Upcoming Tranche 2 AML/CTF Reforms: key KYC obligations

Insights, 12 Nov 2025
By Langton Clarke and Andrew Ong

The Tranche 2 reforms to Australia’s anti-money laundering and counter-terrorism financing (AML/CTF) regime are fast approaching and mark a significant shift in approach, particularly in relation to know your client (KYC) obligations. With the final AML/CTF Rules and the Australian Transaction Reports and Analysis Centre’s (AUSTRAC’s) core guidance published in the last few months, AUSTRAC’s focus will likely remain on new reporting entities (Tranche 2 reporting entities). You can read more about the key aspects of the rules and core guidance in our recent articles, Final AML/CTF Rules unveiled – key implications for reporting entities and AUSTRAC releases Core Guidance ahead of AML/CTF reforms.

Tranche 1, or existing reporting entities, such as fund managers and product issuers, should assume AUSTRAC will not publish further guidance about how to comply with the obligations under the new laws, and should update all relevant policies and procedures in anticipation of the 31 March 2026 commencement.

This article provides a snapshot of the current KYC requirements under the new reforms, highlighting the key updates and practical implications for organisations operating in this space.

KYC checks

A key component for all reporting entities is the KYC checks to be conducted on customers before providing designated services.

There have been significant changes to this obligation as part of the Tranche 2 reforms. Below, we have summarised what a complete KYC check process looks like and then explore some of the exemptions available to reporting entities. 

Diagram: Customer due diligence (CDD) overview (source AUSTRAC)

Customer risk rating and senior manager approval

The new AML/CTF legislation contains an express requirement for reporting entities to assess the ML/TF risk of a customer prior to providing designated services to that customer, based on all the information reasonably available to the reporting entity.

The KYC checks conducted on the customer will depend on this ML/TF risk rating. For example, where the ML/TF risk rating is high (based on information reasonably available to the reporting entity about the customer prior to providing services), the entity:

  • must obtain approval from its senior manager(s) to commence providing designated services; and
  • would likely need to apply its enhanced customer due diligence program.

Reporting entities should note that the obligation to assess the ML/TF risk rating applies continuously prior to providing designated services. While a reporting entity may not have information 'reasonably available to it' based on an initial telephone call from a potential investor to support assigning an ML/TF risk rating that differs from the reporting entity's broader ML/TF risk assessment, once a fund manager receives an application form with customer information, this ML/TF risk assessment should be updated. At any point prior to providing designated services, if the reporting entity has information reasonably available to it that indicates the customer is not who they say they are, is seeking designated services for an unusual purpose, or there are discrepancies in the information the customer has provided, the ML/TF risk rating may need to be updated and the KYC checks conducted on the customer may also need to change.

The approval of a reporting entity's senior manager is also required where:

  • the customer is a foreign politically exposed person; or
  • a customer is unable to provide information or evidence necessary for the reporting entity to complete its KYC checks.

Completing KYC checks under Tranche 2

Under the current Act and Rules, the process of conducting KYC checks generally refers to the processes of collecting and verifying information to be satisfied of the identity of the customer to whom an entity would be providing designated services.

Under Tranche 2, AUSTRAC has intentionally shifted the emphasis away from the procedural method of determining what information to collect and verify for every 'customer type' (eg company, trust, individual, etc). Instead, under the Tranche 2 reforms, KYC generally refers to establishing, on reasonable grounds, the relevant KYC matters depending on the customer type and ML/TF risk rating. For all customers, reporting entities must establish on reasonable grounds all the following matters:

| # | KYC matter to establish on reasonable grounds | In practice |
|---|---|---|
| 1 | The identity of the customer | You must establish, on reasonable grounds, that the customer is who they claim to be. This will require a reporting entity to collect and verify specific information depending on the customer type (eg individual, company, etc). |
| 2 | The nature and purpose of the customer's business relationship or occasional transaction | AUSTRAC states that this relates to the reasons a customer is seeking designated services and the nature of the services they are seeking. |
| 3 | The identity of any person on whose behalf the customer is receiving the designated service (Generally only applicable to customers that are trusts) | This generally refers to beneficiaries of a trust. In these cases, AUSTRAC treats the 'trust' as the customer receiving the designated service on behalf of the beneficiaries of the trust. |
| 4 | The identity of any person acting on behalf of the customer, and their authority to act | This generally refers to a trustee of a trust, or an agent of any other customer type if it acts on behalf of a customer in receiving designated services. This could include, for example, an employee or director acting on behalf of a company to receive designated services. In these cases, the employee or director is deemed to act as an agent of the customer (eg the company). |
| 5 | The identity of any beneficial owners of the customer | This requirement only applies where the customer is not an individual. The definition of a 'beneficial owner' has not changed from the current Act and Rules. |
| 6 | Whether any of the persons in points 1-5 above is a politically exposed person (PEP) or a person designated for targeted financial sanctions | Entities will generally subscribe to third party databases (eg PEP databases and sanctions databases) to establish this matter. AUSTRAC also recommends searching the Department of Foreign Affairs and Trade's Consolidated List for persons subject to sanctions. |

Collecting and verifying KYC information

While the above broad framework for conducting KYC checks has changed as part of the Tranche 2 reforms, it remains necessary to collect and verify information to complete KYC checks on a customer. The collection and verification of information is a crucial aspect of what it means to 'establish, on reasonable grounds', the relevant KYC matters.

The information that must be collected and verified depends in large part on the 'entity type' of the customer (eg individual, company, trust, etc). Rules 6-1 to 6-5 set out what information must be collected depending on the entity type, for example:

  • Rule 6-1 sets out what information must be collected on a sole trader.
  • Rule 6-2 sets out what information must be collected on a company.
  • Rule 6-3 sets out what information must be collected on a trust (including foreign trusts).
  • Rule 6-4 sets out what information must be collected on a government body.

Notably, the Rules no longer set out what information must be 'verified'. Instead, the new laws simply state that a reporting entity must verify as much of the KYC information it has collected on the customer as is proportionate to the ML/TF risk rating of the customer. In this way, the Tranche 2 reforms demonstrate an intentional shift away from the drafting of the current Act and Rules, which set out exactly what information must be collected and verified for all customer types.

Exemptions

Reporting entities are exempt from verifying the information in points 2-5 in the table above where the following circumstances apply:

  • the reporting entity is not required to apply its enhanced customer due diligence program to the customer;
  • the reporting entity has assigned the customer a low ML/TF risk rating; and
  • the reporting entity has collected all relevant information in points 2-5 above, and there is no reason to doubt the adequacy or veracity of this information.

Where these circumstances apply, a reporting entity is required to:

  • collect and verify information about the customer;
  • only collect information about the nature and purpose of the customer's business relationship (or the occasional transaction) eg by collecting information about the reasons the customer is seeking designated services;
  • (if the customer is a trust), only collect information about the beneficiaries (or classes of beneficiaries) under a trust;
  • only collect information about any agents acting on behalf of the customer in receiving designated services, if there are any such agents;
  • only collect information about the beneficial owners of a customer eg by collecting information about the ownership and control structure of the customer; and
  • conduct checks on all the above identified persons for their respective PEP status or if any individuals are persons designated by sanctions.

In addition to the above exemption, a reporting entity is also entitled not to collect any information on a customer's beneficial owners, if the customer is (or is controlled by) a public listed company, an entity subject to government or prudential regulation by a registration or licensing requirement, or a government body (in which case it is also not required to verify the PEP status of any beneficial owners as these will not be known to the reporting entity).

Case study: conducting KYC checks on a managed investment scheme

Fund managers generally assess the ML/TF risk of their customers, and of providing designated services, to be low. Assuming a fund manager has no reason to doubt the adequacy and veracity of information it has received, we expect the KYC checks a reporting entity would conduct on an investor that is a managed investment scheme (Investor Fund) would be as follows:

  • collect and verify information about the Investor Fund in accordance with Rule 6-3 (eg information that must be collected on a trust);
  • collect information about the reason the Investor Fund is seeking designated services;
  • collect information about the classes of beneficiaries of the Investor Fund;
  • collect information about the trustee of the Investor Fund in accordance with Rule 6-2(2); and
  • determine the PEP status of any individual named in the above information collected.

The beneficial owners of the Investor Fund do not need to be collected or identified on the basis the Investor Fund is an entity subject to government regulation by a licensing requirement.

The above provides only a snapshot of what KYC checks will look like in practice for reporting entities. The KYC checks required in each instance will depend on what is stated in each entity's AML/CTF program and policies, and on the ML/TF risk posed by a customer from time to time.

All reporting entities need to review and update their KYC procedures in line with the new AML/CTF regime. We encourage taking proactive steps now to review your current practices and stay ahead of the regulatory changes. For both new and existing reporting entities, reach out to our team to ensure you understand what is required.
