Example 1: Entering and resolving issues under a CDD arrangement within Australia

Eclipse Financial Services Pty Ltd (Eclipse) and Moneypenny Limited (Moneypenny) are unrelated reporting entities located in Australia that provide financial services. Eclipse often refers customers to Moneypenny. To create a more efficient referral service and streamline the customer experience, they agree to enter into a CDD arrangement, which allows Moneypenny to rely on the ACIP undertaken by Eclipse.

Before entering into the arrangement, Moneypenny undertakes an assessment of the risks associated with such reliance, including the standard of Eclipse’s measures for complying with CDD and record keeping requirements under the AML/CTF Act and Rules.

The assessment concludes that there is a moderate risk of relying on Eclipse. Having completed the assessment a recommendation is then made to a senior managing official in Moneypenny to enter into a CDD arrangement with Eclipse, and in so doing implements the following risk-based systems and controls:

• Moneypenny will request fortnightly samples of ACIP undertaken by Eclipse of customers that fit certain risk profiles and validate them for accuracy.
• Moneypenny will undertake a risk assessment review after one year rather than wait for the maximum two year interval, unless other circumstances trigger an earlier review.

Under the agreement Eclipse will provide the fortnightly samples of ACIP undertaken within 24 hours of them being requested.

After the first month of sample reviews, Moneypenny notices that most samples take several days to be provided and at least two are not provided at all. Moneypenny undertakes an immediate assessment to ensure that the ACIP requirements are being met by Eclipse. Moneypenny observes that ACIP requirements were not being met for corporate customers and Eclipse could not locate all of its ACIP records for five of its individual customers.

Moneypenny immediately ceases relying on ACIP undertaken by Eclipse and implements steps to carry out its own ACIP for all future referrals. Moneypenny also implements a remediation program to ensure ACIP has been adequately undertaken for all affected referrals.

Given the good relationship between Eclipse and Moneypenny and the commercial benefits of the arrangement, the two businesses create a joint working group to develop systems and controls to ensure the ACIP and record keeping requirements can be met with the aim of entering into a new arrangement in the coming months.

Example 2: Resolving issues under a CDD arrangement with an entity residing outside Australia

Belle Financial Service PLC (Belle) is an offshore entity that offers customers the opportunity to invest in Australian-based managed funds manager, Maroona Investments Ltd (Maroona), an Australian-based reporting entity. To support efficiencies in its referral service and streamline the customer experience, Belle and Maroona agree to enter into a CDD arrangement, which allows Maroona to rely on the ACIP undertaken by Belle.

Prior to entering into the arrangement, Maroona undertakes an assessment of the risks associated with such reliance, which includes using a range of resources including the most recent FATF mutual evaluation report assessing the:

• standard of AML/CTF laws and regulation Belle is subject to
• nature, scale and scope of ML/TF risks of the jurisdiction in which Belle operates
• level and scope of the standard of Belle’s measures to comply with the CDD and record keeping requirements.

The assessment concludes that there is a low risk of relying on Belle, so Maroona, after seeking board approval, decides to enter into the agreement.

Over the first six months of the agreement, Maroona requests copies of the documentation associated with a number of new customers that Belle has carried out ACIP on and noticed that they were all received promptly and included all of the required information.

One month later, Maroona notices through its news subscription with Belle’s regulator, that it just fined Belle for some historical systemic breaches of AML/CTF obligations, including breaches relating to customer due diligence.

Maroona immediately suspends the CDD arrangement with Belle and implements steps to carry out its own ACIP for all future referrals. Maroona decides to undertake an immediate assessment to understand the nature and breadth of the enforcement action and reveals that:

• the breaches date back to a period that ceased some three years ago
• Belle has since uplifted its customer due diligence capabilities and undertaken a series of assurance processes to confirm that they are now complying with its requirements.

Belle and Maroona decide to negotiate and modify the existing CDD arrangement, which limits reliance to occur on those Maroona customers who have had ACIP carried out after the relevant enforcement period date.

In addition to the required broader regular assessments of the agreement, Maroona decides to undertake additional interim assessments every three months to test the dates of when Belle carried out the ACIP to ensure it did not pre-date the relevant enforcement period date.

Example 3: Rectification of issues identified under the CDD arrangement processes 

Glastonbury Services Limited (Glastonbury) and Salisbury Plains Investment Ltd (Salisbury Plains) are unrelated reporting entities. Glastonbury often refers customers to Salisbury Plains. To support efficiencies in its referral service and streamline the customer experience, they decide to enter into a CDD arrangement, which allows Salisbury Plains to rely on the ACIP undertaken Glastonbury.

Prior to entering into the arrangement, Salisbury Plains undertakes an assessment of the risks associated with such reliance, including the standard of Glastonbury’s measures to comply with its CDD and record keeping requirements. The assessment concludes that there is a low risk of relying on Glastonbury, so Salisbury Plains seeks board approval and decides to enter into the arrangement.

After the first year of the agreement, Salisbury Plains decides to undertake a comprehensive assessment review and concludes that no issues of non-compliance are found, with the exception of an isolated breach involving a customer using an expired driver’s licence when undertaking ACIP.

Glastonbury immediately undertakes a refresh of that customer’s identity with no issues of concern identified. Meanwhile, Salisbury Plains reviews its systems and controls and provides additional training to a small team responsible for ACIP processes.

Glastonbury is in the process of a review by AUSTRAC and advises AUSTRAC of the non-compliance. AUSTRAC notes the information and acknowledges the steps taken to prevent future non-compliance. AUSTRAC confirms that as Glastonbury completed a comprehensive assessment of the risks prior to entering into the agreement and as it is an isolated breach, it would not be liable for the non-compliance.

Example 4: Identification of an isolated breach under case-by-case reliance

Centenary Financial Services Pty Ltd (Centenary) and Worcester Investments Ltd (Worcester) are unrelated reporting entities. Centenary wants to refer a small number of customers who are seeking a financial product offered by Worcester.

They do not expect these referrals to be ongoing so do not enter into an agreement. Instead they decide to rely on the ACIP carried out on these customers by Centenary on a case-by-case basis. Prior to relying on the ACIP, Centenary provides Worcester with:

• its AUSTRAC enrolment details as evidence that it is a reporting entity
• a copy of sections of its AML/CTF program relating to how it complies with the customer due diligence and record keeping requirements
• its latest independent review which found no concerns in these areas
• its ML/TF risk assessment findings which conclude that Centenary operates in a low risk ML/TF environment.

Centenary also confirms that it stores all ACIP-related documentation electronically and can provide any available documentation upon request by Worcester within 24 hours.

Worcester opens individual accounts for this group of customers as a result of relying on the ACIP carried out by Centenary.

Three months later a law enforcement agency advises both Centenary and Worcester that one of the customers is being investigated for tax evasion and has opened an account in a false name.

Both Centenary and Worcester provide AUSTRAC with suspicious matter reports. Worcester decides to do a refresh of all of the other referred customers and finds no issues of concern. Centenary reviews its ACIP processes to establish how a false name account was opened, discovers that the ACIP was not carried out in that case and makes changes to ensure it does not happen again.

Although an isolated breach, as the reliance is on a case by case basis, Worcester may also be liable for providing a designated service without first carrying out the ACIP.