Find out the roles of financial institutions when providing banking services to businesses that financial institutions assess as higher risk.

In recent years, some financial institutions have declined, withdrawn or limited banking services to customers in certain industry sectors due to factors such as commercial considerations, reputational risk and regulatory risk exposure. This is known as ‘debanking’ (or ‘derisking’) and it can have a devastating impact on legitimate businesses. 

It also reduces the capacity of Australia’s anti-money laundering and counter-terrorism financing (AML/CTF) framework to prevent and detect money laundering, terrorism financing and proliferation financing (we refer to these as ML/TF) and other serious crimes by discouraging transparency and potentially forcing customers into unregulated channels.

About this guidance

This guidance outlines a common understanding of the risk-based approach to AML/CTF regulation and the roles of financial institutions when providing banking services to businesses that financial institutions assess as higher risk. It also outlines approaches that affected businesses can consider when seeking or using banking services. For brevity, this guidance refers to both prospective customers and existing customers as ‘customers’.

Who this guidance is for

For financial institutions this guidance will:

  • reassure you that within the AML/CTF framework, financial institutions may provide services to businesses when you assess that the sector the business operates in is higher risk
  • clarify our regulatory expectations of financial institutions when assessing and providing services to these businesses
  • support financial institutions to apply appropriate risk identification, mitigation and management systems and controls when providing services to these businesses.

For businesses that financial institutions assess to be higher risk, including remitters, VASPs and financial technology (fintech) businesses, this guidance will help you to:

  • understand the types of information financial institutions may request when considering if your business is within their risk appetite
  • ensure that you’re prepared with the appropriate information when engaging with financial institutions whose services you wish to use.

Who is affected by debanking

Sectors affected by debanking include businesses providing services for the transfer or storage of value for underlying customers such as remitters, virtual asset service providers (VASPs) and some fintech businesses (for example, payment service providers).

Financial institutions may also consider other businesses, such as some not-for-profit organisations, the sex work industry, adult stores, gun shops and some cash-intensive businesses, to be higher risk for other reasons.

Without access to the formal financial system, customers may seek out unregulated channels. The risk of debanking may cause some customers to provide financial institutions with less information about the true nature of their business activities, which limits transparency and increases risk.

For the risk-based approach to work effectively, we expect both financial institutions and their customers to communicate openly and in good faith to ensure that the financial institution can be confident it understands the risks presented by the customer.

Transparency and a risk-based approach

Businesses seeking banking services must be transparent with financial institutions about the nature of their business. This can assist financial institutions to better understand the risks of dealing with the business, and more effectively mitigate the risks.

Ultimately, financial institutions’ engagement with customers reinforces the risk-based approach to combating ML/TF across the Australian economy more effectively than disengagement from risk.

We’re committed to financial inclusion and working with financial institutions to ensure that AML/CTF regulation appropriately and effectively mitigates ML and TF risks.

Read our statement on debanking

The role of financial institutions

The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (the Act) requires financial institutions to develop tailored AML/CTF policies that are proportionate to the level of ML/TF and serious crime risk they face in providing services to particular businesses.

Use a risk-based approach

Using a risk-based approach doesn’t require disengagement from risk or prevent financial institutions from establishing business relationships with higher-risk customers.

ML/TF risks associated with individual businesses in a given industry sector can vary significantly, even if the sector as a whole presents higher inherent risks. We expect financial institutions to assess and understand ML/TF risks presented by each customer. By using a risk-based approach with appropriate systems and controls in place, a financial institution can satisfy its AML/CTF obligations when providing designated services to customers across the range of ML/TF risk profiles.

A risk-based approach doesn’t imply a ‘zero failure’ approach to combating financial crime. Even if a financial institution implements appropriate risk-based systems and controls, we recognise that no reporting entity can reduce financial crime risk to zero.

Relevantly, it’s a defence to civil penalty proceedings for contravening the Act (including for ancillary contraventions set out in section 174 of the Act), if a reporting entity proves that it took reasonable precautions, and exercised due diligence, to avoid the contravention (section 236 of the Act).

Declining services

We recognise that financial institutions are commercial enterprises and may, subject to any other applicable laws, decline to provide designated services for commercial or other reasons, for example, where the financial institution’s business model is to provide specialised financial services targeted to specific sectors. However, there is no requirement in the Act or Rules to decline to provide designated services to whole industry sectors, notwithstanding a financial institution’s assessment of the industry sector’s relative risk.

Learn more about mitigating and managing your risks through AML/CTF policies

Application of privacy, human rights and other laws

Financial institutions are subject to a range of other laws that may be relevant to decisions about providing banking services to a customer, and throughout the course of the business relationship.

We encourage open communication between financial institutions and their customers. Customers will often provide sensitive information to financial institutions as part of financial institutions’ customer due diligence (CDD) including, in some circumstances, information that can materially affect a customer’s personal wellbeing if further disclosed. Some customers may be reticent in providing details to frontline staff or in an open environment due to these concerns. 

Privacy laws

In recognition of the potentially sensitive nature of the information disclosed as part of AML/CTF systems and controls, all reporting entities have obligations under the Privacy Act 1988. This includes the requirement to comply with the Australian Privacy Principles, even if they would otherwise be exempt from the Privacy Act. Open communication with customers about adherence with these obligations, and considerations of the channels available to provide information, may improve willingness to provide this information without omissions.

Anti-discrimination laws

Federal, state and territory anti-discrimination legislation may also apply to decisions about whether to start, continue or stop providing designated services. For example, as noted in the Replacement Explanatory Memorandum for the AML/CTF Act, the protection from liability under section 235 of the AML/CTF Act—where a reporting entity complies with the AML/CTF Act in good faith—isn’t intended to override anti-discrimination legislation, such as the Racial Discrimination Act 1975.

In keeping with our regulatory mandate, this guidance focuses on the AML/CTF Act and Rules. However, in applying this guidance, financial institutions should comply with all applicable obligations under other relevant legislation.

Assess the risks posed by each customer

Financial institutions must identify the ML/TF risks presented by each customer based on a reasonable understanding of the customer. Financial institutions must consider:

  • the nature of your business relationship with the customer
  • risks associated with the product or service being provided
  • the methods of delivering the designated service to the customer
  • any relevant foreign jurisdiction or geographic risks.

Your assessment of a customer’s ML/TF risk profile should be informed by:

  • your up-to-date enterprise-wide or group-level ML/TF risk assessment
  • any risk assessments and other relevant AUSTRAC guidance
  • ongoing monitoring of your customers’ activities
  • where applicable, any direct feedback you’ve received from us.

Risk is dynamic: where new or increased ML/TF risks are identified after the implementation of risk-based systems and controls, this should trigger a review to update the risk assessment and related systems and controls in your AML/CTF policies as appropriate. 

Taking a customer-specific approach to risk doesn’t require a unique process for each customer. Developing standard templates and processes for engaging with businesses in relevant sectors based on this guidance, to help gather the key information relevant to a customer’s specific risks, may assist financial institutions with keeping the costs of engagement to a reasonable level.

Third-party reviews

Some businesses may be in a position (or may be willing) to provide a third-party review and/or certification of their ML/TF risks, and AML/CTF systems and controls to a financial institution to assist with understanding the business’s risk profile. This isn’t a requirement of the AML/CTF regime, but could be discussed between the financial institution and business where a review by an agreed third party may make a difference in a decision to provide designated services.

Learn more about assigning customer risk ratings.

Conduct customer due diligence 

Generally, financial institutions must complete initial customer due diligence (CDD) or applicable customer identification procedures (ACIP) before providing designated services to customers (section 28 of the Act). The financial institution must establish on reasonable grounds that the customer is who they claim to be and must know who the customer’s beneficial owners are.

The level of due diligence financial institutions undertake should be appropriate to the assessed risk. Not all customers need to be subject to the same level of CDD, even if they operate in a sector that may present higher ML/TF risks.

Your AML/CTF program must enable you to:

  • understand the nature and purpose of your business relationship with your customers
  • consider the ML/TF risks arising from providing the designated service to the customer to determine whether to collect and verify additional know your customer (KYC) information.

Conduct ongoing and enhanced customer due diligence

Financial institutions must identify, mitigate and manage ML/TF risks throughout the course of a business relationship. The customer’s ML/TF risk profile may change over time, with changes in business models, management or the availability of new information.

Higher ML/TF risk doesn’t automatically mean that a financial institution must discontinue a business relationship. CDD measures, including transaction monitoring, should be proportionate to the ML/TF risks and done in accordance with the financial institution’s enhanced CDD policies and transaction monitoring policies.

Financial institutions must undertake ongoing CDD for all customers, including keeping KYC information up to date, as well as transaction monitoring (sections 30 of the AML/CTF Act and 6-35 of the Rules).

Enhanced customer due diligence

You must apply enhanced CDD when you determine that providing a designated service involves high ML/TF risk. As part of enhanced CDD, you:

  • may be required to seek senior manager approval to provide designated services to the customer, and
  • should record the final decision of senior management and the rationale.

The Rules don’t prescribe particular enhanced CDD measures to be undertaken in all cases. Your AML/CTF policies should set out the risk-based systems and controls to determine the appropriate measures to apply in the circumstances.

You also need to apply enhanced CDD when you suspect on reasonable grounds that you hold information relevant to the investigation of an offence, or have another suspicion referred to in section 41 of the Act. You must also submit a suspicious matter report (SMR). However, when you submit an SMR, the Act doesn’t automatically require you to stop providing services to a customer.

Protections for reporting entities

The Act also provides protections for reporting entities that comply with reporting obligations. When you’ve reported information to us in an SMR (as well as a threshold transaction report, international funds transfer instruction report or in response to a section 49 notice) you’re taken not to be in possession of that information at any time for the purposes of ML/TF and certain other offences against the Criminal Code (section 51 of the Act).

Special considerations for customers regulated by us

AUSTRAC-regulated businesses, including remitters, VASPs and some fintech businesses, can have particular inherent ML/TF risks due to: 

  • their underlying customers
  • the services they provide
  • the jurisdictions they facilitate money transfers to or from. 

However, as reporting entities themselves, they’re required to implement systems and controls to mitigate their ML/TF risks. Therefore, looking at the inherent risk associated with these industry sectors alone isn’t a complete picture of an individual business’s risk profile.

Residual ML/TF risks

It’s important that you consider the residual ML/TF risks presented by AUSTRAC-regulated businesses such as remitters, VASPs and some fintech businesses. Residual ML/TF risk is the ML/TF risk the business poses after you take into account the risk-based systems and controls that the business has put in place to mitigate its ML/TF risks. 

Financial institutions may also take into account any measures implemented by businesses that aren’t subject to AML/CTF regulation, either voluntarily or under other regulatory regimes, that are relevant to reducing their residual ML/TF risk.

What you do and don’t need to do

We don’t expect you to undertake a full compliance audit of your customer’s AML/CTF program (which sets out the risk-based systems and controls). You are also not required to redo the customer’s own ML/TF risk assessment. The level of due diligence you undertake should be appropriate to your understanding of the residual risk, developed during the establishment of the business relationship with the customer and throughout the course of the business relationship. 

The key question in assessing residual risk is: do the business’s measures to identify, mitigate and manage ML/TF risks appear to be reasonable?

ML/TF risk assessment

You must consider your ML/TF risk assessment and the risk of each customer individually in accordance with your AML/CTF program including the standard ML/TF risk factors set out in section 28(4) of the Act:

  • the kind of customer you will provide designated services to
  • the kinds of designated services you will provide, or propose to provide to the customer
  • the delivery channels you will use to provide designated services to the customer
  • the countries you deal with, or will deal with, in providing designated services to the customer
  • the matters (if any) specified in the AML/CTF Rules.

The specific factors set out in the following sections may also assist you to understand the residual ML/TF risks of remittance arrangements, VASPs, and AUSTRAC-regulated fintech businesses.

Registration with us

Remitters and VASPs, including fintech businesses, where they provide relevant designated services, are legally required to register with us unless specifically exempted.

When deciding whether to register or refuse an application we consider if registering a business would involve a significant ML/TF or other serious crime risk. Factors impacting this consideration include:

  • the operational readiness of the business to comply with the Act, the proposed resourcing in relation to the provision of the registerable services and the level of AML/CTF experience of key personnel
  • criminal offences key personnel have been charged with or convicted of
  • history of compliance or non-compliance with Commonwealth, state or territory, or foreign laws by the business and its beneficial owners or other associated persons
  • if a business has consented to becoming an affiliate of a remittance network provider (RNP)
  • the likelihood of conducting a business involving the provision of the registrable services.

Your customer’s AUSTRAC registration doesn’t remove the requirement for you to undertake initial and ongoing CDD. Registration must be renewed every 3 years but doesn’t represent a continual assessment of risk by us. In the absence of any significant ‘red flags’ which would suggest otherwise, you should consider the customer’s registration with us as one mitigating factor when assessing its ML/TF risks. ‘Red flags’ may include:

  • adverse media or information about key personnel associated with the business
  • evidence of phoenixing, for example, a business appears to have the same key personnel as a recently shut down business in the same sector
  • evidence that a business has changed ownership or key personnel shortly after AUSTRAC registration without a reasonable explanation.

Financial institutions may wish to ask a remitter or VASP for evidence of registration with AUSTRAC. In the case of remitters, you can verify that they appear on our Remittance Sector Register. If the business has recently changed owners or other key personnel, you could request evidence from the business that we’ve been notified of the change.

AUSTRAC-regulated businesses, including some fintech businesses, which don’t provide remittance or virtual asset services aren’t required to register with us. However, they must be enrolled on the Reporting Entities Roll. Foreign businesses without a permanent establishment in Australia aren’t required to register or enrol unless they operate a remittance network in Australia.

Up-to-date and tailored ML/TF risk assessment

All AUSTRAC-regulated businesses must have an enterprise-wide ML/TF risk assessment. Having an up-to-date risk assessment, tailored to the specific circumstances of the business, is essential to mitigating and managing ML/TF risks. Risk assessments must identify and document the ML/TF risks associated with the services they provide, recognising that not all services will present the same risks. 

Financial institutions may wish to request and review a copy of the customer’s ML/TF risk assessment to consider if it:

  • is up to date
  • on its face, reasonably reflects the business’s current business model and practices
  • is tailored to the particular services provided by the business.

If you have questions about a business’s ML/TF risk assessment after reviewing the documentation provided by the business, you may wish to speak to the business’s AML/CTF compliance officer or other senior manager to gauge their understanding of the ML/TF risks in their risk assessment. However, you only need to consider this on a risk basis, and it’s not required in all cases.

Appropriate AML/CTF systems and controls

All AUSTRAC-regulated businesses must have an AML/CTF program. AML/CTF programs must include AML/CTF policies to manage and mitigate the risks identified in the business’s ML/TF risk assessment. The steps a business takes to mitigate and manage its inherent ML/TF risks are central to determining the residual risk for a business.

We don’t expect relationship managers or frontline staff in financial institutions to have the expertise to review and assess a customer’s AML/CTF program. However, as part of CDD, it’s reasonable to ask if a regulated business has an AML/CTF program, how it was developed and to seek to understand the priority the business places on implementing it.

In some cases, you may wish to request a copy of the business’s AML/CTF program to consider if their systems and controls appear to be what you might reasonably expect to see based on the customer’s ML/TF risks.

AML/CTF program good practice

Examples of good practice could include AML/CTF programs that outline:

  • how a remitter’s transaction monitoring program applies to transactions involving higher-risk jurisdictions,
  • what due diligence remitters and VASPs undertake when establishing relationships with counterparty businesses in other jurisdictions, or
  • how a VASP uses blockchain analysis tools where they permit virtual asset deposits from, and withdrawals to, external wallets.

This list is illustrative only. It isn’t exhaustive and doesn’t imply that the underlying activities, such as dealing with counterparties in foreign jurisdictions or permitting withdrawals to external wallets, are inherently of concern where appropriate risk-based systems and controls are in place.

However, if you decide in accordance with your AML/CTF policies to review a business’s AML/CTF program, and it’s found to be a generic AML/CTF program template or a copy and paste of text from the Rules, these shouldn’t be considered reasonable measures to identify, mitigate and manage ML/TF risks.

Some remitters are affiliates in networks operated by remittance network providers that apply additional AML/CTF policies and oversight. This additional level of scrutiny may assist with reducing the ML/TF risks presented by an individual affiliate. You could seek further information to understand the nature of oversight by the remittance network provider.

The types of customers and services the business provides

Financial institutions aren’t required to know their customer’s customers. However, where required by risk, CDD requires that financial institutions understand the nature of the business relationship with their customer. This includes taking a risk-based approach to understanding the types of services the business provides and the types of customers they have including:

  • the usual and expected values of typical remittance, virtual asset or other transactions
  • for remitters, the payment corridors the remitter serves and whether its AML/CTF systems and controls are proportionate to the risks presented by the foreign jurisdictions it deals with. For example, a remitter that primarily facilitates lower-value remittances between family members in lower-risk payment corridors will likely have a lower ML/TF risk profile. Other remittance corridors may require the remitter to have additional systems and controls to mitigate and manage increased ML/TF and/or sanctions risks
  • for affiliates of remittance network providers, the remittance network providers’ monitoring of, and support for, the affiliate’s implementation of AML/CTF systems and controls. You should also seek to understand whether an affiliate also provides independent remittance services
  • for VASPs, the types of virtual assets they deal with. Different virtual assets may present different risks. For example, if a VASP deals in significant volumes of privacy coins which may be withdrawn from the VASP, this will present specific risks that could require additional risk mitigation by the VASP
  • for fintech businesses providing other designated services, the nature of the services, the methods by which the fintech business delivers these services and the types of customers that typically use the services.

Collecting information

There is no prescribed way to collect information about these factors. You may use a combination of approaches that could include:

  • incorporating relevant questions in your standard customer onboarding forms
  • a dedicated form with standard questions for onboarding customers who are remitters, VASPs or fintech businesses
  • direct engagement and discussion with the business, including its AML/CTF compliance officer.

You may consider supporting these measures with targeted training for relevant product owners as part of your AML/CTF risk awareness training program. Whatever approach is adopted, you must have a reasonable understanding of the residual ML/TF risks presented by the remitter, VASP or fintech business and document your assessment and the outcomes.

Enhanced customer due diligence

Where you determine that a customer that’s an AUSTRAC-regulated business presents high ML/TF risk, you should consider:

  • undertaking a more detailed analysis of the expected level of transaction behaviour, including future transactions
  • periodically reviewing whether:
    • the customer continues to comply with relevant regulatory requirements, including registration with AUSTRAC if the customer is a remitter or VASP
    • the customer’s ML/TF risk assessment remains up to date, and the business continues to set out reasonably appropriate AML/CTF systems and controls in its AML/CTF policies
    • you have a current understanding of the types of services the business provides, the types of customers the business provides them to, and the foreign jurisdictions the business deals with.

Learn more about enhanced customer due diligence.

Ending the business relationship

Whether you continue to provide financial services to a customer will ultimately be a commercial decision, subject to any other applicable laws. However, given the significant impacts for the customer that can arise from a decision to decline to provide services to them, we encourage financial institutions to ensure that their systems and controls support decisions about providing services that are both objective and proportionate to the ML/TF risk identified for each customer. This includes documenting your risk appetite and providing appropriate training for staff to ensure that it’s applied consistently.

Recommendations for ending a business relationship

If you decide not to provide services, or decide to discontinue providing services to a customer after engaging with that customer and considering possible systems and controls to mitigate any ML/TF risks, we strongly recommend that you:

  • in all cases, record the rationale in writing for declining to provide services to the customer if done to comply with your AML/CTF policies. We may review such records as part of our supervision of your implementation of risk-based systems and controls
  • where possible, give existing customers sufficient notice of your intention to discontinue providing services to allow them to find an alternative financial institution. We recognise that there may be exceptional situations where this is not possible
  • where possible, provide genuine reasons to customers for deciding not to provide financial services that don’t indicate you’re suspicious of the customer’s conduct. While financial institutions must avoid tipping off customers, informing a customer that a decision to end a business relationship has been taken due to the nature of the customer’s activities falling outside the financial institution’s risk appetite will generally not constitute tipping off. On the other hand, citing vague ‘AML/CTF obligations’ or ‘tipping off’ when speaking to the customer as the reason for declining to provide reasons may, itself, increase the risk of tipping off
  • restrict any decision to decline or discontinue providing services to the individual customer only. Don’t discontinue the provision of services to associated individuals or their family members unless you undertake a separate risk assessment in relation to each person.

AML/CTF obligations shouldn’t be cited as a reason for declining to provide services where a decision has principally been taken on other grounds, for example, due to reputational considerations.

While not a direct regulatory requirement under the Act, we note that the Banking Code of Practice and the Customer Owned Banking Code of Practice may also be relevant to decisions to decline to provide services to a customer.

Scenarios

These scenarios demonstrate how you can apply a risk-based approach to different customers you may assess as higher risk.

Scenario 1: Sex worker customer

In Australia, states and territories regulate the sex work industry. Sex work is largely legal or decriminalised across Australia and subject to regulation.

K is a sex worker and applies for a bank account with Eastern States Credit Union. K discloses their occupation as part of the application process.

Eastern States Credit Union asks for further details, including:

  • whether K is self-employed, a contractor with other businesses such as a brothel or escort agency, or both
  • an estimate of K's revenue, and what forms of payment K is likely to trade in.

K provides an estimate and confirms that a large proportion of clients use cash, but that others may use online third-party payment platforms or online banking.

Eastern States Credit Union undertakes routine customer screening and determines that there’s no information to suggest that K presents an ML/TF risk.

As K is a new customer with a cash-intensive business model, Eastern States Credit Union decides to apply enhanced CDD with transaction monitoring tools to detect unexpectedly large fluctuations in deposits, and unusual deposits with no apparent economic or visible lawful purpose. Eastern States Credit Union decides that it will review this risk rating after one year once K has established a transaction history.

Scenario 2: Accepting a VASP customer

Zecchino Exchange Pty Ltd, a VASP in the process of setting up business in Australia, applies online for a business transaction account at Serenissima Bank. Serenissima Bank offers general business banking services to Australian customers as an authorised deposit-taking institution (ADI).

As part of its application, Zecchino states that:

  • it’s a VASP in the process of registering with us – it doesn’t yet provide VASP services
  • it has undertaken an ML/TF risk assessment and developed AML/CTF policies
  • its business model is providing VASP services to Australian resident retail customers who it anticipates will purchase moderate amounts of virtual assets for investment purposes, focusing on 10 popular digital currencies.

Serenissima Bank seeks further information from Zecchino and receives clarification that Zecchino:

  • won’t offer VASP services for privacy coins
  • will only accept deposits / withdrawals of Australian dollars to customers’ bank accounts held with Australian financial institutions, and
  • will permit customers to withdraw and deposit virtual assets to and from external wallets, as it anticipates many customers wish to do so to safeguard their virtual asset investment. However, Zecchino has analysed the risk and has engaged the services of a blockchain analytics company to detect dealings by customers with high risk and sanctioned wallets.

Serenissima Bank decides that, as Zecchino is a new business that’s still going through the process of registering with us, it will request a copy of Zecchino’s ML/TF risk assessment and AML/CTF policies. From an initial review of the documents, Serenissima Bank is satisfied that they appear to be professionally developed and align with Zecchino’s stated business model. On this basis, no further analysis of the documents is undertaken. Serenissima Bank adds the information to Zecchino’s customer file and records its rationale that the documents were reviewed and appeared to be reasonable and aligned to the ML/TF risk faced by Zecchino.

Serenissima Bank’s standard adverse media and adverse information screening reveals no ML/TF risk concerns about Zecchino’s key personnel.

Serenissima Bank agrees to accept Zecchino as a customer, contingent on Zecchino being successful in its application for AUSTRAC registration and providing evidence of this to Serenissima Bank. Until Zecchino confirms that it’s registered, Serenissima Bank sets rules in its transaction monitoring system to assure itself that Zecchino hasn’t commenced providing services to retail customers. Upon confirmation of registration, Serenissima Bank adjusts its transaction monitoring rules for Zecchino to reflect that Zecchino has moved to normal operation as a VASP.

Scenario 3: Declining a bank account due to adverse information

The Bank of Edwardia receives an application by a recently formed company HoenixPay Business Solutions. The Bank of Edwardia offers general business banking services to Australian customers as an authorised deposit-taking institution (ADI).

As part of its application, HoenixPay describes its business in vague terms connected with import and export.

In reviewing the application, the Bank of Edwardia:

  • seeks further information from HoenixPay about the nature of its business, and receives vague answers despite several requests for clarification
  • asks about the types of customers and geographic locations HoenixPay services and receives evasive answers citing ‘commercial sensitivities’
  • identifies from social media that one of the managers of HoenixPay, Alice, is the sister of Bob who appears to be connected with a remittance business
  • undertakes standard adverse media and information screening and discovers that Bob was recently charged with fraud and our website lists his remittance business’s registration as recently cancelled.

The Bank of Edwardia escalates the application internally and determines that it won’t take on HoenixPay as a customer. It records the rationale for this decision in writing. The Bank of Edwardia also submits an SMR to us due to suspicions that HoenixPay may be attempting to engage in unregistered remittance activity related to phoenixing.

The role of business customers

You can increase the chances that financial institutions will provide services to you by being open about the nature of your business and the purposes for which you’re seeking to use the financial institution’s services. This helps financial institutions to meet their AML/CTF obligations when providing services to you.

If you’re unable or unwilling to provide relevant information, your financial institution may be unable to satisfy itself that you’re not engaging in illicit activity or that your business practices are robust enough to prevent criminals misusing your services.

Information you can provide

To access the financial services you require to run your business, ensure you provide your financial institution with the information they need to know who you are and to understand the ML/TF risks that may be associated with your business so they can meet their CDD obligations. This includes being prepared to provide information and relevant documentary or electronic evidence to:

  • help the financial institution understand the legal structure of your business, and the individuals who ultimately own or control your business
  • describe in sufficient detail the types of services you provide to your customers
  • show that you understand, and have met, all licensing and other regulatory requirements applicable to your business under Commonwealth, state, territory or local laws and any relevant overseas laws
  • share the results of any reviews of your own regulatory and risk management systems and follow-up actions (where permitted)
  • share information about the types of customers you provide services to (you don’t need to disclose identifying information about individual customers)
  • provide details of the geographical locations in which your customers reside and/or the locations to which they transfer value using your services
  • indicate the expected volumes of transactions you are likely to engage in using the financial institution’s services.

Protecting your business, Australia’s financial system and the community from criminal abuse is a collective responsibility. You can play your part by providing the information necessary for your financial institution to properly assess, manage and mitigate the risks your business poses for ML/TF. Building a relationship of trust with your financial institution can ensure that your business can operate within the legitimate economy and enjoy the protections of the AML/CTF framework.

The role of remitters, VASPs and fintechs, and other reporting entities

If you’re an AUSTRAC-regulated business, for example, because you operate a remitter, VASP or a fintech business providing a designated service, financial institutions will seek assurance that you’re undertaking appropriate due diligence on your customers when providing banking services to you.

Financial institutions don’t have a direct relationship with your customers and will therefore consider if your business is taking the required steps to identify, mitigate and manage the ML/TF risks that arise when you provide services to your customers.

You can support financial institutions to be comfortable that you’re taking appropriate steps to address the risks associated with your business by being prepared to provide evidence that you’re complying with your AML/CTF obligations and are implementing the systems and controls in your AML/CTF policies effectively.

If your business provides remittance or virtual asset services, you must register with us. Providing remittance or VASP services while unregistered is a criminal offence. We have a range of guidance to assist you to determine if you’re required to register and what you need to do to meet your obligations as a registered remitter or VASP.

Assess and understand your business’s specific ML/TF risks

Your ML/TF risk assessment must be tailored to your business, including the specific products and services you provide, the types of customers you have, the jurisdictions in which you operate and the different ways you deliver your services. For example, your services will likely involve higher inherent ML/TF risks if your services involve:

  • transmitting value into or out of Australia on behalf of customers
  • providing the means for your customers to transmit value anonymously or pseudo-anonymously, for example, by allowing them to withdraw large amounts of cash or to withdraw virtual assets to self-hosted wallets.

Risk-based systems and controls

These risks can be mitigated by appropriate risk-based systems and controls and other factors (such as serving low risk remittance corridors), but it’s important that your ML/TF risk assessment identifies that the risks exist. You should read our risk assessments and other guidance applicable to your sector when identifying the risks faced by your business.

Using an off-the-shelf risk assessment that isn’t tailored to your business, or assessing that all of the services you provide are low risk, will likely raise questions about whether you:

  • truly understand the ML/TF risks of the services you provide
  • can effectively mitigate those risks.

We have resources to help you assess your ML/TF risks.

Implement AML/CTF policies tailored to your assessed ML/TF risks

Your AML/CTF policies must include risk-based systems and controls to manage and mitigate the risks identified in the business’s ML/TF risk assessment.

You can assist financial institutions to understand the residual ML/TF risks presented by your business if you’re prepared to demonstrate, if asked, that:

  • your AML/CTF program was designed specifically for your business and isn’t an off-the-shelf template or a simple cut and paste of the Rules
  • senior management oversee and support implementation of your AML/CTF program
  • relevant staff in your business, including all customer-facing staff, understand and implement your AML/CTF program and receive appropriate introductory and ongoing training
  • you have an AML/CTF compliance officer with the seniority, competency and resources to oversee compliance with your AML/CTF program, and who is able to understand, and speak with confidence to a financial institution about the systems and controls you implement.

Learn more about developing your AML/CTF program and ensuring appropriate oversight.

If you use AML/CTF advisers or consultants, you should ensure that they are suitably qualified and experienced. AUSTRAC has prepared guidance to assist you when engaging an AML/CTF adviser.

Ensure your customer due diligence is adequate

Financial institutions don’t have a direct relationship with your customers. When they provide services to you, they’re placing trust in your capacity to identify, mitigate and manage the ML/TF risks presented by your customers.

Financial institutions may therefore seek to understand the types of customers you provide services to, and the types of services you provide. This could include understanding the foreign jurisdictions you deal with. This information, together with information about your internal systems and controls, is used to understand the ML/TF and other financial crime risks presented by your business model.

We recognise that this information may be commercially sensitive. However, it can also be essential to help a financial institution determine if your business is within its risk appetite. Anything you do to increase the transparency of your business, including the types of customers and services you have, will assist financial institutions to assure themselves that your business doesn’t present unacceptable risks.

Be responsive when financial institutions request further information

Financial institutions may seek further information from you throughout the course of your business relationship with them. This information assists financial institutions to have an up-to-date understanding of your business, and the associated ML/TF risks. Being responsive to such requests will assist financial institutions to meet their obligations.

If you’re considering significant changes in your business model, such as a change in ownership or management or providing new services with a different ML/TF risk profile, you could consider proactively discussing this with your financial institution. These discussions could include outlining your assessment of the ML/TF risks associated with the change and the systems and controls you plan to implement to mitigate those risks.

This guidance sets out how we interpret certain Australian legislation, along with associated Rules and regulations. Australian courts are ultimately responsible for interpreting these laws and determining if any provisions of these laws are contravened. 

The examples and scenarios in this guidance are meant to help explain our interpretation of these laws. They’re not exhaustive or meant to cover every possible scenario.

This guidance provides general information and isn't a substitute for legal advice. This guidance avoids legal language wherever possible and it might include generalisations about the application of the law. Some provisions of the law referred to have exceptions or important qualifications. In most cases your particular circumstances must be taken into account when determining how the law applies to you.

Last updated: 23 Apr 2026
