A customer due diligence arrangement (CDD arrangement) allows you to rely on the applicable customer identification procedures (ACIP) carried out by another reporting entity regulated under the AML/CTF regime, or an equivalent entity regulated under a foreign law.

When entering into a CDD arrangement with a third party, the arrangement must be recorded in writing. CDD arrangements must be approved by an appropriate senior managing official or your governing board, and appropriately documented.

The AML/CTF Rules define a senior managing official as an individual who makes, or participates in making decisions that affect the whole, or a substantial part, of the business of a customer of a reporting entity or who has the capacity to affect significantly the financial standing of a customer of a reporting entity.

Circumstances when you can enter into a CDD arrangement with a reliable third party 

The third party you enter a CDD arrangement with must meet the relevant AML/CTF obligations and have appropriate measures in place to comply with those obligations

It’s important to consider both whether the third party has appropriate measures documented in its systems and controls, as well as how well these are implemented in practice. This can be based on information reasonably available to you, such as:

• responses to questions you have put to the third party concerning their record-keeping and CDD systems and controls as part of your assessment process
• the existence of any adverse media reporting
• any published disciplinary action by regulators.

CDD arrangements must be in writing, but you can decide how a CDD arrangement is documented. A CDD arrangement may take the form of a legally binding contract, a memorandum of understanding, standard operating procedures or another written document.

Whichever format your CDD arrangement takes, you must ensure that it complies with the AML/CTF Rules. You must have reasonable grounds to believe that:

• the CDD arrangement will enable you to obtain the required Know Your Customer (KYC) information relating to a customer before commencing to provide a designated service to a customer
• the CDD arrangement will enable you to obtain verification information from the reliable third party either immediately (that is, where IT systems permit real-time access) or without delay following a request
• the reliable third party has measures in place to comply with CDD and record keeping obligations under the AML/CTF Act or equivalent foreign obligations.

The CDD arrangement must also be approved by your governing board or a senior managing official and appropriately documented.

It is important that you can demonstrate that your assessment of the third party provides you with sufficient evidence to support your decision to enter into a CDD arrangement for the purpose of reliance. You must also be able to demonstrate that your CDD arrangement received the appropriate level of approval.

Third parties you can rely on

A reliable third party for the purposes of a CDD arrangement means:

• another reporting entity that is regulated under the AML/CTF Act
• an entity located in a foreign country that is subject to equivalent AML/CTF laws in regards to CDD and record-keeping obligations as those in Australia.

If the reliable third party you are seeking to rely on resides outside Australia is not subject to regulation by AUSTRAC as a reporting entity:

• it must be subject to appropriate AML/CTF regulation that gives effect to the Financial Action Task Force (FATF) recommendations relating to customer due diligence and record keeping (that is, equivalent obligations)

• you must have regard to the ML/TF risks of the country where the third party is based

• the CDD arrangement must enable you to comply with the customer due diligence and record keeping requirements by obtaining KYC information before commencing to provide a designated service to a customer, and to promptly obtain information about how that KYC information was verified and any associated documents, data or other relevant information on request.

For more information, see Managing risk and assessing foreign jurisdictions for reliance.

A CDD arrangement for reliance must include the following:

• an outline of the responsibilities of each of the parties to the arrangement

  • provisions to enable the relying reporting entity to obtain all required KYC information relating to the identity of the customer, the beneficial owner of the customer or a person acting on behalf of the customer before commencing to provide a designated service to a customer.

• provision to enable the relying reporting entity to receive verification information from the reliable third party either immediately or on request and without delay.

What is a ‘delay’ in providing verification information? 

What constitutes a ‘delay’ in providing verification information will depend on factors such as the nature of the product and delivery channels.

For products where a customer may be expected to undertake multiple transactions in rapid succession and the risk may be higher, your CDD arrangement should account for these circumstances and ensure that the reliable third party can provide the information without delay.

Where customers may undertake a rapid succession of higher risk transactions, it may be appropriate for verification to be available immediately (that is, under IT systems permitting real-time access) or within minutes of a request. For an ordinary lower-risk personal savings account used for day to day transactions, your CDD arrangement could provide for up to one business day for the reliable third party to respond to a request. We would not expect to see delays beyond one business day for providing information following a request.

Prior to entering into a CDD arrangement, a reliable third party should ensure that the arrangement includes provision that the reliable third party:

• is a reporting entity regulated under the AML/CTF Act or under a foreign law that gives effect to the FATF Recommendations on CDD and record keeping

• can satisfy the requirements of the AML/CTF Rules and in particular, make the required KYC information available before the relying reporting entity commences to provide a designated service to a customer

• can provide verification information to the relying reporting entity either immediately, or on request and without delay

• has the appropriate consent from the client under applicable privacy and data protection laws to disclose the KYC information to you.

Reliance and more than one third party 

Entering into CDD arrangements with more than one reliable third party 

There are no restrictions on the number of CDD arrangements a reporting entity can enter into provided that the reporting entity has reasonable grounds to believe that each of the reliable third parties are in compliance with the AML/CTF Act and Rules.

Entering into multipartite CDD arrangements 

A CDD arrangement is an agreement or arrangement between a reporting entity and a reliable third party.

While there is nothing to prevent a CDD arrangement being embedded within a multipartite arrangement, each reporting entity remains separately responsible for ensuring it complies with the AML/CTF Act and Rules. This means each reporting entity must have reasonable grounds to believe that the requirements of the AML/CTF Act and Rules were met in relation to the CDD arrangement with each of the reliable third parties when entering the CDD arrangement.

Each relying reporting entity also remains responsible for conducting regular assessments of the CDD arrangement in compliance with the AML/CTF Rules.

A group of relying reporting entities under a multipartite arrangement may agree upon a process for assessing CDD arrangements embedded in a multipartite arrangement, but each reporting entity will individually be responsible for forming its own assessment of the ML/TF risk of providing a service to the customer, and about whether it has reasonable grounds to believe that the requirements of the AML/CTF Act and Rules continue to be met with respect to each reliable third party and for documenting this assessment. Each relying reporting entity should also trigger a review where it identifies a material change affecting its reliance on a particular reliable third party.

Can KYC information obtained under a CDD arrangement be passed on by another entity as part of a separate CDD arrangement?

No. You may only rely on the KYC information collected and verified by a reliable third party under a CDD arrangement you have entered.

You cannot rely on information received from a third party under a CDD arrangement where the third party has not completed verification itself, e.g. if the third party obtained the information under a separate CDD arrangement or any other form of reliance.

Regular assessments of CDD arrangements 

You must undertake regular assessments of the CDD arrangement to ensure that the reliable third party is continuing to meet the agreed requirements.

These assessments of the CDD arrangements must be conducted at least every two years, or more regularly as appropriate, having regard to the following:

• the type and level of ML/TF and other serious crime risks you face—this will help you to establish the regular review interval
• any material changes in respect to the requirements relating to the CDD arrangements - this means that if you become aware (or should reasonably have been aware) of new developments that materially affect the basis of your most recent assessment, you should immediately begin to review the arrangement to ensure it continues to meet the requirements of the AML/CTF Act and Rules.

Information which may indicate a material change include:

• publication of adverse regulatory findings against the third party
• adverse media against the third party
• changes in ownership or control of the third party that may affect its risk profile, for example, if it is likely that a new owner is a politically exposed person in a jurisdiction with higher bribery and corruption risks, or could be an entity subject to sanctions
• open-source information indicating a significant change in the domestic money laundering, terrorism financing or serious crime risk environment in the country where the third party is based.

If the relied-on third party is domiciled in a foreign country, you should identify any changes in the country profile having regard to available information including any updates of FATF Mutual Evaluation Reports, FATF public statements or other reliable and independent country assessments.

For example, Transparency International’s Corruption Perceptions Index, or consult relevant reports and databases on corruption risk published by specialised national, international, nongovernmental and commercial organisations.

Written record of each regular assessment of the CDD arrangement 

You must make a written record within 10 days of completing each regular assessment outlining the findings and conclusions.

The outcomes of this assessment will contribute to your decision to continue, suspend or terminate the CDD arrangement with the relied on third party.

• Sections 37A and 37B of the AML/CTF Act
• Chapter 7 of the AML/CTF Rules