Anti-money laundering in Australia: Will 2024 finally bring change?

Australia is a global outlier in AML

Australia is one of only five countries to exempt lawyers, accountants and real estate from anti-money laundering rules. The Australian government has committed to change this, expanding AML/CTF obligations to an additional 100,000 ‘Tranche-2’ entities in Australia, while modernising the AML regime. The reforms are expected to be introduced to parliament in 2024, but have received push back from some affected industries.

What is the current AML/CTF legislation in Australia?

The Anti-Money Laundering Counter Terrorist Financing Act 2006 (AML/CTF Act) imposes reporting obligations on reporting entities who provide designated services.  

Other legislation includes the Financial Transaction Reports Act (1988) (FTR Act) to tackle drug trafficking and organised crime. While Sections 400.3- 400.8 of the Criminal Code Act 1995  and the Proceeds of Crime Act 2002 make it an offence to deal with money or property that is or may be a proceeds of crime.

There is also the Anti-Money Laundering and Counter Terrorism Financing Rules Instrument 2007 (No 1) and the Anti-Money Laundering and Counter-Terrorism Financing (Prescribed Foreign Countries) Regulation 2018.

Businesses that are required to comply with the AML/CTF Act are also required to comply with the Privacy Act 1988. While small businesses (turnover under $3m) are not covered by the Privacy Act, small businesses who are reporting entities under AML/CTF are required to comply with the Privacy Act.

The AML/CTF Act currently regulates financial services (banks, building societies and credit unions), gambling, remittance and bullion sectors that provide designated services listed in the AML/CTF Act. Lawyers, accountants, real estate agents, trust and company service providers, and precious stone dealers (Tranche-2) are currently not covered by the AML/CTF Act.


What are the proposed changes to AML/CTF laws in Australia?

In 2023, the Attorney General’s Department (AGD) of the federal government launched a consultation to extend AML/CTF rules to lawyers, trust and company service providers, accountants, real estate agents, and precious metals and stones dealers. Following the consultation, the Labor government of Antony Albanese is planning to introduce legislation sometime in 2024. This would extend AML rules to Tranche-2 entities (lawyers, accountants, trust and company service providers, real estate agents, and dealers in precious metals and stone).

The expansion would cover around 100,000 Tranche-2 entities who would become reporting entities.

The proposed changes would also simplify the existing legislation by requiring reporting entities to have a single AML and CTF programme, instead of two, and include specific requirements to assess the risk of money laundering and terrorist financing. It would also cover digital currency and amend the tipping off offence.

The Law Council of Australia has stated that the legal profession is vulnerable to being an unwitting party in money laundering, and lawyers are already taking some proactive steps so reform is not needed. There is also opposition from the real estate sector, and lawyers have raised concerns about privilege.

Australia is one of only five jurisdictions to not regulate Tranche-2 entities, the others being China, Haiti, Madagascar and the United States. Australia is currently not in line with global FATF standards.

The consultation recommends excluding from the regulations lawyers representing a client in litigation. The government has also committed to protecting legal professional privilege. The reforms are known as Tranche-2 reforms. The legislation must pass the House of Representatives and Senate to become law.

Previous attempts to regulate these industries have failed due to strong opposition from the affected industries, and lobbying against the changes is continuing.

What are the existing AML/CTF obligations in Australia?

The AML/CTF Act imposes six key regulatory obligations on reporting entities.

  1. Customer due diligence (CDD), know your customer (KYC), and enhanced due diligence (EDD)
  2. Ongoing customer due diligence
  3. Reporting to AUSTRAC all ‘suspicious matters’, cash transactions of A$10,000 or more, all instructions for the transfer of value sent into or out of Australia and annual compliance reports, and cross border movements of monetary instruments.
  4. Developing and maintaining an AML/CTF program which is independently reviewed
  5. Record keeping: Regulated entities must make and retain records for 7 years
  6. Enrol and register with AUSTRAC and report to them annually

Additional obligations under the AML/CTF Act include:

  • Appoint an AML/CTF officer and carry out training
  • Carry out ongoing money laundering risk assessments
  • Identify UBOs and monitor PEPs

The FTR Act obliges solicitors, solicitor corporations or partnerships of solicitors to report significant cash transactions (>AU$10,000) to the Australian Transaction Reports and Analysis Centre (AUSTRAC) 

Designated services include: opening a bank account, obtaining a loan, buying shares or gambling.

What are the penalties for AML/CTF breaches in Australia?

Penalties range from 12 months’ imprisonment and/or fines up to 25 years’ imprisonment along with fines for individuals and entities.

A defendant can defend AML charges if they can show that they had no reasonable grounds for knowing that the property/money was the proceeds of a crime.

Failing to meet AML/CTF obligations can result in enforcement actions which include civil penalty orders, enforceable undertakings, infringement notices and remedial directions.

Civil penalty orders are each worth $313. AUSTRAC can apply for a civil penalty order from the Federal Court. This fine will be paid to the Commonwealth and can be up to 20,000 civil penalty units ($6,260,000) for an individual, or 100,000 penalty units ($31,300,000) for an entity. 

Recent penalties

In July 2023, the Federal Court ordered two casinos (Crown Melbourne and Crown Perth) to pay a $450m penalty for breaching AML/CTF Act. The casino’s AML/CTF programmes were not based on appropriate risk assessments, did not have appropriate systems and controls to manage the risk, and were not subject to oversight by the board of senior manager.

In October 2020, the Federal Court ordered Westpac Bank to pay a $1.3bn fine. Westpac failed to properly report international transfers with $11bn, did not pass on relevant information about these transactions, did not maintain appropriate records and did not appropriately assess the risks. In addition, Westpac failed to carry out appropriate due diligence regarding suspicious transactions associated with possible child exploitation. Westpac admitted to an additional 76,000 contraventions. 

How VinciWorks can help with AML compliance

VinciWorks is global leader in AML systems for some of the world’s leading law firms and accountants. Founded by British-Australian lawyers, VinciWorks has decades of experience in end-to-end AML compliance, from policies to risk assessments, training and CDD.

AML client onboarding solution

Omnitrack, VinciWorks’ AML client onboarding solution provides an end-to-end AML solution with stress-free technology that adapts to your workflows.

Click here to learn more.

AML training suite – relevant training for all staff

VinciWorks strives to make its AML training more than simply a tick-box exercise.
Click here to learn more.

At a glance: AML ongoing monitoring

Automating the ongoing monitoring process can be the key to an effective and successful AML programme. Our one-page guide to ongoing AML monitoring provides a succinct and informative overview of ongoing monitoring including a definition, tips on how to comply with AML ongoing monitoring regulations, and answers the questions of who needs to be checked during ongoing monitoring, when to do CDD reviews, and what has to be recorded during ongoing monitoring.

Are you an Australian professional interested in the future of money laundering?

Get in touch with us today.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

“In a world older and more complete than ours they move finished and complete, gifted with extensions of the senses we have lost or never attained, living by voices we shall never hear.”

Picture of James

James

VinciWorks CEO, VInciWorks

Spending time looking for your parcel around the neighbourhood is a thing of the past. That’s a promise.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.