Overview of reliance on customer identification by a third party (Reform)

Learn when you can rely on know your customer (KYC) information that’s been collected and verified by a third-party reporting entity or a foreign business subject to anti-money laundering and counter-terrorism financing (AML/CTF) regulation. This is known as ‘reliance’.

This page refers to the Act sections 37A and 38 and the Rules sections 6-29 and 6-31.

Important information:

It’s a criminal offence to disclose certain types of information to another person, where it would or could reasonably be expected to prejudice an investigation.

Learn more about tipping off.

Reliance provisions overview

You can use reliance either: 

  • under an ongoing agreement or arrangement
  • on a case-by-case basis.

The third party you rely on must be either a:

Reliance must be appropriate to the money laundering, terrorism financing, and proliferation financing risks (we refer to these as ‘ML/TF risks’) you may reasonably face in providing designated services, considering the:

  • nature, size and complexity of the third party’s business
  • products and services the third party provides
  • delivery channels the third party uses to provide services
  • kinds of customers they provide services to
  • countries where they operate or are a resident.

Why you might choose to use reliance

There may be instances where your customer is also dealing with another reporting entity in relation to a designated service. For example, your customer may be using services from you and another reporting entity in the same transaction, such as a: 

  • conveyancer and a bank in a real estate transfer
  • lawyer and an accountant when setting up a company
  • customer holding accounts with multiple financial institutions.

In these scenarios, the requirement to collect and verify information multiple times can be inconvenient for customers, particularly when several entities are requesting the same information. 

Reliance in appropriate situations can also help reduce the costs of undertaking initial customer due diligence (CDD).

Reviewing existing CDD arrangements with a third party

Any agreements or arrangements in place prior to the amendments to the Act coming into effect on 1 July 2026 will need to be reviewed to make sure they meet the requirements of the Act and Rules.

Reliance and outsourcing

Reliance isn’t the same as outsourcing or agency arrangements.

Reliance doesn’t include a KYC or outsourced service provider because these entities aren’t subject to oversight and supervision under Australia’s AML/CTF laws. 

You may outsource some of your functions to third parties to help you comply with your AML/CTF obligations. These third parties don’t need to be reporting entities. 

In an outsourcing arrangement, you’ll remain liable for any breaches of CDD and record keeping obligations. 

Learn more about outsourcing to help meet your obligations.

Dealing with reliance in your AML/CTF policies

This section refers to the Act sections 26F and 38.

If you use reliance, we expect your AML/CTF policies to set out:

  • how you’ll use reliance
  • when it’s appropriate to use reliance
  • how you will conduct assessments of any reliance arrangements to ensure they continue to meet the requirements of the Rules. 

We expect that your AML/CTF policies set out the steps you’ll take to ensure the third party:

  • has appropriate measures in place to comply with its AML/CTF obligations
  • implements these measures in practice. 

It’s important that you have sufficient evidence to show it was appropriate to rely on that third party, such as keeping written records.

Examples: Reliance in practice

Example: entering and resolving issues under a CDD arrangement within Australia

Eclipse Services Pty Ltd (Eclipse) and Luna Limited (Luna) are unrelated reporting entities located in Australia. Eclipse often refers customers to Luna. 

To create a more efficient referral service and streamline the customer experience, they agree to enter into a CDD arrangement. This allows Luna to rely on KYC information that’s been collected and verified by Eclipse.

Before entering into the arrangement, Luna’s AML/CTF compliance officer assesses the risks associated with the CDD arrangement. They review Eclipse’s ML/TF risk assessment, and CDD and record keeping policies. They also review its latest independent evaluation which found no concerns in these areas.

The assessment concludes that there’s a moderate risk of relying on Eclipse because they identify some kinds of customers as lower ML/TF risk than Luna does. The compliance officer makes a recommendation to a senior manager in Luna to enter into a CDD arrangement with Eclipse, with the following controls in place:

  • Luna will request fortnightly samples of KYC information collected and verified by Eclipse of customers that fit certain risk profiles and validate them for accuracy
  • Luna will review the arrangement after one year, unless other circumstances trigger an earlier review.

Under the arrangement, Eclipse will provide the fortnightly samples within 24 hours of them being requested.

After the first month of sample reviews, Luna notices that most samples take several days to be provided and at least 2 aren’t provided at all. Luna conducts an immediate assessment to make sure Eclipse are meeting CDD requirements. Luna observes that Eclipse:

  • didn’t meet the requirements to collect and verify KYC information for corporate customers
  • couldn’t locate all its records for 5 of its individual customers.

Luna immediately stops relying on KYC information collected and verified by Eclipse. They also implement: 

  • steps to conduct their own initial CDD for all future referrals
  • a remediation program to ensure initial CDD is adequate for all affected referrals.

Given the good relationship between Eclipse and Luna and the commercial benefits of the arrangement, the 2 businesses work together to develop systems and controls to make sure they can meet the CDD and record keeping requirements. They also aim to enter into a new CDD arrangement in the coming months.

Example: resolving issues under a CDD arrangement with an entity outside Australia

Tallow Services (Tallow) is an offshore reporting entity that wants to refer its customers to Maroona, an Australian-based reporting entity. To support efficiencies in its referral service and streamline the customer experience, Tallow and Maroona agree to enter into a CDD arrangement. Maroona relies on KYC information that’s been collected and verified by Tallow.

Before entering into the arrangement, Maroona assesses the risks associated with the reliance. They review a range of resources, including the most recent FATF mutual evaluation report of the country Tallow operates in, which assesses the:

  • standard of AML/CTF laws and regulation Tallow is subject to
  • nature, scale and scope of ML/TF risks of the jurisdiction in which Tallow operates.

They also get copies of Tallow’s ML/TF risk assessment and AML/CTF policies, and results of a recent audit. They use this to consider what measures Tallow has in place to comply with CDD and record keeping requirements.

Maroona assesses the information and concludes that there’s a low risk of relying on Tallow. Maroona gets senior manager approval to enter into the arrangement.

Over the first 6 months of the arrangement, Maroona requests copies of the documentation associated with several new customers for whom Tallow has collected and verified KYC information. Maroona receives all of them promptly and they include all the required information.

One month later, Maroona notices through its news subscription with Tallow’s regulator that it just fined Tallow for historical systemic breaches of AML/CTF obligations. This includes breaches relating to CDD.

Maroona immediately suspends the CDD arrangement with Tallow. Maroona implements steps to collect and verify KYC information for all future referrals. They review the KYC information of all customers covered under the arrangement to make sure their identity information is up to date. 

Maroona also conducts an immediate assessment of whether the arrangement continues to meet the requirements of the Rules for reliance arrangements. Maroona also takes steps to understand the nature and breadth of the enforcement action against Tallow and finds that:

  • the last breach occurred 3 years ago
  • Tallow has since uplifted their CDD capabilities and has undertaken assurance processes to confirm that they’re compliant with their obligations.

Tallow and Maroona decide to modify the existing CDD arrangement, to only use reliance for new Maroona customers. Maroona decides to conduct interim reviews every 3 months to make sure breaches aren’t occurring. 

Example: rectifying issues identified under the CDD arrangement processes 

Glastonbury Services Limited (Glastonbury) and Salisbury Plains Pty Ltd (Salisbury) are unrelated reporting entities. Glastonbury often refers customers to Salisbury. To support efficiencies in its referral service and streamline the customer experience, they decide to enter into a CDD arrangement. This allows Salisbury to rely on the KYC information collected and verified by Glastonbury.

Before entering into the arrangement, Salisbury assesses the risks associated with the reliance, including the standard of Glastonbury’s measures to comply with its CDD and record-keeping requirements. The assessment concludes that there’s a low risk of relying on Glastonbury, so Salisbury gets senior manager approval to enter into the arrangement.

After the first year of the agreement, Salisbury decides to conduct a comprehensive review of the agreement. They conclude that no issues of non-compliance are found, except for an isolated breach involving a customer using an expired driver’s licence.

Glastonbury immediately conducts a refresh of that customer’s identity with no issues of concern identified. Meanwhile, Salisbury reviews its systems and controls and provides additional training to the team responsible for KYC processes.

Example: identifying an isolated breach under case-by-case reliance

Centenary Pty Ltd (Centenary) and Worcester Pty Ltd (Worcester) are unrelated reporting entities. Centenary wants to refer a small number of customers to Worcester to receive a designated service.

They don’t expect these referrals to be ongoing so they don’t enter into an agreement. Instead, they decide to rely on KYC information collected and verified by Centenary on a case-by-case basis. Before they do this, Centenary provides Worcester with its:

  • AUSTRAC enrolment details as evidence that it’s a reporting entity
  • relevant sections of its AML/CTF policies relating to how it complies with the Act’s CDD and record keeping requirements
  • latest independent evaluation which found no concerns in these areas
  • ML/TF risk assessment which concludes that Centenary doesn’t operate in a high ML/TF risk environment.

Centenary also confirms that it:

  • stores all KYC information electronically
  • can provide any available documentation upon request by Worcester within 24 hours.

Worcester opens individual accounts for this group of customers after relying on the collection and verification of KYC information carried out by Centenary.

Three months later a law enforcement agency advises Centenary and Worcester that one of the customers is being investigated for tax evasion. This agency also reports that the customer has opened an account in a false name.

Both Centenary and Worcester provide AUSTRAC with suspicious matter reports. Worcester decides to review the KYC information of all the other referred customers and finds no issues of concern. Centenary reviews its KYC information collection and verification processes to establish how a person’s identity was verified when they used a false name. They discover that collection and verification wasn’t carried out for that customer and make changes to make sure it doesn’t happen again.

This guidance sets out how we interpret the Act, along with associated Rules and regulations. Australian courts are ultimately responsible for interpreting these laws and determining if any provisions of these laws are contravened. 

The examples and scenarios in this guidance are meant to help explain our interpretation of these laws. They’re not exhaustive or meant to cover every possible scenario.

This guidance provides general information and isn't a substitute for legal advice. This guidance avoids legal language wherever possible and it might include generalisations about the application of the law. Some provisions of the law referred to have exceptions or important qualifications. In most cases your particular circumstances must be taken into account when determining how the law applies to you.

Last updated: 16 Oct 2025
Page ID: 1317