Are you managing your AML/CTF obligations?
This small business checklist is a quick way to understand the breadth of your obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) and help you access other AUSTRAC resources.
Your AML/CTF program obligations
Reporting entities are required under the AML/CTF Act to have in place an anti-money laundering and counter-terrorism financing (AML/CTF) program. As per section 81 of the AML/CTF Act, reporting entities that have not adopted and maintained an AML/CTF program cannot provide any designated services listed under the AML/CTF Act (for example, making a loan in the course of carrying on a loans business).
Other AML/CTF obligations
Reporting entities also have obligations to monitor customers and transactions, take particular precautions with customers associated with high-risk or suspicious matters, provide certain reports to AUSTRAC and maintain records.
Checking your AML/CTF obligations
All reporting entities, even small ones, must give consideration to the level of money-laundering and terrorism-financing risks they face and implement an AML/CTF program that matches these risks and the size, complexity and capability of the business. There are also other obligations that may need to be complied with, for example reporting to AUSTRAC on suspicious matters.
FTR Act obligations
This checklist deals with obligations under the AML/CTF Act. However, if you had obligations under the Financial Transaction Reports Act 1988 (FTR Act), you may also have obligations under that Act. Visit the Legislation pages of the AUSTRAC website if you believe you have obligations under the FTR Act (www.austrac.gov.au/legislation.html).
To enrol as a reporting entity visit AUSTRAC Online and follow the directions for new users (www.austrac.gov.au/online/).
Refer to the AUSTRAC Regulatory Guide and AML/CTF Act Self Assessment Questionnaire available on the AUSTRAC website at www.austrac.gov.au.
For copies of the FTR Act and AML/CTF Act refer to www.austrac.gov.au/legislation.html or www.comlaw.gov.au.
Small businesses that are reporting entities will also be subject to the Privacy Act 1988 (Cth) in regard to their obligations under the AML/CTF Act. For further information please visit the website of the Office of the Privacy Commissioner at www.privacy.gov.au/business/aml/index.html or contact them on 1300 363 992.
If you need further assistance please contact the AUSTRAC Help Desk on 1300 021 037 or email email@example.com.
What you need to do
If you are a small business you should ensure you:
- have an effective and documented AML/CTF program in place that will identify, minimise and manage money laundering and terrorism-financing (ML/TF) risks
- have developed a process that allows you to monitor and review your AML/CTF program
- have appointed an AML/CTF Compliance Officer
- where required, implement a process to screen staff and agents (if any) before they are employed, and/or when they are transferred or promoted
- train your staff and agents (if any) on an ongoing basis so they understand their responsibilities
- have procedures in place to collect and verify customer identification as required ('know your customer' or KYC)
- have procedures in place to carry out ongoing monitoring of your customers and their transactions (ongoing customer due diligence or OCDD)
- have procedures in place to provide a higher level of customer due diligence to manage customer relationships associated with high-risk or suspicious matters (enhanced customer due diligence or ECDD)
- have procedures in place to make and store relevant records (such as records of customer identification)
- have registered your business with AUSTRAC if you are a provider of designated remittance services (money transfer business)
- have procedures in place to report suspicious matters, threshold transactions and international funds transfer instructions to AUSTRAC that meet quality, accuracy and timeliness obligations for making these reports.
To help a small business develop good practices to reduce their ML/TF risks and help them comply with their obligations under the AML/CTF Act, AUSTRAC has developed the following list of questions a business may ask itself:
- Who will be responsible for approving and overseeing the AML/CTF program?
- Who will be your AML/CTF Compliance Officer?
- Is the AML/CTF program tailored to the size of your business and its needs?
- What actions have you taken to ensure your business' AML/CTF policies and procedures have been communicated to your staff and agents (if any)?
- How does your business monitor compliance with its AML/CTF obligations?
- How does your business ensure it meets its AML/CTF obligations?
- How will you ensure you are meeting the standards of quality, accuracy and timeliness for reporting suspicious matters, threshold transactions and international funds transfer instructions to AUSTRAC?
- How regularly will your AML/CTF program be independently reviewed?
- Do you have a process to respond to feedback from AUSTRAC?
- How will you keep the necessary records?
- Does your business need to register with AUSTRAC as a provider of designated remittance services?
- If your business has to register with AUSTRAC, does it have procedures in place to notify AUSTRAC if your registrable details change?
- In identifying its ML/TF risk, a reporting entity must consider the risk posed by the following factors:
  - its customer types, including any politically exposed persons
  - the types of designated services it provides
  - the methods by which it delivers designated services
  - the foreign jurisdictions with which it deals.
- What types of customers does your business have (for example, are your customers individuals, partnerships, companies, trustees of trusts or government agencies)?
- What ML/TF risks are posed by your different types of customers?
- What ML/TF risks are posed by new customers and by existing customers?
- Through what types of products and services does your business provide designated services?
- How are those products and services delivered (for example, is it online, by posting of forms or by face-to-face dealings)?
- What ML/TF risks are posed by your different products and services?
- What level of ML/TF risk do your business practices or service delivery methods present?
- What countries does your business deal with?
- What risks are posed by the different countries you do business with?
- How does your business assess the risk of any new services you may plan to provide?
- How does your business assess the risk of any new service delivery methods you may plan to use?
- How does your business assess the risk of any new technologies you may plan to use?
- How does your business record these risk assessments?
- How does your business respond to a change in risk assessment?
- How are the identified risks in your business minimised?
- How often are your risk assessments and procedures reviewed?
ML/TF risk awareness training
- How often and/or on what occasions will training occur?
- How will changes to procedures be communicated to your staff and agents (if any)?
- Does the training program for staff and agents (if any) include the following:
- Does it tell them about the obligations your business has under the AML/CTF Act?
- Does it let them know the ML/TF risks your business may face and what these risks may mean?
- Does it provide information on the processes and procedures of your AML/CTF program and how they relate to their job?
- Does it cover how to recognise and deal with suspicious matters?
- Does it detail what customer identification they have to obtain?
- Does it cover how to verify customer identity?
- Does it tell them when to seek further identification from an existing customer?
- Does it tell them who your AML/CTF Compliance Officer is?
- Does it cover how to monitor customer behaviour and activity and how to respond to changes in behaviour and activity or suspicious matters?
Employee and agent due diligence
- Is there a process to ensure your staff and agents (if any) are screened for ML/TF risk before they are employed?
- Is there a process to ensure your staff and agents (if any) are monitored for ML/TF risk on an ongoing basis?
- What happens when an employee is promoted or does a different job within the business?
Customer due diligence
- How can you be reasonably sure your customer is who they say they are?
- What type of identification will the business accept and not accept?
- What information will a customer have to provide to verify their identity?
- What additional KYC information should you collect for high-risk customers?
- How do you monitor your customers on an ongoing basis to manage the risk of your business facilitating ML/TF activity?
- How can you be sure that a change in a customer's transaction practices will be picked up if these practices should lead to reassessing the level of risk?
- How can you be sure that a change in the level of risk associated with a customer will result in a change in how the relationship is monitored and managed?
- How will your customer identity and verification procedures/documents be recorded?
Suspicious matter reporting
- Do you and your staff and agents (if any) understand what suspicious matters are?
- Do you and your staff and agents (if any) know what to do if they identify suspicious matters?
- Do you and your staff and agents (if any) understand the legal restrictions surrounding suspicious matter reporting?
- Does the AML/CTF Compliance Officer know how, when and in what timeframe to report suspicious matters to AUSTRAC?