Outsourcing KYC obligations
If you are bound by the Australian Anti-Money Laundering and Counter-Terrorism Financing ( AML/CTF ) legislation1, (that is, you are a "reporting entity"), you must have in place policies and procedures which manage the risk that your business or operations could be used, either intentionally or unintentionally, for money laundering or terrorism financing (ML/TF). Your policies and procedures should be set out in your AML/CTF Program (which is divided into Part A and Part B).
A fundamental AML/CTF obligation is the requirement to identify your clients, and to verify their identity. This is also described as Know Your Client, or KYC. Identifying and verifying your clients is an important part of reducing the risk that your clients could be trying to use your business to launder funds, or fund terrorism. It is important to ensure that your KYC checks are conducted before you start providing your services to your client.
Can I outsource the obligation to conduct KYC on clients?
Currently, the AML/CTF Act allows reporting entities to authorise another person to conduct KYC checks on a client, as the reporting entity's agent. In this situation, the usual principles of agency2 will apply. For example, some AFSL holders appoint their authorised representatives to conduct the KYC checks on clients on behalf of the AFSL holder.
However, even if you have outsourced your KYC to an agent, you remain liable for the conduct of your agent, and you must also ensure that the KYC checks conducted by the agent comply with the requirements of the AML/CTF legislation, and with the procedures set out in your AML/CTF Program. This means that if you do decide to outsource your KYC checks to an agent, you will need to ensure that you pro-actively monitor the conduct of your agents, and regularly test your AML/CTF systems and processes, both at the commencement of the appoint and during the period of the appointment.
Examples of procedures you could include in your AML/CTF Program include:
- requiring the agent to complete a questionnaire, setting out details of the KYC checks and procedures they will undertake;
- scheduling regular reviews of the agent's compliance with the KYC procedures, including a review of a sample of customer files; and
- ensuring that the Board is kept updated as to the agent's performance.
In December 2020, amendments to the AML/CTF Act were passed, and are expected to take effect from 18 June 2021. The amendments relate to a range of obligations, and in particular, expand the circumstances under which reporting entities can rely on KYC procedures undertaken by third parties.
Whilst the existing section 37 remains in place, the amendments introduce a new section 37A of the AML/CTF Act, which allows you to rely on KYC procedures conducted by another reporting entity, if you:
- enter into a written agreement with the third party;
- carry out regular assessments of the third party's performance of its duties under the agreement, and keep written records of each assessment; and
- you have reasonable grounds to believe that the KYC requirements in the AML/CTF Rules are being complied with by the third party.
This agreement is referred to in the legislation as "a CDD arrangement".
If all of the above conditions are met, you would not be held liable for isolated breaches of compliance with the KYC checks (or other customer identification procedure) requirements committed by the third party.
However, if you find that the KYC checks conducted by the third party are not compliant with the KYC requirements, then the CDD arrangement will be suspended from the time that your assessment reveals that the KCY checks are not being conducted correctly, and will only be resumed when you assess that they meet the standards required by the AML/CTF Rules. If you continue to rely on a CDD arrangement when the KYC checks are not being properly conducted, then you may be liable for a breach of your obligation (as a reporting entity) to conduct KYC checks on clients, before you provide them with a designated service.
The changes also expand and clarify the third parties on whom you can rely to conduct KYC checks on your behalf.
Currently, where an AFSL holder arranges for the client to receive a designated service from another reporting entity (e.g. a bank), the second reporting entity can rely on the KYC checks conducted by the customer. Also, if you are a member of a Designated Business Group, you can rely on the KYC checks conducted on your customer by another member of the Designated Business Group.
With the implementation of the changes to the AML/CTF Act, in addition to the above, reporting entities will also be able to rely on the KYC checks conducted by members of their corporate group or Designated Business Group who are located outside Australia. However, you will need to have reasonable grounds to believe that it is appropriate to rely on the KYC checks conducted by the third party.
For example, you will need to ensure that your assessment of the ML/TF risk posed by the customer is the same level as the assessment made by the third party, and if not, ensure that appropriate KYC checks are conducted in accordance with your AML/CTF Program.
Importantly, notwithstanding the above changes, the legislation makes it clear if you, as the reporting entity, fail to enter into a compliant CDD arrangement, you remain ultimately responsible for failures by the third party in conducting the KYC checks as required by the AML/CTF regime.
How can you prepare for the changes?
You will need to consider your existing arrangements in relation to outsourcing KYC checks to agents, and implement appropriate policies and procedures which will comply with the above changes.
For example, if you decide to outsource KYC checks to a third party who is also a reporting entity (or is a member of your DBG or corporate group), ensure that you assess their compliance with the AML/CTF regime (e.g. ask for a copy of their AML/CTF Program, and/or a copy of their most recent AML/CTF independent review report) and then prepare a CDD arrangement agreement, which complies with the above requirements.
You will also need to document (in your AML/CTF Program), the policies and procedures you will implement to conduct the assessments of the third party's compliance with their obligations. Tailored training for agents and third parties could also be a way to manage compliance.
At Holley Nethercote Lawyers, we can assist you with complying with your AML/CTF obligations, by providing you with legal advice, assistance with amending your AML/CTF Program to incorporate any new procedures, as well as drafting compliance procedures which help you to oversee the performance of your third parties.
1The Australian AML/CTF legislation refers to the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth)(the AML/CTF Act) and the Anti-Money Laundering and Counter- Terrorism Financing Rules Instrument 2007 (No.1) (the AML/CTF Rules).
2 At a high level, an agency relationship between 2 parties is where one person (the principal) authorises another person (the agent) to create or affect the legal relationship between the principal and a third party. Usually, the extent of the agent's authority to act on behalf of the principal is set out in an agency agreement. The laws of agency are comprehensive – please contact Holley Nethercote Lawyers if you require legal advice in relation to this issue.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.