Sanctions Compliance in the AI and Quantum Technology Sector: ASO Guidance Note

Introduction: Role of Compliance in Emerging Technologies

The Australian Sanctions Office (ASO), operating under the Department of Foreign Affairs and Trade (DFAT), issues guidance to help businesses, researchers, and industry professionals understand their obligations under Australia’s Sanctions framework. This article offers a practical overview of how sanctions apply to the fast-evolving fields of Artificial Intelligence (AI) and Quantum Technologies. While the Guidance Note outlines key principles, it is not intended to replace legal advice, and organisations remain responsible for ensuring their own compliance with sanctions law.
Sanctions compliance is a shared responsibility. The ASO collaborates closely with the regulated community to prevent misuse of advanced technologies and encourages proactive engagement. This includes reporting suspected breaches, whether involving other entities or through self-disclosure. By promoting transparency and cooperation, the ASO underscores the critical role of businesses and individuals in safeguarding Australia’s national security interests while supporting responsible technological innovation.

Regulatory Framework and Compliance Duties

The rapid advancement of AI and Quantum Technologies creates exciting opportunities but also brings complex sanctions risks. In particular, the transfer of assets, whether tangible or intangible, such as intellectual property, research data, and the provision of certain services, may fall within the scope of Australia’s sanctions law.

Oversight by the Australian Sanctions Office

The ASO is responsible for administering and enforcing sanctions law. While it offers resources and encourages reporting, the ultimate duty to comply rests with individuals and organisations themselves.

Responsibility of Businesses

Obligations for businesses and entities in Australia extend far beyond financial restrictions. Organisations must ensure appropriate reporting duties are fulfilled, not only for their own activities but also when becoming aware of potential breaches by others.

Seeking independent legal advice, conducting ongoing due diligence, and embedding compliance responsibilities into everyday practice are essential steps for mitigating risk while advancing innovation responsibly.

Key Sanctions Risks in AI and Quantum Technology

The rise of AI and Quantum research has introduced new layers of complexity to global compliance. Australian sanctions laws apply not only to the transfer of physical goods but also to intangible assets, such as intellectual property, software and more. For the AI and Quantum sector, understanding these risks is vital to avoiding inadvertent breaches.

Controlled Assets: Intellectual Property, Software and Research Data

Australian sanctions prohibit dealing with designated persons, entities, and their assets to ensure such parties cannot access or benefit from them. An asset under the law is defined broadly, covering tangible or intangible property, including intellectual property, research, software, and electronic material.
Targeted Financial Sanctions (TFS) prohibit:
  • Providing, directly or indirectly, any asset to or for the benefit of a listed person or entity
  • Using, managing, or enabling the use of assets owned or controlled by a designated person or entity.

These assets are referred to as “frozen” by the ASO until the restrictions are lifted.

DFAT maintains a Consolidated List of sanctioned persons and entities upon which TFS have been imposed. Checking this list is crucial for all businesses operating in Australia to reduce the risk of accidentally enabling restricted actors to access valuable technology and data.

AI and Quantum Tech: The Military End-Use Challenge

Australia’s sanctions laws restrict the supply, transfer, or sale of goods that could support military activity. For the AI and Quantum Technology sector, this risk is significant because tools built for civilian use may also be used for military purposes.
Under Australian sanctions laws, “arms or related material” can include:
  • Weapons, ammunition, and military vehicles
  • Equipment and spare parts
  • Paramilitary tools and accessories

Items not clearly listed may still fall under this definition. For example, AI-driven data analytics or advanced machine learning may be treated as “dual use,” given their potential in both civilian and military contexts.

To remain compliant, companies should apply the three-step test to assess whether their technologies could be classified as controlled material before export or collaboration.

Restricted Services Under Sanctions Laws

Australian sanctions laws restrict the provision of certain services that may contribute to sanctioned activities. While the prohibitions vary by framework, they commonly cover the supply of:
  • Technical advice, training, or assistance
  • Financial assistance or services
  • Other forms of support
These restrictions apply when the service is linked to:
  • A sanctioned supply,
  • A military activity, or
  • The manufacture, maintenance, or use of export-sanctioned goods (such as dual-use technologies)

For technology companies, this often relates to providing expertise or knowledge that supports the development or use of “export sanctioned goods.” “Technology” in this context extends to detailed information about design, production, or use. The prohibitions may also apply where services are provided directly to a sanctioned country, entity or individual.

Additionally, certain sanctions frameworks impose country-specific restrictions on services, including those tied to Syria, Russia, Zimbabwe, North Korea (DPRK), and specified regions of Ukraine, particularly in scientific or technical cooperation.

Penalties and Liabilities for Sanctions Breaches

Breaching Australian sanctions laws attracts severe penalties:
  • For individuals:
    • Up to 10 years’ imprisonment, and/or
    • Fines of 2,500 penalty units (=$825,000 as of Nov 2024), or
    • Three times the value of the transaction, whichever is greater.
  • For corporations:
    • Fines of up to 10,000 penalty units (=$3.30 million), or
    • Three times the transaction value, whichever is greater.
These are strict liability offences for companies, meaning intent need not be proven. However, businesses may defend themselves if they demonstrate reasonable precautions and due diligence to prevent breaches.

Red Flags Every AI and Quantum Tech Firm Should Look Out For

AI and Quantum Technology companies face unique compliance challenges, especially when customers or partners might be linked to high-risk activities.
Identifying red flags early is critical to prevent sanctions breaches. Warning signs may include:
  • Mismatch of Industry Use: The end receiver operates in a sector that has no legitimate need for AI software or Quantum research.
  • Opaque Profiles: Customers (domestic or foreign) with limited online presence and vague business interests.
  • Suspicious Addresses: Use of generic postal locations, freight-forwarder addresses, or co-location with unrelated businesses.
  • Complex Ownership: Entities with opaque or layered Beneficial Ownership structures.
  • High-Risk Jurisdictions: Operations based in countries subject to sanctions or heightened monitoring.
  • Unusual Payments: Reliance on non-bank channels such as remittance networks, cryptocurrency, or unrelated third-party payees.
Recognising these signals helps firms apply stronger due diligence and avoid exposure to inadvertent sanctions.

Practical Measures to Strengthen Compliance in Emerging Technology

To navigate sanctions risks, AI and Quantum Technology firms must embed strong compliance measures into their operations. Effective due diligence includes:
  • Sanctions Screening to ensure customers are not individuals or entities listed under Australian or international sanctions.
  • Collecting and verifying customer details such as name, contact information, incorporation records, and Beneficial Ownership, to reduce identity risks.
  • Assessing the end user, intended use, and potential re-export of AI or Quantum products.
  • Ensuring products are not diverted to restricted sectors or sanctioned jurisdictions.
  • Using end user certificates and restricting access to customers in high-risk regions.
These steps strengthen sanctions compliance, protect business integrity, and ensure AI innovation remains within legal boundaries.

Key Takeaways and Practical Resources

Sanctions compliance in the AI and Quantum Technology sectors is not a one-off task but an ongoing responsibility. As global risks evolve, businesses must regularly reassess obligations under Australian sanctions law and strengthen internal safeguards. In practice, seeking independent legal advice helps organisations navigate complex cases, while official resources offer practical support.

Key tools include the Sanctions Compliance Toolkit, the Sanctions Risk Assessment Tool, and the DFAT Guidance Note for Universities. By actively using these resources, firms can manage AI sanctions compliance in Australia, address Quantum Technology sanctions challenges, and ensure responsible innovation while protecting business integrity.

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has 9+ years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.

Australia’s New AML/CTF Framework: Key Changes Under the 2025 Rules

Introduction: Purpose and Scope of the AML/CTF Rules 2025

The Anti-Money Laundering and Counter-Terrorism Financing Rules 2025 (AML/CTF Rules or 2025 Rules) mark a decisive turning point in Australia’s compliance framework. Issued under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act), the rules were finally signed on 29 August 2025 and will take effect from 31 March 2026. This transition period allows institutions to restructure systems, update governance practices, and prepare for expanded obligations.

Unlike earlier iterations, the 2025 Rules go beyond consolidation by extending regulatory scope. Alongside traditional reporting entities and remittance providers, the framework now directly encompasses Virtual Asset Service Providers (VASPs) and, for the first time, Real Estate transactions. They also formalise definitions of Domestic Politically Exposed Persons (PEPs), reflecting closer alignment with global best practices.

The new regime reflects AUSTRAC’s broader strategy, embedding accountability, raising compliance expectations and positioning Australia as a credible partner in the global fight against illicit finance. Far from a routine update, the Rules establish a forward-looking framework that balances regulatory strength with business adaptability.

Who Will Be Regulated?

The AML/CTF Rules 2025 expand AUSTRAC’s authority, capturing new sectors and closing regulatory gaps. While retaining core obligations, the framework significantly broadens its scope and raises compliance expectations across diverse industries.

Current Reporting Entities

Reporting Entities remain at the centre of Australia’s AML/CTF framework. These include banks, financial institutions, and other designated service providers. While their core obligations are familiar, the 2025 Rules place sharper emphasis on governance structures and accountability mechanisms.

Domestic Politically Exposed Persons in Focus

The 2025 Rules also spell out clearer definitions for Domestic PEPs. By subjecting these clients to enhanced scrutiny, Australia strengthens its safeguards against political corruption risks and better aligns with international best practices for managing high-risk customers.

Regulation of Real Estate Dealings

One of the most notable shifts is the formal inclusion of Real Estate dealings within AML/CTF oversight. Property transactions, long recognised as attractive for illicit fund flows, now fall squarely under AUSTRAC’s remit, requiring compliance by agents, developers, and settlement professionals.

Remittance Providers and Virtual Asset Services

Remittance operators and VASPs are again in regulatory focus, reflecting the risks of fast, opaque cross-border transactions. These entities must now adopt stricter Customer Due Diligence and reinforce monitoring systems to address evolving Money Laundering threats.

Major Shifts Brought by the 2025 Framework

The AML/CTF Rules modernise Australia’s compliance framework, merging earlier obligations, bringing virtual assets and real estate under the regulations, and refining Customer Due Diligence (CDD). Collectively, these reforms strengthen governance and reflect evolving global standards in financial crime prevention.

Direct Oversight of Virtual Asset Services

VASPs are formally regulated through a new register, requiring disclosures on assets, wallets and customer channels. Programs must assess wallet types, licensing, and secure transfers, ensuring digital finance risks are addressed alongside traditional services.

Stronger AML/CTF Programs and Due Diligence

Compliance programs must now address Proliferation Financing, Targeted Sanctions, and Real Estate transactions. Refined CDD rules require deeper ownership checks, ongoing monitoring of high-risk clients, and stricter reliance provisions for third-party KYC, enhancing transparency and accountability.

Streamlined Regulatory Structure

Replacing the former framework, the 2025 Rules adopt twelve parts for clarity and accessibility. This streamlined framework reduces fragmentation, supports compliance and consistency, and gives entities until 31 March 2026 to align their systems with the updated structure.

Central Compliance Duties Under the 2025 Rules

The AML/CTF Rules establish a robust framework of compliance obligations designed to strengthen governance and accountability across Reporting Entities. The obligations are far more comprehensive than in earlier frameworks, reflecting both domestic priorities and international Financial Action Task Force (FATF) standards.

Requirements for Enrolment and Registration

All reporting entities must undergo an updated enrolment process, which captures detailed information on ownership, corporate structures, identifiers, business activities, and exposure to financial crime risks. VASPs are, for the first time, required to obtain formal registration, creating greater transparency in relation to wallet management and delivery mechanisms.

Designing Robust AML/CTF Programs

Entities are expected to implement customised programs that directly address the risk of Money Laundering, Terrorist Financing, and Proliferation Financing. These programs must embed strong governance measures, including regular reporting from the Compliance Officer to the board, independent reviews of effectiveness, and rigorous due diligence and training for employees.

Enhanced Customer Identification and Monitoring

The new framework expands verification obligations across individuals, corporates, trusts, and government agencies. Enhanced checks apply in high-risk contexts, including dealings with PEPs and Real Estate transactions. Entities must also conduct Ongoing Monitoring to ensure customer information remains accurate and up to date.

Obligations For Record Management

The 2025 Rules embed record-keeping as a cornerstone of compliance. Lead Entities must maintain updated registers of group membership, reliance agreements must assign clear documentation responsibilities, and entities acquiring customers from another provider must secure historical records. These requirements underpin transparency, support audits, and support investigative capacity when irregularities occur or any suspicious activity is detected.

Reporting Duties and Transaction Requirements

Obligations relating to Suspicious Matter Reports (SMRs), Threshold Transaction Reports (TTRs), and cross-border movement declarations have become more detailed and data-intensive. Transitional arrangements permit temporary reliance on earlier reporting formats, giving institutions a limited adjustment period before full compliance is enforced.

Correspondent Banking and Transfers of Value

Financial institutions are required to perform detailed due diligence before entering correspondent banking arrangements, with senior management overseeing them. Rules on transfer transparency now cover both traditional money transfers and virtual assets, requiring ordering, intermediary, and beneficiary institutions to capture and pass on complete transaction information.

Practical Challenges for Businesses

While the AML/CTF Rules 2025 establish a stronger compliance regime, they also create a far more demanding environment for businesses. Meeting these requirements needs substantial investment in people, processes, governance, technology, and skilled personnel, exposing entities to operational pressure and reputational risks.

Heavy Reporting Obligations

Reporting requirements for SMRs, TTRs, and cross-border movement disclosures now demand highly detailed data. The sheer volume increases compliance costs and data-management risks, while AUSTRAC’s public reporting of breaches exposes businesses to reputational damage if obligations are not met effectively.

Managing International and Third-Party Relationships

Relying on third parties for KYC verification or managing correspondent banking ties requires rigorous due diligence. Businesses must evaluate whether the overseas partners meet FATF standards and repeat such assessments regularly, an exercise that is resource-heavy and highly technical.

Ongoing Risk Monitoring and Assessments

Entities must maintain continuous oversight of Money Laundering, Terrorist Financing, and Proliferation Financing risks across products, delivery channels, and jurisdictions. Policies require rapid updates whenever independent reviews reveal weaknesses. For smaller institutions, this constant cycle of monitoring and adjustment can be especially burdensome.

Complex Data Collection and Verification Needs

The new framework expands CDD obligations, compelling institutions to gather detailed Know Your Customer (KYC) information across individuals, corporates, trusts, and government bodies. Proving Beneficial Ownership in layered or opaque structures is particularly difficult, especially where evidence is incomplete or subject to delayed verification.

Compliance Challenges for VASPs

VASPs encounter distinct challenges. They must identify custodial versus self-hosted wallets, confirm that controllers are properly licensed, and ensure secure handling of transaction data. The decentralised nature of Virtual Assets makes these tasks uniquely difficult.

Transparency and International Alignment

The AML/CTF Rules 2025 place a strong focus on transparency and global consistency. By mandating public disclosures, reinforcing payment traceability, and harmonising with the FATF framework, they bolster Australia’s domestic accountability while strengthening its standing in the international financial system.

Public Disclosure and Payment Transparency Measures

Listed public companies that are already bound by market disclosure rules are treated as transparent for Beneficial Ownership during CDD. In addition, the updated “Payment Transparency” obligations for Transfers of Value demand that both payer and payee information be verified and transmitted through the chain, reflecting FATF-strengthened recommendations.

Cross-Border Cooperation and Oversight Mechanisms

AUSTRAC is also empowered to share information with both domestic regulators and foreign counterparts, enhancing cooperation against financial crime. More importantly, registrations can be suspended or cancelled if providers are subject to adverse findings or sanctions, ensuring that international risks are factored into Australia’s oversight.

Alignment with FATF Global Standards

The Rules allow reliance on CDD already undertaken in FATF-compliant jurisdictions, as well as delayed verification in foreign branches where such regimes are recognised. For Virtual Asset transactions, service providers must confirm wallet controllers are licensed under laws consistent with FATF standards, otherwise services must proceed.

AUSTRAC’s Role in Promoting Openness

Under the Rules 2025, AUSTRAC must publish details from the Remittance Sector Register and the Virtual Asset Service Provider Register that are publicly accessible. This includes legal identifiers such as entity names, ABNs, registered addresses, and website domain names. Where conditions are attached to a registration, or where an entity faces suspension or cancellation, AUSTRAC is required to publish these outcomes to maintain openness.

The AML/CTF Rules 2025 represent a turning point in Australia’s approach to financial regulation. By weaving international best practices into local compliance obligations, the framework strengthens domestic safeguards while reinforcing Australia’s credibility on the global stage. Beyond meeting regulatory demands, these rules provide businesses with a chance to adopt more resilient systems, contributing to a safer and more transparent financial environment worldwide.

Key Takeaway

The AML/CTF Rules 2025 are more than just a compliance exercise; they represent a decisive recalibration of Australia’s regulatory landscape. By extending obligations to Real Estate, VASPs, and Domestic PEPs, the framework plugs long-standing gaps that criminals might have exploited. For businesses, the challenge lies in balancing the heavy operational burden of data collection, risk assessment, and reporting with the opportunity to build resilience and trust.

With the March 2026 deadline fast approaching, organisations that invest early in governance, technology and training will be better positioned not only to meet AUSTRAC’s standards but also to strengthen their competitive standing in a global marketplace where transparency and accountability increasingly define success.

Identity Verification Toolkit for Tranche 2 Entities

In this article, we will explore the critical role of Identity Verification (IDV) in AML/CFT/CPF compliance. Financial crimes have an adverse impact on the economy and society at large. Governments across the globe have implemented AML/CFT/CPF laws and regulations to curb the menace of financial crimes like money laundering, terrorist financing, and proliferation financing. Know Your Customer (KYC) processes play a huge role in preventing and detecting financial crimes. One of the important aspects of KYC processes is to perform customer ID Verification.

What is ID Verification

ID Verification, also known as Identity Verification, is a regulatory obligation under which a Reporting Entity identifies its customers and verifies the authenticity of the ID Documents provided by individual customers as well as non-individual customers (such as companies, associations, trusts, etc.). This verification helps Reporting Entities in Australia to establish the true identity of their clients before providing designated services to them, thereby reducing the risk of being exploited for illegal financial activities.

Regulatory Requirements for ID Verification

IDV is a regulatory obligation for all Reporting Entities in Australia under the following legislation:
  • Anti-Money Laundering and Counter-Terrorism Financing Act 2006
  • Anti-Money Laundering and Counter-Terrorism Financing Rules 2007
  • Associated regulations, etc.
The proposed reform, the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024, introduces the requirement of ID Verification for Tranche 2 Entities, which will come into effect from July 2026.

Role of IDV in a Tranche 2 Entity’s AML/CTF Framework

Knowing a customer’s profile gives insight into who a customer is and what the nature of their business is. Having knowledge of the customer and their business helps in detecting irregular activities or behavior. A business can monitor customer transactions and activities and detect abnormal or unusual transactions. It also helps in knowing the risks associated with customers.

Each customer is different and has different types of risks associated with them. For example, a PEP poses a higher risk than a non-PEP individual. In the same way, a customer from a high-risk jurisdiction poses more risk than a customer from a low-risk jurisdiction. Therefore, it is important to understand the customer for the right risk assessment.

Below are some of the key roles that IDV performs in mitigating ML/TF risk:

Reduction in Financial Crimes

Identity verification helps in the reduction of financial crimes. As Reporting Entities are required to perform Identity Verification procedures before entering into a business transaction, it discourages criminals from placing their illicit money into the legitimate economy and thereby reduces financial crimes and their adverse effects on the economy and society at large.

Enhanced Trust and Reputation

Businesses that are compliant with the ID verification procedures know who they are dealing with and can take a risk-based approach when performing their Customer Due Diligence (CDD) Procedures. If there is a slight suspicion as to the legitimacy of the ID Documents provided, more detailed KYC procedures can be applied. A compliant business creates an environment of trust among other businesses and thereby earns a reputation and a positive brand image.

Improved Regulatory Compliance

Identity Verification procedures ensure compliance with the regulatory requirements. If a Reporting Entity consistently performs IDV before customer onboarding, any suspicion that arises with respect to Money Laundering, Terrorist Financing, or Proliferation Financing can be reported to the Australian Transaction Reports and Analysis Centre (AUSTRAC) within a reasonable time.

Streamlined Customer Onboarding Procedures

Identity Verification ensures uniform business-wide customer onboarding procedures. This results in proper Customer Due Diligence and risk assessment. The appropriate level of due diligence is carried out depending on the risks associated with the customer.

Steps for Identity Verification by Reporting Entities

All Reporting Entities, including Tranche 2 entities, must continuously maintain and update Applicable Customer Identification Procedures (ACIP) as part of a thorough and risk-sensitive approach to Customer Due Diligence:

Identifying the Timeframe

  • Reporting Entities are expected to complete customer identification procedures prior to delivering any designated service. This obligation applies regardless of whether the interaction involves a single transaction or forms part of an ongoing business arrangement.
  • In relation to beneficial ownership and Politically Exposed Person (PEP) status, the timing requirements are slightly more flexible. It is preferable to determine these aspects before the designated service is provided, or shortly thereafter, provided this is completed as soon as practicable within a risk-based framework.

Collecting and Verifying Customer’s ID Documents

Tranche 2 Reporting Entities must obtain reliable Identification Documents or data and verify their authenticity to confirm the customer’s identity. When verifying a customer’s identity, Reporting Entities must rely on documents that are both trustworthy and independent. The reliable and independent documents in Australia include:

A. For Individuals

1. Primary Photographic Identification Documents: These are official documents that include a photograph of the individual and are generally issued by a government authority. Acceptable examples include:

  • Driver’s licence (physical or digital)
  • Australian passport
  • Australian-issued proof of age card
  • Passport issued by a foreign government or the United Nations
  • International travel document from a recognised authority
  • National identity card issued by a foreign government or the United Nations.

2. Primary Non-Photographic Identification Documents: Where a photograph is not available, the following original documents can be used to verify identity:

  • Australian birth certificate
  • Australian citizenship certificate
  • Foreign birth or citizenship certificate
  • Concession card issued by the Australian government (such as a pensioner card, healthcare card, or seniors health care card).

3. Secondary Identification Documents: These documents provide supporting information and must include the customer’s name and residential address. Acceptable examples are:

  • Letter or notice from a government agency (e.g., the ATO or Centrelink) issued within the past 12 months
  • Utility bill or local council rates notice issued within the last 3 months (e.g., electricity, gas, or water bill)
  • For minors under 18:

    • Letter from a school principal issued within the last 3 months, showing the student’s name, residential address, and attendance details
    • Student identification card, if available.

Note: All documents used must be current. However, an Australian or foreign passport can be accepted if it has expired within the last two years.

B. For Legal Entities

  • Certificate of incorporation of a company from ASIC (Australian Securities and Investments Commission) and/or an annual statement including the amendments submitted to ASIC
  • Trust deed
  • Partnership agreement
  • Constitution and/or certificate of incorporation for an incorporated association
  • Constitution of a registered cooperative.

Identifying Beneficial Ownership

When the customer is a legal entity, the Reporting Entity must:
  • Identify the individuals who hold 25% ownership of, or control, the entity.
  • Verify their identity using reliable and independent documents.
  • Understand the ownership and control structure.

Performing Screening for Politically Exposed Persons (PEPs)

  • Tranche 2 Reporting Entities should determine if the customer or their beneficial owners are PEPs, which may elevate the risk profile.
  • Enhanced Due Diligence (EDD) is required if the individual is a PEP, due to elevated ML/TF risk.

Understanding the Business Relationship

  • Tranche 2 Reporting Entities should gather information on why the customer is engaging with their services.
  • They should also understand the expected nature, purpose, and duration of the relationship.

Addressing Risk Based Factors

The IDV Procedures of a Reporting Entity must be developed with regard to the specific risks relevant to its operations. Key factors to address include:
  • The size, scope, and complexity of the business activities
  • The nature and purpose of the customer relationship
  • The level and type of money laundering or terrorism financing (ML/TF) risks involved
  • Types of customers and their profiles, including their ownership and control structures
  • The sources of customer funds and wealth
  • The method of delivery of your services (face-to-face, digital, third-party, etc.)
  • The jurisdictions involved, especially where foreign exposure increases risk

Different Types of Customer Verification Procedures for Reporting Entities

Identity Verification Procedures vary based on the type of customer and their assessed level of Money Laundering (ML) and Terrorism Financing (TF) risk. Below is a breakdown of the customer verification approaches for individuals, companies, and trusts, particularly under simplified or ‘safe harbour’ provisions:

1. ‘Safe Harbour’ Verification Procedure

Reporting Entities may apply ‘safe harbour’ procedures when verifying the identity of individuals assessed as posing medium or low ML/TF risk. These procedures are less rigorous than those required for high-risk individuals but still mandate the collection and verification of key identifiers such as:
  • Full name, and
  • Either the date of birth or residential address.
Verification can be carried out using:
  • Reliable and independent documentation (originals or certified copies of primary or secondary identification documents), or
  • Electronic data sources, ensuring at least two independent and credible sources are used (e.g., databases from credit reporting agencies).

2. Simplified Verification Procedures

Reporting Entities may apply simplified verification procedures in low-risk cases:

For Companies: Verification is simplified if the company is:

  • Listed on an Australian stock exchange
  • A majority-owned subsidiary of a listed company
  • Licensed and regulated by a Commonwealth, State, or Territory authority
In these cases, the Reporting Entity can verify the company through stock exchange listings, Australian Securities and Investments Commission (ASIC) records, annual reports, or regulator databases.

For Trusts: Simplified checks apply if the trust is:

  • A registered managed investment scheme
  • An unregistered scheme for wholesale clients only
  • Supervised by a Commonwealth regulator
  • A government superannuation fund

Methods of Performing Identity Verification for Tranche 2 Entities

Verification of identity can be done in different ways, such as digital verification using biometrics or identity verification using identity cards. Following are multiple methods that Reporting Entities may adopt to verify the identity of individuals as well as entities:

Biometric Verification

Using technology to capture fingerprints, eye scans, and facial images and compare them against the central database provides more security and is more reliable. This verification is difficult to fake.

Document Verification

For individuals, verification typically includes checking official documents such as For companies, Australian Business Number (ABN) registration details or Australian Securities and Investments Commission (ASIC) records can be used.
Reporting Entities should verify the authenticity of customer ID Documents through both online and offline methods, which include:
  • ID Confirmation: Validate the document with issuing authorities such as the Department of Home Affairs (for Australian passports). Where ID documents use electronic data, that data can be verified through the Document Verification Service (DVS), a secure online system managed by the Department of Home Affairs.
  • ID Validation: Assess the genuineness of the document to detect any signs of forgery or tampering.
  • ID Number Match: Verify the document’s issue date and validity period to ensure the ID document is current and accurate.

Knowledge-Based Authentication (KBA)

Reporting Entities may enhance identity assurance by asking personalized security questions that only the genuine individual can answer. This method will add an extra layer of protection to fight against ML/TF risk.

Online verification with Biometrics and AI

Reporting Entities can authenticate IDs in real time by prompting customers to upload a selfie, which is then matched against the image in their Identity Document using facial recognition and artificial intelligence.

Two-Factor Authentication (2FA)

Reporting Entities should use multi-layer security by asking users to confirm their identity through a second method, such as a code or One Time Password (OTP) sent to their phone or email, in addition to the password.

Device Verification

Reporting Entities may assess the legitimacy of ID documents and the device used by the customer during onboarding or transactions to detect fraud and ensure security.

Challenges in IDV Process for Reporting Entities

Despite the clear regulatory requirements, Reporting Entities often face several challenges in effective implementation of the ID Verification process such as:

Uneven Jurisdictional Requirements

IDV systems face significant complexity when deployed across multiple jurisdictions. Each country may have distinct Know Your Customer (KYC) regulations, resulting in inconsistent record-keeping standards and verification requirements.

Data Privacy and Security Compliance

A major hurdle for IDV solutions is navigating stringent data privacy laws and biometric data regulations. Gaining valid consent and managing sensitive biometric information such as facial recognition or fingerprint data must be done in full compliance with regional laws (e.g., GDPR, Australia’s Privacy Act, 1988). Any misstep could lead to legal penalties and loss of user trust.

Exploitation Through Deepfakes and Cyber Threats

The remote nature of IDV, particularly in digital onboarding, exposes systems to sophisticated threats. Deepfake technology may be used to impersonate individuals, bypassing facial verification tools. Additionally, malware infections, phishing, and cyberattacks targeting IDV databases pose persistent risks to data integrity and authenticity.

Lack of System Integration

Not all IDV tools are designed for easy integration into a company’s existing infrastructure. This lack of interoperability can disrupt the onboarding workflow and lead to inefficiencies, as organisations are forced to manually bridge gaps between legacy systems and modern IDV platforms.

Resistance from High-Risk Customer Segments

Despite advanced IDV technologies, challenges persist in verifying high-risk customers such as Politically Exposed Persons (PEPs) or Ultimate Beneficial Owners (UBOs) with complex corporate ownership structures. These individuals may delay or withhold critical information, hindering timely completion of the IDV process and increasing exposure to compliance risk.

Best Practices for ID Verification

To meet global compliance expectations and reduce exposure to financial crime, Tranche 2 Entities should adopt the following best practices for implementing a robust IDV process:

Adopt a Risk-Based Approach

Reporting Entities must apply Identity Verification measures proportionate to the level of risk posed by each customer or transaction. A standardised approach for all customers fails to account for varying levels of money laundering risks. Therefore, a risk-based strategy should be incorporated by Reporting Entities which includes classifying customers into risk categories (low, medium, high) and adjusting verification procedures based on risk (e.g., enhanced due diligence for high-risk profiles).

Define Comprehensive IDV Policies and Procedures

Internal AML/CFT policies must clearly define the types of Identity Documents that are acceptable, and how these documents are verified. It should categorically define the steps that are required to handle non-face-to-face onboarding and remote verifications.

Incorporate Ongoing Monitoring

Identity verification is not a one-time task. Businesses must establish processes for monitoring changes in customer information and re-verifying identities during periodic reviews or when risk profiles change.

Ensure Staff Competency Through Training

Reporting Tranche II entities should ensure that employees responsible for conducting IDV, such as KYC analysts and Compliance Officers, are trained to detect forged or fraudulent documents and identify red flags such as inconsistent information, false addresses, or outdated IDs.

Leverage Technology and Automation

Digital solutions are key to improving the speed, accuracy, and reliability of IDV. Reporting Tranche II entities should include tools such as facial recognition, biometric checks, OCR, and API-based integration with government databases and watchlists. Automated verification reduces human error and speeds up onboarding while ensuring full audit trails.

Technologies Powering Identity Verification Software for Tranche 2 Entities

Identity verification software enables Reporting Entities to efficiently capture customer data and perform its verification against the relevant databases. It helps the Reporting Entities to overcome the challenges associated with the manual methods and provides an efficient, timesaving, less error-prone, systematic, and accurate way to perform the IDV of their clients. By automating the process, IDV software ensures a streamlined, accurate, and compliant approach to verifying customer identities, thereby enhancing regulatory adherence and customer onboarding experience.

Artificial Intelligence and Machine Learning

Artificial intelligence and machine learning are central to modern IDV systems. They help analyze ID documents by identifying patterns, attributes, and potential anomalies, and flag documents that appear to be forged.

Optical Character Recognition

Optical Character Recognition (OCR) helps in extracting data from documents, thereby saving time and ensuring a faster turnaround. It also minimizes manual data entry errors, improving operational efficiency.

Blockchain Technology

Blockchain provides an enhanced layer of security by offering tamper-proof ID verification. It makes the entire process auditable, traceable, and verifiable.

Biometric Verification

Biometric IDV tools help Reporting Entities verify customer identity through methods such as facial recognition, fingerprint scanning, and iris detection, offering robust security and accuracy.

Electronic Know Your Customer (eKYC)

eKYC eliminates the need for physical documents by enabling digital Identity Verification using government-backed databases and secure APIs. It allows customers to complete KYC processes remotely, offering a faster, paperless, and cost-effective method of compliance, especially in digital banking and fintech platforms.

These advanced technologies collectively ensure that Identity Verification software remains an essential component of an effective AML/CTF compliance framework, improving risk management while enhancing user experience and regulatory compliance.

Let IDV Concerns Disappear in Your Rearview Mirror!

Verifying customer identity gives more knowledge about the customer and their business. Correct risk rating and due diligence can be done if the identification process is right. When doing Identity Verification, a business gains access to customers’ personal information. It is important to protect customer information from data breaches and fraud. Thus, a Reporting Tranche 2 Entity should identify the customer by having the right identification and verification program and protect customer data by having the right data management and protection tools.

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has 9+ years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.

Mitigating TFS Risk Through Sanction Compliance Program: RACI Edition

This article provides a detailed walkthrough of the legal framework in Australia governing Targeted Financial Sanctions (TFS) and its compliance, including:
  • Sanctions Regime in Australia
  • The Need for Sanctions Compliance Policy in Tranche 2 Entities to ensure alignment with the guidelines given by the Australian Sanctions Office (ASO), the Australian Sanctions Regulator.
    • Emphasising how the Compliance and Governance Function can leverage the RACI matrix to ensure smooth execution of roles and responsibilities to mitigate terrorism financing and proliferation financing risk
  • Consequences of Non-Compliance with TFS Obligations
  • Types of Sanctions Issued by Australia
  • Challenges encountered while implementing TFS measures and Best Practices to be incorporated for robust TFS Compliance
Including emphasis on processes to have in place for identifying designated persons and entities, assessing potential prohibited activities for TFS risk, and effective compliance measures to be implemented within the Sanctions Compliance Policy.

What are Targeted Financial Sanctions (TFS)?

Meaning of Sanctions:
In order to understand TFS, we first need to understand the meaning and intent behind sanctions. Sanctions are restrictive measures that a country or international organisation takes to respond to serious international concerns. Sanctions are imposed as restrictive measures to influence the behavior of individuals, groups, entities, or countries to compel desired behavior or stance.

Countries impose sanctions when there is an increase in violations of human rights, terrorism, proliferation financing, and other inhuman acts that are detrimental to society. Instead of using armed forces, governments use sanctions as a method to punish wrongdoers or delinquents and compel their compliance with government foreign policy requirements.

Meaning of Targeted Financial Sanctions (TFS)

TFS restricts the direct or indirect role in making an asset available to a designated person or entity and taking measures to freeze such assets, if in control, to prevent their use by designated persons or entities. In simple words, TFS strictly prohibits the supply of any assets to designated persons or entities. Australia maintains a Consolidated List, known as the Australian Sanctions Office (ASO) Consolidated List, which consists of names of designated individuals and entities subject to Targeted Financial Sanctions. This list includes details such as:
  • Names
  • Aliases
  • Dates of birth
  • Other identifying information.
Reporting Entities must compare names against TFS lists every time they onboard new customers and monitor existing business relationships to ensure compliance with sanctions regulations. Under the Australian Sanctions Regime, engaging in financial transactions with these designated persons or entities is prohibited.

Sanctions Regime in Australia

Australia enforces two primary categories of Sanction laws, which play a significant role in maintaining national security and aligning with international laws. To navigate this sanctions regime effectively, Reporting Entities should ensure that their Sanction Compliance Policies align with the legislative requirements to mitigate any consequences arising from non-compliance.

The two categories of Sanction laws enforced in Australia are given below:

United Nations (UN) Sanctions

These sanctions are imposed by the United Nations Security Council (UNSC). Australia implements these sanctions under the Charter of the United Nations Act, 1945 and its regulations, to which Australia adheres.

Autonomous Sanctions

These sanctions are imposed by the Australian authorities to address specific foreign policy concerns. These sanctions are administered by the Australian Sanctions Office (ASO) and are based on the following laws:
  • Autonomous Sanctions Act 2011
  • Autonomous Sanctions Regulations 2011.

In situations of international concern, both Australian and UNSC sanctions are applicable. These Sanctions frameworks are named after the targeted country, group, or thematic issue (e.g., ‘Iran sanctions’) to address specific circumstances and objectives. Sanctions frameworks are regularly updated by Australia to align with the foreign policy goals and international obligations.

Given below is the UNSC and Australian Autonomous Sanctions Framework:

Need for Sanctions Compliance Program in Tranche 2 Entities to Ensure TFS Compliance

In the evolving Sanctions regime landscape, Tranche 2 Reporting Entities such as Lawyers, Real Estate Agents, Accountants, Trust, and Company Service Providers need to align their TFS Compliance obligations with prevailing sanctions compliance requirements. In order to efficiently comply with these regulations and mitigate the risk of violating such sanctions, it is imperative for these Reporting Tranche 2 entities to develop, adopt, and implement a robust and well-crafted Sanction Compliance Program.

Key Elements that should be incorporated in the Sanction Compliance Program (SCP) are discussed below:

Simplifying Compliance and Governance Functions’ Roles and Responsibilities Using a RACI Matrix

Reporting Entities must establish a structured Sanctions Compliance Program (SCP) that sets out clear governance structures by defining roles, responsibilities, procedures, and internal controls to comply with Australian Sanctions laws. However, simply having a policy in place is not enough; the challenge lies in its effective implementation.

A crucial governance tool that helps the Tranche II entities to delineate the duties of their governance functions effectively is the incorporation of a RACI (Responsible, Accountable, Consulted, Informed) chart, also known as the Sanctions RACI matrix, into the Sanctions Compliance Program. It helps with a clear visual understanding of which employee in the organisation is responsible, accountable, consulted, or informed in the context of specific TFS compliance-related tasks, for instance:

What is a Sanctions RACI Chart?

  • Responsible – Task Execution: For instance, the Screening Analyst is “Responsible” for carrying out the execution of the Sanctions Screening obligation.
  • Accountable – Define Outcome Ownership: Building on the above example, the AML Compliance Officer is “Accountable” for the outcome generated during the screening exercise and needs to decide further action, depending on the screening outcome.
  • Consulted – Input Provision refers to seeking relevant inputs, if any, from colleagues who are responsible for associated tasks. For instance, in the case of screening, the Screening Analyst may be required to consult with the KYC Analyst to obtain key identifier details of the customer, which need to be entered into the Screening Software to carry out the screening obligation.
  • Informed – Keep in the Loop refers to keeping relevant parties informed about the tasks in question.

Why is the Sanctions RACI Matrix Important for Sanctions Compliance?

The Sanctions RACI model clearly assigns who will perform tasks, who oversees them, and who needs to be consulted or informed, ensuring seamless operational execution of TFS compliance. This Matrix is helpful for Reporting Entities because it:
  • Clearly defines the responsibilities of Sanctions Compliance in an organisation.
  • Avoids duplication and gaps by assigning specific roles in sanctions-related workflows.
  • Enhances cross-functional coordination between various designated personnel of compliance, legal, and operations teams.
  • Supports audit readiness by providing a structured governance framework with accountability for sanctions compliance.

Suggestive Sanctions RACI Matrix Illustration

Given below is the Sanctions RACI chart mapping key sanctions compliance tasks to the internal governance function within a Tranche 2 Reporting Entity:

Mapping TFS Governance in Tranche 2 Entities Through RACI Matrix:

1. Understanding the Sanctions Regime
Sanctions are official measures imposed by governments or international bodies to achieve specific foreign policy or national security objectives. These measures can include restrictions on trade, financial transactions, or other economic activities with designated individuals, entities, or countries.

Boards and Senior Management of a Reporting entity should develop a written AML/CTF program by understanding the applicable sanction regime. Therefore, it becomes crucial for them to understand:

  • When to apply sanctions
  • Why are sanctions imposed
  • Who is responsible for Sanction Compliance
  • How to implement and monitor compliance procedures

2. Conducting Sanctions Risk Assessments
Risk is a key factor in ensuring sanctions compliance. By gaining a clear understanding of the risks that an organization encounters at the overall operational level, it becomes possible for a Tranche 2 entity to create a more effective Sanctions Compliance Program.
The Boards and Senior Management of the Reporting Entities are responsible for conducting a comprehensive Risk Assessment to continuously assess their exposure to sanctions risks in terms of:

  • Nature of products and services offered
  • Customer and supplier base
  • Geographic regions of operation, etc.
By evaluating these elements, Reporting Entities can draft their SCP to address their unique risk profiles effectively.

3. Implementing Sanction Screening Software
The Compliance Officer of a Reporting Entity should implement robust Sanctions Screening Software to automate the process of checking transactions and counterparties against the sanctions list.

Such software should be selected based on the Sanction Compliance framework and Risk Assessment of the Reporting Entity so that it can integrate seamlessly with the existing system.

Regular updates and maintenance are necessary to ensure that the software remains effective as the sanctions list is updated.

4. Screening Transactions & Parties

The Screening Analyst, in consultation with the compliance team, has the responsibility to systematically screen all customers, transactions, and third-party service providers against the following lists to detect any prohibited dealings:

  • UN Sanctions list, and
  • Australian Autonomous Sanction list.
This process should be risk-based, focusing more resources on high-risk areas, such as transactions involving high-risk jurisdictions or sectors.

5. Analysing Sanctions Matches
When a potential match is identified during screening, it is essential for the Screening Analyst to analyse and disambiguate it thoroughly to determine if it is a:

  • Full Match
  • Partial Match
  • No Match
  • False Match.

6. Reporting Suspicious Matters to AUSTRAC
Reporting Entities should engage in conducting the Screening comprehensively against the Consolidated list and the UN list, and if they find any suspicion, then the Compliance Officer of the organization has the responsibility of filing a Suspicious Matter Report (SMR) to the AUSTRAC CEO within a reasonable time. At the same time, the Compliance Officer must ensure that customer-facing personnel, such as the frontline staff or other staff members, do not tip off the existing or potential customer regarding SMR in their name, if any. This can be achieved by ensuring that the information sharing in the context of suspicious matters is restricted and limited to relevant employees only.

7. Updating Sanctions Compliance Policies and Procedures
Sanctions regulations are dynamic and undergo frequent updates and changes. Boards and Senior Management of the Reporting Entities should regularly review and update their internal policies and procedures to reflect the current legal landscape.
This may include several activities such as:

  • Revising compliance manuals
  • Updating training materials
  • Updating operational protocols to incorporate new sanctions regimes, etc.

8. Providing Role-Specific Training and Awareness Programs
The Compliance Officer has the responsibility to implement the internal policies and procedures effectively and to regularly comply with the AML/CFT framework; doing so requires an effective training and awareness program. The Reporting Entities should provide ongoing training to their employees regarding sanction compliance requirements. Training programs should be tailored to distinct roles within the organisation, ensuring that all staff understand their responsibilities and the importance of the Sanction Compliance Program as well as the risk of sanctions contraventions.

9. Ongoing Monitoring
AML Compliance Officers of Reporting Entities should conduct day-to-day monitoring and periodic reviews to assess the effective implementation of the Sanctions Compliance Program (SCP). Ongoing monitoring may include activities such as:
  • Reviewing screening processes
  • Evaluating the handling of potential matches
  • Ensuring that policies are being followed correctly
  • Addressing weaknesses in the compliance framework
  • Identifying areas of improvement, etc.

10. Maintaining Records
The Compliance Officer of a Reporting Entity has a responsibility to ensure that the entity is complying with the AML/CTF Act and Rules. Therefore, in order to comply with such statutory obligation, the Compliance Officer should maintain detailed records of all the measures taken during the Sanction Compliance Policy to demonstrate diligence and readiness for audits and regulatory reviews. It is the obligation of the Reporting Entities to retain records of designated services and related customers for 7 years.

Benefits of the Sanctions RACI model in Sanctions Compliance and Governance

The Sanctions RACI model enhances Sanctions Compliance and Governance by clearly defining roles and responsibilities for critical tasks like screening, analysing, and reporting, thereby reducing ambiguity and duplication of effort. It ensures that the compliance team of an organisation knows who is Responsible, Accountable, Consulted, and Informed at each stage of the sanctions compliance process. This structured matrix improves coordination, streamlines decision-making, and strengthens regulatory adherence to the AML/CTF framework.

Identification of Applicable Sanction Regime

As an initial step in drafting an effective Sanction Compliance Policy (SCP) under the AML/CTF Program, Reporting Entities must make themselves aware of the relevant sanctions regime that their business needs to adhere to.
  • If sanctions requirements apply to the extent of imposing restrictions on trade or commercial activities, Reporting Entities should ensure that their Sanctions Compliance Policy includes a provision and procedure for conducting due diligence when such goods or services are offered to customers.
  • When Targeted Financial Sanctions are applicable to Reporting Entities, they need to have in place Sanctions Compliance Policies and Procedures which accurately provide for the identification of sanctioned individuals and entities. Such categories of persons or organisations designated under TFS may include Politically Exposed Persons (PEPs), entities linked to terrorism, or those acting on behalf of sanctioned countries.

Subscription to Relevant Regulators for Updates

Keeping up to date with the regulatory requirements is crucial for ensuring effective TFS compliance. Tranche 2 Reporting Entities should actively monitor the updates in Australia’s Sanctions framework by subscribing to the DFAT’s Mailing List.
  • Reporting Entities should subscribe to DFAT’s Mailing List to get timely updates on the following:
    • Changes to Australian sanctions laws
    • Revisions to existing regulations
    • Additions or removals from the Consolidated List of sanctioned individuals and entities.
  • If the proposed activity of the Reporting Entity is subject to sanctions and meets the criteria for a permit, then the Reporting Entity must register and apply through the PAX Portal.

Sanctions Screening

  • Reporting Entities should choose the appropriate Automated Screening Tool (AST) in their AML/CTF Compliance Program by integrating it into their internal due diligence process to screen persons, entities, and assets.
  • Reporting Entities should ensure real-time checking against the Consolidated List as maintained by ASO. The Screening Process should be dynamic and updated regularly to capture new listings or delistings.

Performing Sanctions Due Diligence

To ensure compliance with the TFS measures and minimize the sanctions risk of their organization, Tranche 2 entities should incorporate due diligence measures to comply efficiently with the Sanctions Compliance Policy. Due Diligence is a critical element in assessing the risk of engaging in prohibited activities and in identifying designated persons or entities.

1. Conducting Independent Checks

Reporting Entities should conduct independent checks on all persons or entities involved in the proposed activity. If a Reporting Entity is dealing with a company, it should understand its corporate structure. It should also look out for any indirect connections to designated persons or entities on Australia’s sanctions list.

2. Assessing the Purpose and End Use of Goods and Services

Reporting Entities should ascertain who will use the goods and services and what they will be used for. Reporting Entities should search the Australian Department of Foreign Affairs and Trade (DFAT) Consolidated List to verify whether any person or entity with which the Reporting Entity is dealing is subject to targeted financial sanctions.

3. Understanding Complex Business Structure & Beneficial Owners

When dealing with companies or any legal structures, Reporting Entities should assess the ownership and control of that organisation to identify the Ultimate Beneficial Owner (UBO), Director, Authorised Signatory, etc. that may be linked to a sanctions target.

4. Performing Sanction Risk Assessment (SRA)

Reporting Entities should conduct a structured Sanctions Risk Assessment (SRA) to identify and assess whether the proposed activity is prohibited under the TFS Compliance Regime. The SRA forms a core component of an effective Sanction Compliance Policy.

A. Identifying Prohibited Activities

To ensure compliance with Targeted Financial Sanctions (TFS), obligated entities must adhere to strict prohibitions regarding interactions with the designated persons or entities. The following activities are prohibited under TFS:

  • Provision of Assets: Reporting Entities are prohibited from providing assets directly or indirectly to, or for the benefit of, designated persons or entities.
  • Use of Controlled Assets: Asset holders must not use, deal with, or facilitate the use of assets owned or controlled by designated persons or entities. Such assets are considered ‘frozen’ by the ASO and cannot be accessed or utilized in any manner by the Reporting Entities.
Reporting Entities must ensure that their Sanctions Compliance Policy includes a clearly defined assessment procedure for evaluating whether a proposed activity is prohibited under TFS. The Reporting Entity should examine:
  • Whether the proposed activity involves any direct or indirect provision of assets to a designated person or entity, or whether it benefits them in any way. If so, the activity may constitute a breach of TFS obligations and must be flagged for further review or reported to the AUSTRAC CEO.
  • Whether the activity involves the use of or dealings with any asset that is owned or controlled by a designated person or entity. If so, the activity will be prohibited under TFS.
If neither of the elements is present, the proposed activity will fall outside the purview of prohibited activities and Reporting Entities can continue with the business relationship.

SCP Training & Internal Awareness

As part of their obligation to comply with the Sanctions Compliance Policy, Reporting Entities should prioritize staff training and internal awareness. Tranche 2 entities should implement regular training programs to help their employees:
  • Build awareness of the Australian Sanctions framework
  • Identify restricted persons/assets
  • Know the actions to take when a designated entity or asset is flagged
  • Acknowledge their responsibility to contact the ASO in case of uncertainty.

Review of Sanctions Compliance Measures

To ensure continued compliance with the SCP:
  • Reporting Entities should perform periodic sanctions health checks
  • Reporting Entities should implement timely remediation measures based on the findings from the evaluations
  • Reporting Entities should identify compliance gaps and take corrective actions to make improvements in their current policies and framework.

Control Framework for TFS Compliance

To ensure that Tranche 2 entities remain compliant with the Sanctions laws, it is essential to understand the specific Sanction measures. Key Sanction measures often include:
  • Freezing of assets: Sanctions may require Reporting Entities to block access to funds and bank accounts and to freeze physical or digital assets owned by the blacklisted individuals or entities.
  • Travel Bans: Travel restrictions prevent designated individuals from entering or passing through Australia.
  • Trade Restriction: These measures include banning the sale or purchase of specific goods or services between the countries.
  • Business Limitations: Stopping companies from investing, buying shares, forming joint ventures, or transferring intellectual property with the targeted party.
These measures can be used for different purposes. Sometimes they may be used to prevent a harmful situation from continuing. In some cases, they can also be used as a tool to control damage caused by a crisis.

Consequences of Non-Adherence to Sanctions Compliance Requirements

Reporting Entities should establish and maintain a robust SCP to ensure adherence to applicable Sanctions laws. If they fail to comply with or contravene the applicable sanctions compliance laws, they may face the following penalties:

For Individuals: If the contravening party is an individual, they will be liable to imprisonment of up to 10 years or a fine of up to 2500 Penalty Units or three times the value of the transaction (whichever is greater), or both.

For a Body Corporate: If the contravention is committed by a body corporate, it will be punishable by a fine of up to 10,000 Penalty Units or three times the value of the transaction (whichever is greater).

Note: The term “Penalty Unit” refers to a standard monetary amount used in Australian legislation to calculate fines for various offences. As of 1 July 2024, the value of a penalty unit is set at Australian $330.
From 1 July 2026, the Australian Dollar amount of a Penalty Unit is replaced by the amount calculated using the following formula:

Penalty Unit Value = (Indexation Factor × Previous Penalty Unit Value)

Types of Sanctions in Australia

Sanctions are of distinct types, each designed to address specific issues. Apart from TFS, the following are some of the other types of Sanctions:

Sectoral Sanctions

These sanctions focus on specific sectors of the economy. They do not block everything, but place limits on some financial activities within a sector to slow down growth in those areas.

Comprehensive Sanctions

These sanctions are the most wide-ranging. They prohibit all forms of trade and financial interaction with a targeted nation.

Challenges Faced by Regulated Entities While Complying with TFS Requirements

Ensuring risk-based compliance with TFS may present several challenges for Regulated Entities, including Tranche 2 Entities. To effectively uphold their SCP, Reporting Entities must recognize and address the following challenges:

1. Suppliers and International Branch Offices: Operating across multiple jurisdictions means navigating varying sanctions laws and enforcement practices. This complexity can lead to inconsistencies in compliance efforts across different regions.
2. Reporting and Alert Management: Regulatory bodies and requirements, such as ASO and Australian sanctions laws, often require prompt reporting of matches or suspicious activities. Delays or inaccuracies in reporting can lead to penalties. Sometimes, inaccurate or incomplete data can result in missed matches or false positives, undermining the effectiveness of the compliance process.
3. Sanctions Evasion Tactics: Sanctioned individuals and entities continuously develop new methods or adopt emerging technologies to circumvent the restrictions; it is therefore challenging for Reporting Entities to maintain ongoing vigilance and continuously monitor their current compliance strategies.
4. Automated Screening Complexities: Automated systems can generate numerous alerts that require manual review, consuming significant resources and potentially delaying legitimate transactions. Implementing automated screening solutions that seamlessly integrate with current IT infrastructure and workflows is often complex and resource intensive for the Reporting Entities.

Best Practices for Regulated Entities to Ensure Robust TFS Compliance

To ensure robust compliance with Targeted Financial Sanctions, Regulated Entities should adopt the following best practices in their SCP to mitigate risks and penalties:

1. Effective Management of Sanction Alerts: Reporting Entities should make sure that relevant personnel are trained to interpret and manage alerts that are generated by the sanctions screening systems.
2. Timely Reporting and Application of TFS Measures: Upon identifying a confirmed match, Reporting Entities should promptly apply the necessary TFS measures, such as freezing assets and prohibiting transactions.
3. Conducting Sanctions Risk Assessment: Reporting Entities should regularly conduct risk assessments to identify and evaluate potential sanctions risk associated with the organization’s operations.
4. Ongoing Training and Awareness Programs: Reporting Entities should provide ongoing education and training to their employees about sanctions regulations and the organization’s compliance obligations.
5. Implementing Internal Controls to Mitigate Sanctions Risk: Reporting Entities should implement robust policies and procedures to prevent and detect Targeted Financial Sanctions violations in their organization.
6. Establishing Sanctions Compliance Committee: Reporting Entities should establish a Sanctions Compliance Committee to oversee the implementation and effectiveness of the Sanctions Compliance Program in their organisation. This Committee should play a key role in ensuring proper governance and continuous improvement of the compliance framework.

Don’t Leave TFS Compliance to Chance!

Regulated entities, including Tranche 2 Entities, must have a Sanctions Compliance Policy as an integral part of their Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) obligations. Ensuring adherence to TFS not only safeguards the entity from significant legal and financial risks but also strengthens the integrity of Australia’s financial system.

By implementing comprehensive risk assessments, robust internal controls, timely reporting mechanisms, and continuous staff training, Tranche 2 Entities can confidently navigate the complex sanctions landscape in Australia.

Embedding sanctions compliance that aligns firmly with the AML/CTF framework demonstrates a proactive commitment to regulatory expectations and contributes to global efforts against financial crimes and terrorism financing. Ultimately, a well-structured SCP is essential for sustainable compliance, operational resilience, and maintaining the trust of regulators and stakeholders alike.

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has 9+ years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.

How Blockchain helps in AML Compliance

This blog discusses how reporting entities, particularly tranche 2 entities, can capitalise on compliance with regulatory obligations through operational efficiency. With features like transparency, immutability, and decentralised nature, blockchain technology aligns seamlessly with Australia’s AML/CFT regulations. The blog explores key aspects of blockchain technology in an Australian context by explaining:  
  • What is blockchain, and what are the unique features that help combat money laundering, terrorism financing, and proliferation financing (ML, TF, and PF)?
  • The blockchain-enabled KYC process and its role in reshaping the AML compliance landscape in Australia.

What is Blockchain?

Blockchain is a process of tracking and recording transactions over a blockchain network. Each transaction is recorded as a data block and forms a chain of data. It is not possible to edit, tamper with, tweak, or modify data that has been entered once in a blockchain. Hence, blockchain provides a ledger of transactions that cannot be altered.

Blockchain is a shared database where transactions are recorded and tracked. It differs from traditional databases as data cannot be changed once entered. If a wrong data entry is made, then a reversal entry must be passed to nullify the effect. The salient features of blockchain transactions are discussed below:

Trusted Data Sharing – The data of a blockchain network is shared amongst the members only. It helps in keeping confidential data safe and protects it from being misused. Only those members who have access to blockchain data can access the information stored.

Decentralisation of Data – Blockchain data is not stored at a centralised location. It is captured over different computers on a network. When new information is added to the block, it is difficult to alter because other computers will reject it.

Easy Tracking – Multiple transactions are recorded in real time. It helps keep track of transactions easily.

Tamper-Proof – Data over a blockchain network is safe and secure from tampering. When new transactions are recorded, they are validated by other computer devices over the network based on a hash key of the current and previous transactions. After validation, the information is added to a block. No one can change or delete the transactions recorded, making the transactions immutable.

Efficient Record Keeping – Manual record-keeping is time-consuming and often leads to duplication. Blockchain helps in reducing the record-keeping process and eliminates the issue of duplicate records.

Accurate Information Retrieval – Data stored on a blockchain network is validated automatically, eliminating the chances of errors due to manual input in the data validation. This helps with accurate information retrieval.

Configurable Accessibility – There are various types of blockchains which can be customised and configured according to requirements. If a blockchain is public, anyone can view the data stored. Some businesses use private blockchains to keep the transactions and information within the organisation. It is accessible only to members who are part of a blockchain network.

Auditability – Blockchain, due to its tamper-proof security, efficient record-keeping, and accessibility, helps track transactions backed by blockchain. The transactions are recorded in a chronological manner, with all the information, like who did what. Since everything is captured online, the audit becomes easier and faster, providing easy auditability.
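The hash linking described under Tamper-Proof, the reversal-entry rule, and the rejection of altered data by other computers can be seen in a minimal hash-chained ledger. This is an added example, not code from the original article or from any blockchain product; the record fields, customer identifiers and function names are constructed, and network consensus is reduced (as an assumption) to comparing the head hash against the copies held by peers.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # placeholder "previous hash" for the first block


def block_hash(index, payload, prev_hash):
    """SHA-256 over a canonical encoding of the block and its predecessor's hash."""
    body = json.dumps({"index": index, "payload": payload, "prev": prev_hash},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def append_entry(chain, payload):
    """Add a block whose hash covers its own contents and the previous block's hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_PREV
    index = len(chain)
    block = {"index": index, "payload": payload, "prev": prev_hash,
             "hash": block_hash(index, payload, prev_hash)}
    chain.append(block)
    return block


def reverse_entry(chain, index, reason):
    """Correct a wrong entry without editing history: append a reversal that cites it."""
    original = chain[index]
    return append_entry(chain, {"type": "reversal", "reverses": index,
                                "reverses_hash": original["hash"], "reason": reason})


def first_invalid_block(chain):
    """Return the index of the first inconsistent block, or None if the chain verifies."""
    prev_hash = GENESIS_PREV
    for i, block in enumerate(chain):
        if block["index"] != i or block["prev"] != prev_hash:
            return i
        if block["hash"] != block_hash(block["index"], block["payload"], block["prev"]):
            return i
        prev_hash = block["hash"]
    return None


def rehash_from(chain, start):
    """Recompute every hash from `start` onward, as a holder of one writable copy could."""
    prev_hash = chain[start - 1]["hash"] if start else GENESIS_PREV
    for block in chain[start:]:
        block["prev"] = prev_hash
        block["hash"] = block_hash(block["index"], block["payload"], prev_hash)
        prev_hash = block["hash"]


def accepted_by_majority(candidate, peer_heads):
    """Accept a copy only if it verifies and its head hash matches more than half the peers."""
    if first_invalid_block(candidate) is not None:
        return False
    head = candidate[-1]["hash"] if candidate else GENESIS_PREV
    agree = sum(1 for h in peer_heads if h == head)
    return agree * 2 > len(peer_heads)


def demo():
    # Constructed sample records.
    ledger = []
    append_entry(ledger, {"type": "kyc", "customer": "C-1001", "risk": "low"})
    append_entry(ledger, {"type": "kyc", "customer": "C-1002", "risk": "high"})
    append_entry(ledger, {"type": "txn", "customer": "C-1002", "amount_aud": 12000})
    reverse_entry(ledger, 1, "risk rating entered incorrectly")
    peer_heads = [ledger[-1]["hash"]] * 3  # three peers holding the same ledger

    results = {"clean": first_invalid_block(ledger),
               "honest_majority": accepted_by_majority(ledger, peer_heads)}

    # In-place edit of a stored record: its hash no longer matches its contents.
    edited = copy.deepcopy(ledger)
    edited[1]["payload"]["risk"] = "low"
    results["in_place_edit"] = first_invalid_block(edited)

    # Re-hashing the edited copy makes it self-consistent, so a purely local check
    # passes; only the comparison with the peers' head hash exposes it.
    rehash_from(edited, 1)
    results["after_rehash_local"] = first_invalid_block(edited)
    results["after_rehash_majority"] = accepted_by_majority(edited, peer_heads)
    return results


if __name__ == "__main__":
    print(demo())
```

The practical check for an auditor is the last one: a ledger copy is trustworthy only to the extent that its head hash is compared against copies held by independent parties.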

Blockchain-Enabled KYC

Blockchain helps in storing and tracking customer data. Moving from paper-based KYC to digital KYC helps in reducing costs. With all information saved on a decentralised network, it is not possible to tamper with customer data.

Legal Basis for Blockchain-Enabled KYC in Australia

The Australian AML laws administered by the Australian Transaction Reports and Analysis Centre (AUSTRAC) require reporting entities to verify customer identities, assess risks, and monitor transactions to prevent financial crimes. Traditional KYC methods often suffer from high costs, data security concerns, and inefficiency. Blockchain-enabled KYC addresses these concerns by streamlining compliance and enhancing security and transparency.

Under the AML/CFT Amendment Act, 2024, tranche 2 reporting entities are required to conduct initial customer due diligence (CDD) before providing designated services to customers. This replaces the previous ‘applicable customer identification procedures’ (ACIP) with the initial CDD, which focuses on knowing the customer and understanding the risks of money laundering, terrorist financing, or proliferation financing while providing designated services to them.

Benefits of Blockchain-Enabled KYC

Security – Blockchain-enabled KYC solutions provide security for customer information. The customer data is stored on a decentralised network, which is only accessible to participant members. Thus, criminals find it difficult to breach the system and get confidential customer information. With public and private keys in blockchain, people who do not have the key cannot access confidential data.

No tampering – One of the inherent properties of blockchain is that the data stored cannot be altered. A blockchain KYC system allows information to be validated by different network systems. If the data entered is changed, it will be validated by other systems. The majority of systems will reject the changes if validation fails. Hence, the altered data will not become part of a block. Data quality can be maintained as a log is created when an attempt is made to alter data.

Consistent & Efficient – Blockchain makes the KYC process efficient. It prevents making duplicate entries. The risk of error and inconsistency can be avoided.

Data storage – Blockchain helps in storing customer data. AML laws require customer data to be kept for several years. When data is stored in a database, it can be easily accessed as and when required. Huge amounts of data can be stored easily by reducing the size without compromising the authenticity of data.

Real-Time Update – The KYC information is stored on a decentralised network. It can be shared within the network. With this, other businesses that are part of the network can use the information, saving time and the cost of collecting the same information again.

Blockchain is Reshaping AML Compliance

Blockchain technology has revolutionised AML compliance in Australia. It provides solutions to the concerns posed by traditional compliance methods. This technology has enhanced the customer due diligence process through blockchain-enabled KYC, providing secure and efficient identity verification and reducing the cost of operations and duplication. This empowers tranche 2 reporting entities to meet AUSTRAC’s reporting requirements and retain the records accurately.

Low cost – Blockchain helps a business reduce the cost of AML compliance. When transactions are stored and kept in a digital ledger, fewer human resources are required, also removing the element of human error. It also increases efficiency when the AML compliance team can dedicate more time to matters related to AML compliance. Cross-border transactions need more intermediaries. Blockchain can help reduce the involvement of intermediaries and related expenses.

More transparent – Public blockchain networks give transparency of information. Law enforcement agencies can leverage this information to investigate suspicious activities. As a log of each activity is maintained digitally, it is easy to investigate any transaction. Smart contracts help in identifying suspicious transactions. For example, if a threshold is exceeded in a financial transaction, the system will flag and alert the compliance team.

More secure – A blockchain network is decentralised. It does not allow changes in the data entered in a block. Criminals find it difficult to alter data in a blockchain database. Private blockchain networks are only accessed by members who have the right to access them. This prevents financial information from going into the hands of criminals, thus making it safe and secure.

FAQs on Blockchain in AML Compliance

How does blockchain help in KYC?

KYC is a process of identifying a customer by collecting personal information. Blockchain is a database that helps collect, verify, and store confidential data, including customers’ KYC details and transactions. Blockchain makes the KYC process transparent and secure and reduces the overall cost of the process. With blockchain technology, customer data is securely stored on a decentralised network. Alteration of customer identification information is not possible by non-members who don’t have access to the network.

It streamlines the onboarding process by reducing the time needed for information collection and verification. The KYC questionnaire is sent to the customer and is not accessed by anyone else. The customer will provide information and supporting documents, which can be viewed by users who have access to them, making the KYC process fast and secure. It protects the integrity of customer information and data privacy, and guards against alteration of data.

Understanding the New Tipping Off Regime in Australia

The tipping off mandate has been updated in Australia as a part of a series of reforms to the Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Act 2006. These reforms are set to apply from 31st March 2025. In this article, we discuss the new and updated definition of tipping off in Australia, its essentials, and guidance for reporting entities on how to reduce the risk of breach of the tipping off offence.

Reformed Definition of Tipping Off for AML/CTF Compliance in Australia

If a person discloses a certain kind of information to another person, where such information would/could reasonably be expected to prejudice an investigation, then such an act of disclosure amounts to an offence of Tipping Off under the new reforms to the Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Act 2006.

Insights into the Need for Tipping Off Offence

The offence of tipping off prevents reporting entities from disclosing any kind of information that can lead criminals to hide or change their illegal activities. Tipping off also protects the privacy and reputation of the customer, who may be a victim of the suspected criminal activity, as mere suspicion is not conclusive evidence that the customer is involved in any financial crimes.

The provision of tipping off offence also protects the identity of the person submitting a Suspicious Matter Report (SMR) to AUSTRAC by maintaining high standards of confidentiality.

Now, let us understand the essentials of the new tipping off offence.

Essentials of the New Tipping Off Offence

The amended AML/CTF Act, 2006 provides the essential elements of tipping off offences in Australia, which include:
  • If the person discloses information to another person who is not entrusted by AUSTRAC
  • If the person making the disclosure is or has been either a reporting entity/any officer/employee/agent of a reporting entity/a person required to share further information or documents specified in a notice by the AUSTRAC CEO/Commissioner of the Australian Federal Police/CEO of the Australian Crime Commission/Commissioner of Taxation/Comptroller-General of Customs/National Anti-Corruption Commissioner/Investigation Officer concerning the reports filed by the reporting entity under the AML/CTF Act, 2006 or the repealed Financial Transaction Reports Act 1988, or information/document that may assist the AUSTRAC CEO in performing their functions.
  • If the information disclosed includes:
    • Information that can establish that the reporting entity submitted an SMR or that their reporting obligations are triggered.
    • Information about the report made or prepared for the purpose of meeting SMR obligations
    • Copies of the SMR or any document purporting to set out SMR information, such as the formation or existence of a suspicion.
    • Information about any notice sent by the AUSTRAC CEO for obtaining information or documents in certain circumstances or for seeking further information and whether the person is required to give information or produce a document in response to the notice.
    • For Cash Dealers prior to 7 January 2025, information about a Suspect Transaction Report (SUSTR) under the repealed Financial Transaction Reports Act 1988, including specifications about the suspicion formed concerning a transaction, whether such information was submitted to the AUSTRAC CEO through a SUSTR or as a response to the relevant notice, and any information from which anyone could reasonably deduce that such information concerning suspicion was given to AUSTRAC.
  • If the disclosure would or could reasonably be expected to prejudice an investigation of any offence against a law of the Commonwealth or any State/Territory, or for the purpose of the Proceeds of Crime Act 2002 (POCA) or any regulations thereunder, or any State or Territory laws corresponding to POCA or any regulations thereunder.

Understanding Prejudice to an Investigation as a Requirement for Tipping Off Offence

One of the major requirements for the offence of Tipping Off is that the disclosure of information could or would reasonably be expected to prejudice an investigation. This means that if disclosure of information can reasonably be expected to negatively affect an investigation, then it amounts to tipping off. The risk of prejudicing an investigation may depend on a combination of the following factors:

Content of the Information Disclosed

If the content of the information disclosed includes any protected information covered in the AML/CTF Act, 2006, for instance, if any information relating to the Suspicious Matter Report is revealed or any explicit actions from which the customer can infer that a suspicion has arisen, then it can negatively affect an investigation.

Recipient of the Disclosed Information

Whether a disclosure can prejudice an investigation also depends on the person to whom the disclosure is made. For example, if the disclosure is made to any person entrusted by AUSTRAC, then such disclosure cannot negatively affect an investigation, but if the disclosure is made to a third party who can potentially share it with the public at large, such as a journalist, then it can prejudice an investigation.

Method of Disclosure

For a disclosure to amount to tipping off, it is not necessary for the person disclosing information to know that the disclosure will negatively affect an investigation. For example, if an employee discloses any such information by mistake on a public platform, then it would still amount to tipping off.

Time of Disclosure

Time is everything when combating financial crimes, and therefore, if disclosures are made before or during the period of investigation, they can give the criminals an opportunity to conceal any trail of evidence, certainly hampering the course of an investigation. However, this does not imply that reporting entities are free to disclose any protected information after reporting it, because doing so may even compromise future investigation efforts, if any. Thus, it is important for compliance professionals to be alert about not unintentionally disclosing information while following their Customer Due Diligence (CDD) obligations.

Therefore, to avoid any kind of prejudice to an investigation, reporting entities must ensure that their protected information is not publicly released and does not get back to a person who might be engaged in any criminal activity or to any other person who is associated with the person suspected of criminal activity.

Disclosures that are not Considered as Tipping Off

There are some disclosures that are exempted from being considered as tipping off. At the same time, some disclosures are not likely to be considered as tipping off, as per AUSTRAC:

Disclosures to Prevent Crime

Disclosures relating to information or reports concerning suspicious matters are exempted from being considered as tipping off if:

  • The person making the disclosure is a reporting entity that is either a legal practitioner/qualified accountant/any partnership or company carrying on a business of providing professional legal services/accountancy services through legal practitioners or qualified accountants, respectively, or any other person specified in the AML/CTF Rules, and
  • The information is about the affairs of the reporting entity’s customer, and the disclosure is made in good faith to prevent the customer from partaking in any sort of conduct that constitutes or may constitute an offence against the law of the Commonwealth or a State/Territory.
  • AUSTRAC recommends that such entities focus on how the customers’ activities could result in a breach of the law and the penalties thereof. However, it is recommended that reporting entities do not disclose any information about related STR/SUSTR/relevant notice or obligations of the reporting entity with respect to the STR or notice.

Disclosures for Sharing Information to Identify, Avert or Disrupt Money Laundering, Terrorism Financing, Proliferation Financing (ML, TF, and PF), and Other Serious Crimes

Disclosure of any protected information does not amount to an offence of tipping off if such disclosure is made to another reporting entity for the purpose of identifying, averting, or disrupting ML, TF, PF, and other serious crimes, subject to any regulatory conditions prescribed.

For example, disclosures made between reporting entities engaging in the activities of Fintel Alliance cannot be considered as tipping off.

Disclosures to Comply with Requirements in Commonwealth, State, or Territory Laws

Disclosures made pursuant to the laws of the Commonwealth or a State/Territory shall not amount to tipping off. For instance, there are multiple disclosure requirements under the Scams Prevention Framework that regulated entities need to follow.

Disclosures Made for Meeting the Reporting Entity’s AML/CTF Obligations or Mitigating ML/TF Risks to the Business

Any internal disclosures made to the reporting entity’s staff or senior management, or any external disclosures to other reporting entities of the same designated business group for the purpose of managing ML/TF risks to the business, are not considered as tipping off.

Similarly, if a reporting entity appoints any external service providers/consultants to support them in AML/CTF remediation and enhancement or seeks any legal advice from a lawyer on its AML/CTF obligations, then such communication cannot be considered as tipping off.

Disclosures Made During Corporate Restructuring

According to AUSTRAC, any disclosures made during a merger or acquisition involving the reporting entity to support the due diligence processes will not be considered as tipping off.

Reasonable Questions for Effective Risk-Based Customer Due Diligence

As per AUSTRAC, if a reporting entity’s SMR obligations are not triggered, and the reporting entity or persons engaged by the reporting entity ask reasonable questions to a customer or conduct Enhanced Due Diligence, then such line of questioning cannot be considered as tipping off.

Disclosures to AUSTRAC Entrusted Persons

Disclosure of information to AUSTRAC entrusted persons or Australian law enforcement, intelligence, or regulatory agencies, like the Commonwealth, State/Territory police and agencies having investigative functions, such as the Australian Taxation Office, National Anti-Corruption Commission, Australian Border Force, Australian Criminal Intelligence Commission and similar agencies, does not amount to a breach of the new tipping off offence.

AML Compliance Procedures to Follow to Avoid the Risk of Tipping Off

Businesses that do not deploy adequate controls within their structure are often at a higher risk of tipping off when sharing information within their designated business group or with a third party. Upon implementing the following AML/CTF compliance procedures, reporting entities have a better chance of avoiding the risk of tipping off:

1. Adopting and Maintaining AML/CTF Policies to Prevent Tipping Off

To comply with the new tipping off reforms, AUSTRAC recommends that reporting entities adopt and maintain AML/CTF policies that define proper procedures for identifying the information held by the business and the situations where disclosing such information would or could be reasonably expected to prejudice any investigation, and for determining the measures to implement to prevent the risk of tipping off when disclosing any information or processing any communication.

The AML/CTF policies should also define the legal obligations of third parties with whom any protected information is shared.

2. Maintaining Proper Audit Trails

Reporting entities should implement and periodically review audit trails with employee names and timestamps to understand who has access to specific information and during what period of time.

3. Employee Training and Employee Due Diligence

Reporting entities must perform due diligence on their employees to ensure that they do not pose any ML/TF risks and are suited for sharing sensitive information. Additionally, periodic training must be provided to the employees to make sure that they are aware of the risks of breaching the tipping off offence. Role-specific training should be given to customer-facing staff on how to handle sensitive information while balancing customer relationships.

One important thing to keep in mind when training employees is that if any trends or insights are discussed, then reporting entities should be cautious about not mentioning specific customer information or transactions and simply talking about the generally identified patterns.

4. Record-Keeping

It is important for reporting entities to document all the steps taken by the reporting entity. For example, when dealing with a customer in relation to a suspicious activity or information, reporting entities should document their interactions with the customer along with the steps taken by the reporting entity to reduce the risk of breach of the tipping off offence.

Similarly, if at the time of conducting Enhanced Customer Due Diligence (ECDD), the reporting entity is of the opinion that some specific ECDD measures would tip off the customer, then they should not proceed with ECDD and should document the reasons for taking this decision.

Moreover, if a person makes any kind of disclosure that is exempted from being an offence, then they should maintain proper records of the disclosure, including the purpose of disclosure, method of disclosure, time of disclosure, etc. This is because, under the AML/CTF Act, 2006, the burden of providing evidence that suggests a reasonable possibility that the disclosure is exempted from the tipping off offence rests with the party seeking exemption.

Thus, by adopting and following proper AML/CTF procedures, reporting entities can reduce the risk of tipping off to a great extent. But let’s take a moment to understand the impact of following AML/CTF obligations on customer relationships and how reporting entities can fulfil their regulatory obligations without tipping off the customer or damaging their reputation.

Balancing Customer Relationships Without Tipping Off

Reporting entities constantly need to balance their need for business growth against the necessity of mitigating the risk of financial crimes. Therefore, while fulfilling their regulatory requirements, it is also important to be aware of the impact on customer relationships. Being seen with a suspicious eye is no pleasant experience for any customer, so here’s how reporting entities can fulfil their regulatory obligations without tipping off and without any friction with the customer:

Seeking Further Information from a Customer without Tipping Off

As discussed before, asking reasonable questions about a customer’s activity cannot in itself be considered as tipping off, but reporting entities must ensure that, while seeking additional information, they do not disclose any protected information that could or would reasonably be likely to prejudice an investigation. So, to avoid indicating that the reporting entity is suspicious of the customer’s behaviour, AUSTRAC recommends that reporting entities either:
  • Inform the customer that the information sought is a part of their routine AML/CTF compliance obligations or KYC obligations, or
  • Tell the customer that the exercise is conducted to ensure that the reporting entity has the most updated details on its record, or
  • Inform them that it is a business policy to collect additional information in certain situations, or
  • Explain that additional verification is required to resolve issues with customer information or identification documents

Terminating a Business Relationship with a Customer without Tipping Off

Where a reporting entity chooses to terminate the business relationship with a customer, it is advised to offer genuine reasons for doing so that do not indicate that the reporting entity is suspicious of the customer’s behaviour, such as:
  • Reasons that can establish that there is a commercial basis for ending the relationship, or
  • The reporting entity does not have the funds, additional systems or controls required to manage the regulatory obligations that are related to the customer’s account, or
  • The customer has taken an unreasonably long time to provide the additional information requested by the reporting entity, or
  • The additional information shared by the customer is unsatisfactory, or
  • The nature of the customer’s activities is beyond the reporting entity’s risk appetite

In addition to the steps suggested by the regulatory authorities, reporting entities can also follow some of the industry-wide accepted best practices to further reduce the risk of tipping off.

Best Practices to Follow To Lower the Risk of Tipping Off

In addition to modifying the AML compliance procedures, reporting entities can adopt some of the following best practices to further reduce the risk of breach of the tipping off offence:
  • Imposing restrictions on access to information on a strict and genuine need-to-know basis
  • Using legally enforceable agreements or undertakings when disclosing protected information to employees or third parties to maintain the confidentiality of information.
  • Using secure electronic document storage systems with password protection to prevent easy access to protected information
  • When appointing any third party to support the reporting entity’s AML/CTF compliance obligations, the reporting entity should, as a best practice, take into consideration the internal controls deployed by the third party to prevent tipping off
  • When seeking additional information from the customer, use standardised forms or means of communication so the customer is not tipped off and does not feel uneasy about requests for additional information
  • When training new customer-facing staff, provide them with scripts or clear communication instructions for making additional inquiries

Frequently Asked Questions about Tipping Off Reforms

Can a person be required to disclose protected information to Courts and Tribunals?

A person is not required to disclose protected information to a court or tribunal except where it is necessary to disclose the protected information to give effect to the AML/CTF Act, 2006.

Is disclosing information to a third party allowed under the new tipping off offence?

Reporting entities are not prohibited from disclosing information to third parties under the new tipping off offence so long as it would not or could not reasonably be expected to prejudice an investigation. However, this non-prohibition on disclosure cannot be considered as authorisation for disclosure as other legal restrictions may be applicable to reporting entities, such as the restrictions stipulated in the Privacy Act 1988.

If the reporting entity is of the perception that performing Enhanced Customer Due Diligence (ECDD) will lead to tipping off, should they proceed with ECDD?

While gathering more information about a customer’s identity and source or destination of funds for the purpose of ECDD is not in itself considered as tipping off, if the reporting entity is of the opinion that performing specific ECDD measures would lead to tipping off, then such measures should not be performed.

AML Australia’s Due Considerations Towards the New Tipping Off Reforms

Our experts at AML Australia know the value of long-term business relationships and the need for business risk protection. Therefore, we give due weightage to tipping off requirements when designing AML/CTF programs for our customers so that their business thrives on the foundation of AML compliance.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing the robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.

AML Compliance and Big Data Analytics

In today’s complex financial world, Anti-Money Laundering (AML) compliance with the help of big data is transforming how institutions detect and prevent financial crime. Traditional data analysis methods often fall short due to inaccuracies.

As financial transactions become more sophisticated, regulators demand stronger compliance measures, making it crucial for businesses to adopt advanced technologies.

Big data empowers financial institutions by providing deeper insights into customer behaviour, transaction patterns, and potential risks. With advanced analytics, organisations can identify anomalies, enhance customer due diligence, improve transaction monitoring, and streamline investigations.

By leveraging big data, compliance teams can not only meet regulatory obligations more effectively but also optimise resources and reduce operational costs. In this article, we discuss the limitations of traditional data analysis, the role of big data in AML compliance, and how data analytics addresses key challenges in financial crime prevention.

Drawbacks of Traditional Data Analysis Systems

Traditional data analysis methods synthesise data using typical statistical methods and human expertise to extract information and draw conclusions for the purpose of decision-making. Since traditional data analysis methods rely on manual techniques, they are prone to certain challenges, such as:

Human Errors

It is not possible to analyse enormous amounts of data manually. Faced with such extensive data, people working manually tend to analyse it incorrectly or miss important data. These human errors can be costly for a business.

Time Constraints

Lots of alerts are generated every single day for financial transactions. It is time-consuming to investigate each alert and make the right decision.

High Cost

Businesses need huge manpower to interpret large data sets, causing the need to hire more employees to reduce the workload. This adds to the cost that the business must bear.

Greater Inaccuracies in Results

Traditional data analysis outcomes suffer from a high rate of false positives and negatives due to limited insights into the transaction patterns and connections between data sets. The inherent human bias based on past experiences, assumptions, and preconceived notions also contributes to inaccurate outcomes.

Lack of Scalability

When dealing with a high volume of data, it is not possible for traditional data analysis methods to efficiently deliver high-quality results in a short span of time, therefore reducing its scalability.

Understanding Big Data and Big Data Analytics in the Context of AML Compliance

While there is no standard definition for big data, the term commonly refers to a large volume of information that is generated through information systems. It can include financial data, personal data, data from the Internet of Things, social media data, etc.

Some of the most important data types required for data analytics in AML compliance include:
  • Customer Data
  • Beneficial Ownership Data
  • Sanctions Screening Data
  • Politically Exposed Person (PEP) Screening Data
  • Adverse Media Data
  • Geographic Risk Data
  • Transaction Data
  • Behavioural Data
  • Past History Data

Big data analytics means processing large amounts of structured or unstructured data, like customer feedback, news articles, legal judgements, etc., to make correct decisions. It helps in finding patterns and trends by analysing huge data sets accurately.

Businesses use data analysis to process financial transactions and customer data to detect suspicious behaviour.

Data analytics when integrated with AML solutions can help in effective risk management. The analysis is done with the help of data analytics tools.

Using Big Data Analytics in AML Compliance

Big data analytics can be instrumental in executing AML procedures. Here’s how Big Data Analytics can be incorporated in AML Compliance processes:

Business ML/TF Risk Assessment

Big data analytics, along with predictive assessment techniques, can synthesise past data to identify risk factors and potential threats. This allows businesses to take a risk-based approach, allocating resources on the basis of the likelihood and impact of the potential threats.

Know Your Customer (KYC)

Big data analytics can facilitate digital identity verification processes by integrating data sets from multiple channels, such as publicly available information and digital footprints, such as their social media accounts and online activities, and by comparing biometric information with existing databases.

To pass the KYC checks, a customer may submit false identification documents. Leveraging artificial intelligence (AI) backed by big data helps scan and identify fake documents. For example, with AI and data analytics, fake passports and identity cards can be detected.

Name Screening

Data analytics in name screening ensures that the customer information is screened against comprehensive sanctions watchlists, PEP databases, and adverse media sources.

Customer Risk Assessment

Data analytics can use classification algorithms to identify the various kinds of fraudulent transactions using past data, and supervised machine learning systems can classify customers into high-risk, medium-risk, and low-risk customers based on the characteristics that they display.

Ongoing Monitoring of Transactions and Customer Profile

Data analytics can be helpful in monitoring transactions as it can trace transactions from their origin until termination to identify anomalies in transaction patterns like sudden changes in the volume of transactions, the frequency of transactions below the reporting threshold in real-time, or any peculiar trends in transaction patterns, enabling prompt resolution of suspicious transaction alerts.

For example, consider a business that uses big data analytics to monitor customer transactions in the professional services sector. Over time, the monitoring tools driven by machine learning can be capable of identifying the usual transaction patterns of that customer and detecting deviations in case one arises.

With the help of data analytics, it is also easy to track customer behaviour by developing a customer profile, mapping data movement, and identifying any deviations from the customers’ usual behaviour. Data mining with association rules is a great way to establish relationships between products and services.

Reporting

Businesses that are classified as reporting entities in Australia are required to report certain transactions and suspicious matters to AUSTRAC. Big data analytics can automate the filing process for Threshold Transaction Reports for the prescribed values and lead to prompt, precise risk evaluations by generating alerts for suspicious behaviour or transactions so that the compliance teams can make data-driven decisions when filing Suspicious Matter Reports.

Record-Keeping

Data analytics can be immensely helpful in keeping comprehensive records like timestamps, types of transactions, particulars of the customer and related parties, and mandatory documentation.

In today’s data-driven world, there is an abundance of data. However, these data sets are siloed across multiple sources. In such a situation, data in its original form is more likely to hinder compliance efforts than to optimise them. To avoid unintended consequences of using big data, read about the best practices to adopt when using big data analytics in AML compliance.

Best Practices for Adopting Big Data Analytics in AML Compliance

When transitioning from traditional analysis systems and adopting big data analytics, businesses should adopt industry-wide accepted best practices like:
  • Include big data analytics strategies in your AML Program to ensure that the outcome of the data analysis aligns with the business’s AML compliance goals and regulatory obligations.
  • Ensure that the abundant and publicly available data is used for targeted investigation outcomes and not for hoarding futile information.
  • Deploy strong data privacy and security measures
  • Provide role-based training to employees in using data analysis outputs

The Future of AML Compliance with Big Data

As financial crime becomes more advanced, the role of big data in AML compliance will continue to expand. With the help of artificial intelligence and machine learning, businesses will be able to spot suspicious activities faster and more accurately.

This means fewer false alarms and better compliance with regulations. Automation will also make processes like tracking transactions and verifying customers more efficient and less expensive. At the same time, the importance of human oversight cannot be overstated.

Therefore, businesses that use big data wisely stand a better chance of having a stronger defence against financial crimes and staying ahead of changing regulations.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Art and Money Laundering: The Hidden Brushstrokes of Crime

Art has always been looked at as a medium of expressing emotions, creativity, and thoughts. In the brushstrokes of art lie serious crimes like money laundering, which are well hidden due to the unregulated nature of this industry. In this article, we have covered the connection between art and money laundering, the red flags to look for when selling art items, and practices to follow to prevent money laundering.

There is a need for AML training of art market participants, be it art galleries, museums, or auction sales, to identify suspicious transactions and adopt preventive measures for making the art industry free from financial crimes.

Why Criminals Use Art for Money Laundering

  • Absence of Price Control
The price of art items is not fixed, which gives criminals the chance to fix prices the way they want. As the price is not regulated, a criminal can buy a less costly painting for a huge price to launder a large amount of money.
  • Less Regulations
The art and antiques market is not governed under the AML/CTF laws in Australia, making it convenient for criminals to evade regulatory scrutiny.
  • Anonymity of Transactions
Transactions in arts and antiques are not transparent in nature, making it difficult for regulatory authorities to verify the trail of money. This gap is exploited by criminals for their benefit.
  • Involvement of Intermediaries
Criminals buy and sell art items through shell companies formed as intermediaries to hide the origin of dirty money. The purpose is to receive or transfer money in the company’s name.
  • Involvement of Multiple Jurisdictions
Consider an example where a painting is bought in one country while payment for that painting is wired from a different country, leaving less room to find the origin and source of the funds. Thus, criminals also favour the export and import of art. However, it must be noted that Australian legislation seeks to restrict the movement of artworks and historical, archaeological, numismatic, philatelic, science, or technology objects that are of cultural significance. This bid to retain the country’s cultural heritage has a role to play in preventing money laundering through art and artifacts.

How Art is Used for Money Laundering

Money Laundering is the process of disguising the proceeds of crime and its origin to give it the mask of legitimately earned money. A series of complex transactions are performed to put the illegal money into the financial system and disguise its source with the intention of making it look clean or legal money. The whole process of money laundering is divided into three stages: Placement of money into the financial system, Layering to hide the source of illegal money and Integration of money to make it appear legal.

Art is a multi-million-dollar industry. It is also one of the industries that are least regulated by the authorities. Criminals do not prefer traditional methods of money laundering as countries regulate industries to prevent money laundering. The art industry, being the least regulated, attracts criminals. Money launderers use high-value art items to hide their illicit money.

Criminals use people to auction low-value art at high prices anonymously. It is also convenient to move art pieces across countries without declaration to customs authorities. Criminal money is used to buy art collections in cash.

The art market is also used for carrying out fraud and theft to raise funds for money laundering, where the purpose is typically personal enrichment. For example, forged artworks or unauthorised distribution of artwork by agents are some of the common means of art crimes where the proceeds of such crimes can be used for the purpose of money laundering.

Spotting Red Flag Indicators of Money Laundering in Art Market

As an innocent participant in the art market, it may be difficult for individuals or businesses to identify organised crimes such as money laundering. However, there are some signs of suspicious behaviour or red flags which can indicate potential risks of money laundering. Some of the red flag indicators that art dealers, auctioneers or agents should be aware of when dealing with a buyer are:
  • If art is bought by a shell company from a high-risk country
  • If the address of the buyer or company is fake and cannot be located on a map
  • If the buyer provides false identity information
  • If the buyer uses a large amount of cash to buy art which is inconsistent with the customer’s profile or business
  • If the payment is made on behalf of the buyer by a third party not related to the transaction
  • If the buyer participates in the auction over the telephone or Internet and pays an unusually large sum of money

Protecting the Art Industry from Financial Crimes

To spot the red flags and prevent exploitation from financial crimes, it is important for art market participants to undertake certain AML compliance actions. These actions include:

Establishing the AML/CTF Compliance Program

Art market participants should establish a comprehensive AML/CTF compliance program by first assessing the ML, TF, and PF risks that they may face and then developing internal policies, procedures, systems, and controls to mitigate those risks.

Performing Customer Due Diligence

Before entering into a business relationship, art participants should undertake due diligence measures for their buyers or their beneficial owners if the buyer is not a natural person. This includes:

  • Collecting the buyer or beneficial owner’s information and verifying it against independent and reliable sources during the Know Your Customer (KYC) process.
  • Name screening the buyer or beneficial owner’s name to check if he/she is a politically exposed person or a person designated for targeted financial sanctions.
  • Undertaking the buyer and the beneficial owner’s ML/TF risk assessment in relation to the kind of service that the art participant is providing, its delivery channel, and the country in which they are dealing with the buyer.
  • Performing Risk-Based Due Diligence specific to the buyer’s risk criteria. For example, Simplified Due Diligence for low-risk buyers and Enhanced Due Diligence for high-risk buyers

Avoiding Cash Transactions above a Threshold Value

High-value cash transactions can be indicative of financial crime risks. Therefore, as a best practice, art market participants should avoid cash transactions above a certain threshold value specified in their AML program to prevent themselves from being exploited by illicit actors.

Staying Updated about the Red Flags and Emerging Patterns Concerning Money Laundering in the Art Industry

Art dealers or art auctioneers can stay updated with the emerging patterns by subscribing to weekly newsletters or other such sources concerning Anti-Money Laundering, just like AML Australia’s weekly email newsletter, where all regulatory updates, industry trends, and expert insights are shared at absolutely no cost.

Conducting Staff Training

People in the art business should know about unusual transactions, high-risk factors and measures to mitigate them. Thus, art dealers, auctioneers, and art houses must conduct regular training programs for the staff to identify, assess, and mitigate ML, TF, and PF risks.

AML Australia’s Key Takeaways on Breaking the Link between Art and Money Laundering

Art is a high-risk market due to anonymous transactions, high-value items, and easy movement of art in different jurisdictions. Although the art sector is not covered under the AML/CTF regulations in Australia, it can still undertake due diligence measures to prevent ML, TF, and PF risks by understanding the red flags and adopting the AML compliance processes suggested in this article.

Frequently Asked Questions on Art and Anti-Money Laundering

Why is the art industry considered a vehicle for money laundering?

Anonymous transactions, high-value items, and easy movement of art in different jurisdictions make the art industry a suitable vehicle for criminals to launder money.

What is AML in art?

Anti-Money Laundering (AML) is a set of compliance procedures that Art Market Participants can perform to prevent money laundering risks to their business.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Performing Background Checks on Employees for AML Compliance

Charity begins at home, and due diligence begins within the organisation. Customer Due Diligence is an integral part of Anti-Money Laundering (AML) compliance, but Employee Due Diligence is equally valuable in the eyes of law. Therefore, in this Article, AML Australia discusses the intricacies of performing background checks on employees for AML Compliance.

Anti-Money Laundering (AML) Regulations and Background Checks of Employees

The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 and Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 require their reporting entities to perform due diligence for persons who are employed or engaged or to be employed or engaged by the reporting entity for performing the reporting entity’s AML functions under these regulations. Additionally, the reporting entities are required to develop an employee due diligence program with proper risk-based systems and controls for the following functions:
  • Determining whether the prospective employee must be screened
  • Determining the manner in which screening must be conducted for a prospective employee
  • Determining if and when re-screening must be conducted for employees
  • Managing employees who fail to comply with the reporting entity’s policies, systems, controls, and procedures without any reasonable excuse

Organisations should perform background checks on current employees as well as potential hires.

Current Employees: When employees are considered for promotion to a higher position or for a transfer, they must be screened if they may be in a position to facilitate Money Laundering or Terrorism Financing (ML/TF) activities, to know if there has been any significant change in their status. Some professional licenses expire with time. The validity of such licenses can be determined by background checks. This allows a reporting entity to promote the right people. It is good practice to periodically screen the existing employees.

Potential Employees: As part of the hiring process, background checks on potential candidates should be done to see if they may be in a position to facilitate ML/TF activities if they are hired. Whether done by external agencies or internal staff, these checks should be performed vigilantly as per the role. By doing so, reporting entities stay compliant with the regulatory requirements.

To implement the mandate of the Employee Due Diligence Program, a checklist should be created, which can be customised depending on the role of a candidate.

Employee Background Checklist for Anti-Money Laundering (AML) Compliance

What points should form part of the background screening depends on the role of an individual. Some roles have a higher influence on internal control systems and exposure to ML/TF risks than others. For example, broader enhanced screening is required for an individual at the board/top management level as compared to an entry-level employee in a junior role. The candidate’s consent must be obtained before initiating screening.

Here is an employee background checklist for reporting entities to refer to for the purpose of AML compliance:

Identity Verification: This is a check on the identity of a person to confirm they are who they say they are. Undertake Know Your Employee (KYE) procedures just as you undertake Know Your Customer (KYC) procedures. This includes collecting personal details such as name, date of birth, and place of birth and verifying them against reliable and independent documentation.

Name Screening: A name screening involves screening a person’s name against various global watchlists to identify persons having negative media attention, criminals, PEPs (local or international) and sanctioned individuals.
Reporting entities should adopt a risk-based approach when screening and re-screening customers.

National Police Check/ National Police Certificate (NPC): A police check provides information on whether an individual is or has been a criminal in Australia. In Australia, this can be taken from the Australian Federal Police.

Employment & Educational Background Check: To verify the information given by a candidate on a resume, checks on employment history and educational qualifications must be performed.
For employment checks, official documents from previous employers, such as employment and experience letters, can be obtained.
Degrees & certificates can be collected to verify the educational background of a candidate.
These official, original, and certified documents can be further verified with written references, referee reports or by contacting universities or training institutions to know about the time of education, degree received, year of completion, grade and scores obtained and by getting official degrees and passing certificates sealed and signed by the institution.

Self-Disclosure & Attestation: It may not be practically feasible for reporting entities to update their employee’s information on a real-time basis based on changing circumstances due to the lack of availability of accurate information. Hence, some employers get signed and attested disclosures from potential and existing employees to update the reporting entity on changes in the material information provided.

Background Check through Social Media Platforms: Social media platforms like LinkedIn provide a great deal of information about a person, such as their employment history, education, and professional certificates. To know about employability and work ethics, reporting entities can check recommendations given by people they have worked with in the past.

Additional Checks: For positions where the risk of ML/TF activities is high, employers perform credit checks and obtain the history of the geographic location where the candidate has lived. This is to verify the employee’s creditworthiness and to confirm if the employee is from any high-risk jurisdiction. It is also important to know if the employee has an interest in another business/company to mitigate the risk of conflict of interest. Further, checks on financial standing help ascertain whether the candidate is or has been declared bankrupt or has a poor credit history.

Importance of Employee Due Diligence in Anti-Money Laundering (AML)

When doing business with a customer, a reporting entity wants to understand the customer before entering into a business relationship. Having knowledge about customers and their businesses helps in identifying high-risk customers, unusual transactions and activities.

Similarly, when a reporting entity hires an employee, it is important to understand the background of the employee to see if the person is a good fit for the role as well as the reporting entity and does not pose any ML/TF risks to the reporting entity. Hiring the wrong candidate can be costly for a reporting entity. This is because, as per the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, reporting entities are vicariously liable for the actions of their employees or agents.

This can cause significant legal and reputational damage to the said entity.

Moreover, as employees have access to confidential data about the reporting entity and customers, it is important to ensure that the data does not go into unwanted hands. Employee due diligence helps in preventing risks of fraud and creates a safer work environment. Background checks help identify illicit actors and prevent the risks of hiring them.

Best Practices for Employee Background Checks

  • All the observations and decisions made during the employee due diligence process must be recorded and maintained throughout the period of employment and for a period of 7 years after the record is no longer relevant
  • Adopting a Risk-Based Approach in Employee Due Diligence, i.e. subjecting persons holding high-risk positions to Enhanced Due Diligence
  • Setting up an internal system to deal with employees who fail to comply with the reporting entity’s AML/CTF program
  • Using emerging technologies for automating due diligence processes, such as KYE and name screening
  • When outsourcing hiring processes, reporting entities should ensure that the agency to whom they outsource hiring conducts employee due diligence.

AML Australia’s Key Takeaways on Performing Background Checks on Employees for AML Compliance

Hiring the right candidate can be advantageous for a reporting entity, and hiring the wrong candidate can be disadvantageous money-wise and reputation-wise. Background checks are required to learn about candidates, their conduct in previous employment, and whether their values align with those of the reporting entity. Screening of potential hires should be done at all levels to verify the information given by a candidate and to avoid any risks from financial crimes.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing a robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.

Why AML/CTF Risk Awareness Training Program is Non-Negotiable for Businesses Today

Reporting entities like Financial Institutions (FIs) and Designated Non-Financial Businesses and Professions (DNFBPs) are at risk from money laundering and terrorism financing activities. Criminals use a variety of methods to carry out their illicit transactions. It is indispensable for reporting entities in Australia to impart Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Training to counter Money Laundering or Terrorism Financing (ML/TF) risks effectively. The staff must be trained around red flags, control mechanisms deployed, and regulatory reporting requirements, considering their role in the business.

In this blog, we explore why a comprehensive AML/CTF Risk Awareness Training program is non-negotiable for businesses today.

Importance of AML/CTF Risk Awareness Training

In Australia, reporting entities must have an AML/CTF risk awareness training program to train employees on the risks of ML/TF as part of their AML/CTF program. Ongoing training equips the employees to identify suspicious transactions to prevent financial crimes. When the staff does not have adequate AML knowledge, the business is more prone to ML/TF risks. To prevent this, an effective AML/CTF Risk Awareness Training program is required. A well-informed employee on AML regulations, internal AML/CTF policies & procedures, ML trends and cases is better equipped to detect and prevent suspicious activities and transactions. Employees should not only be trained at the time of joining a company but also periodically to refresh their knowledge. When businesses follow the applicable laws, it builds a good reputation for them. It creates a sense of trust amongst the customers.
Customers will be at ease knowing the business has experienced and skilled staff and that their personal information is in good hands. The intention behind AML/CTF Risk Awareness Training should not only be to comply with laws but also to prepare the staff to identify and mitigate the threats of financial crimes.

Best Practices Concerning AML/CTF Risk Awareness Training Program

Before starting an AML/CTF Risk Awareness Training program, it is important to ensure that the training program is in line with Australian regulations on AML compliance. Here are some important goals to keep in mind when formulating a training program:

Understand the Regulations: Familiarising the team with the Anti-Money Laundering and Counter-Terrorism Financing Act, 2006, the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act, 2024, and related rules to build a strong foundation on the laws applicable to the reporting entities.

Identify Your Obligations: The training program should explain the reporting entity’s obligations under the AML/CTF regulations.

Align with AML/CTF Program: The AML/CTF Risk Awareness Training program should be tailored to the reporting entity’s AML/CTF program, including the policies, procedures, and controls.

Risk Awareness: Ensuring that the staff understands the ML/TF risks that the reporting entity may face as well as the consequences of those risks as a part of the training.

Quintessential Questions in AML/CTF Training: Who to Train and When

Training the right people at the right time is a way to ensure that employees have sufficient knowledge to meet the AML/CTF obligations. All the relevant employees, including
  • Board Members
  • Directors
  • Contractors
  • AML/CTF Compliance Team
  • Consultants
  • Operational Staff
  • Front-line Workers

should be trained based on their roles and the ML/TF risks they may face.

While the frequency of training must be determined in the reporting entity’s AML/CTF program, there is a certain set of events that would require reporting entities to provide AML/CTF Risk Awareness Training, such as:

  • When employees fail to comply with the AML/CTF program
  • When there is a change in the roles or responsibilities of employees
  • When new risks to the reporting entity’s business emerge, or new typologies are developed
  • If there is any feedback from the regulatory authorities regarding the reporting entity’s compliance program or the ML/TF risks that they may face.
In addition to the periodic training sessions, regular correspondence by way of emails and bulletins on the latest updates for employees can be helpful in creating a compliance culture that is not subject to the occurrence of specific events.

Topics to Cover in an AML/CTF Risk Awareness Training Program

A comprehensive AML/CTF Training program should be inclusive of the following topics –
  • The AML/CTF legislative framework and the obligations of the reporting entity under the legislative framework
  • The implications of non-compliance with AML/CTF legislative framework
  • Insights on the ML/TF Risk Assessment exercise conducted by the reporting entity and the ML/TF risks associated with the service, product or technology that the reporting entity offers and their consequences
  • Behaviours, techniques, and practices of money launderers or terrorists, so reporting entities can protect themselves against the ML/TF patterns
  • Role-specific training for senior management, AML compliance team, front-line workers, and operational staff on the AML/CTF Program, including the policies, procedures, and controls established by the reporting entity
  • Familiarity and coordination between non-compliance team members and compliance staff, such as the compliance officer and other members responsible for implementing the ML/TF Risk Assessment and AML/CTF Program
  • Guidance on how to identify suspicious transactions or activities and prepare and submit a Suspicious Matter Report (SMR)
  • Industry guidance, trends, and standards that the reporting entity should stay updated with
Reporting entities are at liberty to include more diverse subjects for AML/CTF Risk Awareness Training, subject to their AML Program.

Ways to Deliver an AML/CTF Risk Awareness Training

Training can be provided in various ways. An organisation can either go for in-house staff training or opt for outsourcing to external experts.

  • In-house training: When the organisation has the time and the required experience and expertise available, it can prepare an AML/CTF Risk Awareness Training program itself that is best suited to its employees. Reporting entities can opt for in-house training as it is easy to organise and cost-effective.
  • External training: A company can opt for outsourcing the AML/CTF Risk Awareness Training program to external service providers who specialise in AML/CTF Risk Awareness Training.
    It is a good practice to perform due diligence before appointing external trainers to determine if they possess the required skills, experience, knowledge, and expertise. Reporting entities should have appropriate control systems to monitor and review the performance of the external trainers.
    As a best practice, reporting entities must document all the steps, like the due diligence processes, performance management, and senior management approval on the outsourcing arrangement.
Reporting entities can choose to conduct training either way depending on their budget, size of business and availability of resources. Likewise, training can be imparted either online or offline. Both have their advantages and disadvantages:
  • Offline Training: It is a traditional training method where knowledge is provided at a training centre either on the business premises or at the premises of a consultancy agency. It is a great way of fostering cross-department collaborations.
  • Online Training: The biggest advantage of online training is it provides flexibility. Employees can take such training at their own pace for better understanding.
In addition to the regular AML/CTF training sessions, reporting entities also encourage their senior management to attend specific webinars and conferences to gain knowledge on current AML trends.

A Trained Team is the Backbone of an Effective AML Compliance Program

An AML/CTF risk awareness training program is not only a legal requirement in Australia but also a way to safeguard a business from financial crimes like money laundering and terrorist financing.

Whether training is delivered in-house or externally, it is the effectiveness of the AML/CTF Risk Awareness Training program that empowers the staff with appropriate knowledge and resources to identify and mitigate ML/TF risks. This way, reporting entities can save themselves from ML/TF risks and build a good reputation and a sustainable business.

Frequently Asked Questions on AML/CTF Risk Awareness Training

Why is training important in AML?

To fight against the risks of money laundering, the staff must know the applicable rules and regulations. Trained staff are always better equipped than untrained staff to identify, prevent and detect the risks of ML and TF.

Is AML training mandatory?

Yes, the AML/CTF Act in Australia mandates reporting entities to perform AML/CTF risk awareness training.

Who needs AML training?

According to Australia’s regulatory regime, all employees or persons engaged by reporting entities like financial institutions and other businesses should be trained if they are performing any functions that are relevant to the reporting entity’s AML/CTF obligations.
