Employee due diligence

About this guidance

You must have an employee due diligence (EDD) program which documents how you will screen and rescreen your employees and contractors for money laundering or terrorism financing (ML/TF) risks to protect your business.

Screening your employees involves checking their background to determine their suitability for the role, making sure they are who they say they are, ensuring that they meet your probity standards, and confirming the information they have provided is true and correct.

Your EDD program must also document the steps you will take in circumstances where an employee fails to comply with your program without reasonable excuse.

This guidance is general and is not specific to any particular industry sector. It relates to situations which pose the highest ML/TF risk and may exceed the minimum requirements as set out in the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) and Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (AML/CTF Rules). Therefore, this guidance references where best practice may apply to help you mitigate and manage the risks you may face when conducting EDD. You should tailor your EDD requirements to meet your specific circumstances including your senior management and/or board-approved risk appetite.

Recognising that the AML/CTF regime is risk-based, the examples in this guidance are not exhaustive and are illustrative of how you may comply with these obligations.

On this page

Disclaimer

AUSTRAC provides this guidance for educational purposes only and it does not constitute legal advice. The information in this guidance should be read together with, and not as a substitute for, the AML/CTF Act and Rules.

AUSTRAC does not guarantee, and accepts no legal liability whatsoever arising from, or connected to, the use or reliance of any material contained in this guidance.

For more information, please read AUSTRAC’s website disclaimer.

Identifying roles that pose a risk to your business

Your EDD program must have appropriate risk-based systems and controls to determine whether and how to screen prospective employees or employees being promoted or transferred. This should help you to determine which positions can facilitate the commission a ML/TF offence, may pose a ML/TF risk to your business and identify where you should apply your EDD processes.

To screen prospective employees, you may ask them to provide you with the necessary information to assist you to assess their suitability for the role. This could take the form of a questionnaire requiring the prospective or existing employee to sign a declaration that the information they have provided to you is true and correct, and they consent to you undertaking background checks. Where an existing employee is moving to or being transferred to a new role, you should leverage your risk-based systems and controls to determine whether the role requires the employee to update or undertake further assessment.

It is best practice to rescreen your employees at regular intervals and how often you do so should be risk-based. For example, you may ask each employee to declare or self-attest at five-year intervals that there has been no material changes to their circumstances since they were last screened. Further, you may also require your employees to undertake a new National Police Check. You should review and independently verify the information your prospective and existing employees provide.

Your EDD program is an important component of Part A of your AML/CTF program. You must base it on the ML/TF risk assessment of your business or organisation and the employees’ roles. AUSTRAC expects that you consider the risks identified in your current ML/TF risk assessment and relate these risks to the roles your employees perform.

Your AML/CTF program should also explain the processes, systems and controls you have established to identify, mitigate and manage risk, including how you will screen your prospective employees, which roles you will screen, and when and how you will re-screen an existing employee.

Small and medium size reporting entities

Some small and medium-sized reporting entities may decide to assign the same risk-rating for all employees because they share numerous roles and functions, some of which carry ML/TF risk.

If you apply the same screening checks for all prospective new employees, you should implement appropriate screening commensurate with the highest assessed ML/TF risk.  

Which employees to screen and re-screen

You should screen or re-screen any employee whose role may put them in a position where they could facilitate the commission of a ML/TF offence. You should base the frequency and process of screening and re-screening employees, at all levels, on your risk assessment and senior management and/or board-approved risk appetite.

This includes:

  • employees (including executive directors and senior managers), officers, and contractors

  • prospective employees who, if employed, may be in a position to facilitate a ML/TF offence 

  • existing employees whose role or duties may enable them to facilitate the commission of a ML/TF offence, and

  • existing employees prior to transfer or promotion to a position which may enable them to facilitate the commission of a ML/TF offence.

Depending on the structure of your business, it is best practice to screen and rescreen all employees including board members (executive and non-executive directors), executives, senior managers, officers, and contractors.

How to screen and rescreen employees

To screen both prospective and existing employees you should consider the following non-exhaustive list of steps:

  • Identify and verify their identity.
  • Confirm their employment history and qualifications (for example through original or certified documents, written references or referee reports).
  • Undertake character and background checks to confirm their employment history and past conduct.
  • Where appropriate, confirm if another government agency in Australia has authorised the person to perform certain functions that may intersect with their AML/CTF duties. This may apply, for example, where a person is required to hold a current state or territory gaming regulator-issued licence to perform their functions. You should check if the licence involves a Fit and Proper Person (FPP) test and whether the government agency has subjected the person to any disciplinary action. 
  • For positions that require technical qualifications and/or practicing certificates, such as a lawyer or an accountant, you may confirm the person is a member of the relevant professional association and is not, and has not been, subject to disciplinary action.
  • Decide whether they are suitable for the position and assess whether they pose a risk to your business or organisation.
  • Consider undertaking a National Police Check with the person’s consent.

Employee self-disclosure of changes to circumstances

You may consider requiring your employees to self-disclose material changes in their circumstances that may have an impact on their suitability for their current role. This may include, for example, circumstances where the employee: is being investigated, charged or prosecuted for a criminal offence, has significant changes in their financial arrangements, or proposes to undertake secondary employment.

You may also consider adopting a regular review process where the employee is asked to provide a self-attestation or submit updates disclosing any material changes to their circumstances since their initial or most recent EDD assessment.

National Police Checks

You can obtain a National Police Check through the Australian Federal Police. For more information visit National Police Checks, which provides employers and applicants with further details including fees, an application completion guide, and frequently asked questions covering consent and the Commonwealth Spent Convictions Scheme.

The Australian Criminal Intelligence Commission also maintains a list of accredited bodies to assist you to apply for and submit a National Coordinated Criminal History Check. These accredited bodies are also authorised to submit checks on behalf of organisations to assist these organisations with the screening of their employees (see Legal Entity Customers).

People who have resided overseas

A National Police Check will not identify all concerns or risks associated with people who have resided in one or more foreign jurisdictions. For example, recent migrants to Australia or Australian citizens who have spent considerable time as a resident in another country.

In these circumstances you should consider alternative options to obtain a meaningful criminal history of the person such as using a private service provider that can undertake an International Police Check that covers a range of foreign jurisdictions.

Self-attestation

As part of the screening and rescreening processes, you can ask prospective and existing employees to provide you with information to assist you to assess their suitability for the role. This can take the form of a questionnaire requiring them to declare that the information they have provided to you is true and correct. You should review and independently verify the information provided.

High-risk roles

Some roles in your entity might pose a higher ML/TF risk than others (for example, roles with duties that might make the employee a target for collusion or coercion by associates involved with criminal groups).

You may consider applying more rigorous screening for these roles. For example, this may include checking whether the prospective or existing employee:

  • has a criminal record (to identify convictions or offences relevant to the inherent role requirements). You may request they provide consent for you to a National Police Check.
  • is or has been subject to any regulatory, court or legal action
  • has taken advantage of the laws of bankruptcy for their own benefit
  • is a director or office bearer of a company by searching the ASIC database to ensure that there are no potential conflicts that may present ML/TF risks
  • has secondary employment or business interests that may present ML/TF risks
  • can provide details of independent referees to provide character references and background checks
  • has lived in high-risk countries or regions, and/or
  • is a politically exposed person (PEP), is named on a sanctions list or is the subject of any adverse media reports.

Once you have collected and assessed this information, you will need to determine whether the person is suitable for the role in accordance with the risk profile of the position.

Outsourcing 

For a range of commercial or operational reasons, some reporting entities may outsource their EDD obligations and/or AML/CTF employee risk awareness training to a third party service provider. Under an outsourcing arrangement, legal liability for any breach of compliance with these obligations remains with the reporting entity.

Before engaging a third party, it is best practice to conduct appropriate due diligence to ensure that the third party is suitable and has the appropriate skills, expertise, knowledge, experience and references to conduct the services in accordance with your expectations, AML/CTF program, systems and controls and your ML/TF risk assessment.

If you engage a third party, it is best practice to have appropriate systems and controls in place to monitor their performance as part of your overall governance and risk management arrangements. This may include regular reporting and conducting regular reviews (including independent reviews) to ensure that the third party is meeting your agreed performance and compliance expectations.  

You should document the details of your outsourcing arrangement, including your due diligence processes, how you will address identified ML/TF risks, performance management and governance arrangements, and decision-making, including senior management and/or board approvals of the outsourcing arrangement.

Employees who don’t comply with your AML/CTF program

You must establish, maintain and document a system to manage employees who fail to comply with your AML/CTF program without reasonable excuse (see AML/CTF Rules, paragraphs 8.3.4 and 9.3.4).

Depending on the seriousness of an employee breach, this may include mandatory training to refresh their knowledge of your AML/CTF program or disciplinary action, which might range from formal warnings to dismissal.

If an employee fails to comply with your AML/CTF program, it is best practice for you to document the outcomes of any procedures that are applied.

Review of your employee due diligence processes

It is best practice to document all decisions and outcomes of EDD assessments to provide an audit trail and improve future accountability. You should document any changes or updates to EDD processes and include the reasons for the change and the senior manager responsible for approving the revisions.

You should review your EDD processes at regular intervals and in response to circumstances or events that trigger a review such as changes to your structure or how you deliver a designated service. How you review your EDD processes, and how often you do this depends on the size, nature and complexity of your business or organisation. You may also use an independent review to examine your EDD processes.

Self-assessment questions

These questions are a guide only to assist you to determine whether your business is complying with its obligations.

  • What is your approach to screen and rescreen employees in accordance with your EDD obligations?
  • Do the screening processes and management of different employees (including where you extend the processes to members of the board and senior management) reflect the ML/TF risks to which their role is exposed?
  • How do you assess the effectiveness of your EDD processes?
  • How often, and in response to what triggers, are your EDD processes reviewed and updated and do you record and document any changes or revisions?

Examples of good and bad practices

Good practices Bad practices
Temporary employees are subject to the same levels of EDD processes as permanent employees, where applicable. Failing to assess all positions in the business to determine the ML/TF risks posed to the reporting entity and the level and frequency of the EDD processes that should apply to each position.
Employees employed in higher-risk roles are subjected to higher levels of EDD. Conducting EDD as a one-off process and failing to identify changes that could affect an individual’s suitability for the role.
Where employment agencies are used, the reporting entity periodically satisfies itself that the agency is adhering to the agreed EDD processes. Only screening employees in senior management and board roles while failing to screen operational employees.
A robust framework is maintained to ensure any employee’s non-compliance with internal AML/CTF policies or processes is managed and resolved. Not subjecting staff to re-screening when they move into a higher ML/TF risk role.
Records are maintained for decisions made and actions taken in accordance with EDD program. Not keeping a documented audit trail of reviews and changes or enhancements to your EDD processes.

Employee due diligence examples

These examples of EDD measures for medium and high-risk roles are not exhaustive.

Medium-risk role example

An administrative officer may have some opportunity to facilitate the commission of a ML/TF offence by, for example: 

  • having access to, and the ability to amend, customer information and transaction and account data
  • being responsible for uploading and processing payments, including cash transactions, and
  • performing customer due diligence processes.

Noting the above, you may determine this role poses a medium risk to your business. For a medium risk, you may conduct the following as part of your EDD checks:

  • reference checks from previous employers
  • a character reference
  • request consent to undertake a National Police Check
  • identify whether a government regulator or a professional body has subjected the person to any disciplinary processes, and
  • a bankruptcy search.

Higher-risk role example

A manager may have significant opportunity to facilitate the commission of a ML/TF offence by, for example: 

  • authorising the investment and release of funds
  • corresponding directly with potential or existing customers
  • having the authority to change processes, such as temporary exemptions or a manual work-around to protocols
  • managing and authorising outsourcing or contracting arrangements, and
  • having access to highly sensitive business or customer information.

Noting the above, you may determine this role poses a high risk to your business. For a high risk role, in addition to the checks for a medium risk role, you should consider these additional checks:

  • a sanctions and PEP check (such as a World-Check or equivalent)
  • an ASIC company directorship check, and
  • a check to determine if they have been or are subject to disciplinary action by a regulatory agency.

The content on this website is general and is not legal advice. Before you make a decision or take a particular action based on the content on this website, you should check its accuracy, completeness, currency and relevance for your purposes. You may wish to seek independent professional advice.

Last updated: 15 Jan 2024
Page ID: 19

Was this page helpful?

Was this page helpful?
Please note that feedback you provide here will be used only for the purpose of improving our website. If you have a specific question about your AML/CTF obligations, please contact us.