Tranche 2: Frequently Asked Questions (FAQs)

When is AUSTRAC indicating that the rules and regulations that will apply to the Tranche 2 legislation will be released?

AUSTRAC and the Governor General’s office have not provided a specific date for the release of the rules and regulations for Tranche 2 legislation.

However, given the legislation is expected to be passed between the end of 2024 and early 2025, we anticipate that draft rules may be released for consultation within 6 months of that.

The final rules are likely to be published at least 6 months before the compliance deadline of mid-2026 to give businesses time to prepare. We recommend staying updated through AUSTRAC's official communications for the most accurate information.



What is understood as being the key differences in the way the AML processes are to be implemented in Australia as compared to New Zealand?

There will be substantial similarities between the two countries in their roll-out and AML obligations. However, we expect AUSTRAC to have learned from how New Zealand implemented its Tranche 2 reforms.

More risk-based approach
The New Zealand regime started with a more prescriptive approach and set of requirements. Over the years, amendments have been introduced to allow reporting entities to take a more risk-based approach to verification.

One particular example of this is low-risk domestic trusts. The NZ regime currently requires mandatory enhanced due diligence to be applied regardless of other mitigating low-risk factors.

This has been seen as overly onerous for both reporting entities and their clients. This wouldn’t be the case for Australian AML processes where a risk-based approach is encouraged.

Record-keeping
The New Zealand record-keeping requirement is five years after the conclusion of the business relationship. We expect the current AU requirement of seven years to remain the same.

Timeline
New Zealand implemented its reforms in stages over several months starting with the legal sector, then accounting and ending with real estate, while Australia appears to be opting for an ‘all-at-once’ approach.



Will the T2 legislation impact how T1 entities conduct KYC/AML i.e. removing the need for certified IDs towards electronic verification?

Certification has never been the sole way a reporting entity can verify an individual. Electronic verification of an individual’s identity has been encouraged and used by multiple T1 entities as an appropriate means of verification.

We anticipate that as more T2 entities embrace electronic verification as part of KYC, T1 entities will become more accepting of changing their compliance programme to allow for electronic verification.



When do you think regulators will start fining companies for non-compliance with AML regulations?

AUSTRAC is immensely pragmatic and as such we do not expect them to instantly start fining companies. 

Based on experiences in other jurisdictions we expect something similar:

  • Education phase: Initially, regulators focus on education and guidance rather than enforcement.
  • Soft enforcement: This is where minor infractions result in warnings rather than fines.
  • Full enforcement: Full enforcement with fines usually begins 12-24 months after the compliance deadline.
  • Severe cases: Regulators may take immediate action against severe or wilful non-compliance, even during the initial phases.
  • Risk-based approach: High-risk entities or those handling large transaction volumes may face earlier scrutiny.

Businesses should aim for compliance from day one, but regulators typically understand that achieving full compliance takes time. They focus on the effort as much as the outcome.



Given there'll be over 50,000 businesses impacted by this new regime, how do you think AUSTRAC would maintain its oversight functions?

Do you see partnerships possibly with regtechs, consultancy and legal firms?

AUSTRAC will likely adopt a multi-faceted approach to maintain effective oversight of such a large number of newly regulated entities through:

  1. Risk-based supervision: Focusing resources on high-risk sectors and entities.
  2. Self-service tools: Providing platforms for businesses to self-serve reports.
  3. Partnerships: Collaboration with industry bodies, RegTechs, and professional services firms is likely. These could include:
    a. Accredited training programmes
    b. Industry body-led education programmes
    c. Templates and guidelines
    d. Guidance around compliance software solutions
    e. Guidance around outsourced audit functions
  4. Tiered approach: Different levels of oversight based on business size and risk profile.
  5. Increased staffing: AUSTRAC are already hiring in advance.
  6. Inter-agency cooperation: Collaborating with other regulators to share resources and intelligence.

While AUSTRAC will remain the primary regulator, they are highly likely to emulate what other regulating agencies have done in other countries and share the load.



As a new law firm, at what point do you need to put in place a firm wide risk assessment?

We might not know the nature of the client base to start with so don't know what to put in the AML programme.

As a new law firm, you should start developing your firm-wide risk assessment as early as possible, ideally before or soon after you begin operations. Here's a general approach:

  1. Initial assessment: Start with a basic risk assessment based on your anticipated client base and services.
  2. Regular updates: Plan to review and update your risk assessment regularly, especially as you take on new clients and expand your services.
  3. Flexible framework: Design your AML programme to be adaptable as your client base evolves.
  4. Generic risks: Include general risks associated with legal services, such as client anonymity, high-value transactions, and cross-border activities.
  5. Sector-specific risks: Consider risks common to your practice areas (e.g., property transactions, corporate formations).
  6. Geographic risks: Assess risks based on your firm's location and anticipated client locations.
  7. Consultation: Consider seeking advice from AML specialists or industry bodies for guidance.

Remember, a risk assessment is a living document. It's better to have a basic assessment in place that you can refine over time than to wait until you have a full client base to start.




Do you think we should be aligning our process per SRA?

Aligning your processes with the Solicitors Regulation Authority (SRA) guidelines can be beneficial. It is worth noting that the SRA is only the regulatory body for UK law firms and legal practitioners so not all processes and guidelines will be applicable to Australian law firms.

But some SRA processes could be beneficial:

  • Best practices: SRA guidelines often reflect industry best practices for legal professionals. UK law firms have been subject to AML requirements for significantly longer and have honed what they consider best practices for law firms over the years.
  • Comprehensive framework: The SRA provides a well-developed framework for AML compliance in legal practices. These frameworks have been developed in consideration with regulated firms, industry consultants and others.
  • International standards: SRA guidelines are generally aligned with international AML standards, which can be helpful if you have international clients, or with UK branches within your organisation e.g. passporting of work. 

However, keep in mind:

  • Local requirements: Ensure you're primarily complying with AUSTRAC and Australian requirements.
  • Adaptability: Be prepared to adjust your processes as specific Australian regulations are released.
  • Proportionality: Adapt SRA guidelines to fit the size and nature of your practice.



Will the compliance expectations and practices of very small businesses (i.e. sole practitioners) be different to larger businesses?

Yes. While the core AML/CTF obligations will likely apply to all businesses regardless of size, there may be some differences in compliance expectations and practices for very small businesses compared to larger ones:

  • Risk-based approach: Regulators typically expect the complexity of AML systems to be proportionate to the size and risk profile of the business.
  • Resources: Sole practitioners may have more flexibility in how they implement their AML programmes, given their limited resources.
  • Documentation: While all businesses need to document their processes, the level of detail expected from a sole practitioner may be less than that of a large firm.
  • Technology: Large businesses may be expected to use more sophisticated AML software, but manual processes will still be acceptable for all firms.
  • Training: All reporting entities are expected to regularly keep up-to-date with AML requirements.
  • Independent reviews: AUSTRAC does not mandate the cadence of independent reviews; however, they do expect high-risk entities to have one conducted every two to three years.
  • Reporting officer (AMLCO): In a sole practice, the practitioner will also be the AML compliance officer, whereas larger firms may need a dedicated role.
  • Customer due diligence: The basic CDD requirements will likely be the same, but larger businesses may be expected to have more robust systems for ongoing monitoring.

While the core compliance principles will be universal, regulators recognise the need for a proportionate approach that doesn't unduly burden very small businesses while still maintaining the integrity of the AML regime.




Can you explain the impact on pre-commencement customers? Do we have to consider them / undertake CDD?

The treatment of pre-commencement customers (existing customers when the new regulations come into effect) is an important consideration in AML/CTF compliance. While the exact requirements will depend on the final regulations, here's a general approach based on common practices:

  • Risk-based approach: You'll likely need to assess the risk level of all pre-commencement customers and prioritise CDD accordingly.
  • Gradual implementation: There may be a transition period allowing for gradual completion of CDD on existing customers.
  • Triggering events: CDD might be required when certain events occur, such as:
    • A significant transaction
    • A material change in the nature of the business relationship e.g. renewal of a contract
    • When customer documentation is out of date
  • Ongoing monitoring: You'll need to include pre-commencement customers in your ongoing monitoring processes.
  • High-risk customers: Priority should be given to completing CDD on high-risk pre-commencement customers.
  • Documentation: Maintain clear records of your approach to, and reasoning for, managing pre-commencement customers.
  • Inability to complete CDD: Have a process for handling situations where you can't complete CDD on a pre-commencement customer.
  • Regular review: Plan to review all pre-commencement customers over a defined period, even if immediate CDD isn't required.

While you'll likely need to consider all pre-commencement customers, the timing and extent of CDD may vary based on risk and regulatory guidance. It's important to have a clear, risk-based plan for addressing your existing customer base once the regulations come into effect.



As a law firm, what are the specific reports that AUSTRAC would be looking for or require (e.g. SMR, SAR)?

As a law firm under the new AML/CTF regime, you'll likely be required to submit various reports to AUSTRAC. While the exact requirements may be clarified in the final regulations, based on existing obligations for other sectors and international practices, you can expect to be responsible for the following types of reports:

Ongoing reporting obligations:
  • Threshold Transaction Reports (TTRs): cash transactions above a certain threshold (currently AUD 10,000 for other sectors). For law firms, this might apply to large cash payments for services or transactions.
  • International Funds Transfer Instructions (IFTIs): Reporting international funds transfers, which might be relevant if your firm handles international transactions or client funds.
  • Suspicious Matter Reports (SMRs): suspicious transactions or activities that may be related to money laundering, terrorism financing, or other criminal activities. These are typically required to be submitted within 24 hours for matters related to terrorism financing, or within 3 business days for other suspicious matters.

Other reporting obligations:

  • AUSTRAC compliance reports: annual or biennial reports on your AML/CTF compliance programme and its effectiveness.
  • AML/CTF Programme Updates: While not a regular report, you may need to provide your AML/CTF programme to AUSTRAC upon request or when significant changes are made.
  • Risk Assessment Reports: Periodic reports on your firm's risk assessment and risk management strategies.
  • Registered Designated Service Reports: Information about the specific designated services your firm provides.

Remember, the exact reporting requirements may vary based on the final regulations. It's crucial to stay informed about AUSTRAC's specific guidance for law firms once the Tranche 2 legislation is implemented. Also, ensure you have systems in place to identify reportable matters and submit reports within the required timeframes.



Any thoughts on the burden of basic record keeping and evidencing decisions of that due diligence?

Record keeping and evidencing due diligence decisions are crucial aspects of AML/CTF compliance, but they can indeed be burdensome, especially for smaller firms. Here’s how reporting entities in New Zealand and the UK deal with them:

  • Clear decision-making framework: Establish a clear framework for making and documenting due diligence decisions to reduce ambiguity.
  • Risk-based approach: Focus more detailed record-keeping efforts on higher-risk clients or transactions, while maintaining minimum standards for all.
  • Templates and checklists: Create templates and checklists for common scenarios to make the documentation process more efficient.
  • Proportionate approach: Ensure your record-keeping is proportionate to the size and nature of your practice while still meeting regulatory requirements.
  • Integrated systems: Integrate practice management or CRM systems with AML systems to streamline the process.
  • Standardised procedures: Develop clear, standardised procedures for documenting due diligence decisions to ensure consistency and efficiency.
  • Regular audits: Conduct periodic internal audits to ensure records are being kept properly and to identify areas for improvement.
  • Staff training: Ensure all staff understand the importance of record-keeping and are trained in your firm's procedures.
  • Digital solutions: Utilise secure digital storage solutions to reduce physical storage burdens and improve accessibility. This is a key aspect as physical copies are considered much riskier and cause firms to have higher physical security considerations. 
  • Ongoing monitoring: Implement a system for ongoing monitoring and updating of client information, rather than starting from scratch each time.
  • Outsourcing: Consider outsourcing some aspects of record-keeping or due diligence to specialised service providers, if cost-effective.

While record-keeping can be burdensome, it's also a crucial protection for your firm. Good records demonstrate compliance, aid in internal controls, and are invaluable for auditors and regulators. The key is to develop efficient systems that support existing processes.



Are there any lessons learned from the international landscape that we can expect with the implementation?

The implementation of AML/CTF regulations for designated non-financial businesses and professions (DNFBPs) in other countries provides valuable lessons for Australia. Here are some key takeaways:

  • Education is crucial: Jurisdictions that invested heavily in education and guidance for newly regulated sectors generally saw smoother implementations.
  • A phased approach works well: Countries that implemented regulations in phases (by sector or by obligation) often had better outcomes than those attempting a "big bang" approach.
  • Technology adoption is key: Firms that embraced technology for CDD, transaction monitoring, and reporting generally found compliance less burdensome. 
  • Collaborative approach: Regulators who worked closely with industry bodies and professional associations achieved better buy-in and compliance.
  • Clear guidance is essential: Jurisdictions that provided clear, sector-specific guidance with concrete examples saw fewer compliance issues.
  • Risk-based approach needs clarification: Many businesses initially struggled with implementing a risk-based approach, suggesting a need for detailed guidance and examples.
  • Resource constraints: Both regulators and regulated entities often underestimate the resources required for implementation.
  • Data privacy concerns: Balancing AML requirements with data protection laws has been a challenge in many jurisdictions. The EU and UK have struggled with conflicts between GDPR and AML record-keeping requirements.
  • Unintended consequences: Some countries saw de-risking behaviours, where businesses avoided higher-risk clients entirely, potentially pushing them towards less regulated channels.
  • Importance of feedback: Regulatory feedback on submitted reports (like SARs/SMRs) has been valuable in improving the quality of reporting over time.
  • Ongoing training needs: Continuous training and updating of knowledge has been crucial for maintaining effective compliance.
  • Cost of compliance: Many businesses, especially smaller ones, found the cost of compliance higher than initially anticipated.
  • Importance of senior management buy-in: Firms where senior management actively supported AML efforts generally had more effective programmes.

By learning from these international experiences, Australia can potentially avoid some pitfalls and implement a more effective and efficient AML/CTF regime for DNFBPs.




How can automation streamline verifying trusts with multiple trustees and settlors? 

Automation can significantly streamline the process of verifying trusts with multiple trustees and settlors. Here's how:

  • API integrations: Direct connections with official databases (e.g., company registries for director and shareholding information for trustee companies, integration with the SuperFund Lookup) can quickly verify information against publicly available sources and reduce manual collection of information.
  • Document OCR: Optical Character Recognition can extract key information from entity documents (e.g. trust/SMSF deeds) and identity documents, reducing manual data entry.
  • Workflow management: Automated systems can manage the verification process for each party, ensuring all necessary steps are completed. This can include tools that automatically determine the requirements, send out consolidated AML requests and follow up on missing information.
  • Risk scoring: Automated risk assessment tools can quickly evaluate the risk level of the client based on various risk factors and weightings, e.g. if the trustee is a resident of Morocco, flag as a higher risk trust.
  • Audit trails: Automated systems maintain detailed logs of all verification steps and the reasoning behind them, without the need for manual data entry, to ensure good record-keeping.



If we end up using technology, what about the risk of ID theft?

I’ve read case studies where fraudsters purchase identities from the dark web and forge them to replace images on ID documents. This means the person who completes the liveness check is actually the individual depicted on the forged ID.

I’m more concerned about these types of cases. Would it be my responsibility or the service provider’s to prevent such occurrences?

The risk of ID theft and sophisticated fraud methods is valid. While technology providers play a crucial role in preventing such occurrences, the ultimate responsibility for customer due diligence typically rests with the reporting entity (in this case, your firm). Here's a breakdown of responsibilities and best practices:

Your responsibilities:
  • Conduct proper due diligence on technology providers before engaging their services.
  • Understand the capabilities and limitations of the technology you're using.
  • Implement additional verification steps for high-risk clients or transactions.
  • Stay informed about emerging fraud techniques and adjust your processes accordingly.
  • Train staff to recognise red flags that technology might miss.
Technology provider's responsibilities:
  • Implement robust security measures and fraud detection algorithms.
  • Regularly update their systems to address new fraud techniques.
  • Provide clear documentation on their verification processes.
  • Offer support and guidance on how to use their tools effectively.
Best practices:
  • Use a multi-layered approach to identity verification, combining technology with manual checks where necessary.
  • Implement ongoing monitoring to detect any suspicious changes in client behaviour or information.
  • Consider using multiple technology solutions for cross-verification.
  • Maintain clear policies and procedures for escalating suspicious cases for manual review.

While technology can greatly enhance AML processes, it should be seen as a tool to support, not replace, human judgement and oversight. Always err on the side of caution and conduct additional checks if you have any doubts about a client's identity.




Do we have to retain documents or only reference to check / document number?

The specific requirements for document retention will be outlined in the final AML/CTF regulations. The record-keeping period will likely remain the same, at seven years after the conclusion of the business relationship. However, based on existing AML practices and international standards, it's likely that you'll need to retain more than just references or document numbers. Here's what you could expect:

  • Full document retention: In most cases, you'll need to keep copies of the actual documents used for customer due diligence (CDD), not just references.
  • Types of documents: This usually includes identification documents, proof of address, and any other documents used to verify the client's identity or assess their risk profile.
  • Format: Documents can usually be retained either in physical or electronic form, as long as they remain readily accessible and legible.
  • Retention period: AML regulations require documents to be retained for a specific period after the business relationship ends or after the transaction is completed. This is likely to remain the same, at seven years.
  • Transaction records: In addition to CDD documents, you'll likely need to keep records of transactions and any due diligence conducted on those transactions.
  • Audit trail: It's important to maintain a clear audit trail of checks performed, including dates and methods used as well as senior management sign-off or exceptions. 
  • Accessibility: Documents should be readily accessible to senior management and available for review by regulators if required.
  • Security: Ensure that retained documents are stored securely to protect client confidentiality and comply with data protection laws.

While keeping full documents may seem burdensome, it provides a stronger audit trail and better protection for your firm in case of regulatory scrutiny. Always refer to the specific guidance provided by AUSTRAC once the new regulations are released, as they will provide definitive requirements for document retention.



Can the costs of the new legislation be passed on to clients? What do they do overseas?

Yes. Based on practices observed overseas:

  • Cost passing is common: Many businesses do pass on some or all of the costs associated with AML compliance to their clients. We see this commonly folded in as an AML fee or within the onboarding costs. 
  • Transparency is key: If costs are passed on, it's generally done transparently, often as a separate line item or clearly explained fee.
  • Varied approaches:
    • Some firms incorporate the costs into their overall fee structure.
    • Others charge specific AML-related fees for certain services or high-risk clients.
    • Some absorb the costs entirely, viewing it as a cost of doing business.
  • Client education: Firms often educate clients about the necessity and benefits of these procedures to justify any additional costs.
  • Competitive considerations: The ability to pass on costs often depends on market conditions and competitive pressures.
  • Risk-based approach: Some firms only pass on additional costs for high-risk clients requiring enhanced due diligence.
  • Client agreements: Many firms update their client agreements to reflect any AML-related fees or changes in fee structures. For example, many law firms will add the AML costs to their terms of engagement.
  • Periodic review: Firms often review and adjust their approach as they better understand the true costs of compliance over time.



Is there a difference to money laundering requirements if you do not have a client account and do not hold client money at all?

While not holding client money does reduce some money laundering risks, it doesn't entirely exempt a business from AML/CTF obligations. Here's how it might affect your requirements:

  • Core obligations remain: You'll still likely need to conduct customer due diligence, maintain an AML programme, and report suspicious matters.
  • Risk assessment: Your overall risk profile may be lower, which could influence the intensity of your AML measures.
  • Transaction monitoring: While you won't need to monitor client accounts, you'll still need to be vigilant about the nature of services provided and any potential abuse for money laundering.
  • Reduced focus on certain areas: Requirements related specifically to handling client funds (like threshold transaction reporting) may not apply.
  • Ongoing due diligence: You'll still need to conduct ongoing due diligence on clients, even if you're not handling their money directly.
  • Specific services: Certain services (like company formation) may still be considered high-risk for money laundering, regardless of whether you handle client funds.
  • Indirect involvement: Be aware that you could still be indirectly involved in facilitating transactions, even if you don't handle the funds directly.
  • Professional obligations: Your professional ethical obligations regarding money laundering prevention would still apply.
  • Regulatory guidance: Regulators may provide specific guidance for businesses that don't handle client money.
  • Record keeping: You'll still need to maintain records of your clients and the services provided.

While not holding client money may simplify some aspects of AML compliance, it doesn't negate the need for a robust AML programme. The exact requirements will depend on the final regulations and your specific business model. 



Are there templates we can use [for policies, programmes and risk assessments]? What did the regulators in NZ provide and do you think AUSTRAC will do the same?

Based on experiences from other jurisdictions, including New Zealand, it's likely that AUSTRAC will provide some form of guidance or templates. For example:

New Zealand's approach:

The Department of Internal Affairs (DIA) provided a range of resources, including:

  • AML/CFT programme template
  • Risk assessment template
  • Guidance documents for different sectors
  • Sample policies and procedures
Australia's potential approach:
  • AUSTRAC: Given AUSTRAC's history of providing guidance, they're likely to offer similar resources. This may include sample AML/CTF program templates, risk assessment guides, and sector-specific guidance.
  • Industry bodies: Professional associations (e.g., Law Society, Accounting bodies) may also develop tailored templates.
  • Phased release: Templates and guidance may be released in phases, starting with core requirements and expanding over time.
  • Customisation needed: While templates are helpful starting points, they'll need to be customised to your specific business model and risk profile.
  • Online tools: AUSTRAC may provide online tools or portals to help businesses develop their programmes.
  • Workshops and training: Expect AUSTRAC and industry bodies to conduct workshops or webinars on how to use any provided templates or tools.
  • Ongoing updates: Templates and guidance are likely to be updated as the regime matures and new risks emerge.
  • Consultation process: AUSTRAC may consult with industry on draft templates before finalising them.
  • Proportionate approach: Guidance and templates are likely to reflect a risk-based, proportionate approach suitable for businesses of different sizes and risk levels.

Templates can be very helpful but it's advisable to:

  • Monitor AUSTRAC's website and communications for updates on available resources.
  • Engage with your professional association for sector-specific guidance.
  • Consider seeking professional advice to ensure your programme is compliant and effective, especially in the early stages of implementation.

About First AML

First AML streamlines the entire anti-money laundering onboarding and compliance process. Backed by real expertise, its cloud-based KYC Passport allows complex entities to share their verification across multiple companies and geographies, at their discretion.

Making an otherwise complex and manual onboarding process simple for clients and cost effective and compliant for businesses, First AML delivers efficiency and time savings, protecting reputations, and enabling companies to be on the right side of history in the face of global threats.
