Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (2024)

I, NEIL J JENSEN, Chief Executive Officer, Australian Transaction Reports and Analysis Centre, make this Instrument under section 229 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006.

1 Name of Instrument

This Instrument is the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1).

2 Commencement

This Instrument commences as follows:

(a) on 12 June 2007 — Schedule 1;

(b) on 12 December 2007 — Schedule 2.

3 Rules

(1) I revoke the Anti-Money Laundering and Anti-Money Laundering and Counter-Terrorism Financing Rules (Rules) made on 29 March 2007 set out in the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1).

(2) I make the Rules set out in Schedules 1 and 2.

Schedule 1 Rules commencing on 12 June 2007

CHAPTER 1

Part 1.1 - Introduction

1.1.1 These Anti-Money Laundering and Counter-Terrorism Financing Rules (AML/CTF Rules) are made pursuant to section 229 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act). Section 229 of the AML/CTF Act empowers the AUSTRAC CEO to make rules prescribing matters required or permitted by the AML/CTF Act to be prescribed by AML/CTF Rules.

Note: reporting entities should note that the activities they carry out in order to comply with the AML/CTF Rules are also subject to the provisions of the Privacy Act 1988, even if the reporting entity is generally exempt from that Act.

Part 1.2 - Key terms and concepts

1.2.1 In the Rules in chapters 3 to 10 inclusive:

the AML/CTF Act means the Anti-Money Laundering and Counter-Terrorism Financing Act 2006.

AML/CTF program means an anti-money laundering and counter-terrorism financing program as defined in section 83 of the AML/CTF Act.

beneficial owner, in respect of a company, means any individual who owns through one or more share holdings more than 25 per cent of the issued capital in the company.

certified copy means a document that has been certified as a true copy of an original document by one of the following persons:

(1) a person who is enrolled on the roll of the Supreme Court of a State or Territory, or the High Court of Australia, as a legal practitioner (however described);

(2) a judge of a court;

(3) a magistrate;

(4) a chief executive officer of a Commonwealth court;

(5) a registrar or deputy registrar of a court;

(6) a Justice of the Peace;

(7) a notary public (for the purposes of the Statutory Declaration Regulations 1993);

(8) a police officer;

(9) an agent of the Australian Postal Corporation who is in charge of an office supplying postal services to the public;

(10) a permanent employee of the Australian Postal Corporation with 2 or more years of continuous service who is employed in an office supplying postal services to the public;

(11) an Australian consular officer or an Australian diplomatic officer (within the meaning of the Consular Fees Act 1955);

(12) an officer with 2 or more continuous years of service with one or more financial institutions (for the purposes of the Statutory Declaration Regulations 1993);

(13) a finance company officer with 2 or more continuous years of service with one or more finance companies (for the purposes of the Statutory Declaration Regulations 1993);

(14) an officer with, or authorised representative of, a holder of an Australian financial services licence, having 2 or more continuous years of service with one or more licensees.

(15) a member of the Institute of Chartered Accountants in Australia, CPA Australia or the National Institute of Accountants with 2 or more years of continuous membership.

certified extract means an extract that has been certified as a true copy of some of the information contained in a complete original document by one of the persons described in paragraphs (1)-(15) of the definition of ‘certified copy’ in paragraph 1.2.1 of these Rules.

correspondent banking risk means the money laundering or terrorism financing risk a financial institution may reasonably face in respect of a correspondent banking relationship.

domestic company means a company that is registered under the Corporations Act 2001 (other than a registered foreign company).

domestic listed public company means a domestic company that is a listed public company.

domestic stock exchange means a financial market prescribed by regulations made for the purposes of the definition of ‘prescribed financial market’ in the Corporations Act 2001.

domestic unlisted public company means a domestic company that is not a listed public company.

foreign company means a body corporate of the kind described in paragraph (a) of the definition of ‘foreign company’ in the Corporations Act 2001.

foreign listed public company means a foreign company that is a listed public company.

KYC information means ‘know your customer information’ and may include information in relation to matters such as:

(1) In relation to a customer who is an individual:

(a) the customer’s name;

(b) the customer’s residential address;

(c) the customer’s date of birth;

(d) any other name that the customer is known by;

(e) the customer’s country(ies) of citizenship;

(f) the customer’s country(ies) of residence;

(g) the customer’s occupation or business activities;

(h) the nature of the customer’s business with the reporting entity – including:

(i) the purpose of specific transactions; or

(ii) the expected nature and level of transaction behaviour;

(i) the income or assets available to the customer;

(j) the customer’s source of funds including the origin of funds;

(k) the customer’s financial position;

(l) the beneficial ownership of the funds used by the customer with respect to the designated services; and

(m) the beneficiaries of the transactions being facilitated by the reporting entity on behalf of the customer including the destination of funds.

(2) In relation to a customer who is a company:

(a) the full name of the company as registered by ASIC;

(b) the full address of the company’s registered office;

(c) the full address of the company’s principal place of business (if any);

(d) the ACN issued to the company;

(e) whether the company is registered by ASIC as a proprietary company or a public company;

(f) the name of each director of the company;

(g) the full business name (if any) of the company as registered under any State or Territory business names legislation;

(h) the date upon which the company was registered by ASIC;

(i) the name of any company secretary;

(j) the nature of the business activities conducted by the company;

(k) (without limiting the possible application of other items in this definition to a registered foreign company) if the company is a registered foreign company:

(i) the full address of the company’s registered office in Australia;

(ii) the full address of the company’s principal place of business in Australia (if any) or the full name and address of the company’s local agent in Australia;

(iii) the ARBN issued to the company;

(iv) the country in which the company was formed, incorporated or registered;

(v) whether the company is registered by the relevant foreign registration body and if so whether it is registered as a proprietary or private company;

(vi) the name of the relevant foreign registration body;

(vii) any identification number issued to the company by the relevant foreign registration body upon the company’s formation, incorporation or registration;

(viii) the date upon which the company was formed, incorporated or registered in its country of formation, incorporation or registration;

(ix) the full address of the company in its country of formation, incorporation or registration as registered by the relevant foreign registration body;

(l) (without limiting the possible application of other items in this definition to an unregistered foreign company) if the company is an unregistered foreign company:

(i) the full name of the company;

(ii) the country in which the company was formed, incorporated or registered;

(iii) whether the company is registered by the relevant foreign registration body and if so:

(A) any identification number issued to the company by the relevant foreign registration body upon the company’s formation, incorporation or registration;

(B) the full address of the company in its country of formation, incorporation or registration as registered by the relevant foreign registration body; and

(C) whether it is registered as a proprietary or private company;

(iv) the full address of the company’s principal place of business in that country;

(v) the name of the relevant foreign registration body;

(vi) the date upon which the company was formed, incorporated or registered in its country of formation, incorporation or registration;

(vii) the full address of the company’s principal place of business in that country; and

(m) the name and address of any beneficial owner of the company.

(3) In relation to a customer who is a trustee of a trust:

(a) the full name of the trust;

(b) the full business name (if any) of the trustee in respect of the trust;

(c) the type of the trust;

(d) the country in which the trust was established;

(e) if any of the trustees is an individual – in respect of any of those individuals, the information required to be collected from an individual under the reporting entity’s customer identification program in respect of individuals;

(f) if any of the trustees is a company – in respect of any those companies, the information required to be collected from a company under the reporting entity’s customer identification program in respect of companies;

(g) the full name and address of any trustee in respect of the trust;

(h) the full name of any beneficiary in respect of the trust;

(i) if the terms of the trust identify the beneficiaries by reference to membership of a class – details of the class;

(j) the State or Territory in which the trust was established;

(k) the date upon which the trust was established;

(l) a certified copy or certified extract of the trust deed; and

(m) the full name of the trust manager (if any) or settlor (if any) in respect of the trust.

(4) In relation to a customer who is a partner of a partnership:

(a) the full name of the partnership;

(b) the full business name (if any) of the partnership as registered under any State or Territory business names legislation;

(c) the country in which the partnership was established;

(d) in respect of any partner - the information required to be collected from an individual under the reporting entity’s customer identification program in respect of individuals;

(e) the full name and residential address of any partner;

(f) the respective share of each partner in the partnership;

(g) the business of the partnership;

(h) the State or Territory in which the partnership was established;

(i) the date upon which the partnership was established; and

(j) a certified copy or certified extract of the partnership agreement.

(5) In relation to a customer who is an incorporated association:

(a) the full name of the association;

(b) the full address of the association’s principal place of administration or registered office (if any) or the residential address of the association’s public officer or (if there is no such person) the association’s president, secretary or treasurer;

(c) any unique identifying number issued to the association upon its incorporation by the relevant registration body;

(d) the full name of the chairman, secretary and treasurer or equivalent officer in each case of the association;

(e) the State, Territory or country in which the association was incorporated;

(f) the date upon which the association was incorporated;

(g) the objects of the association;

(h) a certified copy or certified extract of the rules of the association;

(i) in respect of any member – the information required to be collected from an individual under the reporting entity’s customer identification program in respect of individuals; and

(j) the full business name, if any, of the association.

(6) In relation to a customer who is an unincorporated association:

(a) the full name of the association;

(b) the full address of the association’s principal place of administration (if any);

(c) the full name of the chairman, secretary and treasurer or equivalent officer in each case of the association;

(d) in respect of any member – the information required to be collected from an individual under the reporting entity’s customer identification program in respect of individuals;

(e) the objects of the association;

(f) a certified copy or certified extract of the rules of the association; and

(g) the full business name, if any, of the association.

(7) In relation to a customer who is a registered co-operative:

(a) the full name of the co-operative;

(b) the full address of the co-operative’s registered office or principal place of operations (if any) or the residential address of the co-operative’s secretary or (if there is no such person) the co-operative’s president or treasurer;

(c) any unique identifying number issued to the co-operative upon its registration by the relevant registration body;

(d) the full name of the chairman, secretary and treasurer or equivalent officer in each case of the co-operative;

(e) in respect of any member – the information required to be collected from an individual under the reporting entity’s customer identification program in respect of individuals;

(f) the full business name, if any, of the co-operative;

(g) the State, Territory or country in which the co-operative is registered;

(h) the date upon which the co-operative was registered;

(i) the objects of the co-operative; and

(j) a certified copy or certified extract of the rules of the co-operative.

(8) In relation to a customer who is a government body:

(a) the full name of the government body;

(b) the full address of the government body’s principal place of operations;

(c) whether the government body is an entity or emanation, or established under legislation, of a State, Territory, the Commonwealth or a foreign country and the name of that State, Territory or country;

(d) information about the ownership or control of a government body that is an entity or emanation or established under legislation of a foreign country; and

(e) the name of any legislation under which the government body was established.

listed public company means:

(1) in the case of a domestic company – a public company that is included in an official list of a domestic stock exchange;

(2) in the case of a registered foreign company –

(a) a public company that is included in an official list of a domestic stock exchange; or

(b) a public company whose shares, in whole or in part, are listed for quotation in the official list of any stock or equivalent exchange;

(3) in the case of an unregistered foreign company – a public company whose shares, in whole or in part, are listed for quotation in the official list of any stock or equivalent exchange.

ML/TF risk means the risk that a reporting entity may reasonably face that the provision by the reporting entity of designated services might (whether inadvertently or otherwise) involve or facilitate money laundering or the financing of terrorism.

Part A means Part A of a reporting entity’s AML/CTF program.

Part B means Part B of a reporting entity’s AML/CTF program.

on-course bookmaker means a person who carries on a business of a bookmaker or a turf commission agent at a racecourse.

online gambling service means a designated service of a kind described in table 3 of section 6 of the AML/CTF Act that is provided to a customer using any of the means referred to in paragraph 5(1)(b) of the Interactive Gambling Act 2001 and includes an excluded wagering service as defined in section 8A of the Interactive Gambling Act 2001 but does not include a “telephone betting service” as defined in section 4 of the Interactive Gambling Act 2001.

primary non-photographic identification document means any of the following:

(1) a birth certificate or birth extract issued by a State or Territory;

(2) a citizenship certificate issued by the Commonwealth;

(3) a citizenship certificate issued by a foreign government that, if it is written in a language that is not understood by the person carrying out the verification, is accompanied by an English translation prepared by an accredited translator;

(4) a birth certificate issued by a foreign government, the United Nations or an agency of the United Nations that, if it is written in a language that is not understood by the person carrying out the verification, is accompanied by an English translation prepared by an accredited translator;

(5) a pension card issued by Centrelink that entitles the person in whose name the card is issued, to financial benefits.

primary photographic identification document means any of the following:

(1) a licence or permit issued under a law of a State or Territory or equivalent authority of a foreign country for the purpose of driving a vehicle that contains a photograph of the person in whose name the document is issued;

(2) a passport issued by the Commonwealth;

(3) a passport or a similar document issued for the purpose of international travel, that:

(a) contains a photograph and the signature of the person in whose name the document is issued;

(b) is issued by a foreign government, the United Nations or an agency of the United Nations; and

(c) if it is written in a language that is not understood by the person carrying out the verification - is accompanied by an English translation prepared by an accredited translator.

(4) a card issued under a law of a State or Territory for the purpose of proving the person’s age which contains a photograph of the person in whose name the document is issued.

(5) a national identity card issued for the purpose of identification , that:

(a) contains a photograph and the signature of the person in whose name the document is issued;

(b) is issued by a foreign government, the United Nations or an agency of the United Nations; and

(c) if it is written in a language that is not understood by the person carrying out the verification - is accompanied by an English translation prepared by an accredited translator;

public company means a company other than a proprietary company.

racecourse means a place where a race meeting is held by a racing club, and includes adjacent land or premises to which persons attending the meeting have access in connection with the meeting.

registered co-operative means a body registered under legislation as a co-operative.

registered foreign company means a foreign company that is registered under Division 2 of Part 5B.2 of the Corporations Act 2001.

relevant foreign registration body means, in respect of a registered foreign company or an unregistered foreign company, any government body that was responsible for the formation, incorporation or registration of that company in its country of formation, incorporation or registration.

reliable and independent documentation includes but is not limited to:

(1) an original primary photographic identification document;

(2) an original primary non-photographic identification document; and

(3) an original secondary identification document

Note: This is not an exhaustive definition. A reporting entity may rely upon other documents not listed in paragraphs (1) to (3) above as reliable and independent documents, where that is appropriate having regard to ML/TF risk.

secondary identification document means any of the following:

(1) a notice that:

(a) was issued to an individual by the Commonwealth, a State or Territory within the preceding twelve months;

(b) contains the name of the individual and his or her residential address; and

(c) records the provision of financial benefits to the individual under a law of the Commonwealth, State or Territory (as the case may be);

(2) a notice that:

(a) was issued to an individual by the Australian Taxation Office within the preceding 12 months;

(b) contains the name of the individual and his or her residential address; and

(c) records a debt payable to or by the individual by or to (respectively) the Commonwealth under a Commonwealth law relating to taxation;

(3) a notice that:

(a) was issued to an individual by a local government body or utilities provider within the preceding three months;

(b) contains the name of the individual and his or her residential address; and

(c) records the provision of services by that local government body or utilities provider to that address or to that person.

(4) In relation to a person under the age of 18, a notice that:

(a) was issued to a person by a school principal within the preceding three months;

(b) contains the name of the person and his or her residential address; and

(c) records the period of time that the person attended at the school.

totalisator agency board means a board or authority established, or a company holding a licence, under a law of a State or Territory for purposes that include the purpose of operating a betting service.

unregistered foreign company means a foreign company that is not a registered foreign company.

1.2.2 In these Rules, the terms ‘ABN’, ‘ACN’, ‘ARBN’, ‘Australian financial services licence’, ‘ASIC’, ‘managed investment scheme’, ‘proprietary company’, ‘registered office’ and ‘wholesale client’ have the same respective meanings as in the Corporations Act 2001.

CHAPTER 2

Part 2.1 – Definition of ‘designated business group’

2.1.1 These Anti-Money Laundering and Counter-Terrorism Financing Rules (Rules) are made pursuant to section 229 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) for the purposes of the definition of ‘designated business group’ in section 5 of the AML/CTF Act.

2.1.2 For the purposes of the definition of ‘designated business group’ in section 5 of the AML/CTF Act:

(1) an election will be made in accordance with the AML/CTF Rules if it is made on the approved election form and provided to AUSTRAC by the Nominated Contact Officer;

(2) a ‘designated business group’ is established when the approved form is provided to the AUSTRAC CEO by the Nominated Contact Officer or on such later date as is specified on that form; and

(3) the members of a designated business group must, by their Nominated Contact Officer, notify the AUSTRAC CEO, in writing, in the approved form, of any of the following:

(a) a withdrawal of a member from the designated business group; or

(b) an election of a new member; or

(c) the termination of the designated business group; or

(d) any other change in the details previously notified to the AUSTRAC CEO in respect of the Nominated Contact Officer or the designated business group;

no later than 14 business days from the date on which the withdrawal, election of the new member, termination or change takes effect.

(4) each member of the designated business group must be:

(a) related to each other member of the group within the meaning of section 50 of the Corporations Act 2001; and either

(i) a reporting entity; or

(ii) a company in a foreign country which if it were resident in Australia would be a reporting entity; or

(b) providing a designated service pursuant to a joint venture agreement, to which each member of the group is a party.

2.1.3 In these Rules:

(1) ‘approved election form’ means Form 1 attached to these Rules;

(2) ‘approved form’ for the purposes of sub-rule 2.1.2(2) means Form 2 attached to these Rules;

(3) ‘approved form’ for the purposes of sub-rule 2.1.2(3) means Form 3 attached to these Rules;

(4) ‘company’ has the same meaning as in the Corporations Act 2001;

(5) ‘Nominated Contact Officer’ means the holder from time to time of one of the following positions:

(a) an ‘officer’ as defined in the Corporations Act 2001, of a member of a designated business group; or

(b) the AML/CTF Compliance Officer of a member of a designated business group,

where that officer or compliance officer has been appointed by the designated business group to hold the position of the Nominated Contact Officer.

Form 1

FORM FOR SUB-PARAGRAPH 2.1.2(1) OF THE RULES: ELECTION TO BE A MEMBER OF A DESIGNATED BUSINESS GROUP

For the purposes of the Anti-Money Laundering and Counter-Terrorism Financing Rules made pursuant to section 229 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) and of the definition of ‘designated business group’ in section 5 of the AML/CTF Act:

I, [name and role/title of Y Pty Ltd], hereby elect on behalf of Y Pty Ltd, to be a member of [name of Designated Business Group]. I hereby confirm that:

(a) Y Pty Ltd, is related to each member of [name of Designated Business Group] within the meaning of section 50 of the Corporations Act 2001; or

(b) Y Pty Ltd is providing a designated service pursuant to a joint venture agreement to which each member of [name of Designated Business Group] is a party; or

(c) Y Pty Ltd is a foreign company which, if it were resident in Australia would be a reporting entity, and is, within the meaning of section 50 of the Corporations Act 2001, related to [name of related company] which is a member of [name of Designated Business Group] and which is a reporting entity.

DATE:

Form 2

FORM FOR SUB-PARAGRAPH 2.1.2(2) OF THE RULES: FORMATION OF A DESIGNATED BUSINESS GROUP

For the purposes of the Anti-Money Laundering and Counter-Terrorism Financing Rules made pursuant to section 229 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) and of the definition of ‘designated business group’ in section 5 of the AML/CTF Act:

I, [name and role/title of X Pty Ltd], notify AUSTRAC that [role/title of X Pty Ltd] is the Nominated Contact Officer of [name of Designated Business Group ]. I currently hold that position. My contact details are:

Address:

Phone number:

Fax number:

Email address:

I [name] as the Nominated Contact Officer of [name of Designated Business Group] hereby notify AUSTRAC of the establishment of [name of Designated Business Group].

The following have elected to be members of [name of Designated Business Group]:

[name of member]

[name of member]

DATE:

Form 3

FORM FOR SUB-PARAGRAPH 2.1.2(3) OF THE RULES: VARIATIONS

For the purposes of the Anti-Money Laundering and Counter-Terrorism Financing Rules made pursuant to section 229 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) and of the definition of ‘designated business group’ in section 5 of the AML/CTF Act:

I, [Nominated Contact Officer of X Pty Ltd], being the Nominated Contact Officer of [name of Designated Business Group] hereby advise the AUSTRAC CEO of the following variations to [name of Designated Business Group]:

(a) [withdrawal detail];

(b) [election detail];

(c) [termination];

(d) [any other change]

Election forms are attached.

DATE:

CHAPTER 3

Part 3.1 – Correspondent banking due diligence

3.1.1 These Anti-Money Laundering and Counter-Terrorism Financing Rules (Rules) are made pursuant to section 229 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) for the purposes of paragraphs 97(2)(a) and 98(2)(a), subparagraphs 98(3)(a)(ii) and 98(3)(b)(ii) and subsections 98(4) and 99(1) of the AML/CTF Act.

3.1.2 For the purposes of paragraph 97(2)(a) of the AML/CTF Act, a financial institution (the first financial institution) must carry out an assessment of the following matters, where and to the extent warranted by the risk identified in accordance with subsection 97(1):

(1) the nature of the other financial institution’s business, including its product and customer base;

(2) the domicile of the other financial institution;

(3) the domicile of any parent company of the other financial institution;

(4) the existence and quality of any anti-money laundering and counter-terrorism financing regulation in the other financial institution’s country of domicile;

(5) the existence and quality of any anti-money laundering and counter-terrorism financing regulation in the country of domicile of any parent company of the other financial institution – where the parent company has group-wide controls and where the other financial institution operates within the requirements of those controls;

(6) the adequacy of the other financial institution’s controls and internal compliance practices in relation to anti-money laundering and counter-terrorism financing;

(7) the ownership, control and management structures of the other financial institution and any parent company, including whether a politically exposed person has ownership or control of the other financial institution or any parent company;

(8) the other financial institution’s financial position;

(9) the reputation and history of the other financial institution;

(10) the reputation and history of any parent company of the other financial institution;

(11) whether the other financial institution has been the subject of an investigation, or any criminal or civil proceedings relating to money laundering or terrorism financing.

3.1.3 For the purposes of subsection 99(1) of the AML/CTF Act, the senior officer must have regard to the due diligence assessment carried out for the purposes of paragraph 3.1.2 of these Rules.

3.1.4 For the purposes of paragraph 98(2)(a) of the AML/CTF Act, the first financial institution must carry out regular assessments of the following matters, if warranted by the risk identified in accordance with subsection 98(1):

(1) the matters specified in paragraph 3.1.2 of these Rules;

(2) any material changes in respect of the matters specified in paragraph 3.1.2 of these Rules;

(3) the nature of the other financial institution’s ongoing business relationship with the first financial institution, including the types of transactions carried out as part of that relationship;

(4) any material change in the nature of the other financial institution’s ongoing business relationship with the first financial institution, including in respect of the types of transactions carried out as part of that relationship.

3.1.5 In accordance with subsection 98(5) of the AML/CTF Act, the first financial institution is required to determine:

(1) in respect of each correspondent banking relationship that it enters into after the commencement of section 98 – the end of the period referred to in subparagraph 98(3)(a)(ii);

(2) in respect of each correspondent banking relationship that it has entered into before the commencement of section 98 – the end of the period referred to in subparagraph 98(3)(b)(ii); and

(3) in respect of each of its correspondent banking relationships – the period referred to in subsection 98(4).

3.1.6 In determining the end of a period or a period for the purposes of paragraph 3.1.5 of these Rules, the first financial institution must have regard to the risk identified in accordance with subsection 98(1) of the AML/CTF Act.

Schedule 2 Rules commencing on 12 December 2007

CHAPTER 4

Part 4.1 – Introduction

4.1.1 These Rules are made pursuant to section 229 of the AML/CTF Act for the purposes of paragraphs 84(3)(b) and 85(3)(b) of the AML/CTF Act. They specify the requirements with which Part B of a reporting entity’s standard AML/CTF program or Part B of a reporting entity’s joint AML/CTF program must comply. The sole or primary purpose of Part B is to set out the reporting entity’s applicable customer identification procedures. Chapter 4 does not apply to pre-commencement customers.

Appropriate Risk-Based Systems and controls

4.1.2 Some of the requirements specified in these Rules may be complied with by a reporting entity putting in place appropriate risk-based systems and controls. When determining and putting in place appropriate risk-based systems and controls, the reporting entity must have regard to the nature, size and complexity of its business and the type of ML/TF risk that it might reasonably face.

4.1.3 For the purposes of these Rules, in identifying its ML/TF risk a reporting entity must consider the risk posed by the following factors:

(1) its customer types, including any politically exposed persons;

(2) the types of designated services it provides;

(3) the methods by which it delivers designated services; and

(4) the foreign jurisdictions with which it deals.

Different requirements with respect to different kinds of customers

4.1.4 These Rules specify different requirements with which Part B must comply in relation to different kinds of customers. Part B must comply with such requirements to the extent that a reporting entity has a customer of a particular kind. These Rules make provision in respect of the following kinds of customers:

(1) Individuals – Part 4.2 of these Rules;

(2) Companies – Part 4.3 of these Rules;

(3) Customers who act in the capacity of a trustee of a trust – Part 4.4 of these Rules;

(4) Customers who act in the capacity of a member of a partnership – Part 4.5 of these Rules;

(5) Incorporated or unincorporated associations – Part 4.6 of these Rules;

(6) Registered co-operatives – Part 4.7 of these Rules;

(7) Government bodies – Part 4.8 of these Rules.

Verification

4.1.5 These Rules also require Part B to comply with the requirements of Part 4.9 of these Rules relating to document-based verification and with the requirements of Part 4.10 of these Rules relating to verification from electronic data.

Agents of customers

4.1.6 Part B must comply with the requirements of Part 4.11 of these Rules in relation to any agent who is authorised to act for or on behalf of a customer in relation to a designated service.

Part 4.2 - Applicable customer identification procedure with respect to individuals

4.2.1 In so far as a reporting entity has any customer who is an individual, Part B must comply with the requirements specified in Part 4.2 of these Rules.

4.2.2 Part B must include appropriate risk-based systems and controls that are designed to enable the reporting entity to be reasonably satisfied, where a customer is an individual, that the customer is the individual that he or she claims to be.

Collection of information

4.2.3 Part B must include a procedure for the reporting entity to collect, at a minimum, the following KYC information from an individual (other than an individual who notifies the reporting entity that he or she is a customer of the reporting entity in his or her capacity as a sole trader):

(1) the customer’s full name;

(2) the customer’s date of birth; and

(3) the customer’s residential address.

4.2.4 Part B must include a procedure for the reporting entity to collect, at a minimum, the following KYC information from a customer who notifies the reporting entity that he or she is a customer of the reporting entity in his or her capacity as a sole trader:

(1) the customer’s full name;

(2) the customer’s date of birth;

(3) the full business name (if any) under which the customer carries on his or her business;

(4) the full address of the customer’s principal place of business (if any) or the customer’s residential address; and

(5) any ABN issued to the customer.

4.2.5 Part B must include appropriate risk-based systems and controls for the reporting entity to determine whether, in addition to the KYC information referred to in paragraph 4.2.3 or 4.2.4 above, any other KYC information will be collected from a customer.

Note: reporting entities should consider their obligations under other legislation, including the Privacy Act 1988 when deciding what information is required to be collected to fulfil their obligations under these Rules.

Verification of information

4.2.6 Part B must include a procedure for the reporting entity to verify, at a minimum, the following KYC information about a customer:

(1) the customer’s full name; and

(2) either:

(a) the customer’s date of birth; or

(b) the customer’s residential address.

4.2.7 Part B must require that the verification of information collected about a customer be based on:

(1) reliable and independent documentation;

(2) reliable and independent electronic data; or

(3) a combination of (1) and (2) above.

4.2.8 Part B must include appropriate risk-based systems and controls for the reporting entity to determine whether, in addition to the KYC information referred to in paragraph 4.2.6 above, any other KYC information collected from the customer should be verified from reliable and independent documentation, reliable and independent electronic data or a combination of the two.

Responding to discrepancies

4.2.9 Part B must include appropriate risk-based systems and controls for the reporting entity to respond to any discrepancy that arises in the course of verifying KYC information collected from a customer so that the reporting entity can determine whether it is reasonably satisfied that the customer is the person that he or she claims to be.

Documentation-based safe harbour procedure where ML/TF risk is medium or lower

4.2.10 Paragraph 4.2.11 sets out one procedure for documentation-based verification which a reporting entity may include in Part B to comply with its obligations under paragraphs 4.2.3 to 4.2.8 and 4.9.1 to 4.9.3 of these Rules where the relationship with the customer is of medium or lower ML/TF risk. Paragraph 4.2.11 does not preclude a reporting entity from meeting the requirements of paragraphs 4.2.3 to 4.2.8 and 4.9.1 to 4.9.3 of these Rules in another way where the relationship with the customer is of medium or lower ML/TF risk.

4.2.11 Part B of an AML/CTF program that requires the reporting entity to do the following will be taken to meet the requirements of paragraphs 4.2.3 to 4.2.8 and 4.9.2 to 4.9.3 of these Rules in respect of a customer, where a reporting entity determines that the relationship with that customer is of medium or lower risk:

(1) collect the KYC information described in paragraph 4.2.3 or 4.2.4 (as the case may be) from a customer;

(2) verify the customer’s name and either the customer’s residential address or date of birth, or both, from:

(a) an original or certified copy of a primary photographic identification document; or

(b) both:

(i) an original or certified copy of a primary non-photographic identification document; and

(ii) an original or certified copy of a secondary identification document; and

(3) verify that any document produced by the customer has not expired (other than in the case of a passport issued by the Commonwealth that expired within the preceding two years).

Electronic-based safe harbour procedure where ML/TF Risk is medium or lower

4.2.12 Paragraph 4.2.13 sets out one procedure for electronic verification which a reporting entity may follow to comply with its obligations under paragraphs 4.2.3 to 4.2.8 and 4.10.1 of these Rules where the relationship with the customer is of medium or lower ML/TF risk. Paragraph 4.2.13 does not preclude a reporting entity from meeting the requirements of paragraphs 4.2.3 to 4.2.8 and 4.10.1 of these Rules in another way where the relationship with the customer is of medium or lower ML/TF risk.

4.2.13 Part B of an AML/CTF program that requires the reporting entity to do the following will be taken to meet the requirements of paragraphs 4.2.3 to 4.2.8 and 4.10.1 of these Rules in respect of a customer, where a reporting entity determines that the relationship with the customer is of medium or lower risk:

(1) collect the KYC information described in paragraph 4.2.3 or 4.2.4 (as the case may be) from a customer;

(2) verify, having regard to the matters set out in subparagraph 4.10.2(1):

(a) the customer’s name and the customer’s residential address using reliable and independent electronic data from at least two separate data sources; and either

(b) the customer’s date of birth using reliable and independent electronic data from at least one data source; or

(c) that the customer has a transaction history for at least the past 3 years.

Part 4.3 – Applicable customer identification procedure with respect to companies

4.3.1 In so far as a reporting entity has any customer who is a domestic or a foreign company, Part B must comply with the requirements specified in Part 4.3 of these Rules.

4.3.2 Part B must include appropriate risk-based systems and controls that are designed to enable the reporting entity to be reasonably satisfied, where a customer is a company, that:

(1) the company exists; and

(2) in respect of certain companies, the name and address of any beneficial owner of the company has been provided.

Existence of the company - collection of minimum information

4.3.3 Part B must include a procedure for the reporting entity to collect, at a minimum, the following KYC information from a company:

(1) in the case of a domestic company:

(a) the full name of the company as registered by ASIC;

(b) the full address of the company’s registered office;

(c) the full address of the company’s principal place of business, if any;

(d) the ACN issued to the company;

(e) whether the company is registered by ASIC as a proprietary or public company; and

(f) if the company is registered as a proprietary company, the name of each director of the company;

(2) in the case of a registered foreign company:

(a) the full name of the company as registered by ASIC;

(b) the full address of the company’s registered office in Australia;

(c) the full address of the company’s principal place of business in Australia (if any) or the full name and address of the company’s local agent in Australia, if any;

(d) the ARBN issued to the company;

(e) the country in which the company was formed, incorporated or registered;

(f) whether the company is registered by the relevant foreign registration body and if so whether it is registered as a private or public company or some other type of company; and

(g) if the company is registered as a private company by the relevant foreign registration body - the name of each director of the company;

(3) in the case of an unregistered foreign company:

(a) the full name of the company;

(b) the country in which the company was formed, incorporated or registered;

(c) whether the company is registered by the relevant foreign registration body and if so:

(i) any identification number issued to the company by the relevant foreign registration body upon the company’s formation, incorporation or registration;

(ii) the full address of the company in its country of formation, incorporation or registration as registered by the relevant foreign registration body; and

(iii) whether it is registered as a private or public company or some other type of company by the relevant foreign registration body;

(d) if the company is registered as a private company by the relevant foreign registration body - the name of each director of the company; and

(e) if the company is not registered by the relevant foreign registration body, the full address of the principal place of business of the company in its country of formation or incorporation.

4.3.4 Part B must include appropriate risk-based systems and controls for the reporting entity to determine whether, in addition to the KYC information referred to in paragraph 4.3.3, any other KYC information relating to the company’s existence will be collected in respect of a company.

Existence of company – verification of information

4.3.5 Part B must include a procedure for the reporting entity to verify, at a minimum, the following information about a company:

(1) in the case of a domestic company:

(a) the full name of the company as registered by ASIC;

(b) whether the company is registered by ASIC as a proprietary or public company; and

(c) the ACN issued to the company;

(2) in the case of a registered foreign company:

(a) the full name of the company as registered by ASIC;

(b) whether the company is registered by the relevant foreign registration body and if so whether it is registered as a private or public company; and

(c) the ARBN issued to the company;

(3) in the case of an unregistered foreign company:

(a) the full name of the company; and

(b) whether the company is registered by the relevant foreign registration body and if so:

(i) any identification number issued to the company by the relevant foreign registration body upon the company’s formation, incorporation or registration; and

(ii) whether the company is registered as a private or public company.

4.3.6 Part B must include appropriate risk-based systems and controls for the reporting entity to determine whether, in addition to the KYC information referred to in paragraph 4.3.5, any other KYC information referred to in paragraph 4.3.3 or other KYC information relating to the company’s existence collected in respect of the company, should be verified.

4.3.7 In determining whether, and what, additional information will be collected and/or verified in respect of a company pursuant to paragraphs 4.3.4 and/or 4.3.6, the reporting entity must have regard to ML/TF risk relevant to the provision of the designated service.

4.3.8 If Part B includes the simplified company verification procedure described below with respect to a company that is:

(1) a domestic listed public company;

(2) a majority owned subsidiary of a domestic listed public company; or

(3) licensed and subject to the regulatory oversight of a Commonwealth, State or Territory statutory regulator in relation to its activities as a company;

Part B is taken to comply with the requirements of paragraphs 4.3.5, 4.3.6 and 4.3.7 of these Rules in so far as those customers are concerned.

4.3.9 (1) Part B may include appropriate risk-based systems and controls for the reporting entity to determine whether and in what manner to verify the existence of a foreign company by confirming that the foreign company is a foreign listed public company.

(2) If Part B includes systems and controls of that kind, Part B must include a requirement that, in determining whether and in what manner to verify the existence of a foreign listed public company in accordance with those systems and controls, the reporting entity must have regard to ML/TF risk relevant to the provision of the designated service, including the location of the foreign stock or equivalent exchange (if any).

(3) If Part B includes systems and controls of that kind, Part B is taken to comply with the requirements of paragraphs 4.3.5, 4.3.6 and 4.3.7 of these Rules in so far as those customers are concerned.

Beneficial owner – collection and verification of information in respect of certain companies

4.3.10 Part B must include a procedure for the reporting entity to collect the name and address of each beneficial owner (if any) of a proprietary or private company (other than a proprietary company that is licensed and subject to the regulatory oversight of a Commonwealth, State or Territory statutory regulator in relation to its activities as a company).

4.3.11 Part B must include appropriate risk-based systems and controls for the reporting entity to determine whether and to what extent any of the information referred to in paragraph 4.3.10 should be verified.

4.3.12 Part B must include a requirement that, in determining whether and what information will be verified in respect of a company and the extent to which any information is verified pursuant to a procedure of the kind described in paragraph 4.3.11, the reporting entity must have regard to ML/TF risk relevant to the provision of the designated service.

4.3.13 Part B must include appropriate risk-based systems and controls for the reporting entity to determine whether to collect and/or verify the name and address of each beneficial owner (if any) of:

(1) a foreign public company;

(2) a domestic unlisted public company; or

(3) a company that is licensed and subject to the regulatory oversight of a Commonwealth, State or Territory statutory regulator in relation to its activities as a company.

4.3.14 Part B must include a requirement that, in determining whether to collect and/or verify the name and address of each beneficial owner (if any) of a company referred to in paragraph 4.3.13(1), the reporting entity must have regard to ML/TF risk relevant to the provision of the designated service, including the jurisdiction of incorporation of the company as well as the jurisdiction of the primary operations of the company and the location of the foreign stock or equivalent exchange (if any).

4.3.15 Part B must include a requirement that, in determining whether to collect and/or verify the name and address of each beneficial owner (if any) of a company referred to in paragraph 4.3.13(2) or 4.3.13(3), the reporting entity must have regard to ML/TF risk relevant to the provision of the designated service.

4.3.16 For the avoidance of doubt, if Part B includes systems and controls of the kind described in paragraphs 4.3.13 to 4.3.15, Part B need not comply with the requirements of paragraph 4.3.10 in so far as customers of the kind described in paragraph 4.3.13 are concerned.

Methods of verification

4.3.17 Subject to paragraph 4.3.18, Part B must require that the verification of information about a company be based as far as possible on:

(1) reliable and independent documentation;

(2) reliable and independent electronic data; or

(3) a combination of (1) and (2) above.

4.3.18 For the purposes of subparagraph 4.3.17(1), ‘reliable and independent documentation’ includes a disclosure certificate that verifies information about the beneficial ownership of a company (other than a foreign company).

4.3.19 Part B must include appropriate risk-based systems and controls for the reporting entity to determine whether to rely on a disclosure certificate to verify information about a foreign company where such information is not otherwise reasonably available.

4.3.20 Part B must include a requirement that, in determining whether to rely on a disclosure certificate to verify information in relation to a foreign company in accordance with the requirements of paragraph 4.3.19 above, the reporting entity must have regard to ML/TF risk relevant to the provision of the designated service, including the jurisdiction of incorporation of the foreign company as well as the jurisdiction of the primary operations of the foreign company and the location of the foreign stock or equivalent exchange (if any).

Responding to discrepancies

4.3.21 Part B must include appropriate risk-based systems and controls for the reporting entity to respond to any discrepancy that arises in the course of verifying information about a company so that the reporting entity can determine whether it is reasonably satisfied about the matters referred to in subparagraphs 4.3.2(1) and (2).

Part 4.4 – Applicable customer identification procedure with respect to trustees

4.4.1 In so far as a reporting entity has any customer who acts in the capacity of a trustee of a trust, Part B must comply with the requirements specified in Part 4.4 of these Rules.

4.4.2 Part B must include appropriate risk-based systems and controls that are designed to enable the reporting entity to be reasonably satisfied, where a person notifies the reporting entity that the person is a customer of the reporting entity in the person’s capacity as the trustee of a trust, that:

(1) the trust exists; and

(2) the name of each trustee and beneficiary, or a description of each class of beneficiary, of the trust has been provided.

Existence of the trust - collection and verification of information

4.4.3. Part B must include a procedure for the reporting entity to collect, at a minimum, the following KYC information from a customer:

(1) the full name of the trust;

(2) the full business name (if any) of the trustee in respect of the trust;

(3) the type of the trust;

(4) the country in which the trust was established;

(5) if any of the trustees is an individual, then in respect of one of those individuals – the information required to be collected from an individual under the applicable customer identification procedure with respect to individuals set out in Part B;

(6) if any of the trustees is a company, then in respect of one of those companies – the information required to be collected from a company under the applicable customer identification procedure with respect to companies set out in Part B; and

(7) if the trustees comprise individuals and companies then in respect of either an individual or a company – the information required to be collected from the individual or company (as the case may be) under the applicable customer identification with respect to the individual or company set out in Part B.

4.4.4 Part B must include appropriate risk-based systems and controls for the reporting entity to determine whether, in addition to the KYC information referred to in paragraph 4.4.3, any other KYC information relating to the trust’s existence will be collected in respect of a trust.

4.4.5 Part B must include a procedure for the reporting entity to verify, at a minimum:

(1) the full name of the trust from a trust deed, certified copy or certified extract of the trust deed, reliable and independent documents relating to the trust or reliable and independent electronic data;

(2) if any of the trustees is an individual, then in respect of one of those individuals – information about the individual in accordance with the applicable customer identification procedure with respect to individuals set out in Part B;

(3) if any of the trustees is a company, then in respect of one of those companies – information about the company in accordance with the applicable customer identification procedure with respect to companies set out in Part B; and

(4) if the trustees comprise individuals and companies then in respect of either an individual or a company – the information about the individual or company (as the case may be) in accordance with the applicable procedures with respect to the individual or company set out in Part B.

4.4.6 Part B must include appropriate risk-based systems and controls for the reporting entity to determine whether and to what extent, in addition to the KYC information referred to in paragraph 4.4.5, any other KYC information relating to the trust’s existence collected in respect of the trust should be verified.

4.4.7. In determining whether, and what, additional information will be collected and/or verified in respect of a trust pursuant to paragraphs 4.4.4 and/or 4.4.6, the reporting entity must have regard to ML/TF risk relevant to the provision of the designated service.

4.4.8 If Part B includes the simplified trustee verification procedure described below with respect to a trust that is:

(1) a managed investment scheme registered by ASIC;

(2) a managed investment scheme that is not registered by ASIC and that:

(a) only has wholesale clients; and

(b) does not make small scale offerings to which section 1012E of the Corporations Act 2001 applies;

(3) registered and subject to the regulatory oversight of a Commonwealth statutory regulator in relation to its activities as a trust; or

(4) a government superannuation fund established by legislation;

Part B is taken to comply with the requirements of paragraphs 4.4.5, 4.4.6 and 4.4.7 of these Rules in so far as those customers are concerned.

Trustees and beneficiaries – collection and verification of information

4.4.9 Part B must include a procedure for the reporting entity to collect, at a minimum, the following KYC information from a customer (other than a trustee in respect of a trust to which paragraph 4.4.13 or 4.4.14 applies):

(1) the full name and address of each trustee in respect of the trust; and

(2) either:

(a) the full name of each beneficiary in respect of the trust; or

(b) if the terms of the trust identify the beneficiaries by reference to membership of a class – details of the class.

4.4.10 Part B must include appropriate risk-based systems and controls for the reporting entity to determine whether, in addition to the KYC information referred to in paragraph 4.4.9, any other KYC information relating to the trustees or beneficiaries will be collected in respect of the trust.

4.4.11 Part B must include appropriate risk-based systems and controls for the reporting entity to determine whether and, if so, in what manner to verify the name of any or each trustee or beneficiary, or details of any or each class of beneficiaries, or any other KYC information collected pursuant to a procedure of the kind described in paragraph 4.4.9, from the sources described in paragraph 4.4.15.

4.4.12 Part B must include a requirement that, in determining whether and what KYC information will be collected and/or verified in respect of a trust and the extent to which any KYC information is verified, pursuant to a procedure of the kind described in paragraphs 4.4.10 and/or 4.4.11, the reporting entity must have regard to ML/TF risk relevant to the provision of the designated service.

4.4.13 Part B need not include the requirements specified in paragraphs 4.4.9 to 4.4.12 in relation to a trust that is:

(1) a managed investment scheme registered by ASIC;

(2) a managed investment scheme that is not registered by ASIC and that:

(a) only has wholesale clients; and

(b) does not make small scale offerings to which section 1012E of the Corporations Act 2001 applies; or

(3) a government superannuation fund established by legislation.

4.4.14 Part B need not include the requirements specified in paragraph 4.4.9 in relation to a trust that is registered and subject to the regulatory oversight of a Commonwealth statutory regulator in relation to its activities as a trust.

Methods of verification

4.4.15 Subject to paragraph 4.4.16, Part B must require that the verification of information about a trust be based on:

(1) a trust deed, certified copy or certified extract of a trust deed;

(2) reliable and independent documents relating to the trust;

(3) reliable and independent electronic data; or

(4) a combination of (1) to (3) above.

4.4.16 For the purposes of subparagraph 4.4.15(2), ‘reliable and independent documents relating to the trust’ includes a disclosure certificate that verifies information about a trust where:

(1) the verification is for the purposes of a procedure of the kind described in paragraphs 4.4.6 or 4.4.11 of these Rules; and

(2) the information to be verified is not otherwise reasonably available from the sources described in paragraph 4.4.15.

Responding to discrepancies

4.4.17 Part B must include appropriate risk-based systems and controls for the reporting entity to respond to any discrepancy that arises in the course of verifying information about a customer so that the reporting entity can determine whether it is reasonably satisfied about the matters referred to in subparagraphs 4.4.2(1) and (2).

Part 4.5 - Applicable customer identification procedure with respect to partners

4.5.1 In so far as a reporting entity has any customer who acts in the capacity of a partner in a partnership, Part B must comply with the requirements specified in Part 4.5 of these Rules.

4.5.2 Part B must include appropriate risk-based systems and controls that are designed to enable the reporting entity to be reasonably satisfied, where a person notifies the reporting entity that the person is a customer of the reporting entity in the person’s capacity as a partner in a partnership, that:

(1) the partnership exists; and

(2) the name of each of the partners in the partnership has been provided in accordance with subparagraph 4.5.3(5).

Collection and verification of information

4.5.3 Part B must include a procedure for the reporting entity to collect, at a minimum, the following KYC information and documentation from a customer:

(1) the full name of the partnership;

(2) the full business name (if any) of the partnership as registered under any State or Territory business names legislation;

(3) the country in which the partnership was established;

(4) in respect of one of the partners - the information required to be collected from an individual under the applicable customer identification procedure with respect to individuals set out in Part B; and

(5) the full name and residential address of each partner in the partnership except where the regulated status of the partnership is confirmed through reference to the current membership directory of the relevant professional association.

4.5.4 Part B must include appropriate risk-based systems and controls for the reporting entity to determine whether, in addition to the information referred to in paragraph 4.5.3, any other KYC information will be collected in respect of a partnership.

4.5.5 Part B must include a procedure for the reporting entity to verify at a minimum:

(1) the full name of the partnership from the partnership agreement, certified copy or certified extract of the partnership agreement, reliable and independent documents relating to the partnership or reliable and independent electronic data; and

(2) information about one of the partners in accordance with the applicable customer identification procedure with respect to individuals set out in Part B.

4.5.6 Part B must include appropriate risk-based systems and controls for the reporting entity to determine whether, and to what extent, in addition to the KYC information referred to in paragraph 4.5.5, any other KYC information collected in respect of the partnership should be verified.

Methods of verification

4.5.7 Subject to paragraph 4.5.8, Part B must require that the verification of information about a partnership be based on:

(1) a partnership agreement, certified copy or certified extract of a partnership agreement;

(2) a certified copy or certified extract of minutes of a partnership meeting;

(3) reliable and independent documents relating to the partnership;

(4) reliable and independent electronic data; or

(5) a combination of (1) to (4) above.

4.5.8 For the purposes of subparagraph 4.5.7(3), ‘reliable and independent documents relating to the partnership’ includes a disclosure certificate that verifies information about a partnership where:

(1) the verification is for the purposes of a procedure of the kind described in paragraph 4.5.6 of these Rules; and

(2) the information to be verified is not otherwise reasonably available from the sources described in paragraph 4.5.7.

Responding to discrepancies

4.5.9 Part B must include appropriate risk-based systems and controls for the reporting entity to respond to any discrepancy that arises in the course of verifying information about a customer so that the reporting entity can determine whether it is reasonably satisfied about the matters referred to in subparagraphs 4.5.2(1) and (2).

Part 4.6 – Applicable customer identification procedure with respect to associations

4.6.1 In so far as a reporting entity has any customer who is an incorporated or unincorporated association, Part B must comply with the requirements specified in Part 4.6 of these Rules.

4.6.2 Part B must include appropriate risk-based systems and controls that are designed to enable the reporting entity to be reasonably satisfied, where a customer notifies the reporting entity that it is an incorporated or unincorporated association, that:

(1) the association exists; and

(2) the names of any members of the governing committee (howsoever described) of the association have been provided.

Collection and verification of information

4.6.3 Part B must include a procedure for the reporting entity to collect, at a minimum, the following KYC information from an incorporated or unincorporated association:

(1) if the customer notifies the reporting entity that it is an incorporated association:

(a) the full name of the association;

(b) the full address of the association’s principal place of administration or registered office (if any) or the residential address of the association’s public officer or (if there is no such person) the association’s president, secretary or treasurer;

(c) any unique identifying number issued to the association upon its incorporation by the State, Territory or overseas body responsible for the incorporation of the association; and

(d) the full name of the chairman, secretary and treasurer or equivalent officer in each case of the association; and

(2) if the person notifies the reporting entity that he or she is a customer in his or her capacity as a member of an unincorporated association:

(a) the full name of the association;

(b) the full address of the association’s principal place of administration (if any);

(c) the full name of the chairman, secretary and treasurer or equivalent officer in each case of the association; and

(d) in respect of the member – the information required to be collected from an individual under the applicable customer identification procedure with respect to individuals set out in Part B.

4.6.4 Part B must include appropriate risk-based systems and controls for the reporting entity to determine whether, in addition to the KYC information referred to in paragraph 4.6.3, any other KYC information will be collected in respect of an association.

4.6.5 Part B must include a procedure for the reporting entity to at a minimum:

(1) if the customer is an incorporated association - verify from information provided by ASIC or by the State, Territory or overseas body responsible for the incorporation of the association or from the rules or constitution of the association or from a certified copy or certified extract of the rules or constitution of the association or from reliable and independent documents relating to the association or from reliable and independent electronic data:

(a) the full name of the incorporated association; and

(b) any unique identifying number issued to the incorporated association upon its incorporation; and

(2) if the customer notifies the reporting entity that he or she is a customer in his or her capacity as a member of an unincorporated association:

(a) verify the full name (if any) of the association from the rules or constitution of the association or from a certified copy or certified extract of the rules or constitution of the association or from reliable and independent documents relating to the association or from reliable and independent electronic data; and

(b) verify information about the member in accordance with the applicable customer identification procedure with respect to individuals set out in Part B.

4.6.6 Part B must include appropriate risk-based systems and controls for the reporting entity to determine whether and to what extent, in addition to the KYC information referred to in paragraph 4.6.5, any other KYC information collected in respect of the association should be verified.

Methods of verification

4.6.7 Subject to paragraph 4.6.8, Part B must require that the verification of information about an association be based on:

(1) the constitution or rules of the association or a certified copy or certified extract of the constitution or rules of the association;

(2) the minutes of meeting of the association or a certified copy or certified extract of minutes of meeting of the association;

(3) in the case of an incorporated association, information provided by ASIC or by the State, Territory or overseas body responsible for the incorporation of the association;

(4) reliable and independent documents relating to the association;

(5) reliable and independent electronic data; or

(6) a combination of (1)–(5) above.

4.6.8 For the purposes of subparagraph 4.6.7(4), ‘reliable and independent documents relating to the association’ includes a disclosure certificate that verifies information about an association where:

(1) the verification is for the purposes of a procedure of the kind described in paragraph 4.6.6 of these Rules; and

(2) the information to be verified is not otherwise reasonably available from the sources described in paragraph 4.6.7.

Responding to discrepancies

4.6.9 Part B must include appropriate risk-based systems and controls for the reporting entity to respond to any discrepancy that arises in the course of verifying information about an association so that the reporting entity can determine whether it is reasonably satisfied about the matters referred to in subparagraphs 4.6.2(1) and (2).

Part 4.7 - Applicable customer identification procedure with respect to registered co-operatives

4.7.1 In so far as a reporting entity has any customer who is a registered co-operative, Part B must comply with the requirements specified in Part 4.7 of these Rules.

4.7.2 Part B must include appropriate risk-based systems and controls that are designed to enable the reporting entity to be reasonably satisfied, where a customer notifies the reporting entity that it is a registered co-operative, that:

(1) the co-operative exists; and

(2) the names of the chairman, secretary or equivalent officer in each case of the co-operative have been provided.

Collection and verification of information

4.7.3 Part B must include a procedure for the reporting entity to collect, at a minimum, the following KYC information from a registered co-operative:

(1) the full name of the co-operative;

(2) the full address of the co-operative’s registered office or principal place of operations (if any) or the residential address of the co-operative’s secretary or (if there is no such person) the co-operative’s president or treasurer;

(3) any unique identifying number issued to the co-operative upon its registration by the State, Territory or overseas body responsible for the registration of the co-operative; and

(4) the full name of the chairman, secretary and treasurer or equivalent officer in each case of the co-operative.

4.7.4 Part B must include appropriate risk-based systems and controls for the reporting entity to determine whether, in addition to the information referred to in paragraph 4.7.3, any other KYC information will be collected in respect of a registered co-operative.

4.7.5 Part B must include a procedure for the reporting entity to, at a minimum, verify from information provided by ASIC or by the State, Territory or overseas body responsible for the registration of the co-operative or from any register maintained by the co-operative or a certified copy or certified extract of any register maintained by the co-operative or from reliable and independent documents relating to the co-operative or from reliable and independent electronic data:

(1) the full name of the co-operative; and

(2) any unique identifying number issued to the co-operative upon its registration.

4.7.6 Part B must include appropriate risk-based systems and controls for the reporting entity to determine whether and to what extent, in addition to the KYC information referred to in paragraph 4.7.5, any other KYC information relating to the registered co-operative should be verified.

Methods of verification

4.7.7 Subject to paragraph 4.7.8, Part B must require that the verification of information about a registered co-operative be based on:

(1) any register maintained by the co-operative or a certified copy or certified extract of any register maintained by the co-operative;

(2) any minutes of meeting of the co-operative or a certified copy or certified extract of any minutes of meeting of the co-operative;

(3) information provided by the State, Territory or overseas body responsible for the registration of the co-operative;

(4) reliable and independent documents relating to the co-operative;

(5) reliable and independent electronic data; or

(6) a combination of (1)–(5) above.

4.7.8 For the purposes of subparagraph 4.7.7(4), ‘reliable and independent documents relating to the co-operative’ includes a disclosure certificate that verifies information about a registered co-operative where:

(1) the verification is for the purposes of a procedure of the kind described in paragraph 4.7.6 of these Rules; and

(2) the information to be verified is not otherwise reasonably available from the sources described in paragraph 4.7.7.

Responding to discrepancies

4.7.9 Part B must include appropriate risk-based systems and controls for the reporting entity to respond to any discrepancy that arises in the course of verifying information about a registered co-operative so that the reporting entity can determine whether it is reasonably satisfied about the matters referred to in subparagraphs 4.7.2(1) and (2).

Part 4.8 - Applicable customer identification procedure with respect to government bodies

4.8.1 In so far as a reporting entity has any customer who is a government body Part B must comply with the requirements specified in Part 4.8 and (in so far as they are applicable) Parts 4.9 and 4.10.

4.8.2 Part B must include appropriate risk-based systems and controls that are designed to enable the reporting entity to be reasonably satisfied, where a customer notifies the reporting entity that it is a government body, that:

(1) the government body exists; and

(2) in the case of certain kinds of government bodies –information about the beneficial ownership of the government body has been provided, where sought by the reporting entity.

Collection and verification of information

4.8.3 Part B must include a procedure for the reporting entity to collect, at a minimum, the following KYC information from a government body:

(1) the full name of the government body;

(2) the full address of the government body’s principal place of operations;

(3) whether the government body is an entity or emanation, or is established under legislation, of the Commonwealth; and

(4) whether the government body is an entity or emanation, or is established under legislation, of a State, Territory, or a foreign country and the name of that State, Territory or country.

4.8.4 Part B must include appropriate risk-based systems and controls for the reporting entity to determine whether, in addition to the KYC information referred to in paragraph.4.8.3 above, any other KYC information will be collected in respect of a government body.

4.8.5 Part B must include a procedure for the reporting entity to verify the information collected under paragraph 4.8.3 from reliable and independent documentation, reliable and independent electronic data or a combination of both.

4.8.6 Part B must include appropriate risk-based systems and controls for the reporting entity to determine whether, in addition to carrying out the procedure described in paragraph 4.8.5, any KYC information collected under paragraph 4.8.4 should be verified.

Beneficial ownership in respect of foreign government entities

4.8.7 Part B must include appropriate risk-based systems and controls for the reporting entity to determine whether to collect any KYC information about the ownership or control of a government body that is an entity or emanation, or is established under legislation, of a foreign country.

4.8.8 Part B must include appropriate risk-based systems and controls for the reporting entity to determine whether to verify any KYC information collected pursuant to a procedure of the kind described in paragraph 4.8.7 from reliable and independent documentation, reliable and independent electronic data or a combination of both.

Responding to discrepancies

4.8.9 Part B must include appropriate risk-based systems and controls for the reporting entity to respond to any discrepancy that arises in the course of verifying information about a government body so that the reporting entity can determine whether it is reasonably satisfied about the matters referred to in subparagraphs 4.8.2(1) and (2).

Part 4.9 - Verification from documentation

Verification with respect to individuals

4.9.1 In so far as Part B provides for the verification of KYC information collected from a customer who is an individual by means of reliable and independent documentation, Part B must comply with the requirements specified in paragraphs 4.9.2 and 4.9.3.

4.9.2 Part B must require that the reporting entity be satisfied that any document from which the reporting entity verifies KYC information collected from a customer has not expired (other than in the case of a passport issued by the Commonwealth that expired within the preceding two years).

4.9.3 Part B must include appropriate risk-based systems and controls for the reporting entity to determine:

(1) what reliable and independent documentation the reporting entity will require a customer to produce for the purpose of verifying the customer’s name and date of birth and/or residential address (as the case may be);

(2) if any other KYC information collected from a customer is to be verified – what reliable and independent documentation may be used to verify that information;

(3) whether, and in what circ*mstances, the reporting entity is prepared to rely upon a copy of a reliable and independent document;

(4) in what circ*mstances a reporting entity will take steps to determine whether a document produced by a customer may have been forged, tampered with, cancelled or stolen and, if so, what steps the reporting entity will take to establish whether or not the document has been forged, tampered with, cancelled or stolen;

(5) whether the reporting entity will use any authentication service that may be available in respect of a document; and

(6) whether, and how, to confirm KYC information collected from a customer by independently initiating contact with the person that the customer claims to be.

Verification with respect to persons other than individuals

4.9.4 In so far as Part B provides for the verification of KYC information about a customer who is not an individual by means of reliable and independent documentation, Part B must comply with the requirements specified in paragraph 4.9.5.

4.9.5 Part B must include appropriate risk-based systems and controls for the reporting entity to determine:

(1) what and how many reliable and independent documents the reporting entity will use for the purpose of verification;

(2) whether a document is sufficiently contemporaneous for use in verification;

(3) whether, and in what circ*mstances, the reporting entity is prepared to rely upon a copy of a reliable and independent document;

(4) in what circ*mstances the reporting entity will take steps to determine whether a document produced by a customer may have been cancelled, forged, tampered with or stolen and, if so, what steps the reporting entity will take to establish whether or not the document has been cancelled, forged, tampered with or stolen;

(5) whether the reporting entity will use any authentication service that may be available in respect of a document; and

(6) whether, and how, to confirm information about a customer by independently initiating contact with the customer.

Part 4.10 - Verification from reliable and independent electronic data

4.10.1 In so far as Part B provides for the verification of KYC information collected from a customer by means of reliable and independent electronic data, Part B must comply with the requirements specified in paragraph 4.10.2.

4.10.2 Part B must include appropriate risk-based systems and controls for the reporting entity to determine:

(1) whether the electronic data is reliable and independent, taking into account the following factors:

(a) the accuracy of the data;

(b) how secure the data is;

(c) how the data is kept up-to-date;

(d) how comprehensive the data is (for example, by reference to the range of persons included in the data and the period over which the data has been collected);

(e) whether the data has been verified from a reliable and independent source;

(f) whether the data is maintained by a government body or pursuant to legislation; and

(g) whether the electronic data can be additionally authenticated; and

(2) what reliable and independent electronic data the reporting entity will use for the purpose of verification;

(3) the reporting entity’s pre-defined tolerance levels for matches and errors; and

(4) whether, and how, to confirm KYC information collected from a customer by independently initiating contact with the person that the customer claims to be.

Part 4.11 - Agents of customers

Agents of customers who are individuals

4.11.1 For the purposes of paragraph 89(1)(b) and 89(2)(b) of the AML/CTF Act, paragraphs 4.11.2 to 4.11.4 of these Rules apply in relation to an agent of a customer who is an individual where that agent is authorised to act for or on behalf of the customer in relation to a designated service.

4.11.2 Part B must include a procedure for the reporting entity to collect, at a minimum, the following information and documentation (if any) from the customer:

(1) the full name of each individual who purports to act for or on behalf of the customer with respect to the provision of a designated service by the reporting entity; and

(2) evidence (if any) of the customer’s authorisation of any individual referred to in subparagraph 4.11.2(1).

4.11.3 Part B must include appropriate risk-based systems and controls for the reporting entity to determine whether, and to what extent, it should verify the identity of any of the individuals referred to in subparagraph 4.11.2(1).

4.11.4 Part B must require the reporting entity to have regard to the ML/TF risk relevant to the provision of the designated service for the purposes of determining whether, and to what extent, it should verify the identity of any of the individuals referred to in paragraph 4.11.2(1).

4.11.5 For the purposes of paragraph 89(1)(b) and 89(2(b)of the AML/CTF Act, paragraphs 4.11.6 to 4.11.8 of these Rules apply in relation to an agent of a customer who is not acting in his or her capacity as an individual where that agent is authorised to act for or on behalf of the customer in relation to a designated service.

4.11.6 Part B must include a procedure for the reporting entity to collect, at a minimum, the following information and documentation from the customer:

(1) the full name of each individual who purports to act for or on behalf of the customer with respect to the provision of a designated service by the reporting entity; and

(2) evidence of the customer’s authorisation of any individual referred to in subparagraph 4.11.6(1).

4.11.7 Part B must include appropriate risk-based systems and controls for the reporting entity to determine whether, and to what extent, it should verify the identity of any of the individuals referred to in subparagraph 4.11.6(1).

4.11.8 Part B must require the reporting entity to have regard to the ML/TF risk relevant to the provision of the designated service for the purposes of determining whether, and to what extent, it should verify the identity of any of the individuals referred to in subparagraph 4.11.6(1).

Verifying officers and agents of non-natural customers

4.11.9 Part B may provide for an agent of a customer who is a non-natural person to be identified by the customer’s verifying officer, provided the requirements in paragraphs 4.11.12 to 4.11.13 are met.

4.11.10 In so far as:

(1) Part B provides for an agent of a non-natural customer to be identified by a verifying officer; and

(2) the requirements in paragraphs 4.11.12 to 4.11.13 of these Rules are met;

Part B need not apply the requirements in 4.11.6 to 4.11.8 of these Rules in relation to that agent.

Appointment of a verifying officer

4.11.11 A verifying officer is a person appointed by a customer to act as a verifying officer for the purposes of these Rules. A person may be appointed as a verifying officer if he or she is an employee, agent or contractor of the customer.

Identification by a verifying officer

4.11.12 Where Part B provides for an agent to be identified by a verifying officer, Part B must include a requirement for:

(1) the agent to be identified by the customer’s verifying officer in accordance with paragraph 4.11.13 of these Rules;

(2) the verifying officer to be identified and verified by the reporting entity in accordance with the requirements specified in Chapter 4 of these Rules;

(3) the reporting entity to be provided with evidence of the customer’s authorisation of the verifying officer to act as a verifying officer;

(4) the verifying officer to make and for the customer to retain, a record of all matters collected pursuant to paragraph 4.11.13; and

(5) the verifying officer to provide the following to the reporting entity:

(a) the full name of the agent; and

(b) a copy of the signature of the agent.

4.11.13 A verifying officer will be taken to have identified an agent if he or she has collected the following:

(1) the full name of the agent;

(2) the title of the position or role held by the agent with the customer;

(3) a copy of the signature of the agent; and

(4) evidence of the agent’s authorisation to act on behalf of the customer.

CHAPTER 5

Part 5.1 – Special anti-money laundering and counter-terrorism financing (AML/CTF) program

5.1.1 These Anti-Money Laundering and Counter-Terrorism Financing Rules (Rules) are made pursuant to section 229 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) for the purposes of paragraph 86(1)(c) of that Act. They specify the requirements with which a special AML/CTF program must comply.

5.1.2 A reporting entity must have a special AML/CTF program where all of the designated services it provides are covered by item 54 of table 1 in section 6 of the AML/CTF Act. The sole or primary purpose of a special program is to set out the reporting entity’s applicable customer identification procedures. Chapter 5 does not apply to pre-commencement customers.

Part 5.2 – Applicable customer identification procedures in relation to special AML/CTF program

5.2.1 The requirements with which a special AML/CTF program must comply are the requirements that are specified in the Rules in Chapter 4 with respect to Part B of a standard AML/CTF program and Part B of a joint AML/CTF program.

5.2.2 For the avoidance of doubt, the requirements specified in the Rules in Chapter 4 apply with respect to a special AML/CTF program as if any reference in those paragraphs to ‘Part B’ includes a reference to ‘a special AML/CTF program.’

5.2.3 Paragraphs 4.11.1 and 4.11.5 of the Rules in Chapter 4 apply with respect to a special AML/CTF Program as if the rule were made under paragraph 89(3)(b) of the AML/CTF Act.

CHAPTER 6

Part 6.1 – Verification of identity of customers

6.1.1 These Anti-Money Laundering and Counter-Terrorism Financing Rules (Rules) are made pursuant to subsection 29(2), subsection 31(2), subparagraph 35(1)(b)(ii), subsection 35(2) and section 229 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act).

Part 6.2 – Verification of the identity of customers for the purposes of section 35

6.2.1 For the purposes of subparagraph 35(1)(b)(ii) of the AML/CTF Act, section 35 will apply to a reporting entity in circ*mstances where the reporting entity suspects on reasonable grounds that the customer is not the person that he or she claims to be.

6.2.2 Where the circ*mstance specified in paragraph 6.2.1 above comes into existence, the specified action for the purposes of subsection 35(2) of the AML/CTF Act is set out at paragraph 6.2.3 below.

6.2.3 The reporting entity must, within 14 days commencing after the day on which the circ*mstance specified in paragraph 6.2.1 above comes into existence, take one or more of the actions specified below:

(1) collect any KYC information in respect of the customer; or

(2) verify, from a reliable and independent source, certain KYC information that has been obtained in respect of the customer;

for the purpose of enabling the reporting entity to be reasonably satisfied that the customer is the person that he or she claims to be.

Part 6.3 - Verification of the identity of pre-commencement customers

6.3.1 For the purposes of subsection 29(2) of the AML/CTF Act, the specified action is as set out in paragraph 6.3.2.

6.3.2 The reporting entity must, within 14 days commencing after the day on which the suspicious matter reporting obligation arose, take one or more of the actions specified below:

(1) carry out the applicable customer identification procedure unless the reporting entity has previously carried out or been deemed to have carried out that procedure or a comparable procedure;

(2) collect any KYC information in respect of the customer; or

(3) verify, from a reliable and independent source, certain KYC information that has been obtained in respect of the customer;

for the purpose of enabling the reporting entity to be reasonably satisfied that the customer is the person that he or she claims to be.

Part 6.4 - Verification of the identity of low-risk service customers

6.4.1 For the purposes of subsection 31(2) of the AML/CTF Act, the specified action is as set out in paragraph 6.4.2 below.

6.4.2 The reporting entity must, within 14 days starting after the day on which the suspicious matter reporting obligation arose, take one or more of the actions specified below:

(1) carry out the applicable customer identification procedure unless the reporting entity has previously carried out or been deemed to have carried out that procedure or a comparable procedure;

(2) collect any KYC information in respect of the customer; or

(3) verify, from a reliable and independent source, certain KYC information that has been obtained in respect of the customer;

for the purpose of enabling the reporting entity to be reasonably satisfied that the customer is the person that he or she claims to be.

CHAPTER 7

Part 7.1 – applicable customer identification procedures deemed to have been carried out by a reporting entity

7.1.1 These Anti-Money Laundering and Counter-Terrorism Financing Rules (Rules) are made pursuant to sections 38 and 229 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act).

7.1.2 For the purposes of these Rules:

the first reporting entity means the reporting entity referred to in paragraph 38(a) of the AML/CTF Act; and

the second reporting entity means the reporting entity referred to in paragraph 38(c) of the AML/CTF Act.

Part 7.2 – Licensed financial advisers

7.2.1 A circ*mstance for the purposes of paragraph 38(b) of the AML/CTF Act is that the first reporting entity has provided a designated service within the meaning of item 54 of table 1 of section 6 of the AML/CTF Act to a particular customer.

7.2.2 In relation to the circ*mstances specified in paragraph 7.2.1, the following are conditions for the purposes of paragraph 38(d) of the AML/CTF Act:

(1) the designated service referred to in paragraph 7.2.1 involved the first reporting entity making arrangements for the customer to receive a designated service from the second reporting entity;

(2) the second reporting entity has obtained a copy of the record made by the first reporting entity in accordance with subsection 112(2) of the AML/CTF Act in respect of the customer or under an agreement in place for the management of identification or other records, the second reporting entity has access to the record made by the first reporting entity in accordance with subsection 112(2); and

(3) the second reporting entity has determined that it is appropriate for it to rely upon the applicable customer identification procedure carried out by the first reporting entity having regard to the ML/TF risk faced by the second reporting entity relevant to the provision of the designated service to the customer.

Part 7.3 – Designated business groups

7.3.1 A circ*mstance for the purposes of paragraph 38(b) is that the first reporting entity is a member of a designated business group as defined in section 5 of the AML/CTF Act.

7.3.2 In relation to the circ*mstance specified in paragraph 7.3.1, the following are conditions for the purposes of paragraph 38(d) of the AML/CTF Act:

(1) at the time when the customer referred to in paragraph 7.3.1 becomes a customer of the second reporting entity, or at any other time when a customer is required to undergo the applicable customer identification procedure by the second reporting entity, the second reporting entity is a member of the same designated business group to which the first reporting entity belongs;

(2) the second reporting entity has obtained a copy of the record made by the first reporting entity in accordance with subsection 114(2) of the AML/CTF Act in respect of the customer or under an agreement in place for the management of identification or other records, the second reporting entity has access to the record made by the first reporting entity in accordance with subsection 112(2); and

(3) the second reporting entity has determined that it is appropriate for it to rely upon the applicable customer identification procedure carried out by the first reporting entity having regard to the ML/TF risk faced by the second reporting entity relevant to the provision of the designated service to the customer.

CHAPTER 8

Part 8.1 – Part A of a standard anti-money laundering and counter-terrorism financing (AML/CTF) program

8.1.1 These Anti-Money Laundering and Counter-Terrorism Financing Rules (Rules) are made pursuant to section 229 and (in relation to these Rules in 8.1 to 8.7) paragraph 84(2)(c) of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act). Part 7 of the AML/CTF Act obliges a reporting entity to adopt and maintain an AML/CTF program relating to the provision of designated services. A standard AML/CTF program is a program that applies to a particular reporting entity. Standard AML/CTF programs are divided into Parts A and B.

8.1.2 The primary purpose of Part A of a standard AML/CTF program is to identify, manage and mitigate money laundering or terrorism financing (ML/TF) risk a reporting entity may reasonably face in relation to the provision by the reporting entity of designated services at or through a permanent establishment in Australia. These Rules set out the requirements with which Part A of a standard AML/CTF program must comply.

The risk-based approach and ML/TF risk

8.1.3 Some of the requirements specified in these Rules may be complied with by a reporting entity putting in place appropriate risk-based systems or controls. When determining and putting in place appropriate risk-based systems or controls, the reporting entity must have regard to the nature, size and complexity of its business and the type of ML/TF risk that it might reasonably face.

8.1.4 For the purposes of these Rules, in identifying its ML/TF risk a reporting entity must consider the risk posed by the following factors:

(1) its customer types, including any politically exposed persons;

(2) the types of designated services it provides;

(3) the methods by which it delivers designated services; and

(4) the foreign jurisdictions with which it deals.

8.1.5 Part A must be designed to enable the reporting entity to:

(1) identify significant changes in ML/TF risk for the purposes of its Part A and Part B programs;

(2) recognise such changes in ML/TF risk for the purposes of the requirements of its Part A and Part B programs; and

(3) assess the ML/TF risk posed by:

(a) all new designated services prior to introducing them to the market;

(b) all new methods of designated service delivery prior to adopting them; and

(c) all new or developing technologies used for the provision of a designated service prior to adopting them.

8.1.6 Part A must include a requirement that, in determining what is an appropriate risk-based procedure for inclusion in Part B or the reporting entity’s standard AML/CTF program, the reporting entity must have regard to ML/TF risk relevant to the provision of the designated service.

Application

8.1.7 Unless otherwise provided in the AML/CTF Act or these Rules, a reporting entity must apply Part A to all areas of its business that are involved in the provision of a designated service, including in relation to any function carried out by a third party.

Part 8.2 - AML/CTF risk awareness training program

8.2.1 Part A must include an AML/CTF risk awareness training program that meets the requirements of paragraphs 8.2.2 to 8.2.3 below.

8.2.2 The AML/CTF risk awareness training program must be designed so that the reporting entity gives its employees appropriate training at appropriate intervals, having regard to ML/TF risk it may reasonably face.

8.2.3 The AML/CTF training program must be designed to enable employees to understand:

(1) the obligations of the reporting entity under the AML/CTF Act and Rules;

(2) the consequences of non-compliance with the AML/CTF Act and Rules;

(3) the type of ML/TF risk that the reporting entity might face and the potential consequences of such risk; and

(4) those processes and procedures provided for by the reporting entity’s AML/CTF program that are relevant to the work carried out by the employee.

Part 8.3 - Employee due diligence program

8.3.1 Part A must include an employee due diligence program that meets the requirements of paragraphs 8.3.2 to 8.3.4 of these Rules.

8.3.2 The employee due diligence program must put in place appropriate risk-based systems and controls for the reporting entity to determine whether to, and in what manner to, screen any prospective employee who, if employed, may be in a position to facilitate the commission of a money laundering or financing of terrorism offence in connection with the provision of a designated service by the reporting entity.

8.3.3 The employee due diligence program must include appropriate risk-based systems and controls for the reporting entity to determine whether to, and in what manner to, re-screen an employee where the employee is transferred or promoted and may be in a position to facilitate the commission of a money laundering or financing of terrorism offence in connection with the provision of a designated service by the reporting entity.

8.3.4 The employee due diligence program must establish and maintain a system for the reporting entity to manage any employee who fails, without reasonable excuse, to comply with any system, control or procedure established in accordance with Part A or Part B.

Note: Reporting entities should note the Privacy Commissioner’s information sheet in relation to the handling of employee information.

Part 8.4 - Oversight by boards and senior management

8.4.1 A reporting entity’s Part A program must be approved by its governing board and senior management. Part A must also be subject to the ongoing oversight of the reporting entity’s board and senior management. Where the reporting entity does not have a board, Part A must be approved and overseen by its chief executive officer or equivalent.

Part 8.5 - AML/CTF Compliance Officer

8.5.1 Part A must provide for the reporting entity to designate a person as the ‘AML/CTF Compliance Officer’ at the management level. The AML/CTF Compliance Officer may have other duties.

Part 8.6 - Independent review

8.6.1 Part A must be subject to regular independent review. The review may be carried out by either an internal or external party.

8.6.2 The purpose of the review should be to:

(1) assess the effectiveness of the Part A program having regard to the ML/TF risk of the reporting entity;

(2) assess whether the Part A program complies with these Rules;

(3) assess whether the Part A program has been effectively implemented; and

(4) assess whether the reporting entity has complied with its Part A program.

8.6.3 The result of the review, including any report prepared, must be provided to the governing board and senior management.

Part 8.7 - AUSTRAC feedback

8.7.1 Part A must include appropriate procedures for the reporting entity to have regard to any feedback provided by AUSTRAC in respect of the reporting entity’s performance on the management of ML/TF risk.

Part 8.8 - Permanent establishments in a foreign country

8.8.1 The Rules in part 8.8 are made pursuant to section 229 of the AML/CTF Act for the purposes of paragraph 84(2)(b) of that Act. The Rules in part 8.8 apply to a reporting entity in respect of any permanent establishment in a foreign country at or through which it provides designated services.

8.8.2 Subject to 8.8.3 below, Part A of a reporting entity’s AML/CTF program must include systems and controls that meet the obligations under the AML/CTF Act that apply to the provision by the reporting entity of designated services at or through a permanent establishment of the reporting entity in a foreign country.

8.8.3 Where a reporting entity’s permanent establishment in a foreign jurisdiction is regulated by anti-money laundering and counter-terrorism financing laws comparable to Australia, only minimal additional systems and controls need to be considered.

8.8.4 The requirements in parts 8.4 to 8.7 of these Rules apply in relation to a permanent establishment in a foreign country at or through which a reporting entity provides designated services. The requirements in parts 8.1 to 8.3 of these Rules do not apply in relation to a permanent establishment in a foreign country at or through which a reporting entity provides designated services.

CHAPTER 9

Part 9.1 - Part A of a joint anti-money laundering and counter-terrorism financing (AML/CTF) program

9.1.1 These Anti-Money Laundering and Counter-Terrorism Financing Rules (Rules) are made pursuant to section 229 and (in relation to these Rules in 9.1 to 9.7) paragraph 85(2)(c) of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act). Part 7 of the AML/CTF Act obliges a reporting entity to adopt and maintain an AML/CTF program relating to the provision of designated services. A joint AML/CTF program is a program that applies to each reporting entity that from time to time belongs to a designated business group. Joint AML/CTF programs are divided into Parts A and B.

9.1.2 The primary purpose of Part A of a joint AML/CTF program is to identify, manage and mitigate ML/TF risk faced by each reporting entity (in a designated business group) in relation to the provision by the reporting entity of designated services at or through a permanent establishment in Australia. These Rules set out the requirements with which Part A of a joint AML/CTF program must comply.

The risk-based approach and ML/TF risk

9.1.3 Some of the requirements specified in these Rules may be complied with by putting in place appropriate risk-based systems and controls. In determining and putting in place appropriate risk-based systems and controls, Part A must have regard to the following factors in relation to each reporting entity in the designated business group:

(1) the nature, size and complexity of business; and

(2) the type of ML/TF risk that might be reasonably faced.

9.1.4 For the purposes of these Rules, in identifying the ML/TF risk, Part A must take account of the risk posed by the following factors in relation to each reporting entity in the designated business group:

(1) the customer types, including any politically exposed persons;

(2) the types of designated services provided;

(3) the methods by which designated services are delivered; and

(4) the foreign jurisdictions dealt with.

9.1.5 Part A must be designed to enable:

(1) significant changes in ML/TF risk to be identified for the purposes of the group’s Part A and Part B programs;

(2) such changes in ML/TF risk to be recognised for the purposes of the requirements of the group’s Part A and Part B programs; and

(3) the ML/TF risk posed by the following to be assessed:

(a) all new designated services prior to introducing them to the market;

(b) all new methods of designated service delivery prior to adopting them; and

(c) all new or developing technologies used for the provision of a designated service prior to adopting them.

9.1.6 Part A must include a requirement that, in determining what is an appropriate risk-based procedure for inclusion in Part B of the reporting entity’s joint AML/CTF program, the reporting entity must have regard to ML/TF risk relevant to the provision of the designated service.

Application

9.1.7 Unless otherwise provided in the AML/CTF Act or these Rules, each reporting entity in the designated business group must apply Part A to all areas of its business that are involved in the provision of a designated service, including in relation to any function carried out by a third party.

Part 9.2 - AML/CTF risk awareness training program

9.2.1 Part A must include an AML/CTF risk awareness training program that meets the requirements of paragraphs 9.2.2 and 9.2.3 below.

9.2.2 The AML/CTF risk awareness training program must be designed so that each reporting entity gives its employees appropriate training at appropriate intervals, having regard to ML/TF risk it may reasonably face.

9.2.3 The AML/CTF training program must be designed to enable employees to understand:

(1) the obligations of the reporting entity under the AML/CTF Act and Rules;

(2) the consequences of non-compliance with the AML/CTF Act and Rules;

(3) the type of ML/TF risk that the reporting entity might face and the potential consequences of such risk; and

(4) those processes and procedures provided for by the reporting entity’s AML/CTF program that are relevant to the work carried out by the employee.

Part 9.3 - Employee due diligence program

9.3.1 Part A must include an employee due diligence program that meets the requirements of paragraphs 9.3.2 to 9.3.4 of these Rules.

9.3.2 The employee due diligence program must put in place appropriate risk-based systems and controls for each reporting entity to determine whether to, and in what manner to, screen any prospective employee who, if employed, may be in a position to facilitate the commission of a money laundering or financing of terrorism offence in connection with the provision of a designated service by the reporting entity.

9.3.3 The employee due diligence program must include appropriate risk-based systems and controls for each reporting entity to determine whether to, and in what manner to, re-screen an employee where the employee is transferred or promoted and may be in a position to facilitate the commission of a money laundering or financing of terrorism offence in connection with the provision of a designated service by the reporting entity.

9.3.4 The employee due diligence program must establish and maintain a system for each reporting entity to manage any employee who fails, without reasonable excuse, to comply with any system, control or procedure established in accordance with Part A or Part B.

Part 9.4 - Oversight by boards and senior management

9.4.1 Except where paragraph 9.4.2 applies, the Part A program must be approved by the governing board and senior management of each reporting entity in the designated business group. Part A must also be subject to the ongoing oversight of each reporting entity’s board and senior management. Where the reporting entity does not have a board, Part A must be approved and overseen by its chief executive officer or equivalent.

9.4.2 Where each member of a designated business group is related to the other members, the Part A program may be approved by and subject to the ongoing oversight of the governing board and senior management of the main holding company of the group.

Part 9.5 - AML/CTF Compliance Officer

9.5.1 Part A program must provide for the designated business group to designate a person as the ‘AML/CTF Compliance Officer’ at the management level. The AML/CTF Compliance Officer may have other duties.

Part 9.6 - Independent review

9.6.1 Part A must be subject to regular independent review. The review may be carried out by either an internal or external party.

9.6.2 The purpose of the review should be to:

(1) assess the effectiveness of the Part A program having regard to the ML/TF risk of each reporting entity in the designated business group;

(2) assess whether the Part A program complies with these Rules;

(3) assess whether the Part A program has been effectively implemented; and

(4) assess whether each reporting entity in the designated business group has complied with its Part A program.

9.6.3 The result of the review, including any report prepared, must be provided to senior management of each reporting entity in the designated business group.

Part 9.7 - AUSTRAC feedback

9.7.1 Part A must include appropriate procedures for each reporting entity in the designated business group to have regard to any feedback provided by AUSTRAC in respect of the reporting entity’s performance on the management of ML/TF risk.

Part 9.8 - Permanent establishments in a foreign country

9.8.1 The Rules in 9.8 are made pursuant to section 229 of the AML/CTF Act for the purposes of paragraph 85(2)(b) of that Act. The Rules in 9.8 apply to those reporting entities in the designated business group that provide designated services at or through a permanent establishment in a foreign country.

9.8.2 Subject to 9.8.3, Part A of a reporting entity’s AML/CTF program must include systems and controls that meet the obligations under the AML/CTF Act that apply to the provision by the reporting entity of designated services at or through a permanent establishment of the reporting entity in a foreign country.

9.8.3 Where a reporting entity’s permanent establishment in a foreign jurisdiction is regulated by anti-money laundering and counter-terrorism financing laws comparable to Australia, only minimal additional systems and controls need to be considered.

9.8.4 The requirements in parts 9.4 to 9.7 of these Rules apply in relation to a permanent establishment in a foreign country at or through which a reporting entity provides designated services. The requirements in parts 9.1 to 9.3 of these Rules do not apply in relation to a permanent establishment in a foreign country at or through which a reporting entity provides designated services.

CHAPTER 10

Part 10.1 - Casinos

10.1.1 These Anti-Money Laundering and Counter-Terrorism Financing Rules (Rules) are made pursuant to section 229 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act).

10.1.2 These Rules at paragraphs 10.1.3 to 10.1.8 apply with respect to designated services provided by casinos other than online gambling services.

Customer identification

10.1.3 These Rules at paragraphs 10.1.4 to 10.1.6 are made pursuant to subsection 39(4) of the AML/CTF Act.

10.1.4 Subject to paragraph 10.1.6 of these Rules, the provisions in Division 4 of Part 2 of the AML/CTF Act do not apply in respect of a designated service that:

(1) is of a kind described in items 1, 2, 4, 6, 7, 8 or 9 of table 3 of section 6; and

(2) involves an amount less than $10,000.

10.1.5 Subject to paragraph 10.1.6 of these Rules, the provisions in Division 4 of Part 2 of the AML/CTF Act do not apply in respect of a designated service that is of a kind described in items 1, 2, 4, 6 or 9 of table 3 of section 6 where the service:

(1) involves an amount of $10,000 or more; and

(2) involves the customer giving or receiving only gaming chips or tokens.

10.1.6 The exemptions in paragraphs 10.1 4 and 10.1.5 of these Rules do not apply in circ*mstances where a reporting entity determines in accordance with its enhanced customer due diligence program that it should obtain and verify any KYC information in respect of a customer in accordance with its customer identification program.

Verification of identity

10.1.7 The requirements specified in paragraphs 6.2.3, 6.3.2 and 6.4.2 of these Rules are modified as follows in respect of a reporting entity that is a casino:

(1) the specified action in paragraph 6.2.3 must be taken within 14 days starting after the day on which the circ*mstance specified in paragraph 6.2.1 comes into existence, or before the reporting entity commences to provide another designated service to which Part 2 of the AML/CTF Act applies, to the customer;

(2) the specified action in paragraph 6.3.2 must be taken within 14 days starting after the day on which the suspicious matter reporting obligation arose, or before the reporting entity commences to provide another designated service to which Part 2 of the AML/CTF Act applies, to the customer;

(3) the specified action in paragraph 6.4.2 must be taken within 14 days starting after the day on which the suspicious matter reporting obligation arose, or before the reporting entity commences to provide another designated service to which Part 2 of the AML/CTF Act applies, to the customer.

Record-keeping

10.1.8 This Rule is made pursuant to subsections 118(2) and (4) of the AML/CTF Act. Sections 106 and 107 of the AML/CTF Act do not apply to a designated service of a kind described in:

(1) items 1, 2, or 6 of table 3 of section 6; or

(2) item 4 of table 3 of section 6 to the extent that the service is provided by giving the customer only gaming chips or tokens.

Part 10.2 - On-course bookmakers and totalisator agency boards

10.2.1 These Rules at paragraphs 10.2.2 to 10.2.7 apply with respect to designated services provided by a reporting entity that is an on-course bookmaker or a totalisator agency board.

Customer identification

10.2.2 These Rules at paragraphs 10.2.3 to 10.2.5 are made pursuant to subsection 39(4) of the AML/CTF Act.

10.2.3 Subject to paragraph 10.2.5 of these Rules, the provisions in Division 4 of Part 2 of the AML/CTF Act do not apply in respect of a designated service of a kind described in items 1 or 2 of table 3 of section 6.

10.2.4 Subject to paragraph 10.2.5 of these Rules, the provisions in Division 4 of Part 2 of the AML/CTF Act do not apply in respect of a designated service of a kind described in item 4 of table 3 of section 6 where that service involves an amount less than $10,000.

10.2.5 The exemptions in paragraphs 10.2.3 and 10.2.4 of these Rules do not apply in circ*mstances where a reporting entity determines in accordance with its enhanced customer due diligence program that it should obtain and verify any KYC information in respect of a customer in accordance with its customer identification program.

Record-keeping

10.2.6 This Rule is made pursuant to subsections 118(2) and (4) of the AML/CTF Act. Sections 106 and 107 of the AML/CTF Act do not apply to a designated service of a kind described in items 1, 2, or 6 of table 3 of section 6.

Verification of identity

10.2.7 The requirements specified in paragraphs 6.2.3, 6.3.2 and 6.4.2 of these Rules are modified as follows in respect of a reporting entity which provides a designated service that is an on-course bookmaker or a totalisator agency board:

(1) the specified action in paragraph 6.2.3 must be taken within 14 days starting after the day on which the circ*mstance specified in paragraph 6.2.1 comes into existence, or before the reporting entity commences to provide another designated service to which Part 2 of the AML/CTF Act applies, to the customer;

(2) the specified action in paragraph 6.3.2 must be taken within 14 days starting after the day on which the suspicious matter reporting obligation arose, or before the reporting entity commences to provide another designated service to which Part 2 of the AML/CTF Act applies, to the customer;

(3) the specified action in paragraph 6.4.2 must be taken within 14 days starting after the day on which the suspicious matter reporting obligation arose, or before the reporting entity commences to provide another designated service to which Part 2 of the AML/CTF Act applies, to the customer.

Part 10.3 - Gaming machines

10.3.1 These Rules at paragraphs 10.3.2 to 10.3.5 apply with respect to a designated service provided by a reporting entity by way of a gaming machine other than designated services provided at a casino.

Customer identification

10.3.2 The Rules at paragraphs 10.3.3 to 10.3.5 are made pursuant to subsection 39(4) of the AML/CTF Act.

10.3.3 Subject to paragraph 10.3.5 of these Rules, the provisions in Division 4 of Part 2 of the AML/CTF Act do not apply in respect of a designated service of a kind described in items 5 or 6 of table 3 of section 6.

10.3.4 Subject to paragraph 10.3.5 of these Rules, the provisions in Division 4 of Part 2 of the AML/CTF Act do not apply in respect of a designated service of a kind described in items 9 or 10 of table 3 of section 6 where that service involves an amount less than $10,000.

10.3.5 The exemptions in paragraphs 10.3.3 and 10.3.4 do not apply in circ*mstances where a reporting entity determines in accordance with its enhanced customer due diligence program that it should obtain and verify any KYC information in respect of a customer in accordance with its customer identification program.

Part 10.4 - Accounts for online gambling services

Special circ*mstances that justify carrying out the applicable identification procedure after commencement of the provision of a designated service

10.4.1 Subject to the condition specified in paragraph 10.4.2, online gambling services are specified for the purposes of paragraph 33(a) of the AML/CTF Act.

10.4.2 For the purposes of paragraph 33(b) of the AML/CTF Act, the special circ*mstances in respect of online gambling services are only available if:

(1) the customer is required to open an account in order to obtain the service; and

(2) the reporting entity does not permit the customer to withdraw any funds from the account prior to carrying out the applicable customer identification procedure.

The period ascertained in accordance with subparagraph 34(1)(d)(i) of the AML/CTF Act

10.4.3 This Rule is made pursuant to subparagraph 34(1)(d)(i) of the AML/CTF Act. In respect of the designated services specified in paragraph 10.4.1 above, the period is 90 days commencing on the day that the reporting entity opens the account in the name of the customer.