Featured in The Inside Adviser https://insideadviser.com.au/the-ongoing-aml-ctf-obligations-many-firms-havent-considered/
AML/CTF compliance is not a one-off box-ticking exercise for advisers, lawyers and accountants, but a permanent discipline of spotting risk early, reporting fast and embedding defensible processes across the whole firm.
As advisers and other professionals get closer to the implementation of the Anti-Money-Laundering and Counter-Terrorism Financing (AML/CTF) Tranche 2 reforms, a lot of the focus has been on the upfront work. Firms are thinking about enrolment, assigning roles, building risk assessments and setting up customer due-diligence processes.
While these steps are important, they are only the starting point, as the new AML/CTF regime is designed to operate continuously. The real challenge for advice and professional services firms will be the ongoing obligations that sit behind the framework.
Suspicious matters
Advisers should already understand the obligation to report ‘suspicious matters’ as this is one that has applied to them for a while. Lawyers and accountants will need to be across this, too, as Tranche 2 entities. However, there are firms that believe this would never apply to them as their clients appear legitimate, but the legal test trigger is whether the reporting entity forms a ‘reasonable suspicion’ that something may be wrong, not whether wrongdoing has been proven.
Reasonable suspicion sits somewhere between speculation and proof. It can arise when a person may not be who they claim to be, or where information suggests a possible offence such as money laundering, tax evasion or dealing with the proceeds of crime.
In practice, suspicious matters often arise from everyday situations rather than obvious criminal activity. Examples include inconsistent instructions from a client, unusual urgency around transactions, reluctance to provide identification information, or questions around the source of funds.
Entire firm awareness
Importantly, the person who notices something unusual may not be the professional. It could be an administrator processing documentation, someone in operations receiving urgent instructions, or another team member interacting with the client. For that reason, training needs to extend across the entire firm, not just compliance or professional staff. Team members need to understand what a red flag might look like, and how to escalate it internally.
The timeframes for reporting suspicious matters are strict. Once a reporting entity forms a suspicion, a ‘suspicious matter report’ (SMR) generally needs to be lodged within three business days. If the suspicion relates to terrorism financing, the timeframe is even shorter, at 24 hours. This means firms cannot delay reporting while they gather more information or wait for a transaction to complete.
AUSTRAC has recently written to financial advice firms documenting the regulator’s concerns about the small number of SMRs lodged by the advice industry and reminding advisers about their obligations in this space.
Tipping off
Closely linked to suspicious matter reporting is the concept of ‘tipping off.’ This refers to disclosing that a suspicious matter report has been lodged, or that one may be lodged, in circumstances where the disclosure could prejudice an investigation.
Team members often want to be transparent with clients, especially when trying to do the right thing. However, reporting entities and their teams must not disclose that a report has been lodged. Internally, information should only be shared with those who genuinely need to know, to minimise the risk of accidental disclosure. If the firm chooses to stop acting for a client, neutral explanations such as internal requirements or policy reasons should be given rather than referencing any reporting obligations.
Another area advisers and other professionals providing more than just Item 54 services should expect to manage on an ongoing basis is customer due diligence. (Item 54 services, under the AML/CTF Act, refer to Australian Financial Services Licensees [AFSLs] arranging for clients to receive other designated services.) While most firms associate due diligence with the onboarding process, for most reporting entities AML/CTF obligations continue throughout the life of the client relationship. Information about clients should be reviewed periodically and updated when circumstances change or new risks emerge. Triggers for review must be risk informed.
Transaction monitoring
Transaction monitoring also forms part of these ongoing obligations. For large banks and payment institutions this can involve automated systems, but for advice and professional services firms the process will usually be more behavioural. Teams need to remain alert to unusual activity, patterns that do not align with a client’s typical behaviour, or transactions that appear structured in a way that could obscure the source of funds.
While cash can be rarer in many industries today, reporting entities need to be aware of threshold transaction reporting obligations. These reports apply where physical currency of $10,000 or more is involved and the key point is that the report must be made even if the transaction itself appears legitimate. Because of this, many professional firms choose to avoid accepting cash into trust accounts where possible, as doing so reduces both risk and administrative burden.
Each year, most reporting entities are also required to submit an AML/CTF compliance report to AUSTRAC through its online system. This report confirms whether the entity had an AML/CTF program in place, conducted its risk assessment, met reporting obligations, carried out customer due diligence and delivered appropriate staff training. Although the process itself is relatively straightforward, the report is a formal declaration and needs to align with the firm’s underlying records.
Independent evaluations are another key feature of the regime. These reviews test whether a firm’s AML/CTF framework is effective and operating in practice, not just documented in policy form. The evaluation typically involves reviewing the firm’s risk assessment, examining client files to confirm that due diligence processes have been followed, assessing reporting and escalation procedures and reviewing governance and training arrangements. In most cases, firms must undertake this evaluation at least every three years, with higher risk businesses potentially requiring more frequent reviews.
Record keeping
Record keeping is also a major component of the framework and records must be retained for at least seven years (in some cases, seven years after the client ceases to be a client). This includes documentation relating to customer due diligence, risk assessments, suspicious matter reporting, transaction records and internal governance processes. The expectation is that firms can demonstrate how decisions were made and who was responsible and not just that tasks were completed.
For advisers and other professionals, the key takeaway is that AML/CTF compliance is less about producing a single document and more about embedding consistent processes across the firm. Teams need to know how to recognise potential issues, how to escalate them, and how to document the steps taken. Firms that build practical systems and clear internal processes will find the regime far easier to manage than those trying to piece together evidence after the fact.
While the reforms represent a significant shift for many advice and professional services firms, a well-designed framework can become part of normal business operations rather than an additional layer of complexity.