The Final AML/CTF Rules Have Landed: Our Key Takeaways

The initial CDD requirements in the Final Rules remain prescriptive, with limited relief provided. There are various rules (primarily rules 6-17 and 6-19) that “deem” certain initial CDD matters to have been established. 

However, these deeming rules do not apply to every matter in section 28(2) that must be established and the conditions that must be met to rely on these rules create some practical challenges.

There has also been some confusion introduced in relation to initial CDD for trusts. The initial CDD requirements no longer apply in respect of “trustees of a trust” but rather to “trusts”. This arguably creates confusion regarding the legal person that is the “customer” of the designated service, with the Explanatory Statement suggesting that the “trust estate should be treated as the customer”. Initial CDD requirements are also imposed for trustees (as persons acting on behalf of the customer) and beneficiaries (as persons on whose behalf the customer receives the service).

It is easiest to illustrate the operation of the “deeming” provisions with an example: a reporting entity carrying out initial CDD in relation to a trust.

If the reporting entity treats the “trust” as the “customer” of the designated service (ie the legal relationship between the trustee and beneficiaries), key initial CDD requirements include establishing on reasonable grounds the identify of beneficiaries (as persons on whose behalf the trust is receiving the designated service), the identity of trustees and their authority to act (as persons acting on behalf of the trust), and the identity of any beneficial owners of the trust.

The new rule 6-17 deems the reporting entity to have established these matters subject to certain conditions, including that:

• the ML/TF risk of the trust is low and no ECDD trigger set out in section 32 of the amended AML/CTF Act has been met for the customer. This requires the reporting entity to be satisfied, for example, that no trustee or beneficiary is a PEP or subject to sanctions, and that no suspicious matter reporting obligation arises for the trust. In practice it may be challenging to establish these matters without collecting a considerable amount of information about the trust;
• it has identified the ML/TF risk of the trust based on KYC information reasonably available before commencing to provide the designated service. The application of this condition is uncertain;
• it has collected KYC information about the trust relating to those matters “that is appropriate to the ML/TF risk of the customer”. Similar to the above condition, this creates uncertainty and may negate the “deeming” effect of this rule; and
• there are no reasonable grounds for the reporting entity to doubt the veracity of that KYC information.

Even if rule 6-17 applies, certain prescriptive requirements will still apply, including to:

• establish on reasonable grounds the “identity” of the trust, which under the Final Rules includes collecting information including:
  • evidence of the trust’s existence;
  • information about the powers that bind and govern the trust;
  • the full name of the individual, or each member of the group of individuals, with primary responsibility for the governance and executive decisions of the trust;
  • information about the nature of the trust’s business or operations; and
• establish on reasonable grounds whether the trust, beneficial owners, trustees and beneficiaries are PEPs or subject to sanctions.

If rule 6-17 does not apply, there are other provisions that deem specific matters to have been established. However, the conditions to rely on these provisions again create practical challenges. For example, rule 6-19 deems a reporting entity to have established the identity of persons acting on behalf of the trust (eg trustees) and their authority to act. Unusually, one of the conditions to rely on this is that the reporting entity establishes on reasonable grounds the trustee’s authority to act on behalf of the trust (ie it is circular). 

Where a designated service is provided at or through a permanent establishment in Australia, a reporting entity may defer establishing certain matters (Permitted Matters) until after providing the designated service, provided certain requirements are met.

Although the Final Rules reduce the timeframe in which a reporting entity must establish the Permitted Matters from 30 to 20 days after providing the designated service, they also allow a wider range of matters to be deferred, including the establishment of the identity of any person on whose behalf the customer is receiving the designated service, the identity of beneficial owners, and the nature and purpose of the business relationship or occasional transaction.

Further, certain conditions to rely on the delayed verification relief when opening an account and allowing a deposit have been removed. For example, the Final Rules replace the requirement to identify the ML/TF risk of the customer and take reasonable steps to establish individual customers are the person they claim to be with a requirement not to make transfers on behalf of the customer or make money available to the customer (otherwise than by holding the money in the opened account).

Under the Draft Rules, the travel rule applied where an item 29, 30 or 31 designated service (Value Transfer Service) was provided irrespective of whether the transfer occurred entirely offshore.

The Final Rules provide that the travel rule does not apply to a person providing a Value Transfer Service at or through a foreign permanent establishment provided that:

• the service is provided in accordance with the laws of the foreign country that give effect to the FATF recommendations; and
• either the value is transferred within the European Economic Area (EEA) or it is transferred within a foreign country.

However, this means that the travel rule must still be applied even if the value is transferred completely offshore where:

• the transfer relates to virtual assets;
• the transfer is between non-EEA countries (irrespective of whether those countries implement the FATF Recommendations); or
• the transfer is within a foreign country but the person providing the Value Transfer Service is in a country that does not implement the FATF Recommendations.

No relief has been provided in the Final Rules where compliance with the travel rule would not be permitted under local laws.

Further, there was a concern with the Draft Rules that foreign permanent establishments accepting transfer instructions from existing customers would need to verify information about their customer to comply with the travel rule (even if they were relying on grandfathering relief from initial CDD obligations). The Final Rules now address this concern and provide that an ordering institution is not required to verify certain information about a payer in relation to instructions accepted before 1 July 2030 provided that:

• the customer was a pre-commencement customer, or an existing customer that was grandfathered under rule 6-42 (for domestic customers) or rule 6-32 (for customers of foreign permanent establishments); and
• there are no reasons for the reporting entity to doubt the adequacy or veracity of the payer information.

The Draft Rules only provided limited relief from initial CDD for existing customers of foreign permanent establishments of reporting entities. A new rule has been included providing that a reporting entity is deemed to comply with initial CDD obligations in respect of a customer if:

• a designated service is provided to the customer at or through the reporting entity’s permanent establishment overseas; and
• prior to 31 March 2026, the reporting entity had complied with the local laws giving effect to the FATF recommendations relating to customer due diligence and record-keeping in relation to the customer.

Under the Draft Rules, each entity in a “business group” automatically became a member of a “reporting group” if at least one person in the business group provided a designated service (Business Reporting Group).

Under the Final Rules, a Business Reporting Group won’t be formed unless each member of the “business group” agrees in writing as to which member is the lead entity of the reporting group (being a member that satisfies certain requirements in Rule 2-1(2)).

One consequence of this may be that if one or more members of the business group do not agree in writing on a lead entity, or if the agreed lead entity does not meet the requirements in rule 2-1(2), none of the members may be part of the reporting entity’s “reporting group”. This means that the reporting entity may be unable to rely on section 236B(5) of the amended AML/CTF Act where other members of that business group discharge its obligations (although common law principles of agency may still apply). 

As part of the amendments to the AML/CTF Act, the definition of “security” was changed to have the same meaning as “security” in Chapter 7 of the Corporations Act 2001 (Cth) (Corporations Act) (rather than prior to the amendments where the definition was based on section 92(1) of the Corporations Act). However, the definition of “security” in Chapter 7 of the Corporations Act does not include interests in a managed investment scheme because they are treated as a separate financial product under Chapter 7.

The Final Rules have resolved this issue by clarifying that the definition of “security” includes interests in a managed investment scheme.

It remains important to remember that the new definition has significantly expanded the definition of “security” beyond share, debentures and now interests in a managed investment scheme to include, for example, a legal or equitable right in a share, debenture or interest in a managed investment scheme or a right to acquire such a product.  

The Final Rules provide transitional relief for SMRs and TTRs which differs according to when the obligation to submit the report to AUSTRAC arises:

• for reports required to be submitted between 31 March 2026 and 30 June 2026 – existing reporting entities who submit reports which meet the form and content requirements prescribed in the current AML/CTF Act and AML/CTF Rules will be deemed to comply with the requirements in the Final AML/CTF Rules;
• for reports submitted between 1 July 2026 and 30 March 2029:
  • entities who are enrolled with AUSTRAC as reporting entities on 30 March 2026 can either submit reports which meet the form and content requirements prescribed in the current AML/CTF Act and AML/CTF Rules or submit reports which meet the requirements in the Final AML/CTF Rules; and
  • entities who are not enrolled with AUSTRAC as at 30 March 2026 must submit reports which meet the requirements in the Final AML/CTF Rules. 

Although the application of the travel rule has been modified (particularly for offshore transfers), no transitional relief has been provided in the Final Rules.