Prepared by Catherine Evans and Rosie Jervis.
There are changes to the AML/CTF Act and Rules that came into effect on 18 June 2021 that:
- clarify obligations to re-verify KYC information when you have doubts about the identity of the customer, beneficial owner or person purporting to be acting on behalf of a customer or the veracity or adequacy of KYC information previously obtained
- clarify that KYC must be completed before designated services can be provided
- expand the exceptions to tipping off to allow suspicious matter reports to be shared with external auditors or foreign members of the same designated business group (but only where they are regulated by laws of a foreign country that give effect to some or all of the FATF recommendations); and
- expand on when you can rely on KYC performed by another person (must be a reporting entity or foreign equivalent)
This does not impact on arrangements where you outsource part of your KYC process to a third party who is not a reporting entity. For any of these outsourcing arrangements you are still required to comply with your own KYC procedures and ensure the outsourced provider is acting as your agent in undertaking the relevant the services.
Re-verification of KYC information
The updated Act/Rules clarify that:
- where you suspect on reasonable grounds that a customer is not the person that the customer claims to be; or
- you have doubts about the veracity or adequacy of documents or information previously obtained for the purpose of identifying or verifying the customer, any beneficial owner of the customer; or any person purporting to act on behalf of the customer,
you must, as soon as practicable, take reasonable measures to:
- obtain and verify additional KYC information; or
- update and verify existing KYC information
so that you are reasonably satisfied that the customer, beneficial owner or person purporting to act on behalf of the customer is the person that the customer, beneficial owner or person purporting to act on behalf of the customer claims to be.
The changes also clarify that, where full customer identifications procedures have not been applied because a customer was deemed to be a low-risk service customer, and a suspicious matter arises in relation to the customer, you must undertake full KYC procedures and collect and verify additional information as soon as practicable after the suspicious matter reporting obligation arose.
KYC before a designated service is provided
The changes to the Act explicitly prohibit you providing a designated service to a customer if customer identification procedures have been not been carried out (whether a one-off transaction or an ongoing business relationship) except in very limited circumstances (described in s33 of the Act).
Tipping off
As you know, strict tipping off prohibitions apply where you submit or are required to submit a SMR about one of your customers. You must not disclose any information about the report except in limited circumstances (including engagement with Australian law enforcement agencies, disclosure to a court or tribunal for purposes of AML/CTF Act (after first consulting with AUSTRAC), requesting legal advice from a lawyer).
From 18 June the exceptions are expanded to allow you to share SMRs and related information with external auditors and foreign members of the same corporate or designated business group with which you have a shared customer but only if the foreign members are regulated by laws of a foreign country that give effect to some or all of the FATF recommendations.
Reliance on third parties
The amendments allow you to rely on customer identification procedures undertaken by other reporting entities (entities enrolled with AUSTRAC) or AML/CTF regulated foreign equivalents in some circumstances (both referred to as a Reliable Third Party).
There are two (2) options for this – an ongoing arrangement with a Reliable Third Party or reliance on a “case by case” basis. We have provided a detailed overview of both of these scenarios in an article for our clients, if you would like to access this information please get in touch.
Next Steps
If you wish to rely on Customer Due Diligence (CDD) performed by any third party, please take steps to ensure that the arrangement meets the safe harbour requirements as there are detailed requirements to be satisfied.
Any procedures or checklists used within your business should be adapted to the updated Act and Rules, for clients of Kit these have been updated within the DCP.