What is ongoing customer due diligence (OCDD)?
Under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) and AML/CTF Rules, 'reporting entities' have obligations to monitor customers and their transactions on an ongoing basis. This ‘ongoing customer due diligence’ (OCDD) will help reporting entities to identify, mitigate and manage money laundering or terrorism financing (ML/TF) risks that may arise from providing one or more designated services to their customers.
The AML/CTF Rules specify three mandatory components of OCDD:
- collection and verification of additional ‘know your customer’ (KYC) information
- a transaction monitoring program
- an enhanced customer due diligence program.
Reporting entities should have appropriate risk-based systems and controls in place to assist in meeting these obligations. Such systems and controls are based on the nature, size and complexity of the reporting entity's business and the ML/TF risks faced.
Who needs to conduct OCDD?
Reporting entities are required to conduct OCDD. A reporting entity is an individual, company or other entity that provides a ‘designated service’ as defined in the AML/CTF Act. Reporting entities include banks and other financial institutions, non-bank financial service providers, remittance service providers, bullion dealers and gambling service providers.
When do the OCDD provisions commence?
The OCDD provisions commence on 12 December 2008, under Part 2, Division 6 of the AML/CTF Act.
Mandatory component one: collecting and verifying additional KYC information
Before providing a designated service to a customer, a reporting entity must collect and verify information about the customer's identity. As part of the OCDD obligations, reporting entities must also determine when it may be necessary to collect further KYC information, or update or verify existing KYC information. This must be included in reporting entities' AML/CTF programs.
Mandatory component two: transaction monitoring program
The purpose of a transaction monitoring program is to identify transactions that appear to be suspicious, within the terms of the AML/CTF Act's 'suspicious matter' reporting provisions. The transaction monitoring program must be included in Part A of a reporting entity's AML/CTF program.
A transaction monitoring program should be able to detect complex, unusual large transactions and unusual patterns of transactions, which have no apparent economic or lawful purpose. It is up to reporting entities to decide on the most appropriate form of transaction monitoring for their business - for example, it does not have to be a computer-based software package. However, if a reporting entity has an automated system in place, the entity should assess the ‘flags’ produced by the system to ensure they are relevant to the entity's business and customers, prior to using the system.
See also 'Reporting entities who have been reporting to AUSTRAC as cash dealers under the FTR Act' below.
Mandatory component three: an enhanced customer due diligence program
Part A of a reporting entity's AML/CTF program must include an enhanced customer due diligence program, which is applied when the reporting entity determines there is high ML/TF risk, or a reportable suspicious matter has arisen.
When applying the enhanced customer due diligence program, the reporting entity must consider issues including whether to analyse, verify, re-verify, clarify, update, or obtain any KYC information about a customer, analyse and monitor the customer's transactions, clarify the nature of the customer's ongoing business with the reporting entity, and/or report a suspicious matter to AUSTRAC.
Does OCDD apply to all customers?
OCDD obligations apply to all customers to whom a reporting entity provides a designated service, including pre-commencement customers (see below) and customers whose KYC information was initially collected and/or verified by another entity (for example, an agent).
Does OCDD apply to pre-commencement customers?
Pre-commencement customers are those to whom a reporting entity provided a designated service before 12 December 2007. There may be circumstances where pre-commencement customers need to be identified or have their details updated or verified as part of OCDD.
How does privacy legislation affect OCDD?
Reporting entities need to be aware of and comply with their obligations under the Privacy Act 1988 when setting up OCDD processes and collecting information. Further information is available from the Office of the Privacy Commissioner on 1300 363 992 or visit www.privacy.gov.au.
Are there any general OCDD exemptions?
OCDD obligations do not apply to reporting entities who only provide the designated service covered by item 54 of table 1 in section 6 of the AML/CTF Act. This involves an Australian financial services (AFS) licence holder who arranges for a person to receive another designated service. However, OCDD obligations do apply to AFS licence holders when they provide any other designated services (that is, other than an item 54 service).
AUSTRAC's position on OCDD non-compliance
For reporting entities who find they will be non-compliant with OCDD obligations when they commence on 12 December 2008, AUSTRAC’s view on this matter is:
- The OCDD-related AML/CTF Rules were finalised and communicated to industry in December 2007, providing reporting entities with 12 months to develop and implement their systems and controls.
- The Policy (Civil Penalty Orders) Principles 2006 (the Principles) and associated guidance note do not alter the commencement date of Part 2 of the AML/CTF Act. Reporting entities are obliged to comply with Part 2 irrespective of the Principles.
- To avoid the possibility of enforcement action - including civil penalty orders - in respect of Division 6 of Part 2 of the AML/CTF Act, a reporting entity must:
- by 12 March 2010, at the very latest, be compliant with Division 6 of Part 2; and
- have applied their transaction monitoring program from 12 December 2008. This applies regardless of the date during the 15-month period at which the reporting entity reached full compliance with these requirements.
- Notwithstanding the application of the Principles and the guidance note, AUSTRAC has a number of regulatory powers available to it beyond the application of civil penalty orders.
- A reporting entity is required to continue to maintain compliance with Part 2, Division 6 of the AML/CTF Act after 12 March 2010. Failure to do so will risk enforcement action by AUSTRAC including civil penalty orders.
AUSTRAC expects reporting entities who are implementing complex OCDD tools including computerised transaction monitoring systems and will not be fully functional on 12 December 2008, to utilise manual or other existing technological tools during the interim period.
Where a reporting entity fails to implement any transaction monitoring program on 12 December 2008, AUSTRAC will require those entities to apply their transaction monitoring program, once implemented, to those transactions that occurred between 12 December 2008 and when the entity began complying with the transaction monitoring requirements. This may require the reporting entity to carry out additional KYC and/or enhanced customer due diligence measures. This must be completed no later than 12 March 2010.
Reporting entities who are also 'cash dealers' under the Financial Transaction Reports Act 1988 (FTR Act), who have in place processes and procedures to detect suspicious transactions under the FTR Act, may continue to use these systems after 12 December 2008 and before reaching compliance with the AML/CTF reporting requirements prior to 12 March 2010. Reporting entities who continue to use these FTR Act processes and procedures will not be required to apply their transaction monitoring program, once implemented, to transactions that occurred between 12 December 2008 and when the entity began complying with the transaction monitoring requirements.
Reporting entities are reminded that from 12 December 2007 they were required to have and comply with an AML/CTF program, which must be designed to identify, manage and mitigate a reporting entity’s ML/TF risk. An AML/CTF program must include, among other requirements, customer identification procedures and an AML/CTF risk awareness training program for staff which enables employees to understand those processes and procedures that are relevant to the work carried out by the employee.
The above view is based on AUSTRAC’s role in promoting compliance with the AML/CTF Act and to ensure competitive neutrality between reporting entities. In particular, it is important that AUSTRAC does not provide a competitive disadvantage to entities which reach full compliance at an earlier date and provide an incentive to delay implementation of systems and commencement of OCDD requirements.
Where a reporting entity believes that it has a particular set of circumstances that will result in a significant non-compliance with the OCDD provisions of the AML/CTF Act, it should approach AUSTRAC with a specific proposal for consideration of these matters. This proposal would need to address a range of issues including:
- details of any unique circumstances which would prevent it from complying with the OCDD requirements of the AML/CTF Act
- the nature of the relevant service or product
- details of what aspects of OCDD will not be carried out or the process that will not be completed
- an estimate of the likely number of customers affected and their profile
- an estimate of the cost in complying with the OCDD requirements
- a proposal from the entity for managing the risks (in terms of the AML/CTF Act) associated with non compliance.
Further information about OCDD
AUSTRAC has produced various educational tools and publications to assist reporting entities with their OCDD and AML/CTF program obligations. These include:
- AML/CTF programs brochure
- AUSTRAC guidance note Risk management and AML/CTF programs
- AUSTRAC Regulatory Guide (in particular, chapters 2, 3, 4 and 8)
- e-learning course 'AML/CTF programs'
- Ongoing customer due diligence (OCDD) brochure.
The above can be accessed from the quicklinks on this page.