FACT SHEET: Can you outsource your AML/CTF Obligations?

Keddie Waller, AML/CTF Project Manager

This Fact Sheet has been prepared based on the future AML/CTF requirements for Tranche 2 entities that will commence 1 July 2026.

It is possible to outsource one or more of your AML/CTF functions to an external service provider. You may choose to do this for a range of reasons including efficiency or to access specialist expertise for your business needs.

However, before you consider outsourcing one or more of your obligations, it is important to understand:

  • the risks associated with implementing an outsourcing arrangement
  • the due diligence checks you should complete on the external service provider
  • your ongoing obligations in relation to the outsourcing arrangement, and
  • potential legal restrictions on sharing information with the external service provider.

If you fail to comply with your AML/CTF obligations as a result of a failure by the external service provider, you will, in most circumstances, remain legally liable for a breach of the AML/CTF legislation, which may result in the imposition of penalties.

Once implemented, you should also set up a process to monitor and review the outsourcing arrangement to ensure it is operating as required, and in accordance with the policies and procedures in your AML/CTF Program.

What are the risks of outsourcing?

There are two key risks to consider when outsourcing any of your AML/CTF functions:

  1. the outsourcing arrangement may increase the risk that your business may be used to facilitate money laundering or terrorism financing activities, through the introduction of new weaknesses in your business systems, and
  2. you may be liable for a breach of your AML/CTF obligations if you fail to conduct appropriate due diligence and monitoring of the external services, or if the services are not tailored to your needs or have been poorly implemented.

You should consider each of the above risks, and the controls to be implemented to manage those risks, when determining which AML/CTF function/s you decide to outsource.

What due diligence checks should you complete?

Like any key business decision, you should undertake appropriate checks to be confident that a potential outsourced provider can deliver your identified AML/CTF functions.

Things you should consider include, but are not limited to:

  • Does the external service provider have a clear understanding of your AML/CTF obligations?
  • Are their qualifications and experience relevant to the specific AML/CTF functions you are seeking?
  • If necessary, can they tailor their product to your business needs?
  • Do they have experience servicing similar businesses (ideally in your industry sector), and can they provide references?
  • What security features are embedded in their product?
  • Do they undertake independent security testing?
  • If you outsource your customer identification and verification checks, how can you ensure that you have ongoing access to the records kept on your behalf by the external service provider, even after the outsourcing arrangement has ended?

Data breaches and cyber-attacks are now an everyday risk for all businesses. It is therefore also important that you review the terms of agreement to understand each party’s respective responsibilities, procedures and liability in the event of a data breach or cyber-attack.

Check with your insurance broker if you decide to appoint an external service provider to ensure you remain adequately covered.

You should also request a demonstration of the product to ensure that you can be confident it can be efficiently used by your business, and if relevant, integrate with your existing software systems.

What are your obligations?

It is likely that any outsourced agreement will include several obligations that you will need to comply with, such as:

  • keeping any usernames or passwords provided confidential and secure to manage access to the outsourced platform
  • complying with your obligations under the Privacy Act
  • how you may use information and outputs provided, and
  • potential restrictions on storage and reproduction.

The outsourced agreement may state that you remain responsible for assessing the information provided, including if it can be used for the purposes you require.

It is strongly recommended that, if you decide to enter an outsourced arrangement, you do so in writing to ensure there are clear expectations on both parties, including respective roles and responsibilities.

You should also ensure your written agreement includes service level agreements (SLAs), as well as regular reporting to demonstrate SLAs are being met.

Are there potential legal restrictions to consider?

It is important to understand that under the ‘tipping off’ requirements you cannot share information with the external service provider about suspicious matter reports, or any associated notices issued by AUSTRAC, unless a number of limited exceptions apply.

Criminal penalties may apply to unauthorised disclosures.

You may wish to seek legal advice to ensure you understand your obligations and any restrictions that may apply before entering an outsourcing arrangement.

Once implemented, is there anything more I need to do?

As with any third-party arrangement, you should put in place processes to monitor:

  • the performance of the external service provider against the agreed SLAs
  • that the arrangement continues to comply with your AML/CTF obligations, and with the relevant procedure in your AML/CTF Program, and
  • any changes to your relevant AML/CTF obligations or business, that may need to be reflected in the nature of the service provided, the terms of the outsourcing agreement or may require the appointment of a new external service provider.

AUSTRAC’s ‘Using outsourcing to help meet your AML/CTF obligations’ guidance provides further information you should consider before entering into an outsourced arrangement.
