Please note that we will be adding to the article as we receive more questions.
Theme 1: Tranche 2 legislation and AUSTRAC oversight
When is AUSTRAC indicating that the rules and regulations that will apply to the Tranche 2 legislation will be released?
AUSTRAC and the Governor General’s office have not provided a specific date for the release of the rules and regulations for Tranche 2 legislation.
However, given the legislation was passed at the end of 2024 and round two of consultations closed mid-February 2025, most people are expecting the final rules will be released around mid-2025.
We recommend staying updated through AUSTRAC's official communications for the most accurate information.
Given there'll be over 90,000 businesses impacted by this new regime, how do you think AUSTRAC would maintain its oversight functions?
Do you see partnerships possibly with regtechs, consultancy and legal firms?
AUSTRAC will likely adopt a multi-faceted approach to maintain effective oversight of such a large number of newly regulated entities through:
- Risk-based supervision: Focusing resources on high-risk sectors and entities.
- Self-service tools: Providing platforms for businesses to self-serve reports.
- Partnerships: Collaboration with industry bodies, RegTechs, and professional services firms is likely. These could include:
  a. Accredited training programmes
  b. Industry body-led education programmes
  c. Templates and guidelines
  d. Guidance around compliance software solutions
  e. Guidance around outsourced audit functions
- Tiered approach: Different levels of oversight based on business size and risk profile.
- Increased staffing: AUSTRAC are already hiring in advance.
- Inter-agency cooperation: Collaborating with other regulators to share resources and intelligence.
While AUSTRAC will remain the primary regulator, they are highly likely to emulate what other regulating agencies have done in other countries and share the load.
When do you think regulators will start fining companies for non-compliance with AML regulations?
AUSTRAC is immensely pragmatic and as such we do not expect them to instantly start fining companies.
Based on experiences in other jurisdictions we expect something similar:
- Education phase: Initially, regulators focus on education and guidance rather than enforcement.
- Soft enforcement: This is where minor infractions result in warnings rather than fines.
- Full enforcement: Full enforcement with fines usually begins 12-24 months after the compliance deadline.
- Severe cases: Regulators may take immediate action against severe or wilful non-compliance, even during the initial phases.
- Risk-based approach: High-risk entities or those handling large transaction volumes may face earlier scrutiny.
Businesses should aim for compliance from day one, but regulators typically understand that achieving full compliance takes time. They focus on the effort as much as the outcome.
Is it mandatory to have an AML audit completed every two or three years like it is in NZ?
Yes. AUSTRAC has released guidance stating that, "Your AML/CTF program must be documented and approved by a senior manager of your business. It must be kept up-to-date to reflect significant changes to your business and relevant ML/TF/PF risk products released by AUSTRAC, and independently evaluated at least once every 3 years."
Can you explain the impact on pre-commencement customers? Do we have to consider them / undertake CDD?
The treatment of pre-commencement customers (existing customers when the new regulations come into effect) is an important consideration in AML/CTF compliance. While the exact requirements will depend on the final regulations, here's a general approach based on common practices:
- Risk-based approach: You'll likely need to assess the risk level of all pre-commencement customers and prioritise CDD accordingly.
- Gradual implementation: There may be a transition period allowing for gradual completion of CDD on existing customers.
- Triggering events: CDD might be required when certain events occur, such as:
  - A significant transaction
  - A material change in the nature of the business relationship, e.g. renewal of a contract
  - When customer documentation is out of date
- Ongoing monitoring: You'll need to include pre-commencement customers in your ongoing monitoring processes.
- High-risk customers: Priority should be given to completing CDD on high-risk pre-commencement customers.
- Documentation: Maintain clear records of your approach to managing pre-commencement customers and the reasoning behind it.
- Inability to complete CDD: Have a process for handling situations where you can't complete CDD on a pre-commencement customer.
- Regular review: Plan to review all pre-commencement customers over a defined period, even if immediate CDD isn't required.
While you'll likely need to consider all pre-commencement customers, the timing and extent of CDD may vary based on risk and regulatory guidance. It's important to have a clear, risk-based plan for addressing your existing customer base once the regulations come into effect.
Many of my clients are overseas and use trusts. How do we assess risk and verify identities there?
Technology plays a big role here, especially in verifying identities for overseas clients. Biometrics are an excellent option for ensuring that the clients are who they say they are. While certified copies of documents are considered an inferior option, they may still be used as part of the identity verification process.
Under the CDD section of the draft rule, it says the reporting entity needs to collect and verify date of birth (DOB) and place of birth (POB) now, which is different to the current process, i.e. Drivers Licence is no longer allowed to be collected. Is this understanding correct?
We strongly expect the POB requirement will not make it into the final rules. But if it does go through, there are workarounds, such as conducting a risk assessment and deeming it not necessary to do CDD because it's an unacceptable disruption to the ordinary course of business. However, this only delays the need to verify POB.
Theme 2: Learnings from others
What is understood as being the key differences in the way the AML processes are to be implemented in Australia as compared to New Zealand?
There will be strong similarities between the two countries in their roll-out and AML obligations. However, we expect AUSTRAC to have learned from how New Zealand implemented its Tranche 2 reforms.
More risk-based approach
The New Zealand regime started with a more prescriptive approach and set of requirements. Over the years, amendments have been introduced to allow for reporting entities to take a more risk-based approach to verification.
One example of this in particular is low-risk domestic trusts. The NZ regime currently requires mandatory enhanced due diligence to be applied regardless of other mitigating low risk factors.
This has been seen as overly onerous for both reporting entities and their clients. This wouldn’t be the case for Australian AML processes where a risk-based approach is encouraged.
Record-keeping
The New Zealand record-keeping requirements are five years after the conclusion of the business relationship. We expect the current AU requirement to remain the same, at seven years.
Timeline
New Zealand implemented its reforms in stages over several months starting with the legal sector, then accounting and ending with real estate, while Australia appears to be opting for an ‘all-at-once’ approach.
From all the lessons learned in NZ since the AML regime came in, aside from ensuring we're compliant in time, are there one or two key lessons you would recommend firms think carefully about as we ready ourselves for Tranche 2?
- Don't leave it to the last minute; change management can take time.
- Implementation is key; this is a new process that needs to be followed across the firm.
- Make sure you get buy-in from all key stakeholders.
- AML is now a technology game. You can get by with manual processes, but not at scale.
From Oscar Fransman at MinterEllisonRuddWatts:
"Record keeping is the bedrock of good customer due diligence. So save everything that you have used during the CDD process which informed your decisions on a client. If you looked at something online, print it to PDF and attach it to the client case. You never know if that website or article will be removed, so you need to keep the proof.
Even if you use AML software, make a habit of downloading everything and storing it securely. You never know when a system will go down."
From Luke Raven:
"Firstly, industry collaboration is key. Round tables, smaller discussions are really valuable.
Secondly, lean on experts such as Amy Bell from Teal Compliance [now operating in Australia too] who can help you. There's a tendency in the law sector in particular for lawyers to think that AML is a legal requirement so they know what to do. But AML is actually about risk management. So get consultants that specialise in your area, such as Amy Bell from Teal who specialises in AML for the law sector."
How have things changed at MinterEllison since the introduction of Tranche 2 until now?
From Oscar Fransman at MinterEllisonRuddWatts:
"Onboarding. We used to do everything manually. We used an EIV service but we manually sent everything out to the client, got it back and reviewed it all. But now we use Source [from First AML] where we load the client contact and it's automated from there. We just have to review it at the end.
We still need to do risk assessments and a CDD memo which is handy. It's like a fact sheet that contains all the information that we collected; who was onboarded, what their risk rating was, the captured activity; so you can quickly look at it and then if they're wanting us to do another captured activity we can see if we need to update our CDD or if the person is new and hasn't been onboarded."
Are there any lessons learned from the international landscape that we can expect with the implementation?
The implementation of AML/CTF regulations for designated non-financial businesses and professions (DNFBPs) in other countries provides valuable lessons for Australia. Here are some key takeaways:
- Education is crucial: Jurisdictions that invested heavily in education and guidance for newly regulated sectors generally saw smoother implementations.
- A phased approach works well: Countries that implemented regulations in phases (by sector or by obligation) often had better outcomes than those attempting a "big bang" approach.
- Technology adoption is key: Firms that embraced technology for CDD, transaction monitoring, and reporting generally found compliance less burdensome.
- Collaborative approach: Regulators who worked closely with industry bodies and professional associations achieved better buy-in and compliance.
- Clear guidance is essential: Jurisdictions that provided clear, sector-specific guidance with concrete examples saw fewer compliance issues.
- Risk-based approach needs clarification: Many businesses initially struggled with implementing a risk-based approach, suggesting a need for detailed guidance and examples.
- Resource constraints: Both regulators and regulated entities often underestimate the resources required for implementation.
- Data privacy concerns: Balancing AML requirements with data protection laws has been a challenge in many jurisdictions. The EU and UK have struggled with conflicts between GDPR and AML record-keeping requirements.
- Unintended consequences: Some countries saw de-risking behaviours, where businesses avoided higher-risk clients entirely, potentially pushing them towards less regulated channels.
- Importance of feedback: Regulatory feedback on submitted reports (like SARs/SMRs) has been valuable in improving the quality of reporting over time.
- Ongoing training needs: Continuous training and updating of knowledge has been crucial for maintaining effective compliance.
- Cost of compliance: Many businesses, especially smaller ones, found the cost of compliance higher than initially anticipated.
- Importance of senior management buy-in: Firms where senior management actively supported AML efforts generally had more effective programmes.
By learning from these international experiences, Australia can potentially avoid some pitfalls and implement a more effective and efficient AML/CTF regime for DNFBPs.
Theme 3: Operationalisation of AML
As a new law firm, at what point do you need to put in place a firm wide risk assessment?
We might not know the nature of the client base to start with, so we don't know what to put in the AML programme.
As a new law firm, you should start developing your firm-wide risk assessment as early as possible, ideally before or soon after you begin operations. Here's a general approach:
- Initial assessment: Start with a basic risk assessment based on your anticipated client base and services.
- Regular updates: Plan to review and update your risk assessment regularly, especially as you take on new clients and expand your services.
- Flexible framework: Design your AML programme to be adaptable as your client base evolves.
- Generic risks: Include general risks associated with legal services, such as client anonymity, high-value transactions, and cross-border activities.
- Sector-specific risks: Consider risks common to your practice areas (e.g., property transactions, corporate formations).
- Geographic risks: Assess risks based on your firm's location and anticipated client locations.
- Consultation: Consider seeking advice from AML specialists or industry bodies for guidance.
Remember, a risk assessment is a living document. It's better to have a basic assessment in place that you can refine over time than to wait until you have a full client base to start.
Do you think we should be aligning our process per SRA?
Aligning your processes with the Solicitors Regulation Authority (SRA) guidelines can be beneficial. It is worth noting that the SRA is only the regulatory body for UK law firms and legal practitioners so not all processes and guidelines will be applicable to Australian law firms.
But some SRA processes could be beneficial:
- Best practices: SRA guidelines often reflect industry best practices for legal professionals. The UK law firms have been subject to AML requirements for significantly longer and have honed what they consider best practices for law firms over the years.
- Comprehensive framework: The SRA provides a well-developed framework for AML compliance in legal practices. These frameworks have been developed in consultation with regulated firms, industry consultants and others.
- International standards: SRA guidelines are generally aligned with international AML standards, which can be helpful if you have international clients, or with UK branches within your organisation e.g. passporting of work.
However, keep in mind:
- Local requirements: Ensure you're primarily complying with AUSTRAC and Australian requirements.
- Adaptability: Be prepared to adjust your processes as specific Australian regulations are released.
- Proportionality: Adapt SRA guidelines to fit the size and nature of your practice.
Can the costs of the new legislation be passed on to clients? What do they do overseas?
Yes. Based on practices observed overseas:
- Cost passing is common: Many businesses do pass on some or all of the costs associated with AML compliance to their clients. We see this commonly folded in as an AML fee or within the onboarding costs.
- Transparency is key: If costs are passed on, it's generally done transparently, often as a separate line item or clearly explained fee.
- Varied approaches:
  - Some firms incorporate the costs into their overall fee structure.
  - Others charge specific AML-related fees for certain services or high-risk clients.
  - Some absorb the costs entirely, viewing it as a cost of doing business.
- Client education: Firms often educate clients about the necessity and benefits of these procedures to justify any additional costs.
- Competitive considerations: The ability to pass on costs often depends on market conditions and competitive pressures.
- Risk-based approach: Some firms only pass on additional costs for high-risk clients requiring enhanced due diligence.
- Client agreements: Many firms update their client agreements to reflect any AML-related fees or changes in fee structures. I.e. many law firms will add the AML costs to their terms of engagement.
- Periodic review: Firms often review and adjust their approach as they better understand the true costs of compliance over time.
Will the compliance expectations and practices of very small businesses (i.e. sole practitioners) be different to larger businesses?
Yes. While the core AML/CTF obligations will likely apply to all businesses regardless of size, there may be some differences in compliance expectations and practices for very small businesses compared to larger ones:
- Risk-based approach: Regulators typically expect the complexity of AML systems to be proportionate to the size and risk profile of the business.
- Resources: Sole practitioners may have more flexibility in how they implement their AML programmes, given their limited resources.
- Documentation: While all businesses need to document their processes, the level of detail expected from a sole practitioner may be less than that of a large firm.
- Technology: Large businesses may be expected to use more sophisticated AML software, but manual processes will still be acceptable for all firms.
- Training: All reporting entities are expected to regularly keep up-to-date with AML requirements.
- Independent reviews: AUSTRAC does not mandate the cadence of independent reviews; however, they do expect high-risk entities to have one conducted every two to three years.
- Reporting officer (AMLCO): In a sole practice, the practitioner will also be the AML compliance officer, whereas larger firms may need a dedicated role.
- Customer due diligence: The basic CDD requirements will likely be the same, but larger businesses may be expected to have more robust systems for ongoing monitoring.
While core compliance principles will be universal, regulators recognise the need for a proportionate approach that doesn't unduly burden very small businesses while still maintaining the integrity of the AML regime.
Is there a difference to money laundering requirements if you do not have a client account and do not hold client money at all?
While not holding client money does reduce some money laundering risks, it doesn't entirely exempt a business from AML/CTF obligations. Here's how it might affect your requirements:
- Core obligations remain: You'll still likely need to conduct customer due diligence, maintain an AML programme, and report suspicious matters.
- Risk assessment: Your overall risk profile may be lower, which could influence the intensity of your AML measures.
- Transaction monitoring: While you won't need to monitor client accounts, you'll still need to be vigilant about the nature of services provided and any potential abuse for money laundering.
- Reduced focus on certain areas: Requirements related specifically to handling client funds (like threshold transaction reporting) may not apply.
- Ongoing due diligence: You'll still need to conduct ongoing due diligence on clients, even if you're not handling their money directly.
- Specific services: Certain services (like company formation) may still be considered high-risk for money laundering, regardless of whether you handle client funds.
- Indirect involvement: Be aware that you could still be indirectly involved in facilitating transactions, even if you don't handle the funds directly.
- Professional obligations: Your professional ethical obligations regarding money laundering prevention would still apply.
- Regulatory guidance: Regulators may provide specific guidance for businesses that don't handle client money.
- Record keeping: You'll still need to maintain records of your clients and the services provided.
While not holding client money may simplify some aspects of AML compliance, it doesn't negate the need for a robust AML programme. The exact requirements will depend on the final regulations and your specific business model.
Do we have to retain documents or only reference to check / document number?
The specific requirements for document retention will be outlined in the final AML/CTF regulations. The record-keeping period will likely remain the same, at seven years after the conclusion of the business relationship. However, based on existing AML practices and international standards, it's likely that you'll need to retain more than just references or document numbers. Here's what you could expect:
- Full document retention: In most cases, you'll need to keep copies of the actual documents used for customer due diligence (CDD), not just references.
- Types of documents: This usually includes identification documents, proof of address, and any other documents used to verify the client's identity or assess their risk profile.
- Format: Documents can usually be retained either in physical or electronic form, as long as they remain readily accessible and legible.
- Retention period: AML regulations require documents to be retained for a specific period after the business relationship ends or after the transaction is completed. This is likely to remain the same, at seven years.
- Transaction records: In addition to CDD documents, you'll likely need to keep records of transactions and any due diligence conducted on those transactions.
- Audit trail: It's important to maintain a clear audit trail of checks performed, including dates and methods used as well as senior management sign-off or exceptions.
- Accessibility: Documents should be readily accessible to senior management and available for review by regulators if required.
- Security: Ensure that retained documents are stored securely to protect client confidentiality and comply with data protection laws.
While keeping full documents may seem burdensome, it provides a stronger audit trail and better protection for your firm in case of regulatory scrutiny. Always refer to the specific guidance provided by AUSTRAC once the new regulations are released, as they will provide definitive requirements for document retention.
Any thoughts on the burden of basic record keeping and evidencing decisions of that due diligence?
Record keeping and evidencing due diligence decisions are crucial aspects of AML/CTF compliance, but they can indeed be burdensome, especially for smaller firms. Here’s how reporting entities in New Zealand and the UK deal with them:
- Clear decision-making framework: Establish a clear framework for making and documenting due diligence decisions to reduce ambiguity.
- Risk-based approach: Focus more detailed record-keeping efforts on higher-risk clients or transactions, while maintaining minimum standards for all.
- Templates and checklists: Create templates and checklists for common scenarios to make the documentation process more efficient.
- Proportionate approach: Ensure your record-keeping is proportionate to the size and nature of your practice while still meeting regulatory requirements.
- Integrated systems: Integrate practice management or CRM systems with AML systems to streamline the process.
- Standardised procedures: Develop clear, standardised procedures for documenting due diligence decisions to ensure consistency and efficiency.
- Regular audits: Conduct periodic internal audits to ensure records are being kept properly and to identify areas for improvement.
- Staff training: Ensure all staff understand the importance of record-keeping and are trained in your firm's procedures.
- Digital solutions: Utilise secure digital storage solutions to reduce physical storage burdens and improve accessibility. This is a key aspect as physical copies are considered much riskier and cause firms to have higher physical security considerations.
- Ongoing monitoring: Implement a system for ongoing monitoring and updating of client information, rather than starting from scratch each time.
- Outsourcing: Consider outsourcing some aspects of record-keeping or due diligence to specialised service providers, if cost-effective.
While record-keeping can be burdensome, it's also a crucial protection for your firm. Good records demonstrate compliance, aid in internal controls, and are invaluable for auditors and regulators. The key is to develop efficient systems that support existing processes.
Is it possible to undertake biometric verification for EIV purposes on someone overseas and with overseas documents?
Yes. Many solutions, including Source from First AML, allow you to biometrically verify clients no matter what jurisdiction they're from.
How do you deal with lawyers who have urgent cases and want to start acting immediately on a client but you haven't conducted CDD? Do you use the delayed CDD provisions in the legislation?
Oscar Fransman from MinterEllisonRuddWatts:
"If they're a new customer you have to conduct CDD on them before you can do the transaction, there's no way around that. But if it's an existing client then it's different because you may have processes in place that allow you to do that captured or designated work while you're doing CDD. But that should be reflected in your compliance program.
But when Tranche 2 first started they did get very frustrated because they weren't used to being told they couldn't do the work because we had to do CDD first. But it's important to give them training so they can understand why it needs to happen. It's just another step. They need to plan in advance and start the CDD process as soon as possible to make it as easy as possible for their client."
"You also probably want an internal policy and process around what qualifies for an expedited review because there's costs to all this as well. So, for example if it's a large or important client then it may be worth pulling your team off other tasks and putting them on the rush CDD job, but if that's the process for every job then your firm will be in anarchy.
Also, not so much for lawyers but there's certain preparatory work you don't need to have signed on the bottom to necessarily do. There's a lot of leeway before you get to that regulated line where you can still be assisting someone before you have to have completed CDD."
As a law firm, what are the specific reports that AUSTRAC would be looking for or require (e.g. SMR, SAR)?
As a law firm under the new AML/CTF regime, you'll likely be required to submit various reports to AUSTRAC. While the exact requirements may be clarified in the final regulations, based on existing obligations for other sectors and international practices, you can expect to be responsible for the following types of reports:
Ongoing reporting obligations
- Threshold Transaction Reports (TTRs): cash transactions above a certain threshold (currently AUD 10,000 for other sectors). For law firms, this might apply to large cash payments for services or transactions.
- International Funds Transfer Instructions (IFTIs): Reporting international funds transfers, which might be relevant if your firm handles international transactions or client funds.
- Suspicious Matter Reports (SMRs): suspicious transactions or activities that may be related to money laundering, terrorism financing, or other criminal activities. These are typically required to be submitted within 24 hours for matters related to terrorism financing, or within 3 business days for other suspicious matters.
Other reporting obligations:
- AUSTRAC compliance reports: annual or biennial reports on your AML/CTF compliance programme and its effectiveness.
- AML/CTF Programme Updates: While not a regular report, you may need to provide your AML/CTF programme to AUSTRAC upon request or when significant changes are made.
- Risk Assessment Reports: Periodic reports on your firm's risk assessment and risk management strategies.
- Registered Designated Service Reports: Information about the specific designated services your firm provides.
Remember, the exact reporting requirements may vary based on the final regulations. It's crucial to stay informed about AUSTRAC's specific guidance for law firms once the Tranche 2 legislation is implemented. Also, ensure you have systems in place to identify reportable matters and submit reports within the required timeframes.
Theme 4: Training and qualifications
How do you train your new team members?
This question was asked of Oscar Fransman at MinterEllisonRuddWatts during a recent webinar. His response was, "New team members usually have AML induction training and training on their AML/CFT duties before they are allowed to undertake any duties unsupervised."
Global providers such as ACAMS do offer training, but they're often cost-prohibitive and can be perceived as quite theoretical. For practical training, speak to your industry body or a local specialist provider such as alphaamltraining.com or ravenaml.com.
What qualifications do you recommend for AML in Australia? Is it worth studying the beginner qualifications CKYCA (certified know your customer associate) or CTMA (certified transaction monitoring associate) from ACAMS?
Oscar Fransman at MinterEllisonRuddWatts also commented on this question: "Have a look at all the courses that various universities and ACAMS have to offer. Then weigh up the pros and cons of each to find the best course suited to you. ACAMS is highly regarded in New Zealand and Australia but it is very expensive.
ACAMS have a few free courses that can be useful tools for upskilling team members on topics like enhancing financial inclusion, fighting modern day slavery and human trafficking, preventing online child exploitation and ending illegal wildlife trade (ACAMS AML Social Impact Certificate Courses | ACAMS)."
What advice would you give someone looking to break into the AML space as a career?
There are many ways into compliance, with one of the most common refrains coming from AMLCOs being, "I just fell into it!" But if you want a more structured approach look at joining a regulated entity in a financial crime/AML analyst role.
Luke Raven, financial crime expert and LinkedIn Top Voice, advises:
"Study the law and AUSTRAC guidance. There’s a lot of great content out there that gives a helpful starting point, even on LinkedIn and vendor websites like First AML’s!
Join an organisation. While expensive training isn’t for everyone, the organisations which offer it also have more cost effective memberships which come with access to articles, events and webinars and helpful communities. The real value is in this membership benefit, not the letters you put after your name if you buy the credential.
Understand the why. A lot of people think of compliance as something we do because we’re told to, but if you spend time thinking about the objectives parts of the legislation aim to achieve you will be in a better place."
Theme 5: Templates
Did you create any templates or guidelines for the partners and authors to use? How did they know what to do? / How did you explain the requirements to the customers? Did you have a ‘talk track’ that everyone used?
This question was asked of Oscar Fransman at MinterEllisonRuddWatts during a recent webinar. His response:
"We updated our standard terms of engagement to contain an AML paragraph whereby the client agrees to provide any information we require in order to manage our AML/CFT obligations which is available on our website (Terms of engagement).
Any client engagement email (which we have a template of) would refer to our standard terms of engagement but would also include a section for the partner or solicitor to include dependent on the type of work (captured or non-captured).
This is an excerpt from the template:
Anti-money laundering and sanctions
We have obligations under New Zealand’s anti-money laundering and countering financing of terrorism laws, as well as under international trade and financial sanctions laws. As part of these obligations, we need to obtain certain information about our clients, as well as their beneficial owners and any person acting on their behalf where we are undertaking work that is considered captured under the Act.
(We include the following line only if work is non-captured) Note that if this matter evolves into captured work, we will be required to conduct customer due diligence prior to commencing any captured work.
We updated existing templates so there wasn’t a whole new process for the solicitors to learn but just current processes that have been adapted to include the AML/CFT obligations and how those are communicated to the clients and internally during client and matter opening.
Education of your clients early is as important as educating staff regarding AML/CFT requirements."
Are there templates we can use [for policies, programmes and risk assessments]? What did the regulators in NZ provide and do you think AUSTRAC will do the same?
Based on experiences from other jurisdictions, including New Zealand, it's likely that AUSTRAC will provide some form of guidance or templates. For example:
New Zealand's approach:
The Department of Internal Affairs (DIA) provided a range of resources, including:
- AML/CFT programme template
- Risk assessment template
- Guidance documents for different sectors
- Sample policies and procedures
Australia's potential approach:
- AUSTRAC: Given AUSTRAC's history of providing guidance, they're likely to offer similar resources. This may include sample AML/CTF program templates, risk assessment guides, and sector-specific guidance.
- Industry bodies: Professional associations (e.g., Law Society, Accounting bodies) may also develop tailored templates.
- Phased release: Templates and guidance may be released in phases, starting with core requirements and expanding over time.
- Customisation needed: While templates are helpful starting points, they'll need to be customised to your specific business model and risk profile.
- Online tools: AUSTRAC may provide online tools or portals to help businesses develop their programmes.
- Workshops and training: Expect AUSTRAC and industry bodies to conduct workshops or webinars on how to use any provided templates or tools.
- Ongoing updates: Templates and guidance are likely to be updated as the regime matures and new risks emerge.
- Consultation process: AUSTRAC may consult with industry on draft templates before finalising them.
- Proportionate approach: Guidance and templates are likely to reflect a risk-based, proportionate approach suitable for businesses of different sizes and risk levels.
Templates can be very helpful but it's advisable to:
- Monitor AUSTRAC's website and communications for updates on available resources.
- Engage with your professional association for sector-specific guidance.
- Consider seeking professional advice to ensure your programme is compliant and effective, especially in the early stages of implementation.
Theme 6: AML / KYC technology
How can automation streamline verifying trusts with multiple trustees and settlors?
Automation can significantly streamline the process of verifying trusts with multiple trustees and settlors. Here's how:
- API integrations: Direct connections with official databases (e.g., company registries for director and shareholding information for trustee companies, integration with the SuperFund Lookup) can quickly verify information against publicly available sources and reduce manual collection of information.
- Document OCR: Optical Character Recognition can extract key information from entity documents e.g. trust/SMSF deeds and identity documents, reducing manual data entry.
- Workflow management: Automated systems can manage the verification process for each party, ensuring all necessary steps are completed. This can include tools that automatically determine the requirements, send out consolidated AML requests and follow up on missing information.
- Risk scoring: Automated risk assessment tools can quickly evaluate the risk level of the client based on various risk factors and weightings e.g. if the trustee is a resident of Morocco, flag as a higher risk trust.
- Audit trails: Automated systems maintain detailed logs of all verification steps and reasoning without the need for manual data entry, supporting good record-keeping.
If we end up using technology, what about the risk of ID theft?
I’ve read case studies where fraudsters purchase identities from the dark web and forge them to replace images on ID documents. This means the person who completes the liveness check is actually the individual depicted on the forged ID.
I’m more concerned about these types of cases. Would it be my responsibility or the service provider’s to prevent such occurrences?
The risk of ID theft and sophisticated fraud methods is valid. While technology providers play a crucial role in preventing such occurrences, the ultimate responsibility for customer due diligence typically rests with the reporting entity (in this case, your firm). Here's a breakdown of responsibilities and best practices:
Your responsibilities:
- Conduct proper due diligence on technology providers before engaging their services.
- Understand the capabilities and limitations of the technology you're using.
- Implement additional verification steps for high-risk clients or transactions.
- Stay informed about emerging fraud techniques and adjust your processes accordingly.
- Train staff to recognise red flags that technology might miss.
Technology provider's responsibilities:
- Implement robust security measures and fraud detection algorithms.
- Regularly update their systems to address new fraud techniques.
- Provide clear documentation on their verification processes.
- Offer support and guidance on how to use their tools effectively.
Best practices:
- Use a multi-layered approach to identity verification, combining technology with manual checks where necessary.
- Implement ongoing monitoring to detect any suspicious changes in client behaviour or information.
- Consider using multiple technology solutions for cross-verification.
- Maintain clear policies and procedures for escalating suspicious cases for manual review.
While technology can greatly enhance AML processes, it should be seen as a tool to support, not replace, human judgement and oversight. Always err on the side of caution and conduct additional checks if you have any doubts about a client's identity.
Is AI an option for managing some of the manual and labour intensive tasks? Or are humans better for some parts of AML?
AI can assist in managing tasks like document information extraction, especially when dealing with complex structures like trusts. While AI can help streamline the process, it still requires human oversight for more nuanced decision-making and to ensure compliance with AML regulations.
There's a lot of talk about document collection. Can this be automated and what should be managed by a human?
Collecting information for AML compliance can be significantly streamlined through automation, reducing manual effort and improving efficiency. The key types of information you need to collect include:
- Corporate information (e.g. company structures, trust deeds, partnership agreements)
- Identity information (e.g. passports, utility bills, government-issued IDs)
If you’re collecting this information manually, it typically involves back-and-forth emails, document uploads and manual verification. Technology can streamline this process in several ways:
- Automated information requests. Tech platforms can generate and send requests for required documents, track responses, and follow up automatically.
- API integrations. Direct connections with official registries (e.g., company registries, government databases) allow for real-time verification of corporate and identity details.
- OCR (Optical Character Recognition). Scans and extracts key information from uploaded documents, reducing manual data entry.
- Workflow automation. Tech can route collected information for approval, flag missing or incorrect data, and notify relevant team members.
- Risk scoring. Automated tools can apply risk-based assessments to entities based on various risk factors, prioritising manual review where needed.
- Audit trail generation. Technology maintains a full record of data collection, verification steps, and decision-making processes, reducing compliance burden.
The level of manual intervention depends on the complexity and risk profile of the customer:
- Low-risk customers generally require minimal human involvement if automated systems verify information successfully.
- Medium-risk customers generally require limited human review to ensure compliance but with automated assistance.
- High-risk customers generally require greater human oversight, with technology supporting enhanced due diligence (EDD) steps.
Theme 7: Tranche 1 entities
Will the T2 legislation impact how T1 entities conduct KYC/AML i.e. removing the need for certified IDs towards electronic verification?
Certification has never been the sole way a reporting entity can verify an individual. Electronic verification of an individual’s identity has been encouraged and used by multiple T1 entities as an appropriate means of verification.
We anticipate that as more T2 entities embrace electronic verification as part of KYC, T1 entities will become more accepting of changing their compliance programme to allow for electronic verification.
About First AML
This article is written not only from the perspective of a technology provider, but also through the lens of compliance professionals. Prior to releasing Source, First AML’s orchestration platform, we processed over 2,000,000 AML cases ourselves. Understanding the acute problem that faces firms these days as they try to scale their own AML is in our DNA.
That's why Source now powers thousands of compliance experts around the globe to reduce the time and cost burden of complex and international entity KYC. Source stands out as a leading solution for organisations with complex or international onboarding needs. It provides streamlined collaboration and ensures uniformity in all AML practices.