is accurate. The intermediary institution’s obligations will be similar to those of the beneficiary institution.

International Funds Transfer Instruction regime overhauled

Currently, a reporting entity has an International Funds Transfer Instruction (IFTI) reporting obligation if it is the sender of an instruction to transfer funds out of Australia or it is the recipient of an instruction to transfer funds into Australia. On this ‘first in, last out’ basis, the person with the obligation to report an IFTI may not be the remittance transfer provider or financial institution with the direct relationship with the customer.

The Bill replaces IFTI reporting obligations with an obligation to report international value transfer services (IVTS) and shifts the reporting obligation from the movement of the instruction to the movement of the value. The Bill also shifts the reporting obligation from the ‘first in’ institution (or ‘receiver’) to the beneficiary institution, and from the ‘last out’ institution (or ‘sender’) to the ordering institution. In other words, the obligation applies to the institution with the closest relationship to the payer or payee.

Intermediary institutions may also have IVTS reporting obligations where there is a written agreement or arrangement in place for it to discharge the reporting obligations for the reporting entity. The Rules may set out further circumstances in which the reporting obligation will sit with the intermediary institution.

As the new legislation shifts the trigger for IFTI reporting from the sending or receiving of an instruction to the sending of value, businesses will no longer be required to file an IFTI report if the transaction is aborted, cancelled or declined. However, where a transfer of value is cancelled due to a reasonable suspicion of criminal activity, the reporting entity will be required to submit an SMR instead.

Further details are likely to emerge, particularly in relation to the extension of the 'travel rule’, which will be detailed in the updated Rules.

Tipping off provisions

The Bill makes amendments to the existing ‘tipping off’ offence and narrows the information that needs to be disclosed to trigger the prohibition. In particular, disclosure is only prohibited if it would or could reasonably prejudice an investigation. The current application of the ‘tipping off’ prohibition to information from which it could reasonably be inferred that an SMR has been made has been removed. The Bill also provides for broad exceptions for:

• disclosures between reporting entities; and
  
  
• crime prevention - allowing disclosure of certain information by specified persons (including legal practitioners and accountants) to dissuade a customer from engaging in unlawful conduct.

There are no changes to allow disclosure of relevant information to a court.

In addition, the Bill broadens liability for the offence from the reporting entity to employees and former employees.

Enhanced AUSTRAC powers

Finally, the Bill expands AUSTRAC’s enforcement arsenal by:

• introducing an examination power that gives AUSTRAC the ability to obtain information and documents, including by requiring a person to appear before an examiner;
  
  
• giving AUSTRAC broader intelligence-gathering powers; and
  
  
• amending AUSTRAC’s existing compulsory information-gathering powers to information relevant to offences under the Crimes Act 1914 (Cth) or the Criminal Code (to the extent they relate to the AML/CTF Act).

As currently drafted, during an examination, an individual cannot refuse or fail to answer a question, produce a document or sign a record on the basis of self-incrimination. However, the Bill currently proposes “use immunity” provisions, which provide that an oral statement in answer to a question is not admissible in evidence in civil or criminal proceedings if, before making the statement, the individual claims that it might incriminate them.

Outlook 

Although the reforms are intended to simplify the regime for existing reporting entities, the Bill’s provisions will require substantive revisions to existing AML/CTF Programs, and associated controls and processes. Though each reporting entity will be different, the changes to the AML/CTF Program requirements, customer due diligence and IFTI reporting obligations will likely require the most significant uplift.

Notwithstanding the fact that the Federal Government has not yet released a revised version of the Rules, existing and future reporting entities should prepare as best they can to adapt to the new regime and identify the policies, processes, systems and controls that will need to be uplifted to comply when the Bill passes.

As a starting point, and not to be intended as a comprehensive action plan, reporting entities should consider the following non-exhaustive list of proactive measures:

• informing the board, senior management and key stakeholders of the proposed changes and discussing whether and to what extent the reporting entity will affected by them;
  
  
• reviewing the reporting entity’s ML/TF risk assessment and considering whether it meets the requirements in the Bill (and any associated Rules, once published);
  
  
• identifying the AML/CTF procedures, systems and controls that the reporting entity will need to update and adapt, with a particular focus on:
  
  
  • the AML/CTF program;
    
    
  • customer due diligence processes and risk ratings;
    
    
  • value transfer / IFTI reporting controls; and

• considering the proposed fit and proper requirements for the AML/CTF Compliance Officer, how these will be assessed and whether the AML/CTF Compliance Officer has sufficient authority, independence and access to information and resources.

It is important to note that existing AML/CTF statutory requirements will remain in place until at least 31 March 2026. Reporting entities must ensure that any proactive measures taken in anticipation of the implementation of the Bill do not compromise compliance with the current regime.