Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (110 of 2024)

Schedule 1 AML/CTF programs and business groups

Anti-Money Laundering and Counter-Terrorism Financing Act 2006

24 After Part 1

Insert:

Part 1A - AML/CTF programs

Division 1 - Introduction

26A Simplified outline

The following is a simplified outline of this Part:

• A reporting entity must have and comply with an AML/CTF program. An AML/CTF program comprises the reporting entity's ML/TF risk assessment and AML/CTF policies.

• The ML/TF risk assessment is an assessment of the risks of money laundering, financing of terrorism and proliferation financing that the reporting entity may reasonably face in providing its designated services.

• The AML/CTF policies must appropriately manage and mitigate those risks and ensure the reporting entity complies with this Act and instruments under this Act.

• The AML/CTF program must be appropriate to the nature, size and complexity of the reporting entity's business. For a lead entity of a reporting group, it must be appropriate to the nature, size and complexity of the business of each reporting entity in the reporting group.

• The governing body of the reporting entity has responsibilities relating to the AML/CTF program, including relating to overseeing and ensuring the reporting entity complies with the AML/CTF policies, this Act and instruments under this Act.

• The reporting entity must have an AML/CTF compliance officer. The AML/CTF compliance officer has various functions, including to oversee and coordinate the effective operation of, and compliance with, the AML/CTF policies.

26B What is an AML/CTF program?

An AML/CTF program of a reporting entity comprises:

(a) the reporting entity's ML/TF risk assessment; and

(b) the reporting entity's AML/CTF policies.

Division 2 - ML/TF risk assessment

26C Reporting entities must undertake an ML/TF risk assessment

(1) A reporting entity must undertake an assessment (an ML/TF risk assessment ) that identifies and assesses the risks of money laundering, financing of terrorism and proliferation financing that the reporting entity may reasonably face in providing its designated services.

(2) The steps taken by a reporting entity in relation to undertaking the reporting entity's ML/TF risk assessment must be appropriate to the nature, size and complexity of the reporting entity's business.

Note: See also section 26U (business of a lead entity of a reporting group).

Additional obligations that apply to reporting entities that provide designated services at or through permanent establishments in Australia

(3) If the reporting entity provides designated services at or through a permanent establishment of the reporting entity in Australia, the reporting entity must have regard to the following matters in undertaking an ML/TF risk assessment:

(a) the kinds of designated services provided, or proposed to be provided, by the reporting entity, including any new or emerging technologies relating to those services;

(b) the kinds of customers to whom the reporting entity's designated services are or will be provided;

(c) the delivery channels by which the reporting entity's designated services are or will be provided, including any new or emerging technologies relating to those delivery channels;

(d) the countries with which the reporting entity deals, or will deal, in providing its designated services;

(e) information communicated either directly or indirectly by AUSTRAC to the reporting entity that identifies or assesses the risks associated with the reporting entity's provision of its designated services;

(f) the matters (if any) specified in the AML/CTF Rules.

(4) Subsection (3) does not limit subsection (1).

26D Reporting entities must review and update ML/TF risk assessment

Review of ML/TF risk assessment

(1) A reporting entity must review its ML/TF risk assessment for the purpose of identifying and assessing any new or changed risks of money laundering, financing of terrorism and proliferation financing that the reporting entity may reasonably face in providing its designated services:

(a) if any of the following occur:

(i) there is a significant change to any of the matters mentioned in subsection 26C(3);

(ii) AUSTRAC communicates to the reporting entity information that identifies or assesses risks associated with the reporting entity's provision of its designated services;

(iii) circumstances specified in the AML/CTF Rules; and

(b) in any event - at least once every 3 years.

(2) The review must be undertaken:

(a) for a significant change that is within the control of the reporting entity - before the significant change occurs; or

(b) for a significant change that is not within the control of the reporting entity - as soon as practicable after the significant change occurs; or

(c) for information communicated for the purposes of subparagraph (1)(a)(ii) - as soon as practicable after the information is communicated to the reporting entity; or

(d) for circumstances specified in the AML/CTF Rules - at the time, or within the period, specified in the AML/CTF Rules.

(3) The review must be appropriate to the nature, size and complexity of the reporting entity's business.

Note: See also section 26U (business of a lead entity of a reporting group).

Updating ML/TF risk assessment

(4) A reporting entity must update its ML/TF risk assessment to address any issues identified by a review:

(a) for a significant change that is within the control of the reporting entity - before the significant change occurs; or

(b) in any other case - as soon as practicable after the review is completed.

26E Reporting entities must have up-to-date ML/TF risk assessment before providing designated services

(1) A reporting entity must not commence to provide a designated service to a customer if the reporting entity does not comply with section 26C or 26D in relation to the designated service.

(2) Subsection (1) is a civil penalty provision.

(3) A reporting entity that contravenes subsection (1) commits a separate contravention of that subsection in respect of each designated service that the reporting entity provides to a customer at or through a permanent establishment of the reporting entity in Australia.

(4) A reporting entity that contravenes subsection (1) commits a separate contravention of that subsection on each day that the reporting entity provides designated services at or through a permanent establishment of the reporting entity in a foreign country.

Division 3 - AML/CTF policies

26F Reporting entities must develop and maintain AML/CTF policies

(1) A reporting entity must develop and maintain policies, procedures, systems and controls ( AML/CTF policies ) that:

(a) appropriately manage and mitigate the risks of money laundering, financing of terrorism and proliferation financing that the reporting entity may reasonably face in providing its designated services; and

(b) ensure the reporting entity complies with the obligations imposed by this Act, the regulations and the AML/CTF Rules on the reporting entity; and

(d) comply with any requirements specified in the AML/CTF Rules.

Note: See also section 26U (business of a lead entity of a reporting group).

Additional obligations that apply to reporting entities that provide designated services at or through permanent establishments in Australia

(2) Subsections (3) and (4) apply if the reporting entity provides a designated service at or through a permanent establishment of the reporting entity in Australia.

(3) Without limiting paragraph (1)(a), the AML/CTF policies of a reporting entity must deal with the following:

(a) identifying significant changes to any of the matters mentioned in subsection 26C(3);

(b) carrying out customer due diligence in accordance with Part 2;

(i) in response to a review of the reporting entity's ML/TF risk assessment under section 26D;

(ii) circumstances specified in the AML/CTF Rules;

(d) reviewing the AML/CTF policies of the reporting entity at the intervals or with the frequency specified in the AML/CTF Rules (and in any event at least once every 3 years);

(e) any other matters specified in the AML/CTF Rules.

(4) Without limiting paragraph (1)(b), the AML/CTF policies of a reporting entity must deal with the following:

(a) if the reporting entity is not an individual - ensuring its governing body is sufficiently informed of the risks of money laundering, financing of terrorism and proliferation financing that the reporting entity may reasonably face in providing its designated services;

(b) designating an AML/CTF compliance officer for the reporting entity;

(i) the AML/CTF policies of the reporting entity; and

(ii) the ML/TF risk assessment of the reporting entity;

(d) undertaking due diligence in relation to persons who are, or will be, employed or otherwise engaged by the reporting entity and who perform, or will perform, functions relevant to the reporting entity's obligations under this Act;

(e) providing training to persons who are employed or otherwise engaged by the reporting entity and who perform, or will perform, functions relevant to the reporting entity's obligations under this Act in relation to:

(i) the risk of money laundering, financing of terrorism and proliferation financing that the reporting entity may reasonably face in providing its designated services; and

(ii) the obligations imposed by this Act, the regulations and the AML/CTF Rules on the reporting entity;

(f) the conduct of independent evaluations of the reporting entity's AML/CTF program, including the frequency with which such evaluations must be conducted, which must:

(i) be appropriate to the nature, size and complexity of the reporting entity's business; and

(ii) be at least once every 3 years;

(g) any other matters specified in the AML/CTF Rules.

Note: See also section 26U (business of a lead entity of a reporting group).

Additional obligations that apply to lead entities of reporting groups

(5) Without limiting paragraph (1)(a), if a reporting entity is the lead entity of a reporting group, the AML/CTF policies of the reporting entity must deal with the following:

(a) ensuring the appropriate sharing of information between members of the reporting group for the following purposes:

(i) carrying out customer due diligence under Part 2;

(ii) appropriately identifying, assessing, managing and mitigating the risks of money laundering, financing of terrorism and proliferation financing that each reporting entity that is a member of the reporting group may reasonably face in providing its designated services;

(b) any other matters specified in the AML/CTF Rules.

(6) Without limiting paragraph (1)(b), if a reporting entity is the lead entity of a reporting group, the AML/CTF policies of the reporting entity must deal with the following:

(a) ensuring the sharing of information between members of the reporting group that is necessary for the members of the reporting group who are reporting entities to comply with:

(i) their obligations imposed by this Act, the regulations and the AML/CTF Rules; and

(ii) the AML/CTF policies of the lead entity;

(b) if any member of the reporting group discharges an obligation imposed on another member of the reporting group by this Act, the regulations or the AML/CTF Rules:

(i) which members of the reporting group may discharge which obligations of which other member; and

(ii) ensuring that each member of the reporting group that is a reporting entity makes, or has access to, records to demonstrate any discharge by another member of the reporting group of any such obligations imposed on the reporting entity;

(c) ensuring the confidentiality and appropriate use of any information shared between members of the reporting group, including to prevent any contravention of subsection 123(1) by any member of the reporting group;

(d) any other matters specified in the AML/CTF Rules.

Note: For other rules about how this Part applies in relation to reporting groups, see sections 26U and 236B.

AML/CTF Rules

(7) The AML/CTF Rules may do either or both of the following:

(a) specify requirements that must be complied with in relation to a matter mentioned in subsection (3), (4), (5) or (6);

(b) set out circumstances in which the AML/CTF policies of a reporting entity are taken to comply with a matter mentioned in those subsections.

Reporting entities must develop and maintain AML/CTF policies before providing designated services

(8) A reporting entity must not commence to provide a designated service to a customer if the reporting entity does not comply with subsection (1).

Civil penalty

(8A) Subsection (8) is a civil penalty provision.

(9) A reporting entity that contravenes subsection (8) commits a separate contravention of that subsection in respect of each designated service that the reporting entity provides to a customer at or through a permanent establishment of the reporting entity in Australia.

(10) A reporting entity that contravenes subsection (8) commits a separate contravention of that subsection on each day that the reporting entity provides designated services at or through a permanent establishment of the reporting entity in a foreign country.

Exception

(11) Despite subsection (1), a reporting entity is not required to develop or maintain policies, procedures, systems and controls that specifically deal with the risk of proliferation financing if:

(a) the reporting entity reasonably assesses, under section 26C or 26D, the risk of proliferation financing that the reporting entity may reasonably face as low; and

(b) the reporting entity reasonably assesses that its risk of proliferation financing can be appropriately managed and mitigated by its policies, procedures, systems and controls that manage and mitigate the risks of money laundering or financing of terrorism.

(12) A person who wishes to rely on subsection (11) bears a legal burden in relation to that matter.

26G Reporting entities must comply with AML/CTF policies

(1) A reporting entity must comply with the AML/CTF policies of the reporting entity.

(2) If:

(a) a reporting entity is a member of a reporting group; and

(b) the reporting entity is not the lead entity of the reporting group;

the reporting entity must also comply with the AML/CTF policies of the lead entity of the reporting group that apply to the reporting entity.

Note: The lead entity of the reporting group must comply with its own AML/CTF policies under subsection (1).

(3) Subsections (1) and (2) are civil penalty provisions.

Division 4 - AML/CTF responsibilities of governing bodies

26H AML/CTF responsibilities of governing bodies

(1) The governing body of a reporting entity must:

(a) exercise appropriate ongoing oversight of:

(i) the reporting entity's identification and assessment of risk for the purposes of its ML/TF risk assessment; and

(ii) the reporting entity's compliance with its AML/CTF policies, the Act, the regulations and the AML/CTF Rules; and

(b) take reasonable steps to ensure that the reporting entity:

(i) is appropriately identifying, assessing, managing and mitigating the risks of money laundering, financing of terrorism and proliferation financing that the reporting entity may reasonably face in providing its designated services; and

(ii) is otherwise complying with its AML/CTF policies, the Act, the regulations and the AML/CTF Rules.

(2) A reporting entity contravenes this subsection if the governing body of the reporting entity contravenes subsection (1).

(3) Subsection (2) is a civil penalty provision.

Division 5 - AML/CTF compliance officers

26J Reporting entities must designate an individual as the AML/CTF compliance officer for the reporting entity

(1) The reporting entity must designate an individual as the compliance officer (the AML/CTF compliance officer ) for the reporting entity.

AML/CTF compliance officers must have sufficient authority etc.

(2) A reporting entity must ensure that the individual designated as the AML/CTF compliance officer for the reporting entity:

(a) is a person employed or otherwise engaged by the reporting entity at management level; and

(b) has sufficient authority, independence and access to resources and information to ensure the individual can perform the functions of an AML/CTF compliance officer effectively.

AML/CTF compliance officers must meet certain requirements

(3) An individual is not eligible to be designated as the AML/CTF compliance officer for a reporting entity unless the individual:

(a) if the reporting entity provides its designated services at or through a permanent establishment of the reporting entity in Australia - is a resident of Australia; and

(b) is a fit and proper person; and

(4) The AML/CTF Rules may specify matters to which a reporting entity must have regard in determining whether an individual is a fit and proper person for the purposes of paragraph (3)(b).

Civil penalties

(5) Subsection (2) is a civil penalty provision.

(6) A reporting entity contravenes this subsection if:

(a) the reporting entity designates an individual as its AML/CTF compliance officer; and

(b) the individual is not eligible under subsection (3) to be designated as the AML/CTF compliance officer for the reporting entity.

(7) Subsection (6) is a civil penalty provision.

26K Reporting entities must have an AML/CTF compliance officer

(1) If:

(a) a reporting entity commences to provide a designated service; and

(b) an individual is not designated as the AML/CTF compliance officer for the reporting entity;

the reporting entity must, no later than 28 days after the day on which the reporting entity commences to provide the designated service, designate an individual as the AML/CTF compliance officer for the reporting entity.

(2) If:

(a) a reporting entity commences to provide a designated service; and

(b) the individual designated as the AML/CTF compliance officer for the reporting entity ceases to be eligible under subsection 26J(3) to be so designated;

the reporting entity must, no later than 28 days after the day on which the individual ceases to be eligible, designate another individual as the AML/CTF compliance officer for the reporting entity.

(3) If:

(a) a reporting entity is required under subsection (1) or (2) to designate an individual as the AML/CTF compliance officer for the reporting entity by a particular time; and

(b) the reporting entity does not do so by that time;

then the obligation to comply with the requirement continues until:

(d) the reporting entity ceases to be a reporting entity;

whichever occurs first.

(4) A reporting entity that contravenes subsection (1) or (2) by failing to designate an individual as the AML/CTF compliance officer for the reporting entity by a particular time (the deadline ) is taken to commit a separate contravention of that subsection on each day that occurs during the period:

(a) beginning on the day on which the deadline occurs; and

(b) ending on the day on which the reporting entity's obligation to comply with the requirement ends (see subsection (3)).

(5) To avoid doubt, a reporting entity does not contravene subsection (1) or (2) more than once on any particular day, even if the reporting entity commences to provide a designated service more than once on a particular day or during a particular period.

(6) Subsections (1) and (2) are civil penalty provisions.

26L AML/CTF compliance officer's functions

The functions of the AML/CTF compliance officer for a reporting entity are:

(a) to oversee and coordinate the reporting entity's day-to-day compliance with this Act, the regulations and the AML/CTF Rules; and

(b) to oversee and coordinate the effective operation of and compliance with the reporting entity's AML/CTF policies; and

(d) to do anything incidental to or conducive to the performance of any of the above functions; and

(e) any other functions specified in the AML/CTF Rules.

26M Reporting entities must notify AUSTRAC of entity's AML/CTF compliance officer

(1) A reporting entity must notify AUSTRAC of the individual who is designated as the reporting entity's AML/CTF compliance officer within 14 days after the individual is designated as the AML/CTF compliance officer for the reporting entity.

(2) A notice under subsection (1):

(a) must be in the approved form; and

(b) must contain such information, and be accompanied by such documents, as is required by the approved form.

(3) Subsection (1) is a civil penalty provision.

Division 6 - AML/CTF program documentation and approvals

26N AML/CTF program documentation

(1) A reporting entity must document the following, within the period (if any) specified in the AML/CTF Rules:

(a) its AML/CTF program;

(b) any other matter relating to the AML/CTF program of the reporting entity specified in the AML/CTF Rules.

(2) A reporting entity must comply with subsection (1).

(3) Subsection (2) is a civil penalty provision.

(4) If a reporting entity is the responsible entity of a registered scheme (within the meaning of the Corporations Act 2001), the reporting entity's AML/CTF program may be documented in the same document as the registered scheme's compliance plan under that Act.

26P AML/CTF program approvals

(1) A reporting entity's ML/TF risk assessment and AML/CTF policies, including any updates to either, must be approved by a senior manager of the reporting entity.

(2) Any updates to a reporting entity's ML/TF risk assessment must be notified, in writing, to the governing body of the reporting entity as soon as practicable after the update is made.

(3) A reporting entity must comply with a requirement under this section.

(4) Subsection (3) is a civil penalty provision.

26Q Requests for AML/CTF documentation

(1) The AUSTRAC CEO may, by written notice, request a reporting entity to produce one or more of the documents required by subsection 26N(1) within the period specified in the notice.

(2) A reporting entity must comply with a notice given under subsection (1).

(3) Subsection (2) is a civil penalty provision.

Division 7 - Other matters

26R AUSTRAC CEO may require reporting entity to undertake ML/TF risk assessment etc.

Scope

(1) This section applies if the AUSTRAC CEO is satisfied that:

(a) a reporting entity does not have an AML/CTF program; or

(b) the AML/CTF program of a reporting entity is not up to date; or

(c) the AML/CTF program of a reporting entity does not appropriately identify, assess, manage or mitigate the risk of money laundering, financing of terrorism and proliferation financing that the reporting entity may reasonably face in providing its designated services.

Requirement

(2) The AUSTRAC CEO may, by written notice given to the reporting entity, require the reporting entity to:

(a) do one or more of the following:

(i) undertake and document an ML/TF risk assessment of the reporting entity;

(ii) review and update the ML/TF risk assessment of the reporting entity;

(iii) develop and document AML/CTF policies of the reporting entity;

(iv) review and update the AML/CTF policies of the reporting entity; and

(b) provide a copy of the documentation within:

(i) the period specified in the notice; or

(ii) if the AUSTRAC CEO allows a longer period - that longer period.

(3) A person commits an offence if:

(a) the person is subject to a requirement under subsection (2); and

(b) the person engages in conduct; and

Penalty: Imprisonment for 6 months or 30 penalty units, or both.

Civil penalty

(4) A reporting entity must comply with a requirement under subsection (2).

(5) Subsection (4) is a civil penalty provision.

26S Registered remittance affiliates of a registered remittance network provider

(1) A reporting entity that is a registered remittance network provider must make available an AML/CTF program to its registered remittance affiliates.

(2) Subsection (1) is a civil penalty provision.

(3) To avoid doubt, subsection (1) does not prevent any of the registered remittance affiliates from:

(a) undertaking a risk assessment for the remittance affiliate; or

(b) developing AML/CTF policies for the remittance affiliate.

(4) If a senior manager of a remittance affiliate of a registered remittance network provider approves the registered remittance network provider's:

(a) ML/TF risk assessment; and

(b) AML/CTF policies;

the remittance affiliate is taken to have complied with the remittance affiliate's obligations under section 26C and 26F in respect of the remittance affiliate's designated services to which the registered remittance network provider's AML/CTF program applies.

26T Application of Part to holders of Australian financial services licences

(1) This section applies if all of the designated services provided by a reporting entity are covered by item 54 of table 1 in section 6.

Note: Item 54 of table 1 in section 6 covers a holder of an Australian financial services licence who arranges for a person to receive a designated service.

(2) Paragraph 26F(1)(a) applies in relation to the reporting entity as if it instead required policies, procedures, systems and controls that:

(a) relate to undertaking initial customer due diligence in accordance with section 28; and

(b) are appropriate to the risks of money laundering, financing of terrorism and proliferation financing that the reporting entity may reasonably face in providing its designated services.

(3) The following provisions of this Part do not apply to the reporting entity:

(a) paragraphs 26F(1)(b) and (3)(a) to (d) and subsection 26F(4);

(b) section 26H;

(d) Division 5.

26U Business of a lead entity of a reporting group

In applying this Part in relation to a reporting entity that is the lead entity of a reporting group, a reference to the nature, size and complexity of the reporting entity's business is taken to be a reference to the nature, size and complexity of the business of the lead entity and each other reporting entity that is a member of the reporting group.

Note: For other rules about how this Part applies in relation to a lead entity of a reporting group, see section 236B.

26V General exemptions

(1) This Part does not apply to a designated service that is of a kind specified in the AML/CTF Rules.

(2) The AML/CTF Rules may provide that a specified provision of this Part does not apply to a designated service that is of a kind specified in the AML/CTF Rules.

(3) This Part does not apply to a designated service that is provided in circumstances specified in the AML/CTF Rules.

(4) The AML/CTF Rules may provide that a specified provision of this Part does not apply to a designated service that is provided in circumstances specified in the AML/CTF Rules.

Copyright notice

You are free to copy, adapt, modify, transmit and distribute material on this website as you wish (but not in any way that suggests the ATO or the Commonwealth endorses you or any of your services or products).