This instrument is the Anti-Money Laundering and Counter-Terrorism Financing Rules Amendment Instrument 2021 (No. 1).

(1) Each provision of this instrument specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.

Commencement information
Column 1	Column 2	Column 3
Provisions	Commencement	Date/Details
1. Sections 1 to 4 and anything in this instrument not elsewhere covered by this table	17 June 2021
2. Schedule 1	17 June 2021

Note: This table relates only to the provisions of this instrument as originally made. It will not be amended to deal with any later amendments of this instrument.

(2) Any information in column 3 of the table is not part of this instrument. Information may be inserted in this column, or information in it may be edited, in any published version of this instrument.

3 Authority

This instrument is made under section 229 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006.

4 Schedules

Each instrument that is specified in a Schedule to this instrument is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this instrument has effect according to its terms.

Schedule 1—Amendments

Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1)

1 Chapter 3

Repeal the chapter, substitute:

CHAPTER 3 Correspondent Banking

Part 3.1—Entry into a correspondent banking relationship

3.1.1 This Part is made for subsection 96(1) of the Act.

Carrying out an initial assessment

3.1.2 The first institution (the correspondent) must conduct due diligence to assess the money laundering, financing of terrorism or other serious crime risks associated with entry into a correspondent banking relationship with another financial institution (the respondent) that will involve a vostro account.

3.1.3 The correspondent must consider the following factors when assessing money laundering, financing of terrorism or other serious crime risks:

(1) the ownership, control and management structures of:

(a) the respondent; and

(b) the ultimate parent company of the respondent, if any;

(2) the nature, size, and complexity of the respondent’s business, including:

(a) its products, services, delivery channels and customer types; and

(b) the types of transactions carried out on behalf of underlying customers as part of the correspondent banking relationship and the services provided to underlying customers that relate to such transactions;

(3) the country or countries in which:

(a) the respondent operates or resides; and

(b) if the ultimate parent company of the respondent has group-wide anti-money laundering and counter-terrorism financing systems and controls, and the respondent operates within the requirements of those controls—the ultimate parent company operates or resides;

Note 1: Country has the meaning given by section 5 of the Act.

Note 2: A foreign country may include a region or regions. These regions may have a different risk profile to each other or the rest of the foreign country.

(4) the existence and quality of any anti-money laundering and counter-terrorism financing regulation and supervision in the country or countries identified under subparagraph (3) and the respondent’s compliance practices in relation to those regulations;

(5) the adequacy and effectiveness of the respondent’s anti-money laundering and counter-terrorism financing systems and controls;

(6) publicly-available information relating to the reputation of the respondent and any related bodies corporate, including whether the respondent has been the subject of:

(a) a regulatory investigation relating to implementation of anti-money laundering, counter-terrorism financing or sanctions obligations; or

(b) adverse regulatory action relating to implementation of anti-money laundering, counter-terrorism financing or sanctions obligations; or

(c) an investigation or criminal or civil proceedings relating to money laundering, financing of terrorism or other serious crimes;

(7) if the correspondent maintains vostro accounts that can be accessed directly by the customers of the respondent (payable-through accounts)—the respondent:

(a) conducts customer due diligence and ongoing customer due diligence in relation to those customers; and

(b) is able to provide to the correspondent, on request, the documents, data or other information obtained when conducting customer due diligence and ongoing customer due diligence in relation to those customers.

Requirement for senior officer approval

3.1.4 The senior officer of the correspondent (senior officer) must have regard to:

(1) the money laundering, financing of terrorism or other serious crime risks assessed in the written record of the due diligence assessment; and

(2) the adequacy and effectiveness of the correspondent’s anti-money laundering and counter-terrorism financing program to manage those risks;

before approving entry into a correspondent banking relationship.

3.1.5 If the correspondent maintains payable-through accounts, the senior officer must be satisfied that the respondent:

(1) verifies the identify of, and conducts ongoing customer due diligence in relation to, customers before they have access to those accounts; and

(2) is able to provide the correspondent, on request, the documents, data, or other information obtained when conducing customer due diligence and ongoing customer due diligence in relation to the customers that have access to those accounts.

Part 3.2—Ongoing assessments of a correspondent banking relationship

3.2.1 This Part is made for subsection 96(3) of the Act.

Carrying out ongoing assessments

3.2.2 The first institution (the correspondent) must conduct due diligence to assess the money laundering, financing of terrorism or other serious crime risks of a correspondent banking relationship with another financial institution (the respondent) that involves a vostro account.

3.2.3 The correspondent must consider the factors set out in subparagraphs 3.1.3(1)–(7) when assessing money laundering, financing of terrorism or other serious crime risks.

Timing of ongoing assessments

3.2.4 The correspondent must conduct assessments at times determined appropriate by the correspondent, based on consideration of:

(1) the level of money laundering, financing of terrorism or other serious crime risks of the correspondent banking relationship; and

(2) any material change in respect of those risks;

but in any event, at least every two years.

2 Chapter 6

Repeal the chapter, substitute:

CHAPTER 6 Verification of identity

Part 6.1—Re-verification of KYC information

6.1.1 This Part is made for subparagraph 35(1)(b) and subsection 35(2) of the Act.

6.1.2 A reporting entity must take the action set out in paragraph 6.1.3 if:

(1) the reporting entity suspects on reasonable grounds that the customer is not the person that customer claims to be; or

(2) the reporting entity has doubts about the veracity or adequacy of documents or information previously obtained for the purpose of identifying or verifying:

(a) the customer; and

(b) the beneficial owner of the customer (if any); and

6.1.3 The reporting entity must, as soon as practicable, take reasonable measures to:

(1) obtain and verify additional KYC information; or

(2) update and verify existing KYC information;

so that the reporting entity is reasonably satisfied that the customer, beneficial owner or person purporting to act on behalf of the customer is the person that the customer, beneficial owner or person purporting to act on behalf of the customer claims to be.

Note: A reporting entity is not required to take any measures that would contravene the tipping off offence in section 123 of the Act.

Part 6.2—Verification of identity of pre-commencement customers

6.2.1 This Part is made for subsection 29(2) of the Act.

6.2.2 If a suspicious matter reporting obligation arises for a pre-commencement customer, the reporting entity must take one or more of the following actions as appropriate:

(1) carry out the applicable customer identification procedure unless the reporting entity has previously carried out, or been deemed to have carried out, that procedure or a comparable procedure;

(2) collect additional KYC information about the customer;

(3) verify the KYC information obtained under subparagraph (2) from reliable and independent sources;

so that the reporting entity is reasonably satisfied that the customer is the person that the customer claims to be.

6.2.3 The reporting entity must take the required action or actions as soon as practicable after the day on which the suspicious matter reporting obligation arose.

Note: A reporting entity is not required to take any measures that would contravene the tipping off offence in section 123 of the Act.

Part 6.3—Verification of identity of low-risk service customers

6.3.1 This Part is made for subsection 31(2) of the Act.

6.3.2 If a suspicious matter obligation arises for a low-risk service customer, the reporting entity must take one or more of the following actions as appropriate:

(1) carry out the applicable customer identification procedure unless the reporting entity has previously carried out, or been deemed to have carried out, that procedure or a comparable procedure;

(2) collect additional KYC information about the customer;

(3) verify the KYC information obtained under subparagraph (2) from reliable and independent sources;

so that the reporting entity is reasonably satisfied that the customer is the person that the customer claims to be.

6.3.3 The reporting entity must take the required action or actions as soon as practicable after the day on which the suspicious matter reporting obligation arose.

Note: A reporting entity is not required to take any measures that would contravene the tipping off offence in section 123 of the Act.

3 Chapter 7

Repeal the chapter, substitute:

CHAPTER 7 Reliance on third parties

Part 7.1—Reliance

7.1.1 This Part is made for paragraphs 37A(1)(a) and 38(b) of the Act.

Other procedures that may be relied on for customer identification

7.1.2 The procedures in paragraph 7.1.3 are prescribed.

7.1.3 Customer due diligence procedures (however described) that comply with one or more laws of a foreign country giving effect to the FATF Recommendations relating to customer due diligence and record-keeping and require the other person to:

(1) identify the customer and verify the customer’s identity using reliable and independent sources, so that the other person is satisfied that it knows who the customer is; and

(2) identify the beneficial owner of the customer and take reasonable measures to verify the identity of the beneficial owner, so that the other person is satisfied that it knows who the beneficial owner is; and

(3) identify a person acting on behalf of the customer and take reasonable steps to verify the person’s identity and authority to act on behalf of the customer, so that the other person is satisfied that it knows who the person is and that the person has authority to act on behalf of the customer.

Note 1: Country has meaning given by section 5 of the Act.

Note 2: A foreign country may include a region or regions. These regions may have a different risk profile to each other or the rest of the foreign country.

Part 7.2—Ongoing reliance under an agreement or arrangement

7.2.1 This Part is made for paragraph 37A(1)(b) and subsection 37B(1) of the Act.

Requirements relating to agreements or arrangements for reliance

7.2.2 The following requirements are prescribed:

(1) the written agreement or arrangement must:

(a) document the responsibilities of the first entity and the other person; and

(b) enable the first entity to obtain all required KYC information relating to the identity of:

(i) the customer; and

(ii) the beneficial owner of the customer (if any); and

(iii) a person acting on behalf of the customer (if any);

before commencing to provide a designated service to the customer; and

(c) enable the first entity to obtain a record of the applicable customer identification procedures or the other procedures (as specified in this paragraph) carried out by the other person to verify the identity of the customer, the beneficial owner of the customer or a person acting on behalf of the customer, and all relevant documents, data and information obtained by the other person in the course of carrying out those procedures (verification information):

(i) immediately, in accordance with terms of the agreement or arrangement relating to the management of relevant documents and electronic data relating to identification and verification; or

(ii) as soon as practicable following a request from the first entity to the other person; and

(d) be approved by the governing board or a senior managing official of the first entity;

(2) the first entity must determine:

(a) the type and level of money laundering, financing of terrorism or other serious crime risks that the first entity may reasonably be expected to face in its provision of designated services; and

(b) the nature, size, and complexity of the other person’s business, including its products, services, delivery channels, and customer types; and

(c) the level of money laundering, financing of terrorism or other serious crime risks in the country or countries in which the other person operates or resides;

(3) the other person must be:

(a) a reporting entity; or

(b) a foreign entity regulated by one or more laws of a foreign country giving effect to the FATF Recommendations relating to customer due diligence and record-keeping (equivalent CDD and record-keeping obligations);

(4) if the other person is a reporting entity, the other person must have measures in place to comply with their obligations under Parts 2 and 10 of the Act;

(5) if the other person is a foreign entity, the other person must have measures in place to comply with the equivalent CDD and record-keeping obligations.

Note: Paragraph 37A(2)(d) and section 32 require the first entity to obtain the KYC information referred to in subparagraph 7.2.2(1)(b) from the other person before commencing to provide a designated service.

Regular assessments of agreements or arrangements for reliance

7.2.3 The first entity must carry out regular assessments of the requirements prescribed by paragraph 7.2.2 to ensure that the other person is continuing to meet those requirements.

7.2.4 The assessments must be carried out by the first entity at regular intervals, having regard to:

(1) the type and level of money laundering, financing of terrorism or other serious crime risks faced by the first entity; and

(2) any material change in respect of a matter prescribed by subparagraphs 7.2.2(2)–(5);

but in any event, at least every two years.

Note: If the assessment conducted under paragraph 7.2.3 identifies that the requirements are not being met, the first entity cannot rely on procedures carried out by the other person until the first entity believes on reasonable grounds that the requirements of paragraph 7.2.2 are being met.

Part 7.3—Case-by-case reliance

7.3.1 This Part is made for paragraph 38(e) of the Act.

7.3.2 The first entity may rely on applicable customer identification procedures or other procedures (as prescribed by paragraph 7.1.2) carried out by the other person if:

(1) the other person satisfies the requirements in subparagraphs 7.2.2(3)–(5); and

(2) the other person has obtained all required KYC information relating to the identity of:

(a) the customer; and

(b) the beneficial owner of the customer (if any); and

before the first entity commences to provide a designated service to the customer; and

(3) the first entity has reasonable grounds to believe that the verification information will be:

(a) immediately available to the first entity under an agreement in place for the management of relevant documents and electronic data relating to identification and verification; or

(b) otherwise made available to the first entity as soon as practicable following receipt by the other person of a written request from the first entity, but in any event within 7 calendar days of the request being received.

Note : Subsection 38(c) and section 32 require the first entity to obtain the KYC information referred to in subparagraph 7.3.2(2) from the other person before commencing to provide a designated service.

7.3.3 A belief formed under paragraph 7.3.2 will only be reasonable if the first entity has considered the following factors:

(1) the type and level of money laundering, financing of terrorism or other serious crime risks that the first entity may reasonably be expected to face in its provision of the designated services to the customer;

(2) the level of money laundering, financing of terrorism or other serious crime risks in the country or countries in which the other person operates or resides;

(3) the nature, size, and complexity of the other person’s business, including its products, services, delivery channels, and customer types.

7.3.4 The first entity must make a written record that sets out how the first entity met the requirements in paragraphs 7.3.2 and 7.3.3.

Deemed compliance—reliance within a corporate or designed business group

7.3.5 The first entity is taken to comply with the requirements of paragraphs 7.3.2 and 7.3.3 if the following conditions are met:

(1) the first entity relies on the applicable customer identification procedures or other procedures (as specified in paragraph 7.1.2) carried out by another person who is a member of the same corporate group or designated business group;

(2) the first entity and the other person:

(a) apply a joint anti-money laundering and counter terrorism-financing program (AML/CTF program) or other group-wide measures relating to customer due diligence and record keeping; and

(b) have implemented a joint AML/CTF program or other group-wide anti-money laundering and counter terrorism-financing risk-based systems and controls consistent with the requirements of the relevant FATF Recommendations;

(3) any higher money laundering, financing of terrorism or serious crime risks in the country or countries in which the other person operates or resides are adequately identified, mitigated and managed by the joint AML/CTF program and risk-based systems and controls of the corporate group or designated business group;

(4) the implementation of the risk-based system and controls mentioned in subparagraphs (2) and (3) are supervised or monitored at a group-level by a body empowered by law to supervise and enforce equivalent CDD and record-keeping obligations.

Note 1: If the first entity relies on applicable customer identification procedures or other procedures (as prescribed by paragraph 7.1.2) undertaken by another person under Part 7.3, the first entity retains ultimate responsibility for ensuring that all relevant obligations relating to customer identification and verification, and ongoing due diligence under the Act and Rules are met.

Note 2: Reporting entities that collect information about a customer, beneficial owner of a customer, or person acting on behalf of a customer, from a third party will need to consider their obligation under Australian Privacy Principle (APP) 3. An APP entity must only collect personal information which is reasonably necessary for one or more of the entity’s functions or activities (see APP 3.8).

4 Chapter 10

Repeal the chapter, substitute:

CHAPTER 10

Part 10.1—Casinos

10.1.1 This Part is made for subsections 39(4), 118(2) and 118(4) of the Act.

10.1.2 This Part applies to designated services provided by a casino other than online gambling services.

Customer identification

10.1.3 Division 4 of Part 2 of the Act, subject to paragraph 10.1.5, does not apply to a designated service that:

(1) is of a kind described in items 1, 2, 4, 6, 7, 8 or 9 of table 3 in subsection 6(4) of the Act; and

(2) involves an amount less than $10,000.

10.1.4 Division 4 of Part 2 of the Act, subject to paragraph 10.1.5, does not apply to a designated service that is of a kind described in items 1, 2, 4, 6 or 9 of table 3 in subsection 6(4) of the Act where the service:

(1) involves an amount of $10,000 or more; and

(2) involves the customer giving or receiving only gaming chips or tokens.

10.1.5 An exemption does not apply if the reporting entity determines that it must obtain and verify any KYC information about a customer in accordance with its enhanced customer due diligence program and customer identification program.

Verification of identity

10.1.6 Chapter 6 is modified as follows:

(1) the specified action in paragraph 6.1.3 must be taken:

(a) within 14 days starting after the day on which the circumstance specified in paragraph 6.1.2 comes into existence; or

(b) before the reporting entity commences to provide another designated service to the customer to which Part 2 of the Act applies;

(2) the specified action in paragraph 6.2.2 must be taken:

(a) within 14 days starting after the day on which the suspicious matter reporting obligation arose; or

(b) before the reporting entity commences to provide another designated service to the customer to which Part 2 of the Act applies;

(3) the specified action in paragraph 6.3.2 must be taken:

(a) within 14 days starting after the day on which the suspicious matter reporting obligation arose; or

(b) before the reporting entity commences to provide another designated service to the customer to which Part 2 of the Act applies;

(4) paragraphs 6.2.3 and 6.3.3 do not apply.

Record‑keeping

10.1.7 Sections 106 and 107 of the Act do not apply to a designated service of a kind described in:

(1) items 1, 2, or 6 of table 3 in subsection 6(4) of the Act; or

(2) item 4 of table 3 in subsection 6(4) to the extent that the customer is only given gaming chips or tokens when the service is provided.

Part 10.2—On‑course bookmakers and totalisator agency boards

10.2.1 This Part is made for subsections 39(4), 118(2) and 118(4) of the Act.

10.2.2 This Part applies to designated services provided by a reporting entity that is an on‑course bookmaker or a totalisator agency board.

Customer identification

10.2.3 Division 4 of Part 2 of the Act, subject to paragraph 10.2.5, does not apply to a designated service of a kind described in items 1 or 2 of table 3 in subsection 6(4) of the Act.

10.2.4 Division 4 of Part 2 of the Act, subject to paragraph 10.2.5, does not apply to a designated service that:

(1) is of a kind described in items 4, 7 or 8 of table 3 in subsection 6(4); and

(2) involves an amount less than $10,000.

10.2.5 An exemption does not apply if the reporting entity determines that it must obtain and verify any KYC information about a customer in accordance with its enhanced customer due diligence program and customer identification program.

Verification of identity

10.2.6 Chapter 6 is modified as follows:

(1) the specified action in paragraph 6.1.3 must be taken:

(a) within 14 days starting after the day on which the circumstance specified in paragraph 6.1.2 comes into existence; or

(b) before the reporting entity commences to provide another designated service to the customer to which Part 2 of the Act applies;

(2) the specified action in paragraph 6.2.2 must be taken:

(a) within 14 days starting after the day on which the suspicious matter reporting obligation arose; or

(b) before the reporting entity commences to provide another designated service to the customer to which Part 2 of the Act applies;

(3) the specified action in paragraph 6.3.2 must be taken:

(a) within 14 days starting after the day on which the suspicious matter reporting obligation arose; or

(b) before the reporting entity commences to provide another designated service to the customer to which Part 2 of the Act applies;

(4) paragraphs 6.2.3 and 6.3.3 do not apply.

Record‑keeping

10.2.7 Sections 106 and 107 of the Act do not apply to a designated service of a kind described in:

(1) items 1, 2, or 6 of table 3 in subsection 6(4) of the Act; or

(2) items 7 or 8 of table 3 in subsection 6(4) of the Act where that service involves an amount less than $10,000.

Part 10.3—Gaming machines

10.3.1 This Part is made for subsection 39(4) of the Act.

10.3.2 This Part applies to designated services provided by a reporting entity by way of a gaming machine other than designated services provided at a casino.

Customer identification

10.3.3 Division 4 of Part 2 of the Act, subject to paragraph 10.3.5, does not apply to a designated service of a kind described in items 5 or 6 of table 3 in subsection 6(4) of the Act.

10.3.4 Division 4 of Part 2 of the Act, subject to paragraph 10.3.5, does not apply in respect of a designated service that:

(1) is of a kind described in items 9 or 10 of table 3 in subsection 6(4); and

(2) involves an amount less than $10,000.

10.3.5 An exemption does not apply if the reporting entity determines that it must obtain and verify any KYC information about a customer in accordance with its enhanced customer due diligence program and customer identification program.

Part 10.4—Accounts for online gambling services

10.4.1 This Part is made for paragraphs 33(a) and (b) and subparagraph 34(1)(d)(i) of the Act.

Special circumstances that justify carrying out the applicable identification procedure after commencement of the provision of a designated service

10.4.2 Online gambling services, subject to the conditions specified in paragraph 10.4.3, are specified for the purposes of paragraph 33(a) of the Act.

10.4.3 The special circumstances are only available to the reporting entity if:

(1) the customer is required to open an account in order to obtain the service; and

(2) the reporting entity does not permit the customer to withdraw any funds from the account prior to carrying out the applicable customer identification procedure.

The period ascertained in accordance with subparagraph 34(1)(d)(i) of the Act

10.4.4 The period is 14 days starting on the day that the reporting entity opens the account in the name of the customer.