What is an AML/CTF Program and do I need a Risk Assessment?

Naomi Fink, Special Counsel

Do I need an AML/CTF Program?

Yes – if you are a “reporting entity” and you provide a “designated service” in connection with Australia that meets the “geographical link” test and if no exceptions apply.  The relevant law is the Australian Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) legislation.[1]

So, you’re caught? Then, you must have in place policies and procedures which manage the risk that your business could be used, either intentionally or unintentionally, for money laundering or terrorism financing (ML/TF). The AML/CTF regulator is the Australian Transaction Reports and Analysis Centre (AUSTRAC).

The AML/CTF legislation refers to the collection of compliance policies as an AML/CTF Program, and sets out, in detail, the individual procedures which must be included (see below). Creating and implementing an effective AML/CTF Program is an obligation set out in the AML/CTF legislation, and failing to adopt and maintain an effective AML/CTF Program could result in a civil penalty being awarded against you or your business.

The most important element of an AML/CTF Program is that it must be tailored to reflect the designated services provided by your business, as well as the ML/TF risks which are relevant to your business.

AUSTRAC takes a dim view of reporting entities who simply purchase a template AML/CTF Program from a consultant, and do not take the time to modify, amend and personalise the Program so that it reflects their operations. For example, if your AML/CTF Program sets out the procedures you have in place to deal with sending funds on behalf of customers to tax haven jurisdictions, but all of your customers are Australian and you do not send funds overseas for any purpose, the AML/CTF Program has not been created or modified with your business in mind.

What about an AML/CTF Risk Assessment? Is it part of the AML/CTF Program?

As previously explained, your AML/CTF Program must include policies and procedures which mitigate and manage the risk that your business or operations could be used for ML/TF. To work out what ML/TF risks are relevant for your business, you must conduct an AML/CTF Risk Assessment, which includes the following steps:

  • List all of the ML/TF-related situations (i.e. risks) which are relevant for your business, using the risk categories set out in the AML/CTF legislation;
  • Assign a rating to each risk, which reflects the seriousness of the consequences of that risk occurring (for your business); and
  • Implement appropriate controls which are designed to manage each risk – these controls are the AML/CTF procedures you have implemented, which are then included in the AML/CTF Program.

The AML/CTF legislation sets out the categories of risk which must be considered when undertaking an AML/CTF risk assessment:

  • Customer type;
  • Type of services you provide to customers;
  • Method of delivery of your services (eg face-to-face or online only);
  • Customer’s source of wealth and funds;
  • Nature and purpose of your relationship with your customer;
  • Control structure of non-individual customers; and
  • Jurisdiction risk.

You need to create a list of risks for each of the above categories, which are relevant for your business. The AML/CTF legislation does not set out a required risk assessment process or methodology – it is up to you.  However, you must include risks which fall within each of the above categories, and have a process in place to assess, manage and control the risks.  We can assist you with providing a template AML/CTF Risk Assessment document, with a risk assessment methodology, which can be tailored for your business.

What should an AML/CTF Program include?

The completed and tailored AML/CTF Risk Assessment forms the basis of your AML/CTF Program. According to the AML/CTF legislation, AML/CTF Programs are divided into 2 Parts: Part A and Part B.

Governance and Risk Management – Part A

Part A sets out all of the business’s governance and risk management procedures which you have or will implement in order to comply with your AML/CTF obligations.

Obligations include:

  • AML/CTF Risk Assessment: explain the methodology used to conduct the ML/TF Risk Assessment, and either include the AML/CTF Risk Assessment in the Program or refer to where it can be found;
  • AML/CTF compliance officer: appoint a person in your business to be the AUSTRAC contact person, and to keep the Board or senior management informed of any AML/CTF issues;
  • Governance and management oversight procedures: implement management oversight procedures, whereby the Board or senior management ensures that the company complies with its AML/CTF obligations (including enrolling with AUSTRAC as a reporting entity), and that the procedures in the AML/CTF Program are implemented and reviewed to reflect any changes in the business or the services provided;
  • Training for employees and agents: ensure that employees and agents receive regular training which explains your AML/CTF obligations;
  • AML/CTF independent review: ensure that Part A of your AML/CTF Program is independently reviewed on a regular basis;
  • Employee due diligence: conduct background and other checks on your employees, to manage the risk that they could involve the business in ML/TF activities;
  • Ongoing customer due diligence: conduct ongoing customer due diligence checks on your customers, which includes the obligation to obtain additional information about your customers, monitor their transactions or conduct enhanced customer due diligence (see Part B);
  • Reporting: depending on the designated services you provide, you are required to lodge the following reports with AUSTRAC:
    • Annual Compliance report;
    • Suspicious matter reports;
    • International Funds Transfer Instruction reports (if a customer instructs you to send funds overseas, or to bring funds in from overseas); and
    • Threshold Transaction reports (if you accept physical currency from customers); and
  • Record keeping: keep records of all customer due diligence checks and transaction monitoring checks (see Part B).

Know Your Client – Part B

Part B sets out a fundamental AML/CTF obligation – to identify your customers, and to verify their identity. This is also described as Know Your Customer, or KYC.

Identifying and verifying your clients is an important part of reducing the risk that your clients could be trying to use your business to launder funds, or fund terrorism. It is important to ensure that your KYC checks are conducted before you start providing your services to your customer.

Part B of the AML/CTF Program requires you to:

  • Undertake KYC checks for each customer type: the AML/CTF legislation sets out the minimum identification and verification checks that must be conducted for each customer type (eg individuals, companies, trusts etc).
  • Assess the ML/TF risk posed by each customer: include a process whereby you assess the level of risk that a customer could use your business for ML/TF purposes.

The level of KYC checks that you conduct on a customer must be commensurate with the risk that the customer could use your services for ML/TF. This means that if the ML/TF risk allocated to a customer is high, then you are required to conduct additional KYC checks to manage that increased level of ML/TF risk (also referred to as “enhanced customer due diligence”).

  • Conduct Politically Exposed Persons (PEPs) and sanctions checks on customers.

More information about complying with your KYC obligations can be found in [insert link to KYC article].

Depending on the type of services you provide, you may not be required to include all of the above procedures in your AML/CTF Program.

How can we help you to create and tailor an AML/CTF Program and an AML/CTF Risk Assessment?

We have created a comprehensive template AML/CTF Program, which must then be tailored to reflect your business’s ML/TF risk.  Our AML/CTF Program also includes an AML/CTF Risk Register and a Customer Risk Assessment and KYC Tool, which sets out a methodology for assessing the ML/TF risk posed by your customers.

Available on a subscription basis

Our AML/CTF Program is available on a monthly subscription basis or as a once off.

We can also provide you with legal advice on complying with all of your AML/CTF obligations.



Author: Naomi Fink (Special Counsel)

[1] The Australian AML/CTF legislation refers to the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (the AML/CTF Act) and the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No.1) (the AML/CTF Rules).