On 21 November 2022 AUSTRAC released for consultation draft guidance for financial institutions when providing designated services to customers that are assessed as high risk for money laundering and terrorist financing (ML/TF). While de-banking of certain industries is not new, the consultation follows an increase in financial institutions either declining, withdrawing or limiting the designated services provided to customers that are assessed as high risk for ML/TF. The guidance responds to the Council of Financial Regulators’ third recommendation in the Potential Policy Responses to De-Banking in Australia report released in August 2022, to provide guidance to the four major banks on AUSTRAC’s expectations in relation to their risk tolerance and requirements to bank the digital currency exchange (DCE), fintech and remittance sectors.
AUSTRAC has expressed concern that customers assessed as high risk who are turned away and de-banked by financial institutions are seeking unregulated alternatives, reducing the information gathered by financial institutions and reported to AUSTRAC. This creates a gap in regulatory oversight and reduces the ability to detect and prevent ML/TF and other serious crimes. The detriment caused by de-banking was outlined by AUSTRAC in a media release on 29 October 2021 after many years of industry voicing concerns.
While the substance of the guidance does not change statutory obligations for reporting entities, it clarifies AUSTRAC’s expectations of the way that reporting entities and high-risk customers manage their relationship to mitigate de-banking. As a key component, AUSTRAC expects that financial institutions request that high-risk customers that are reporting entities disclose significant aspects of their anti-money laundering and counter-terrorism financing (AML/CTF) compliance framework, so that the financial institutions can make informed decisions as to the residual ML/TF risk of these customers. Ultimately, limiting or ceasing to provide designated services to high-risk customers is unaffected and remains a commercial decision. However, it is expected that such decisions will be made on a case-by-case basis after the financial institution has considered information relevant to a particular customer, rather than through blanket refusals to bank entire industries (unless the financial institution does not have the resources to understand how a specific customer type or industry sector operates).
Importantly, the guidance reiterates that the decision to provide designated services is a commercial one to be made by the financial institution and that the financial institution is in control of requesting information about the high-risk customer. It does, however, provide clarity for high-risk customers on the types of conversations they can expect to have with financial institutions in order to demonstrate they have appropriate systems and controls in place to manage and mitigate their ML/TF risks. Further, it may also serve to realign financial institutions’ policies and approaches to high-risk customers so that a more fulsome assessment is undertaken on a case-by-case basis, before a customer is de-banked.
Although the intended audience for the draft guidance is specifically financial institutions and their customers that are assessed as high risk, in the remittance, DCE and fintech sectors, principles may also be applicable to reporting entities with high-risk customers that are also reporting entities.
Summary of the guidance for financial institutions
The guidance for financial institutions reiterates existing statutory obligations applicable to reporting entities, although it clarifies AUSTRAC’s expectations of the practical steps a financial institution may take as part of its risk-based procedures in relation to higher ML/TF risk customers.
AUSTRAC has reiterated that there is no legal requirement for a financial institution to decline to provide designated services to customers that are assessed as high risk, acknowledging that no reporting entity can reduce financial crime to nil. It is not suggested that any less rigour be applied by a reporting entity in how it discharges its AML/CTF obligations; rather, AUSTRAC emphasises the importance of robust ML/TF risk assessments and controls that are tailored and proportionate to the level of ML/TF and serious crime risks faced by the reporting entity, as a tool to identify and manage high-risk customers.
Reflecting existing obligations, the guidance sets out that financial institutions are expected to assess and understand the ML/TF risks presented by each customer, and that this assessment should be based on a reasonable understanding of the customer, considering:
- the nature of an institution’s business relationship with the customer;
- the risks associated with the product or service being provided;
- the methods of delivering the designated service to the customer; and
- any relevant foreign jurisdiction or geographic risks.
Reflecting existing obligations, AUSTRAC expects an assessment of a customer’s ML/TF risk profile to be informed by:
- the reporting entity’s current ML/TF risk assessment;
- risk assessments and relevant AUSTRAC guidance;
- ongoing monitoring of customers’ activities; and
- direct feedback received from AUSTRAC.
As required by the Anti-Money Laundering and Counter-Terrorism Act 2006 (Cth) (AML/CTF Act), financial institutions must complete applicable customer identification procedures before providing designated services, the level of which must be appropriate to the ML/TF risk profile of the customer.
AUSTRAC reiterates the existing requirement that an AML/CTF Program must enable an institution to understand the nature and purpose of the business relationship with a customer and to consider the ML/TF risks that may arise from providing a designated service to the customer, which inform whether and what additional KYC information needs to be collected and verified about the customer.
The guidance reiterates the circumstances in which enhanced customer due diligence (ECDD) is required and appropriate, including where customers are assessed as high risk. It is expected that reporting entities continue to submit suspicious matter reports (SMR), while noting that a SMR does not automatically require a financial institution to cease providing a designated service to a customer.
A customer’s risk profile (which may change over time, as new information becomes available, including from transaction monitoring) should be considered in accordance with the standard ML/TF risk factors (contained in a reporting entity's AML/CTF Program):
- customer type;
- customers’ sources of funds and wealth;
- the nature and purpose of the business relationship with your customers;
- the control structure;
- the types of designated services provided; and
- the methods by which you deliver the designated service and the foreign jurisdictions you are dealing with.
Special considerations for high-risk customers regulated by AUSTRAC
The consultation contains guidance for financial institutions on AUSTRAC’s expectations where a high-risk customer is also a reporting entity. It is expected that a financial institution will consider the residual ML/TF risks presented by AUSTRAC regulated entities, at the beginning of a relationship and on an ongoing basis.
It is clarified that AUSTRAC does not expect a financial institution to undertake a comprehensive audit or review of a customer’s ML/TF risk assessment procedures, but they should consider asking themselves “do the business’ measures to identify, mitigate and manage ML/TF risks appear to be reasonable?”.
Financial institutions may consider a customer’s registration with AUSTRAC as a factor when assessing its ML/TF risks, noting:
- this does not remove the requirement to undertake initial and ongoing customer due diligence; and
- adverse media or information about key personnel associated with the business, evidence of phoenixing or that a business has changed ownership or key personnel shortly after AUSTRAC registration without a reasonable explanation may be red flags to be taken into account.
Financial institutions are encouraged to search the remittance sector register and ask DCEs for evidence of registration with AUSTRAC. While regulated businesses that do not provide remittance or DCE services are not required to register with AUSTRAC, they must be enrolled with AUSTRAC, evidence of which may be requested from AUSTRAC by a financial institution on a case-by-case basis.
Financial institutions may request a copy of the customer’s ML/TF risk assessment to consider if, on its face, it:
- is up to date;
- reasonably reflects the business’ current business model and practices; and
- is tailored to the services provided by the business.
AUSTRAC also suggests a financial institution may wish to speak to the business’ AML/CTF compliance officer or senior management to gauge their understanding of the ML/TF risks in their risk assessment, on a case-by-case basis, after considering ML/TF risk and documentation provided.
AUSTRAC suggests it is reasonable to ask a reporting entity whether it has an AML/CTF Program, how it was developed and to understand the priority the business places on implementing it. It is also suggested that a copy of the business’ AML/CTF Program may be requested to consider if systems and controls are as the financial institution would expect. If so, an AML/CTF Program that is generic, a template or restates the AML/CTF laws is insufficient to identify, mitigate and manage ML/TF risks.
Illustrative examples of good practice that may be in an AML/CTF Program include:
- how a remitter’s transaction monitoring program applies to transactions involving higher-risk jurisdictions;
- what due diligence remitters and DCEs undertake when establishing relationships with businesses in other jurisdictions; and
- how a DCE uses blockchain analysis tools where they permit digital currency deposits from, and withdrawals to, external wallets.
Where financial institutions assess a customer as high risk, AUSTRAC reiterates that due diligence requires an understanding of the nature of their business relationship with a customer, including collecting information about the types of services the business provides and the types of customers it provides services to, such as:
- the usual and expected values of typical remittances, digital currency exchanges or other transactions;
- for remitters, its payment corridors and typical reasons for customers using their services (e.g. low-value remittances between family members in lower-risk payment corridors);
- for remittance affiliates, the remittance network provider’s monitoring of, and support for, the affiliate’s implementation of AML/CTF systems and controls and whether an affiliate also provides independent remittance services;
- for DCEs, the types of digital currencies exchanged (e.g. if a DCE deals in significant volumes of privacy coins which may be withdrawn from the DCE, this may present specific risks that could require additional risk mitigation by the DCE); and
- for fintech businesses, the nature of the designated services, the methods by which the fintech business delivers these services and the types of customers that typically use the services.
There is no prescribed way to collect such information but approaches could include:
- incorporating questions into standard customer on-boarding forms;
- a dedicated form with standard questions for on-boarding customers that are high risk remitters, DCEs or fintech businesses; or
- direct engagement and discussion with the business, including its AML/CTF compliance officer.
A financial institution should have a reasonable understanding of the residual ML/TF risks of their customer and document the assessment and the outcome in relation to the customer.
The guidance indicates that a financial institution may also use these factors to inform more targeted training as part of ML/TF risk awareness training.
Where an AUSTRAC regulated business is assessed as high risk, AUSTRAC expects the following steps be taken initially and periodically, taking a risk-based approach:
- a more detailed analysis of the expected level of transaction behaviour, including future transactions;
- review whether the customer continues to comply with relevant regulatory requirements (e.g. registration with AUSTRAC remains current);
- consider whether the customer’s ML/TF risk assessment remains up to date and it continues to set out reasonably appropriate AML/CTF systems and controls in its AML/CTF Program; and
- maintain a current understanding of the types of services the business provides, the types of customers the business provides services to, and the foreign jurisdictions the business deals with.
1. What high risk business customers can do to increase their chances of being provided banking services
- Be transparent about the nature of your business and the purpose for which you are seeking to use a financial institution’s service.
- Provide relevant information that may be requested of you in a timely manner including relevant documentary or electronic evidence to:
  - help the financial institution understand the legal structure of your business, and the individuals who ultimately own or control it;
  - describe in sufficient detail the types of services you provide to your customers;
  - show that you understand, and have met, all licensing and other regulatory requirements applicable to your business under Commonwealth, state, territory or local laws and any relevant overseas laws;
  - share the results of any reviews of your own regulatory and risk management systems and follow-up actions (where permitted);
  - share information about the types of customers you provide services to (you do not need to disclose identifying information about individual customers);
  - provide details of the geographical locations in which your customers reside and/or the locations to which they transfer value using your services; and
  - indicate the expected volumes of transactions you are likely to engage in using the financial institution’s services.
2. Additional steps high risk reporting entities (DCEs, remitters and fintechs) can take to increase their chances of being provided banking services
- Be prepared to provide evidence that you are complying with your AML/CTF obligations and are implementing the systems and controls in your AML/CTF program effectively.
- Assess and understand your business’s specific ML/TF risks, ensuring you have appropriate risk-based systems and controls in relation to these risks.
- Implement an AML/CTF program that is tailored to your ML/TF risks that has appropriate risk-based systems and controls, complies with the AML/CTF Laws and takes into account applicable AUSTRAC guidance.
- Ensure customer due diligence is adequate for your customer types, designated services and jurisdictions you deal with.
- Be prepared to demonstrate, if asked, that:
  - your AML/CTF Program was designed for your business and is not a template or restatement of the AML/CTF laws;
  - senior management oversee and support implementation of the AML/CTF Program;
  - staff understand and implement the AML/CTF Program and receive appropriate training in accordance with the AML/CTF Rules;
  - your AML/CTF compliance officer has the seniority, competence and resources to oversee the AML/CTF Program and can understand and speak with confidence about the systems and controls implemented.
- Be responsive with financial institutions when they request further information.
- Consider a more open dialogue with financial institutions about the services you provide.
While the guidance does not introduce new statutory requirements, and many DCEs, remitters and fintech businesses have already attempted these strategies in response to de-banking with limited success, it provides a clear message around AUSTRAC’s expectations of both financial institutions and high-risk customers, which will hopefully lead to each party better navigating their AML/CTF obligations and enabling more efficient commercial discussions and fair outcomes that protect Australia from ML/TF and other serious crimes.
Next Steps: How G+T can help
The consultation period is open until 21 December 2022. If you would like to discuss your options or prepare a submission to Treasury, please contact our Fintech + Web3 team.