Banking & Finance Update – March 2006

• Anti-money laundering and counter-terrorism financing bill

• NPP 1.3 alert issued to brokers

In December 2005 a draft of the Anti-Money Laundering and Counter-Terrorism Financing Bill was released together with sample rules and related information. Submissions are to be received by 13 April 2006. This report focuses on the impact of the proposals on the mortgage industry.

• Any entity who makes a loan in the course of carrying on a business is a reporting entity providing a designated service and must comply with the proposals. The scope of transactions triggering the identification requirements is much wider than the existing regime which applies to "cash dealers" who open an "account".

• The identification can be conducted by the reporting entity, its agent, its sub-agent, another reporting entity, or an accredited identifier. We will submit that MIAA member intermediaries should be accredited identifiers.

• Details of the proposed identification procedures are yet to be released.

• There will be an ongoing obligation to carry out risk based customer due diligence. This will require updating Know Your Customer (KYC) information throughout the course of the business relationship.

• All reporting entities must establish and maintain an Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Program.

• Company, trusts, partnerships, and bodies politic and associations will also have to be identified.

A business will be a reporting entity if it provides a designated service which has a substantive geographical link with Australia.

Initially, designated services are financial services and gambling services.

Reporting entities will be required to verify the identity of new customers before providing a designated service. Where prior identification would disrupt the ordinary course of business, identity verification can take place within five days after the provision of the service.

There will be an obligation to verify the identity of existing customers or re-verify customers if a prescribed event occurs. These events are yet to be prescribed.

The proposals require reporting entities to:

• establish, maintain, and update an AML/CTF Program;

• keep records of identification verification procedures. The period for which these records need to be kept is yet to be determined.

Mortgage managers, finance brokers, and fund/program managers (all "intermediaries")

Unless an intermediary is providing a financial service, there is no requirement on the intermediary to conduct an identification. Despite this, intermediaries should still act prudently to identify their customers and should obtain their own privacy consent to enable the intermediary to collect, store, and use customer information – ie, the Privacy Act imposes a separate regime.

In mortgage transactions, usually only the lender will be providing a financial service and so have an obligation to identify.

There are many new businesses brought within the identification and reporting regime, including, for example, trustees of securitised and mortgage trust programs who act as lenders.

The proposals contemplate restrictions on who can conduct the identification for the lender. Contrast this with the current situation where there is a relatively loose arrangement of ADIs appointing loan writers even though the loan writer is removed several steps by the interposition of aggregators, sub-aggregators and so on.

The proposal is that the person conducting the identification must be:

• an internal agent – you must be an "officer or employee of the company";

• an external agent who must be either:

1. the primary agent of the reporting entity; or
2. a sub-agent of the reporting agent;

• another reporting entity; or

• an accredited identifier.

Where the person conducting the identification is an external agent of the reporting entity, there must be a written agreement:

• between the lender and the primary agent to provide the designated services; or

• between the primary agent and the sub-agent.

There are no provisions in the Act to allow a sub-agent to appoint a further sub-agent to carry out identification verification on behalf of the lender. The rules as to who can be an accredited identifier are also yet to be prescribed.

Both the primary agent and the sub-agent must only disclose the information it receives to:

1. the lender;
2. AUSTRAC;
3. as authorised by law.

We will be submitting that the sub-agent should be able to report and disclose information to:

1. the primary agent (who might be the aggregator or fund manager); and
2. any manager of the lender’s affairs (in case the program/fund manager is not appointed as the primary agent).

In addition to a broad range of "banking" transactions (eg, fund transfers etc), the requirement to identify the customer is triggered when:

• a lender makes a loan in the course of carrying on a business;

• a lessor enters a finance lease or a hire purchase in the course of carrying on a business;

• cheque books, debit cards, or stored value cards are provided;

• a life policy (including bundled CCI) is provided;

• an AFS licensee or an authorised representative gives advice intended to influence the person (ie, "personal advice") to take out a life policy or take out or rollover a superannuation fund or Retirement Savings Account.

The identification must be conducted before providing the designated service, and so there is no need to conduct the identity check on first contact. In certain cases the procedure may be carried out after the provision of the designated service. So long as an existing customer has had a continuing relationship with the financier, there is generally no need to re-identify. Existing customers must be re-identified when certain risk triggers occur.

Are all identification procedures the same?

Certain pre-commencement customers and certain low risk services are subject to modified identification procedures. These procedures are yet to be prescribed.

Draft guidelines have been issued that list the matters that are to be taken into account in determining whether there are reasonable grounds to consider that a transaction is suspicious. After forming that view the reporting entity must report promptly (there are specified time limits).

A customer may be identified after the commencement of the provision of the service where:

1. to identify the customer prior to providing the service would disrupt the normal course of business; and
2. the service either:
1. is not provided on a face-to-face basis; or
2. consists of acquiring or disposing of a security or derivative on behalf of a customer; or
3. consists of issuing or undertaking liability as to the insurer under a life or sinking fund policy; and [probably a typo in the drafts, and should be "or"]
3. the service is specified in the AML/CTF rules.

The AML/CTF program must include appropriate risk based systems and controls to effectively identify and materially mitigate the risk that the provision by the reporting entity of a designated service might involve or facilitate a transaction that might be connected with the commission of a money laundering offence or a finance of terrorism offence.

The program must establish systems to effectively identify:

• high risk customers;

• high risk services;

• high risk delivery methods;

• high jurisdictional risks;

• customers who may be politically exposed persons;

• changes to the level or composition of AML/CTF risks over time;

• KYC information – including when it is appropriate to obtain additional information;

• transaction monitoring;

• methods of reporting suspicious transactions;

• AML/CTF risk awareness training programs;

• third party due diligence program;

• compliance program;

• record keeping;

• board oversight; and

• independent review.

It is expected that early in 2006 draft rules will be released for discussion relating to:

• the identification procedures;

• the risk triggers for reverifying;

• special circumstances where a customer may be identified after commencing to provide a designated service;

• designated low risk services; and

• authorised third parties to conduct the identification procedures.

This is a timely reminder to the mortgage industry of the need to comply with National Privacy Principle 1.3.

Although the Privacy Act originally impacted the mortgage industry primarily in relation to obtaining and using credit reports, since December 2001 dealing in personal information is also regulated.

Although there is an exemption for companies with a turnover of less than $3m, most mortgage brokers and managers will not fall within this small business exemption because the exemption does not apply to businesses which disclose personal information for a benefit, service, or advantage - which mortgage intermediaries do.

• Besides obtaining a privacy consent to enable obtaining, use, and disclosure of credit reports, mortgage intermediaries need to obtain a privacy consent for collection, storage, and use of personal information.

• Generally the consent form obtained for the lender will not cover the broker’s needs. This is because the lender’s consent authorises the lender to store and use information, but does not authorise the broker to do so.

• In addition to obtaining the consent, brokers need to comply with National Privacy Principle No. 1.3 (NPP 1.3). NPP 1.3 requires an organisation collecting personal information to take reasonable steps to ensure that the individual is aware of:

1. the identity of the organisation and how to contact it;
2. the fact that he or she is able to gain access to the information;
3. the purposes for which the information is collected;
4. the organisations (or the types of organisations) to which the organisation usually discloses information of that kind;
5. any law that requires the particular information to be collected; and
6. the main consequences (if any) for the individual if all or part of the information is not provided.

These steps must be taken at or before the time the information is collected or, if that is not practicable, as soon as practicable thereafter.

Usually, the NPP 1.3 notice will be given in the privacy consent. If a broker obtains personal information and has not first obtained a privacy consent, a separate notice should be sent to satisfy NPP 1.3.

1. Do you have a privacy consent form that authorises you to collect, use and disclose credit information and personal information?
2. All organisations governed by the Act need to have a privacy policy. Do you have a privacy policy?

The MIAA website and Gadens website contain a Privacy Act module providing further information click here...
By Jon Denovan

This publication is provided to clients and correspondents for their information on a complimentary basis. It represents a brief summary of the law applicable as at the date of publication and should not be relied on as a definitive or complete statement of the relevant laws.