- Collecting and verifying customer identification information
- Identifying customers who do not have conventional forms of identification (including customers of Aboriginal and/or Torres Strait Islander heritage)
- Identifying and verifying the beneficial owner of a customer
- Responding to discrepancies that arise while verifying customer and beneficial owner information
- Document Verification Service - individual customer and beneficial owner identification
- Politically exposed persons
- Special circumstance and exemptions that apply for CDD obligations
The primary purpose of Part B is to ensure the reporting entity knows its customers and understands their customers' financial activities. The reporting entity must establish a framework and document its customer due diligence (CDD) procedures in detail. All AML/CTF programs (standard, joint and special) must include Part B.
A reporting entity must be reasonably satisfied that:
- an individual customer is who they claim to be
- for a non-individual customer, the customer exists and their beneficial ownership details are known.
By knowing its customers a reporting entity should be better able to identify and mitigate ML/TF risks in the conduct of their financial transactions, particularly where the activity or transactions are unusual or uncharacteristic.
The CDD requirements include:
- collecting and verifying customer identification information - for example, documents, data or other information obtained from a reliable and independent source
- identifying and verifying the beneficial owner(s) of a customer
- identifying whether a customer is a PEP (or an associate of a PEP) and taking steps to establish the source of funds used during the business relationship or transaction
- obtaining information on the purpose and intended nature of the business relationship.
When does a reporting entity need to undertake CDD?
Most CDD obligations must be completed before the provision of a designated service, regardless of whether it involves a one-off transaction or an ongoing business relationship (such as an account or a loan).
The reporting entity must comply with its obligations to identify the beneficial owner of a customer and determine whether the customer or a beneficial owner is a PEP before it provides the designated service, or as soon as practicable after the service has been provided.
There are exemptions which allow the CDD requirements to be met after the provision of the designated service. See 'Special circumstance and exemptions that apply for CDD obligations' below.
Risk-based customer due diligence procedures
A reporting entity is required to have risk-based CDD procedures. To develop these procedures, reporting entities should consider the risk posed by each of the following factors:
- customer types, including beneficial owners of customers and PEPs
- customers' sources of funds and wealth (for example, by enquiring into the expected source and origin of the funds to be used in the provision of the designated service)
- nature and purpose of the business relationship (for example, the customer's business or employment)
- control structure of non-individual customers (for example, complex corporate structures and the underlying beneficial owners)
- types of designated services the reporting entity provides
- how the reporting entity provides its designated services (for example, over-the-counter or online)
- foreign jurisdictions in which the reporting entity deals (for example, customers that live or are incorporated in a foreign country).
An AML/CTF program must:
- provide for the collection of certain minimum ‘know your customer’ (KYC) information;
- provide for the collection of certain minimum information about beneficial owners of customers
- include certain requirements in relation to customers who are ‘politically exposed persons’ (PEPs), or who have beneficial owners that are PEPs
- include appropriate risk-based systems and controls to determine whether further customer information should be collected
- provide for the verification of customer information
- include appropriate risk-based systems and controls to determine whether further customer information collected from the customer should be verified
- provide for the collection of information about the agent of a customer, and include appropriate risk-based systems and controls to determine whether to verify information about the agent.
What are the minimum customer identification and verification requirements?
The 'Ready reckoner' summarises the minimum customer information (including, where applicable, beneficial owner and PEP information) a reporting entity must collect and verify for the following customer types:
- individuals (including beneficial owners and PEPs)
- incorporated and unincorporated associations
- registered cooperatives
- government bodies
- agents acting on behalf of a customer.
Verification is the process the reporting entity uses to confirm that the customer information provided by, or about, a customer is accurate. A reporting entity's AML/CTF program must outline appropriate risk-based procedures and controls for the reporting entity to verify the customer information collected using reliable and independent documentation, reliable and independent electronic data, or both.
Does the identification information collected and verified need to be in the English language?
If a customer provides identification documents to a reporting entity in a language other than English, it is AUSTRAC’s expectation that the reporting entity obtain a translation of the document into the English language by an accredited translator.
In circumstances where the identification documents are in another language that personnel of the reporting entity understands, the reporting entity may not need to obtain a translation of the document into the English language by an accredited translator. However, AUSTRAC considers that it is good practice for a reporting entity to require that the person conducting the verification translate the documents into the English language, to:
- facilitate reference by all employees of the reporting entity, and
- to be able to demonstrate to AUSTRAC that the reporting entity has conducted the verification.
Reporting entities may adopt 'safe harbour' procedures to verify customer information for individuals where the relationship with the customer is of medium or lower ML/TF risk.
Reporting entities adopting the documentation-based safe harbour procedures (specified in paragraph 4.2.11 of the AML/CTF Rules) must verify customer information using an original or certified copy of a primary photographic, or primary non-photographic, or secondary document. For example, a reporting entity could verify the customer’s name by referring to their driver’s licence that shows the customer’s first name, middle initial, and family name.
Chapter 1 of the AML/CTF Rules defines 'certified copy', including the list of authorised persons who may certify a document as a true copy of an original.
Reporting entities adopting the electronic-based safe harbour procedures (specified in paragraph 4.2.13 of the AML/CTF Rules) must use reliable and independent electronic data from at least one or two separate data sources, depending on the type of information needing to be verified.
The Document Verification Service managed by the Commonwealth Attorney-General’s Department provides access to several independent electronic data sources. Reporting entities may also verify an individual's identity electronically by using records held by a credit reporting agency.
Note: Even where safe harbour procedures are applicable, it is not compulsory for reporting entities to adopt these procedures for customers with a medium or lower ML/TF risk (see paragraphs 4.2.10 and 4.2.12 of the AML/CTF Rules).
A reporting entity may adopt simplified verification procedures for certain types of companies and trusts.
Simplified company verification procedure
To use the simplified company verification procedure the reporting entity must confirm the company is one of the following:
- a domestic listed public company
- a majority owned subsidiary of a domestic listed public company
- licensed and subject to the regulatory oversight of a Commonwealth, state or territory statutory regulator in relation to its activities as a company.
A reporting entity may confirm the above information by undertaking one or more of the following:
- a search of the relevant domestic stock exchange
- obtaining a public document issued by the relevant company
- a search of the relevant Australian Securities and Investments Commission (ASIC) database
- a search of the licence or other records of the relevant regulator.
Simplified trust verification procedure
The reporting entity must verify that the trust is one of the following:
- a managed investment scheme registered by ASIC
- a managed investment scheme that is not registered by ASIC that:
- only has wholesale clients; and
- does not make small scale offerings (under section 1012E of the Corporations Act 2001)
- registered and subject to the regulatory oversight of a Commonwealth statutory regulator in relation to its activities as a trust
- a government superannuation fund established by legislation.
Some sections of the Australian community may have, for a diverse range of reasons, practical difficulties in meeting the identification requirements as specified in Chapter 4 of the AML/CTF Rules – Applicable Customer Identification Procedure.
For example, some customers may not have identification documents that reporting entities most commonly use to establish and verify the identity of their customers (such as a driver’s licence or birth certificate), or the information contained in the documents may no longer be accurate or up to date. This may include some customers of Aboriginal and/or Torres Strait Island heritage that live in remote areas, and customers who have resettled in Australia as refugees.
If these people do not have conventional forms of identification, they may face barriers in accessing financial services.
AUSTRAC recommends that, where appropriate, reporting entities consider adopting a flexible approach to the identification and verification of customers that do not have conventional forms of identification, while having regard to the entity’s risk assessment and profile. This may include using alternative identification that is ‘reliable and independent’.
The AML/CTF Act and Rules provide reporting entities with flexibility in terms of using alternative identification that is ‘reliable and independent’. Chapter 1 of the AML/CTF Rules states that reliable and independent documentation includes but is not limited to:
- an original primary photographic identification document;
- an original primary non-photographic identification document; and
- an original secondary identification document.
Note: This is not an exhaustive definition. A reporting entity may rely upon other documents not listed in paragraphs (1) to (3) above as 'reliable and independent documents', where that is appropriate having regard to ML/TF risk.
In applying this flexible approach, reporting entities are expected to apply a risk-based assessment in determining the suitability of the documentation submitted for identification and verification purposes.
For more information, recommendations and examples, please visit the Aboriginal and/or Torres Strait Islander people page. The guidance and worked examples, which specifically focus on customers of Aboriginal and/or Torres Strait Islander heritage, can also be applied for other customers who have difficulties in complying with customer identification requirements.
Part 4.15 of the AML/CTF Rules provide that, in limited and exceptional circumstances, a reporting entity can accept a self-attestation by a person as to their own identity. Reporting entities already have flexibility in the types of ‘reliable and independent’ documents they can use when carrying out an ACIP. Where the ACIP cannot be applied, paragraph 4.15.1 permits reporting entities to use ‘alternative identity proofing processes’. Self-attestation can only be used as a last resort when it is not possible to complete the ACIP, or to use ‘alternative identity proofing processes’. Examples include:
- where a customer does not have any independent and reliable identity documents, including no secondary identification documents, such as people affected by natural disasters, the homeless, or undocumented arrivals in Australia; or
- where a customer is unable to nominate an independent referee that meets the reporting entity’s customer identification requirements.
However, the reporting entity must continue to apply appropriate levels of ongoing customer due diligence to identify, mitigate and manage the ML/TF risk associated with customer identities established using self-attestation. Reporting entities must not rely on self-attestation where they know, or have reason to believe, that it would be incorrect or misleading to do so.
A reporting entity must implement procedures to collect and verify identification information about the beneficial ownership and control of its customers.
What is a beneficial owner?
A beneficial owner of a customer is defined as an individual (a natural person or persons) who ultimately owns or controls (directly or indirectly) the customer.
Ownership for the purposes of determining a beneficial owner means owning 25 per cent or more of the customer.
The definition of 'control' includes whether the control is exerted by means of trusts, agreements, arrangements, understandings or practices and whether or not the individual has control based on legal or equitable rights. It includes where an individual can exercise control through making decisions about financial and operating policies.
What beneficial owner information must be collected and verified?
Once a reporting entity has established who is a beneficial owner or owners of a customer, a reporting entity must collect at least the following information in relation to each individual beneficial owner:
- full name; and
- date of birth or full residential address.
The reporting entity must take reasonable measures to verify the information it collects about the beneficial owner. Reasonable measures means it must take some measures to verify the information, and the steps taken must be appropriate given the level of ML/TF risk.
How does a reporting entity identify the beneficial owner of a customer?
To identify the beneficial owner of a customer, a reporting entity should establish and understand the ownership or control structure of the customer. In most cases, the reporting entity can request information from the customer. A reporting entity may also need to enquire further into a complex ownership or control structure.
Examples of information that may assist a reporting entity in identifying a beneficial owner of a customer include:
- a certificate of incorporation of a company with ASIC and/or an annual statement including the amendments submitted to ASIC
- a trust deed
- a partnership agreement
- the constitution and/or certificate of incorporation for an incorporated association
- the constitution of a registered co-operative.
The following are examples of the processes a reporting entity may undertake to identify a beneficial owner of a company and a trust.
Example: identifying the beneficial owner of a company
ABC Pty Ltd applied to receive a designated service from a reporting entity. To identify the beneficial owner of ABC Pty Ltd, the reporting entity requests the customer to provide certified copies of its most recent ASIC annual statement including any amendments. This statement includes information regarding ABC Pty Ltd's ultimate holding company, office holders, company share structure and members.
The company structure and shareholders listed in the ASIC annual return for ABC Pty Ltd are as follows:
Mr Smith owns more than 25 per cent of the issued share capital in ABC Pty Ltd and therefore is a beneficial owner of the entity.
In the event that the company ownership was not concentrated with one person holding 60%, and it could not be identified that a single person owned (or controlled, such as through voting rights or other means) 25% or more of the shares, then under the provisions in 4.12.9, Mr Jones may be the beneficial owner by virtue of his control of the company through making decisions about the financial and operating policies on a day-to-day basis. In that instance, Mr Jones should be identified as the beneficial owner, according to the customer identification procedures for individuals. In some cases, it may be appropriate to ascertain both ownership and control (for example with higher risk customers or where there are concerns relating to ownership information).
The reporting entity must identify:
- ABC Pty Ltd, in accordance with the customer identification procedures for a company.
- Mr Smith, according to the customer identification procedures for individuals.
Example: Identifying the beneficial owner of a trust
JJG Pty Ltd applied to receive a designated service from a reporting entity. To identify the beneficial owner of JJG Pty Ltd (which is the customer), the reporting entity may request that the customer provide certified copies of its most recent ASIC annual statement and any amendments. These documents show that Brian Jones and Margaret Jones are the directors and the two equal shareholders of JJG Pty Ltd.
Because JJG Pty Ltd is the corporate trustee on behalf of the Jones Family Trust, the reporting entity must identify and verify certain information about JJG Pty Ltd’s trust arrangement with the Jones Family Trust in accordance with the trustee requirements under Part 4.4. JJG Pty Ltd provides the reporting entity with a certified copy of the trust deed which outlines the arrangements for the trust, as follows:
- The beneficiaries of the Jones Family Trust are:
- Margaret Jones
- Constance Jones
- Horatio Jones
- The settlor of the trust is Mr William Smith, the accountant for the Jones family.
According to the trust deed, Margaret Jones is the 'appointor' of the Jones Family Trust. In this case, the reporting entity has assessed Margaret Jones as being the beneficial owner of the Jones Family Trust because she can exercise control in her capacity as the appointer. An appointor holds the power to appoint or remove the trustees who exercise the various trust powers.
Reporting entities should note that in the absence of an appointor, another person may be the beneficial owner if that person owns or controls (directly or indirectly) the customer of the reporting entity, in this case JJG Pty Ltd.
The reporting entity must, at a minimum:
- collect and verify certain information from JJG Pty Ltd, as the trustee on behalf of the Jones Family Trust, in accordance with the reporting entity’s customer identification procedures for a company under Part 4.3
- collect the full names of all beneficiaries of the Jones Family Trust (that is, Margaret Jones, Constance Jones and Horatio Jones)
- identify Margaret Jones, as the beneficial owner of the Jones Family Trust, in accordance with the beneficial owner customer identification procedures at 4.12.1.
- collect and verify the full name of Mr William Smith, as the settlor of the trust – unless:
- the material asset contribution to the trust by Mr Smith (as the settlor) at the time the trust is established is less than $10,000; or
- at the time of undertaking customer identification procedures Mr Smith is deceased; or
- the trust is verified using the simplified trustee verification procedure (see paragraph 4.4.8 of the AML/CTF Rules).
What process should a reporting entity take if it is unable to identify the beneficial owner of a customer?
In some cases, a reporting entity may not be able to determine the beneficial owner of a customer, such as where no person owns 25 per cent or more of the customer or where there is not an individual exercising control of the customer.
In these cases, a reporting entity is required to identify and take reasonable steps to verify an alternative individual as described below (also refer to paragraph 4.12.9 of the AML/CTF Rules).
The customer is a company or a partnership:
A reporting entity should attempt to identify an individual in the following order:
- an individual who can exercise 25 per cent or more of the voting rights, including the power to veto. The power to exercise voting rights may be direct or indirect, including where the individual is entrusted with, or has significant influence over, the exercise of the voting rights.
If the reporting entity cannot identify the above individual:
- any individual who holds the position of senior managing official (or equivalent).
The customer is a trust:
A reporting entity should attempt to identify any individual who holds the power to appoint or remove the trustees of the trust. This role is usually described as the appointor, but may also be called the 'custodian' or 'principal', and should be noted in the trust deed.
The customer is an association or a registered co-operative:
- A reporting entity should attempt to identify an individual in the following order:
- It should attempt to identify any individual who can exercise 25 per cent or more of the voting rights, including a power to veto.
- If the reporting entity cannot identify the above individual, it should attempt to identify any individual who would be entitled to 25 per cent or more of the property of the association or registered cooperative if it were dissolved.
- If the reporting entity cannot identify an individual described in 1 or 2 above, it should attempt to identify any individual who holds the position of senior managing official.
What are the exceptions to the beneficial ownership obligations?
A reporting entity is not required to determine the beneficial owner of a customer if the customer is:
- a company which has been verified under the simplified company verification procedure under paragraph 4.3.8 of the AML/CTF Rules
- a trust which has been verified under the simplified trustee verification procedure under paragraph 4.4.8 of the AML/CTF Rules
- an Australian Government Entity
- a foreign-listed public company that is subject to beneficial ownership disclosure requirements that are comparable to the requirements in Australia.
Where a customer is an individual, the reporting entity is entitled to assume that the customer and the beneficial owner are the same - that is, there is no other individual that controls the customer, unless the reporting entity has reasonable grounds to consider otherwise. For example, if the reporting entity learns that the customer is being influenced or controlled by a third party, the reporting entity will need to identify and verify the identity of the third party (because they are a 'beneficial owner' of the individual).
Note : The exceptions to the beneficial ownership obligations only apply to the customer of the reporting entity.
If the customer is not one of the four customer types listed above, the reporting entity must identify the beneficial owner of the customer in accordance with the requirements of Part 4.12 of the AML/CTF Rules.
The exceptions to the beneficial ownership obligations do not apply to the beneficial owner(s) of a customer.
What are the safe harbour procedures for verifying the beneficial owner of a customer?
A reporting entity may follow the documentation or electronic based safe harbour procedures to verify the beneficial owner of a customer assessed as being of medium or lower ML/TF risk.
The safe harbour procedures do not include sufficient verification procedures for high ML/TF risk customers, including foreign PEPs.
The documentation-based safe harbour procedures involve:
- verifying the beneficial owner's full name and full residential address or date of birth (or both) using
- an original or certified copy of a primary photographic identification document, or
- an original or certified copy of a primary non-photographic identification document; and
- an original or certified copy of a secondary identification document; and
- verifying that the documentation has not expired (other than a passport, which may be used if it expired within the preceding two years).
Alternatively, a reporting entity may rely on an electronic-based safe harbour procedure where:
- a beneficial owner's full name; and
- their full residential address or their date of birth, or both
have been verified from reliable and independent electronic data from at least two separate data sources. Reporting entities may verify an individual's identity electronically by using records held by a credit reporting agency.
Using disclosure certificates to identify the beneficial owner of a customer
In addition to the verification procedures set out above, a reporting entity may be able to rely on a 'disclosure certificate' to verify information about a beneficial owner of a customer where such information is not otherwise available.
A disclosure certificate is provided by the customer and must contain the information set out in chapter 30 of the AML/CTF Rules.
Reporting entities must have risk-based systems and controls in place to respond to any discrepancies that may arise while verifying customer or beneficial ownership information. This may include collecting additional information from the customer.
For example, a discrepancy may arise where:
- the name on a customer's passport does not match the name the customer provides to the reporting entity
- the name of a director provided by the company does not match any current director's name appearing on the company search extract.
The Document Verification Service (DVS) is a secure, national, real-time, on-line, electronic document verification system managed by the Commonwealth Attorney-General’s Department (AGD).
The DVS provides authorised organisations, such as reporting entities, with a means to electronically match identifying information or credentials on certain government-issued identity documents directly with the issuing government organisation (whether Commonwealth, State or Territory). This allows reporting entities to check that the identity document presented by an individual is current or valid (for example, the document has not expired, been cancelled, is lost or stolen).
For more information please go to the Document Verification Service and individual customer and beneficial owner identification page.
Who is a politically exposed person?
Politically exposed persons (PEPs) are individuals who occupy a prominent public position or function in a government body or international organisation, both within and outside Australia. This definition also extends to their immediate family members and close associates.
Chapter 1 of the AML/CTF Rules defines three categories of PEPs:
- Domestic PEPs are individuals who hold a prominent public position or function in an Australian government body
- Foreign PEPs are individuals who hold a prominent public position or function in a government body of a foreign country.
- International organisation PEPs are individuals who hold a prominent public position or function in an international organisation.
The AML/CTF Rules definition of PEPs is not intended to be an exhaustive list of the type of PEPs that should be subject to identification and verification and risk management by reporting entities. Individuals not listed in the definition may be considered to be a PEP by reporting entities if they are entrusted with a prominent public position or function in a government body or international organisation.
This guide also includes detailed explanations of many of the key terms used in the AML/CTF Rules in relation to PEPs – see Key terms used in the AML/CTF Rules definition of PEPs page.
When does a person cease to be considered a PEP?
As described above, a PEP is someone who occupies a prominent public position. Once a person no longer holds that position, they are no longer considered a PEP. However, a reporting entity should continue to apply a risk-based approach to determine whether an existing customer who is no longer a PEP should continue to be treated as a high-risk customer.
Higher risk PEPs are also more likely to continue to pose a ML/TF risk after they cease holding a public position. As such, reporting entities may choose to undertake enhanced customer due diligence (ECDD) for a longer period for a former PEP under the ECDD provisions in Chapter 15 of the AML/CTF Rules.
Money laundering and terrorism financing risk associated with PEPs
Due to their position and influence it is recognised that many PEPs are in positions that potentially can be abused for money laundering and related predicate offences, including corruption and bribery, as well as activity related to terrorism financing. The potential risks associated with PEPs justify the application of additional AML/CTF measures to prevent and detect this conduct.
However, it is noted that if a person is a PEP, this does not mean that there is an automatic link to criminal activities or abuse of the financial system. The additional AML/CTF measures applied in the case of PEPs are preventative, and should not be interpreted as stigmatising PEPs as being involved in criminal activity; rather these measures recognise the increased risk, including opportunity, associated with holding this type of role.
Risks associated with different categories of PEPs
Reporting entities must automatically treat all foreign PEPs as high-risk customers.
Domestic PEPs and 'international organisation' PEPs may also be considered to be high risk depending on the circumstances. Reporting entities should conduct a risk assessment on domestic and international organisation PEPs before deciding whether to apply their ECDD program to these customers.
Effective due diligence and risk assessment processes enable reporting entities to identify customers who are PEPs. These processes also support the entity's ongoing transaction monitoring. A reporting entity is better able to detect suspicious transactions or behaviour if it is aware that a customer is a PEP and is aware of the increased AML/CTF risks associated with PEPs. This knowledge will also enable a reporting entity to better understand what is normal, legitimate financial behaviour for a PEP customer and identify unusual or suspicious activity by that customer.
Not all PEPs present the same AML/CTF risk. If a PEP undertakes transactions of the type that would normally be undertaken by non-PEP customers, and there is no evidence to suggest the funds came from an unusual source, a reporting entity's normal procedures may be sufficient to mitigate the ML/TF risk. For example, normal procedure may involve asking the customer general questions about the transaction and documenting the responses as normal.
In some circumstances reporting entities should consider obtaining further information from a PEP and seek more documentary evidence to verify the information provided. For example:
- where the jurisdiction that appointed the PEP is a higher risk jurisdiction
- where the funding for the transaction is substantial or from an unusual source
- where the type of transaction is a higher risk transaction; for example, a large cash transaction.
A reporting entity must have procedures to identify whether any individual customer or beneficial owner is a PEP, or an associate of a PEP. The reporting entity must undertake this identification process before it provides the customer with a designated service, or as soon as practicable afterwards (refer to Part 4.13 of the AML/CTF Rules).
The term 'as soon as practicable' has not been defined in the AML/CTF Rules in order to allow reporting entities to carry out the procedures in a manner which is appropriate to the particular circumstances of each customer.
The AML/CTF Rules have different requirements for:
- medium or lower ML/TF risk domestic and international organisation PEPs; and
- all foreign PEPs, and high ML/TF risk domestic and international organisation PEPs.
Determine whether a customer or beneficial owner is a PEP
A reporting entity must have risk-based procedures to determine whether a customer is a PEP.
These procedures may include:
- checking the customer's background through an internet search
- consulting reports and databases released by various organisations that specialise in analysing corruption risks.
If the reporting entity needs to conduct more thorough checks, or if there is a high likelihood of a reporting entity having customers who are PEPs, the reporting entity may find that subscribing to a specialist PEP database is an appropriate risk mitigation tool.
AUSTRAC notes, however, that over-reliance on such databases may increase the risk that reporting entities will wrongly assume that if a customer's name is not in the database, then the customer is not a PEP. Reporting entities should also be aware that commercial databases can have limitations – for example, these databases:
- may not be as comprehensive or reliable as is believed
- may not align with the PEP definition used in Australia if it is a 'global' database
- may not include certain names or may exclude certain categories of PEPs
- may contain inconsistent transliterations and spellings of names which may affect a reporting entity's ability to match names.
If a customer is a medium or lower ML/TF risk domestic or international organisation PEP
For domestic PEPs or international organisation PEPs that are beneficial owners of a customer, a reporting entity must carry out the customer identification and verification procedures which apply to individuals.
Generally, domestic or international organisation PEPs may be considered to be of lower ML/TF risk, but this cannot be assumed – reporting entities must use their risk-based procedures to decide whether a PEP is of higher ML/TF risk.
If a customer is a foreign PEP or a high ML/TF risk domestic or international organisation PEP
For foreign PEPs or high ML/TF risk domestic PEPs who are beneficial owners, a reporting entity must carry out the customer identification and verification procedures which apply to individuals.
A reporting entity is also required to:
- obtain senior management approval before establishing or continuing a business relationship with the customer and before providing, or continuing to provide, a designated service to the customer
- take reasonable measures to establish the customer's source of wealth and source of funds
- comply with enhanced customer due diligence requirements under Chapter 15 of the AML/CTF Rules.
Responding to any discrepancies
Regardless of whether a PEP is a domestic, international organisation or foreign PEP, a reporting entity must have risk-based systems and controls to respond to any discrepancies they discover while verifying a PEP's identity. These systems and controls should enable the reporting entity to be reasonably satisfied that the PEP is the person they claim to be.
Ongoing transaction monitoring
For all foreign PEPs and high risk domestic or international organisation PEPs, reporting entities should closely monitor the transactions conducted by that customer. If a reporting entity suspects that a transaction undertaken by a PEP involves funds that are the proceeds of corruption or other criminal activity, it must submit an SMR to AUSTRAC.
A reporting entity's ongoing customer due diligence (OCDD) procedures should consider whether any of its existing customers have become PEPs since they originally became a customer. If an existing customer does become a PEP, the reporting entity is required to update the customer's status, undertake enhanced customer due diligence and adjust its transaction monitoring processes. A reporting entity may be alerted to a customer's change in status by changes to the customer's business or occupation.
Effective due diligence and risk assessment procedures put in place by reporting entities not only identify persons who are PEPs, but will also assist reporting entities to detect any suspicious transactions or customer behaviour related to money laundering and related predicate offences.
Further guidance on monitoring transactions and customer behaviour is available in the FATF Guidance, Politically Exposed Persons (Recommendations 12 and 22), and in the AUSTRAC strategic analysis brief, PEPs, corruption and foreign bribery.
In some cases, reporting entities may consider that the AML/CTF Rules requirements relating to PEPs are inconsistent with obligations imposed upon them by other legislation, in particular, the provision of a designated service.
For example, Part 4.13 of the AML/CTF Rules requires 'senior management approval' where the risk is high for domestic and international PEPs and for all foreign PEPs, in regard to whether a business relationship should commence or continue or whether a designated service should be provided or continue to be provided.
In this instance, the AML/CTF Rules impose an obligation (the involvement of senior management), but the decision to discontinue or not provide a designated service to the PEP is made by the reporting entity.
In situations where a reporting entity is required to perform an action under legislation that, for example, relates to the acceptance or cashing out of superannuation contributions to a high-risk domestic or international PEP or a foreign PEP, the reporting entity, after it has obtained management approval to accept or cash out the superannuation contributions to the PEP, and complied with its other AML/CTF Program obligations, may consider providing a suspicious matter report to AUSTRAC about that customer.
As the AML/CTF Rules do not prevent a reporting entity from providing a designated service AUSTRAC considers that there is no conflict between the Rules and a Commonwealth law which requires the provision of a designated service.
The definition of 'sensitive information' in the Privacy Act 1988 includes information or an opinion about an individual's political opinions or membership of a political association (see section 6(1) of that Act). In identifying or verifying a customer who is a PEP, a reporting entity may find that it collects this type of sensitive information about the PEP.
Sensitive information is generally afforded a higher level of privacy protection under the Australian Privacy Principles than other personal information. This recognises that inappropriate handling of sensitive information can have adverse consequences for an individual or those associated with the individual.
Special circumstances and exemptions may apply for customer identification procedures for:
- pre-commencement customers
- customer identification procedures carried out by another reporting entity
- low-risk services
- the gambling sector.
Pre-commencement customers are customers who received a designated service before identification procedures became mandatory (that is, before 12 December 2007). Reporting entities are not required to identify and verify these pre-commencement customers for any new or existing designated services they receive. However, these customers are subject to OCDD requirements, including transaction monitoring and enhanced customer due diligence.
If a suspicious matter reporting obligation arises for a pre-commencement customer, a reporting entity must, within 14 days, take one or more of the following actions so it can be reasonably satisfied the customer is the person they claim to be:
- carry out the customer identification procedure for the customer, unless the reporting entity previously carried out the procedure or a comparable procedure for the customer
- collect any customer information about the customer
- verify from a reliable and independent source, customer information obtained about the customer.
Reliance on customer identification procedures carried out by another reporting entity
A reporting entity may rely on a customer identification procedure carried out by another reporting entity about a common customer. Currently, there are two situations when this can occur:
- if a licensed financial adviser, who provided an item 54 designated service to the customer (table 1, section 6 of the AML/CTF Act), arranges for the customer to receive a designated service from a second reporting entity
- if a customer of one member of a DBG:
- becomes a customer of another member of the DBG; and
- is required to undergo the applicable customer identification procedure.
In both cases, the second reporting entity can rely on the customer identification procedures conducted by the first reporting entity if the second reporting entity:
- obtains a copy of the record of the customer identification made by the first reporting entity or has access to the record under an agreement about managing identification records; and
- determines it is appropriate for it to rely on the customer identification procedure conducted by the first reporting entity, given the ML/TF risk of the designated service it will provide the customer.
Customer identification procedures for low-risk designated services
The AML/CTF Rules can specify a designated service as 'low risk'. In this case, a reporting entity is not required to conduct customer identification procedures for a customer receiving that service unless a suspicious matter reporting obligation arises for that customer.
The AML/CTF Rules do not currently specify any such low risk services.
Exemptions for the gambling sector
Exemptions from the normal customer identification requirements for the gambling sector apply to:
- oncourse bookmakers
- totalisator agency boards (TABs)
- controllers of gaming machine venues
- providers of accounts for online gambling services.
Under the AML/CTF Rules, certain gambling designated services are exempt from the normal customer identification procedures. Depending on the services provided, the exemptions include total exemptions from the identification procedures, or exemptions that apply to transactions valued below certain threshold amounts.
Other exemptions in relation to customer procedures
Exemptions from the customer requirements may be:
- general exemptions provided under the AML/CTF Act (table 2); or
- enacted by AML/CTF Rules (table 3).
The tables below summarise these exemptions and refers to the relevant section of the AML/CTF Act or chapter of the AML/CTF Rules.
Table 2: General exemptions from the customer requirements
|AML/CTF Act provision||
Description of exemption
Foreign permanent establishment
The customer identification/verification procedures and OCDD requirements do not apply to a designated service provided by a reporting entity at or through a permanent establishment of the entity in a foreign country.
Purchase of a new pension or annuity
Superannuation contribution, roll-over or transfers
Retirement Savings Account (RSA) contribution roll-over or transfer
The customer identification/verification procedures do not apply to a designated service covered by items 40, 42 or 44 (table 1, section 6 of the AML/CTF Act).
Note that the OCDD obligations (under Division 6 of the AML/CTF Act) do apply to designated services offered under items 40, 42 and 44 of the AML/CTF Act.
Item 54 providers arranging for item 40, 42 or 44 designated services
The applicable customer identification/verification procedures and OCDD requirements do not apply to a designated service covered by item 54 (table 1, section 6 of the AML/CTF Act) if the service relates to arrangements for a person to receive a designated service covered by items 40, 42 or 44 (table 1, section 6 of the AML/CTF Act).
Table 3: AML/CTF Rules that provide exemptions from customer identification requirements
Chapter of the AML/CTF Rules
Title of chapter
Thresholds for certain designated services:
Applicable customer identification procedures in certain circumstances - assignment, conveyance, sale or transfer of business
Applicable customer identification procedure for purchases and sales of bullion valued at less than $5,000
Exemption from applicable customer identification procedures for correspondent banking relationships
Exemption from applicable customer identification procedures for the sale of shares for charitable purposes
Exemption from applicable customer identification procedures - premium funding loans for a general insurance policy
Cashing out of superannuation funds low balance accounts
International Uniform Give-up Agreements
Exemption from applicable customer identification procedures in certain circumstances:
Applicable customer identification procedures in certain circumstances - compulsory partial or total transfer of business made under the Financial Sector (Business Transfer and Group Restructure) Act 1999