Reliance under customer due diligence arrangements (Reform)
Learn about reliance under a customer due diligence (CDD) agreement or arrangement.
A reliance agreement or arrangement (CDD arrangement) is ongoing. It allows you to rely on know your customer (KYC) information that’s been collected and verified by a third-party reporting entity or a foreign business subject to anti-money laundering and counter-terrorism financing (AML/CTF) regulation.
This guidance will help you determine if it’s appropriate to enter into a CDD arrangement, and what you must do if you enter into a CDD arrangement.
Important information:
It’s a criminal offence to disclose certain types of information to another person, where it would or could reasonably be expected to prejudice an investigation.
Learn more about tipping off.
Who can enter into a CDD arrangement
This section refers to Rules section 6–29.
The third party you enter into a CDD arrangement with must be either a:
- reporting entity
- person regulated under laws in a foreign country that give effect to the Financial Action Task Force (FATF) recommendations relating to CDD and record keeping.
What to consider before entering into a CDD arrangement
An ongoing reliance agreement or arrangement must be appropriate to the money laundering, terrorism financing and proliferation financing risks (we refer to these as ML/TF risks) you may reasonably face in providing designated services, considering the:
- nature, size and complexity of the third party’s business
- products and services the third party provides
- delivery channels the third party uses to provide services
- kinds of customers the third party provides services to
- countries where the third party operates or is a resident.
It’s important to consider whether the third party:
- has appropriate measures in place to comply with its AML/CTF obligations
- implements these measures in practice.
You can assess this based on information reasonably available to you, such as:
- responses to questions you ask the third party about their record keeping and CDD systems and controls
- the findings of any independent evaluations
- the existence of any adverse media reporting
- any published disciplinary action by regulators.
Before entering into a CDD arrangement, we expect that both parties agree on the standards of CDD to be carried out and relied upon, as appropriate to a customer’s ML/TF risk.
Important note:
The third party’s ML/TF risk assessment and AML/CTF policies may not match your own. For example, your identification of the customer’s ML/TF risk may be different to that identified by the reliable third party. This might be because the customer poses a different level of risk to your businesses. For example, you may be providing the customer with different designated services or providing the services in a different way.
You must conduct initial CDD, including enhanced CDD if required, in a manner that’s appropriate to the ML/TF risks that the customer presents to your business. Otherwise, you’re unlikely to be able to demonstrate that the CDD arrangement is appropriate to the risks you may face.
You must also make sure you are complying with your privacy obligations before disclosing KYC information to a third party. Learn more about your obligations under the Privacy Act at the Office of the Australian Information Commissioner.
Relying on a third party in a foreign country
This section refers to the Rules section 6–29.
If you want to rely on a reliable third party that’s not located in Australia and isn’t a reporting entity under the Act:
- the third party must be regulated under laws in a foreign country that give effect to the FATF recommendations relating to CDD and record keeping (equivalent obligations)
- you must consider the country where the third party operates or is a resident.
We expect you to consider the ML/TF risks of that country when deciding if a CDD arrangement is appropriate.
The Financial Action Task Force (FATF) is responsible for setting the international standards that aim to prevent ML/TF and the harm these activities cause to society. The FATF monitors countries to make sure they implement the FATF standards fully and effectively. It holds countries that don’t comply to account.
Learn more about managing risk and assessing foreign jurisdictions for reliance.
What must be included in a CDD arrangement
This section refers to Rules section 6–29(1).
Your CDD arrangement for reliance must include provisions that:
- set out the responsibilities of each party, including for record keeping
- enable you to obtain all the KYC information collected by the third party before you begin to provide a designated service or, if applicable, within the required timeframe for delayed initial CDD to be completed
- enable you to get copies of the independent and reliable data the other party used to verify the customer’s KYC information immediately or as soon as practicable after you request it.
What is ‘as soon as reasonably practicable’ will depend on factors such as the nature of the product and delivery channels. However, we would not expect to see delays beyond one business day for providing information following a request.
If customers can rapidly conduct several higher-risk transactions, it may be appropriate for information to be available:
- immediately (such as under IT systems permitting real-time access)
- within minutes of a request.
For an ordinary lower-risk service, such as a personal savings account used for day-to-day transactions, your CDD arrangement could provide for up to one business day for the reliable third party to respond to a request.
Documenting CDD arrangements
This section refers to the Act section 37A and the Rules section 5–5(1)(f).
Your CDD agreement or arrangement must be in writing. You can decide how it’s documented, for example in:
- a legally binding contract
- a memorandum of understanding (MOU)
- standard operating procedures
- another written document.
Whichever format your CDD arrangement takes, you must make sure it complies with the Rules.
A senior manager must approve any CDD agreement or arrangement you enter into.
It’s important that you have sufficient evidence, such as by keeping written records, to show that:
- it was appropriate to rely on that third party
- your CDD arrangement received the appropriate level of approval.
Reliance and more than one third party
There are no restrictions on the number of CDD arrangements you can enter into. You may enter into a CDD arrangement with more than one other reporting entity or foreign equivalent, for example through a multi-party arrangement.
A group of relying reporting entities under a multipartite arrangement may agree on a process for assessing CDD arrangements. However, each reporting entity remains individually responsible for:
- identifying the ML/TF risk of the customer seeking the designated service
- making sure the CDD arrangement complies with the Act and Rules
- determining that the CDD is appropriate. For example, making sure the CDD requirements in the Act and Rules are met and continue to be met by each reliable third party
- conducting regular assessments of the CDD arrangement
- documenting this assessment.
We expect that a significant change affecting reliance on one or both of the reliable third parties will trigger a review of the CDD arrangement.
Regular assessments of CDD arrangements
This section refers to the Act sections 37A and 37B and the Rules section 6–30.
If you enter into a reliance agreement or arrangement, while it’s in force you must:
- conduct regular assessments of the agreement or arrangement
- prepare a written record within 10 business days after the day you complete each assessment.
You must conduct your own initial CDD on a customer if, after completing an assessment, you’re not satisfied that the agreement or arrangement complies with the Rules.
The assessment is to make sure that the arrangement still meets the requirements of the Rules.
Assessments of CDD arrangements must be conducted:
- at least every 2 years or more regularly as appropriate, considering the type and level of ML/TF risks you face
- if there’s a significant change in circumstances that may affect whether the CDD arrangement meets the requirements of the Rules.
If you become aware (or should reasonably have been aware) of new developments that materially affect the basis of your most recent assessment, we expect you to immediately begin reviewing the arrangement to make sure it continues to meet the requirements of the Rules.
Information that may indicate a significant change includes:
- publication of adverse regulatory findings against the third party
- adverse media against the third party
- any significant changes in the third party’s ML/TF risk profile
- the outcomes of a recent independent evaluation
- failure to complete remedial action on CDD issues
- open-source information indicating a significant change in the domestic ML/TF or other serious crime environment in the country where the third party is based
- changes in ownership or control of the third party that may affect its risk profile. For example, if it’s likely that a new owner is a politically exposed person in a jurisdiction with higher bribery and corruption risks or could be an entity designated for targeted financial sanctions.
If the relied-on third party is in a foreign country, you can identify any changes in the country profile using available information such as:
- updates of FATF countries’ Mutual Evaluation Reports
- FATF public statements
- other reliable and independent country assessments such as Transparency International’s Corruption Perceptions Index
- relevant reports and databases on corruption risk published by specialised national, international, non-governmental and commercial organisations
- other open-source information such as reputable news reports and information about developments in the country.
Learn more about managing risk and assessing foreign jurisdictions for reliance.
The outcomes of your assessment will help you decide whether to continue, suspend or terminate the agreement or arrangement.
Failure to conduct regular assessments may result in civil penalties.
This guidance sets out how we interpret the Act, along with associated Rules and regulations. Australian courts are ultimately responsible for interpreting these laws and determining if any provisions of these laws are contravened.
The examples and scenarios in this guidance are meant to help explain our interpretation of these laws. They’re not exhaustive or meant to cover every possible scenario.
This guidance provides general information and isn't a substitute for legal advice. This guidance avoids legal language wherever possible and it might include generalisations about the application of the law. Some provisions of the law referred to have exceptions or important qualifications. In most cases your particular circumstances must be taken into account when determining how the law applies to you.