RE: Modernising Australia's AML/CTF regime

Thank you for the opportunity to provide feedback on proposed reforms to Australia's anti-money laundering and counter-terrorism financing (AML/CTF) regime.

We support improvements to the AML/CTF regulatory regime in Australia. In particular, we support proposed changes that would simplify or clarify the AML/CTF compliance requirements for regulated entities. In our view, this would assist regulated entities to understand and comply with their AML/CTF obligations.

Our approach in this submission is to highlight areas of potential regulatory uncertainty and confusion, identify potential implementation issues and make practical suggestions about how to minimise regulatory overlap and complexity.

We have provided our feedback in response to several of the questions in the Attorney-General's Department consultation paper (the Consultation Paper) below.

ABOUT US

Established in 1995, Holley Nethercote Lawyers are experts in financial services law and regulation. We are also experts in credit, financial crime and commercial law. Employing 34 staff across our Melbourne and Sydney offices, our firm has a preventative-law focus and deep regulatory expertise. We are one of Australia's leading law firms in AML/CTF law, and we act for some of the world's largest digital currency exchanges, payments businesses and derivatives issuers. We were also heavily involved in consulting with AUSTRAC on the creation of Australia's current Digital Currency Exchange regime.

Holley Nethercote also provides non-legal services, including Australian Financial Services Licence (AFSL), Australian Credit Licence (ACL) and Authorised Deposit-taking Institution (ADI) licence application support, training, template compliance documents and regulatory updates via the HN Hub.1

RESPONSE TO CONSULTATION QUESTIONS

  1. How can the AML/CTF regime be modernised to assist regulated entities address their money laundering and terrorism financing risks?

Streamlining Part A and Part B requirements

The Consultation Paper sets out a proposed model whereby Part A and Part B requirements would be streamlined into a single program. Regulated entities would need to develop, implement and maintain an AML/CTF program that is effective in identifying, mitigating and managing a regulated business' money laundering and terrorism financing risks. However, the Consultation Paper notes that existing exemptions for those businesses that are only required to have a 'special AML/CTF program' would be maintained.

If this proposal is accepted, it will be important to clarify the requirements for independent reviews. Currently, independent reviews are only required in relation to Part A of a program - and not where a reporting entity must have in place a special AML/CTF program. In practice our independent reviews of AML/CTF programs already consider, at a high level, how a reporting entity complies with its Part B obligations, in order to determine whether Part A is operating effectively. However, if Part A and Part B are to be streamlined into a single program, consequential amendments to the independent review provisions are also likely to be required. If the scope of independent reviews is significantly expanded, this could increase the cost of independent reviews for regulated entities.

Also, businesses required to have a special AML/CTF program (e.g. financial planning businesses who provide designated service item 54) have a "carve-out" from complying with Part A requirements, but in practice need to meet the risk-assessment requirements contained in a Part A program in order for their customer identification procedures to be properly risk-based. This is unclear and confusing to the sector. So, whilst this exemption is intended to be retained according to the Consultation Paper, the law should clarify what is expected of businesses who only require a special AML/CTF program.

International Funds Transfer Instruction (IFTI) reporting

The Consultation Paper notes that the Department is considering a range of matters, including streamlining IFTI reporting requirements.2 We support improvements to the IFTI reporting system, including clarification of definitions of the IFTI report fields, and the nature of the information to be included in the report. In our experience, there is sometimes a mismatch between the contents of the IFTI report and the requirements and defined terms in the Act and Rules. There is also a lack of defined terms, so completing the fields requires statutory interpretation, as well as guidance from the AUSTRAC Schema which includes inconsistent terminology. Aligning the contents of the IFTI report with the Act or Rules (or alternatively, amending the Rules to reflect the information to be included in the report using the same defined terms) would reduce complexity and assist regulated entities to better comply with their obligations.

  1. What are your views on the proposal for an explicit obligation to assess and document money laundering and terrorism financing risks, and update this assessment on a regular basis?

Currently, the obligation to assess and document money laundering and terrorism financing (ML/TF) risks, and to update this assessment, is implied in the Act3 and the Rules.4 AUSTRAC has said that it expects that regulated entities should already determine their risk level having regard to their business, document their risk assessment methodology, and review and update their risk assessment.

We support making these existing requirements more explicit in the legislation. It would be simpler for regulated entities to understand and comply with explicit requirements than with the current implied requirements. However, amendments should clarify and simplify existing obligations, rather than add further requirements. In terms of specific detail on each risk assessment requirement, in our view this should not be overly prescriptive. Risk assessments should not become 'tick box' exercises, whereby regulated entities are required to consider numerous factors that are not relevant to the actual ML/TF risks facing their business.

Internal controls

In terms of internal controls to mitigate risk, the Consultation Paper notes that 'The Act could articulate a high level obligation to develop, implement and maintain appropriate systems and controls to ensure that employees and agents of regulated entities comply with AML/CTF obligations.'5 It is unclear whether this proposal is intended to clarify the existing requirements relating to employee due diligence programs and training, or would impose additional obligations on responsible entities. The policy intent in this regard should be clarified.

It should also be clarified that this proposal relates to a regulated entity having measures in place to ensure that its employees and agents comply with the regulated entity's AML/CTF obligations. We have seen some confusion under similar 'reasonable steps' obligations for financial services and credit licensees,6 where it's unclear whether licensees are required to take reasonable steps to ensure employees and agents comply with their personal obligations, comply with the licensee's obligations, or both.

The Consultation Paper also suggests that the reforms could require 'AML/CTF compliance officers to be appointed at the senior management level, standards of fitness and propriety, and expectations around adequate resourcing and independence.'7 It is unclear to whom the standards of fitness and propriety are intended to relate, as it is possible that this standard could apply to the AML/CTF compliance officer, the directors of the regulated entity and/or the regulated entity itself. It is also unclear to whom the independence requirement would relate, or how it could be applied to an employee or director of a regulated entity. Further clarification on these points would be useful.

  1. How will a flexible approach that allows an AML/CTF program to incorporate all related entities within a designated business group affect your AML/CTF compliance and risk mitigation measures?

It is difficult for us to comment on the likely impact of this reform on our clients' AML/CTF compliance and risk mitigation measures without further information about how this reform would work in practice. Further information about what obligations, if any, would be imposed on unregulated related entities is needed in order for us to provide further feedback on this proposal. We note that it will be particularly important to clarify how the obligation to lodge Suspicious Matter Reports (SMRs) would apply (if at all) to unregulated related entities.

Under the current designated business group (DBG) restrictions in the AML/CTF Rules, each member of the designated business group must be related to each other member of the group within the meaning of section 50 of the Corporations Act 2001 (Corporations Act) or provide designated services under a joint venture agreement.8 In our view, this definition is too narrow.

  1. What guidance would you like to see from AUSTRAC in relation to AML/CTF programs?

In our view, additional guidance and resources are needed for start-ups and small businesses to help them to comply with their AML/CTF obligations. This would avoid small businesses being required to spend significant time and expense creating their own AML/CTF programs and associated documents, rather than focussing on minimising ML/TF risks in their business. We believe there could be value in AUSTRAC publishing a template AML/CTF Program and risk assessment tool for small businesses, which could be tailored to reflect the ML/TF risks facing a particular business.

Further guidance on terminology and definitions (for example, 'transfer' and 'remittance') and filling out AUSTRAC forms (such as guidance on IFTI fields) would also be helpful.

  1. What are your views on the proposed simplification of the customer due diligence obligations as outlined?

We support the proposal to realign obligations in the Act, the Rules and guidance materials on each of the core customer due diligence obligations. Setting out the core obligations in the Act, with the Rules specifying how obligations are to be met and guidance materials providing practical, implementable advice, is similar to the approach taken with respect to the Corporations Act.

Understanding customer risk

The Consultation Paper suggests that the Rules could provide specific risk factors to be considered as part of a customer's ML/TF risk rating, and AUSTRAC's guidance could set out how to assess risks associated with different types of business relationships and examples of customers with different risk profiles.9 We already provide this type of guidance to our clients, based on our interpretation of the Act, Rules and AUSTRAC guidelines and updates. However, many of these requirements are implied, rather than explicit. In our view, it would be useful to get specific, clearer guidance from AUSTRAC, which would in turn assist regulated entities to understand and comply with their obligations.

Enhanced customer due diligence

The Consultation Paper also proposes that the Act could require a regulated entity to apply enhanced customer due diligence measures where the customer or its beneficial owner is from a high-risk jurisdiction for which the FATF has called for enhanced due diligence to be applied.10 To make it simpler for regulated entities to navigate this obligation, we recommend that AUSTRAC publish and maintain an up-to-date list on its website of these jurisdictions.

Simplified due diligence

In relation to the proposal to permit simplified due diligence measures where an entity has reasonably assessed that the ML/TF risk associated with the business relationship is low,11 we note the risk that this could encourage regulated entities to classify every business relationship as 'low'. Requiring regulated entities to consider specific factors before applying simplified due diligence, and prohibiting simplified due diligence in some circumstances in the Rules, would help to mitigate this risk. However, different industries will have different factors relevant to the ML/TF risks posed by their business and customer types. This would need to be addressed in the Rules in order for this proposal to be effective and adequately risk-based.

If the safe harbour provisions are retained, we recommend that a more technology-neutral approach to document verification is adopted. For example, as a scanned version of a certified copy is not truly a certified copy, regulated entities rarely rely only on the 'certified copies' safe harbour provisions. Allowing the use of privacy enhancing technologies (PETs) should be considered.

Holding customer data

Increasingly, regulated entities do not wish to retain copies of client identification, such as passports or driver's licences, due to the heightened cyber and data protection risks that this presents. Ironically, holding this information increases the risk of a hacker obtaining it and laundering money or financing terrorism using stolen identification documents. Electronic verification requirements should be widened, and allow for various PETs to be used. Further guidance should be provided about retention and permitted destruction of government-issued identification and other documents that are used for client verification purposes.

  1. Are there aspects of the tipping-off offence that prevent you from exchanging information, which would assist in managing your risks?

An issue that is often raised with us by regulated entities is whether they must continue to provide designated services to a customer where they have lodged an SMR. Generally, regulated entities do not want to continue to provide services but are somewhat hamstrung by the prohibition on tipping off. Furthermore, where a business decides to exit the customer for AML/CTF purposes, it is unable to explain this to the customer without breaching the tipping-off prohibition. This has led to complaints being made to the Australian Financial Complaints Authority (AFCA), where the regulated entity is a member of AFCA. It would be useful for AUSTRAC (and potentially AFCA) to provide some specific guidance on this issue.

  1. What are the benefits and challenges of expanding the AML/CTF obligations to a broader range of digital currency-related services?

We support the views of the Australian Digital Financial Standards Advisory Council in its submission in relation to questions 14, 16 and 17.

  1. How can definitions under the Act be amended to integrate digital currency activity in payment-related obligations, such as activities associated with credit, debit and stored value cards and general transfers?

Given the borderless nature of the crypto ecosystem, it is critical that Australia aligns its approach as best as possible with other jurisdictions. At a minimum, the current definition of digital currency should be replaced with the FATF definition of 'virtual asset':

Virtual assets (crypto assets) refer to any digital representation of value that can be digitally traded, transferred or used for payment. It does not include digital representation of fiat currencies.12

That definition is very similar to the Financial Stability Board's (FSB) definition of Digital Asset. The FSB also has a definition of Crypto Asset,13 as do other standards setters.14

We note that significant consultation and review is underway in relation to crypto regulation across Government. In particular, we note Treasury's recent token mapping exercise15 and consultation on crypto asset secondary service providers.16 The Australian Law Reform Commission's recommendations in relation to the simplification of the financial services regime are also relevant.17 We support a whole-of-government approach to determining crypto-related definitions, and strongly encourage coordination across Government to ensure that definitions are consistent, to the extent possible.

  1. What are the benefits and challenges for financial institutions in applying the existing travel rule obligations?

See response to question 14.

  1. Would the proposed model assist in addressing these challenges?

See response to question 14.

  1. If you are a solicitor, does your business accept any cash payments? Does your business set any limits on cash payments?

We do not accept cash payments.

  1. What guidance could be provided to assist those providing proposed legal, accounting, conveyancing, and trust/company services in managing these AML/CTF obligations?

It is proposed that lawyers preparing or carrying out transactions for clients relating to the creation, operation or management of legal persons or legal arrangements, and buying and selling of business entities would be captured by the new AML/CTF regime.18 We would appreciate guidance on whether this would also apply to the provision of legal advice in relation to business structures, or the sale of businesses.

The Consultation Paper notes that AML/CTF laws would apply to lawyers who 'prepare for or carry out transactions for clients relating to... providing a registered office, business address or accommodation, correspondence or administrative address for a company, a partnership or other legal person or arrangement.' We query whether this would be relevant to the ACL and AFSL licence applications that we prepare for clients under our non-legal business Holley Nethercote Compliance.

Footnotes

1 hnhub.com.au/

2 Consultation Paper, page 5.

3 Anti-Money Laundering and Counter Terrorism Financing Act 2006.

4 Anti-Money Laundering and Counter Terrorism Financing Rules Instrument 2007 (No. 1).

5 Consultation Paper, page 8.

6 Section 47(1)(e) of the National Consumer Credit Protection Act 2009; section 912A(1)(ca) of the Corporations Act 2001.

7 Consultation Paper, page 8.

8 AML CTF Rules 2.1.2(4)(a).

9 Consultation Paper, page 10.

10 Consultation Paper, page 11.

11 Consultation Paper, page 12.

12 https://www.fatf-gafi.org/en/topics/virtual-assets.html#:~:text=Virtual%20assets%20(crypto%20assets)%20refer,digital%20representation%20of%20fiat%20currencies.

13 Financial Stability Board, (2020), 'Regulation, Supervision and Oversight of "Global Stablecoin" Arrangements'-

14 For example, see: International Organisation of Securities Commissions, (2020) 'Issues, Risks and Regulatory Considerations Relating to Crypto-Asset Trading Platforms'. IOSCO offers a slightly less formal but different definition more recently here: https://www.iosco.org/library/pubdocs/pdf/IOSCOPD734.pdf

15 See https://treasury.gov.au/consultation/c2023-341659. Holley Nethercote's submission available here: https://www.hnlaw.com.au/our-submission-to-treasury-on-token-mapping/.

16 https://treasury.gov.au/consultation/c2022-259046; Holley Nethercote's submission: https://www.hnlaw.com.au/wp-content/uploads/2019/08/Holley-Nethercote-CASSPr-submission-2022.pdf

17 https://www.alrc.gov.au/inquiry/review-of-the-legislative-framework-for-corporations-and-financial-services-regulation/

18 Consultation Paper, page 22.
