Proposed AML/CTF Rules: the red and green flags

Insights | 26 Feb 2025

The exposure draft Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Rules 2024 (Draft Rules), released by the Australian Transaction Reports and Analysis Centre (AUSTRAC) on 11 December 2024, raise some red and green flags for the financial services industry. 

While parts of the proposed Draft Rules have yet to make an appearance, what are the red and green flags? How much will the new regime (which is largely due to commence operation in March 2026) impact on reporting entities’ compliance arrangements?

Need to know

  • The exposure draft AML/CTF Rules 2024 are broad and more logically structured than the current rules, provide significant flexibility to reporting entities, and are more focused on outcomes and less on prescriptive requirements.
  • There are some red flag items that will significantly change the regime and will require considerable resource engagement by reporting entities, or are potentially ambiguous.
  • Consultation closed on 14 February 2025.

Background

The Anti-Money Laundering and Counter-Terrorism Financing Amendment Bill 2024 was passed by Parliament on 29 November 2024 and received Royal Assent on 10 December 2024, opening the door to a new AML/CTF regime in Australia by making significant amendments to the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (Act). As the devil is inevitably in the detail, these amendments have been treated with some apprehension in the absence of published AML/CTF Rules to guide the operational application of the regime.

Green flags

The green flags we have spotted are a combination of:

  • introducing greater flexibility for reporting entities to tailor their compliance measures to their own circumstances; and
  • providing greater clarity in situations where, in the past, reporting entities may have been unsure of what was required or expected by AUSTRAC.

Overall assessment

The Draft Rules are broad and provide significant flexibility to reporting entities in some respects. They are more focused on outcomes and less on prescriptive requirements than the current Anti-Money Laundering and Counter-Terrorism Financing Instrument 2007 (No. 1) (Cth). This approach leaves open the potential for AUSTRAC to impose subjective views on the interpretation of what is reasonable and appropriate. However, it should allow reporting entities to take more measures they deem suitable for their particular circumstances (subject to having appropriate policies in place).

Customer due diligence (CDD)

The Act will become the primary driver for CDD and prescribes very limited CDD criteria. 

For example, if the customer is an individual, a reporting entity must take reasonable steps to establish that the customer is the person they claim to be, categorise their risk, collect information appropriate to that risk categorisation, and then verify their identity using ‘reliable and independent data’. (See below for a related red flag.)

Compliance officer

It is commonly accepted that the AML/CTF compliance officer has the central responsibility for implementing, maintaining, and ensuring the reporting entity adheres to appropriate frameworks for compliance with the AML/CTF regime. 

The Draft Rules provide more targeted measures for ensuring the appointed individual is suitable for the role. Significantly, reporting entities will need to put in place policies to ensure their AML/CTF compliance officer has the requisite ‘competence, character, diligence, honesty, integrity and judgment to properly perform the duties’. Reporting entities will also have to examine the individual’s conflicts of interest. It will be interesting to see how employment arrangements and remuneration filter into considerations of conflict, as well as how characteristics such as ‘integrity’ are to be assessed.

There is also an express requirement in the Draft Rules for the AML/CTF compliance officer to provide certain reports to the board at least annually.

Politically exposed persons (PEPs)

Under the Draft Rules, a reporting entity’s policies must require senior manager approval for the provision of designated services to:

  • foreign PEPs; and
  • domestic PEPs and international organisation PEPs who are high risk.

The Draft Rules also require source of wealth and source of funds to be established for the above categories of PEPs.

We consider that the obligation for senior manager approval provides clarity and will take away some of the guesswork around what AUSTRAC might consider to be appropriate compliance measures.

More logical structure

The Draft Rules have been logically arranged into Parts, organised thematically in the order in which a reporting entity would implement each obligation – from enrolment/registration through to record keeping, secrecy and access. This should make the regime easier to follow.

Red flags

Below are the items that we think will significantly change the regime, will require considerable resource engagement by reporting entities (ie have the potential to drive up costs or generate inefficiencies), or are potentially ambiguous. 

Policies

The Draft Rules require a reporting entity to have a number of policies which, together with the money laundering and terrorism financing (ML/TF) risk assessment, will constitute the AML/CTF program. Many of these cover the same ground as the current AML/CTF program content requirements, such as tipping off, board oversight, AML/CTF compliance officer obligations and monitoring, reporting, and due diligence. However, the wording and detail of the requirements differ for some policies, so we envisage reporting entities will need to supplement existing AML/CTF governance arrangements to ensure they continue to have compliant policies in place.

Reporting groups

The concept of reporting groups will replace the current concept of designated business groups when the amendments to the Act take effect. The Draft Rules attempt to define which part of a business group would be the ‘lead entity’. However, this part of the Draft Rules is only partly complete, which is frustrating.

What the Draft Rules currently say is that a provider of designated services, which is a resident of Australia and is registered under Division 2 of Part 5B.2 of the Corporations Act, will be the lead entity if it ‘controls’ all other group members who provide designated services. If there is more than one designated service provider that meets the aforementioned criteria, then the lead entity will be the one with ‘the most direct control’ of all other designated service providers within the group.

Groups which currently have multiple reporting entities may therefore need to revisit the structure of their existing compliance arrangements.

Anyone wondering what happens if there is no provider of designated services that ‘controls’ all other group members who provide designated services must wait patiently for the next iteration of the Draft Rules.

CDD

Individuals

For account-based and transfer of value designated services (ie items 1, 3, 5, 29, and 30), the Draft Rules require a reporting entity to verify an individual’s date of birth and place of birth. 

It could be difficult to verify place of birth, particularly if the individual does not have a passport. It has been indicated this requirement is to assist AUSTRAC in identifying and verifying place of birth when conducting investigations on foreign individuals. However, it will potentially complicate verification processes for reporting entities conducting these designated services. 

Businesses

The Draft Rules require reporting entities to verify the ‘ownership, control, and management structure’ of businesses. While reporting entities currently need to examine beneficial owners, identifying the management structure is a new requirement. 

Requiring identification and verification of the management structure of a business opens the door to potentially far-reaching and complicated CDD processes. Reporting entities will likely need thorough frameworks to maximise efficiencies here.

Employee due diligence and training

Due diligence

In the same manner as the amendments to the CDD arrangements, the Draft Rules propose to provide flexibility in employee due diligence. 

The Draft Rules require a reporting entity to examine an employee’s:

  • skills, knowledge, and expertise relevant to their particular responsibilities; and
  • integrity.

These requirements are very broad and establishing a framework to assess ‘integrity’ could be challenging. We envisage that reporting entities with current procedures to examine criminal history, negative reports, and bankruptcy would maintain those measures for this purpose. 

Training

Under the Draft Rules, reporting entities must conduct both initial and ongoing employee training having regard to the person’s particular needs in their role.

Significantly, the training must also be ‘readily understandable by the person’. While good in principle, this requirement may prove difficult for an AML/CTF compliance officer to monitor or evaluate. It could also prevent generalised employee training being delivered (for efficiency and cost savings) to groups of employees across an organisation, as it seems to imply training must be considered against individual employee needs. This may prove to be impractical for large reporting entities, some of which may have thousands of employees, and expensive for reporting entities of all shapes and sizes. 

Reporting

The Draft Rules require suspicious matter reports, threshold transaction reports and other reports to be ‘complete, accurate and free from unauthorised change’. 

It is unclear what is meant by ‘free from unauthorised change’. Does it mean limiting access to making reports within an organisation or ensuring reports are free from external influences?

Independent evaluations

Note: we believe this will be the largest potential source of increased costs.

The Act (as amended) will require independent evaluations (currently known as ‘independent reviews’) to be undertaken at least every three years. It was hoped the Draft Rules would expand this timeframe for lower risk reporting entities, which unfortunately is not the case. 

AUSTRAC has current guidance indicating high risk organisations should conduct independent reviews at least every two to three years. When the amendments to the Act come into effect, all reporting entities will effectively be captured in this timeframe.

For low and medium risk reporting entities, which may currently conduct independent reviews less frequently than their high-risk counterparts based on the current regulatory guidance, this is likely to significantly increase costs, which will be particularly challenging for smaller businesses to absorb. 

Further, the Draft Rules have differently worded evaluation criteria. In some cases, this may mean the independent evaluation process may be more rigorous than independent reviews previously undertaken. The Draft Rules state that a reporting entity’s policies must require the independent evaluation process to:

  • evaluate the steps taken when undertaking or reviewing ML/TF risk assessments;
  • evaluate the design of the AML/CTF policies;
  • test and evaluate the compliance of the entity with its policies (in essence, a quality assurance review every three years);
  • produce a written report containing findings; and
  • deliver the report to the board and any senior management.

Ongoing customer due diligence (enhanced CDD and transaction monitoring)

Enhanced customer due diligence (ECDD)

ECDD is now required where a customer seeks designated service/s that has/have ‘no apparent economic or legal purpose’ and the proposed provision of designated service/s would involve:

  • unusually complex or large transactions; or
  • an unusual pattern of transactions.

Firstly, it is unclear what circumstances would involve a person receiving a service that has ‘no apparent economic or legal purpose’. This appears to put the onus on a reporting entity to establish that there is an economic or legal purpose when a designated service is sought.

Secondly, this has the potential to capture an extraordinarily broad range of circumstances, without there necessarily being a potential connection to suspicious behaviour. For example, what would be considered an ‘unusually large transaction’? This may be difficult for a reporting entity to establish, particularly if their prior interactions with the customer have been limited or non-existent.

Transaction monitoring

The Rules now provide an extensive list of offences that organisations must monitor transactions and behaviour for, including but not limited to corruption, bribery, fraud, forgery, environmental crime, robbery, murder, and cybercrime (in addition to the usual ML/TF offences). While these offences are captured under the existing AML/CTF regime with a requirement to monitor for criminal offences generally, the specific list will place the onus on reporting entities to have transaction monitoring rules that specifically target the detection of these kinds of criminal activities.

This could be a significant shift for reporting entities if they are currently taking a more generic approach, as they will need to develop more targeted transaction monitoring frameworks.

What’s next?

Consultation closed on 14 February 2025. Reach out to the HW Funds team to understand more about how the amendments to the Act and the Draft Rules might impact your business and what steps you should consider taking now. We will keep you up to date with further developments.
