The Australian Transaction Reports and Analysis Centre (AUSTRAC) has published its “final” guidance on providing banking services to high-risk customers, including fintechs, remitters and crypto exchanges.
The new guidance is aimed at financial institutions (FIs) that provide banking services to high-risk customers. It aims to address the issue of “de-banking” using a risk-based approach.
As noted by AUSTRAC, de-banking should be a method of last resort for FIs, as the decision to de-bank a customer can conflict with other legislation such as privacy, human rights and anti-discrimination laws.
“De-banking can have a devastating impact on legitimate businesses,” said AUSTRAC.
“It also reduces the capacity of Australia’s AML/CTF [anti-money laundering/counter terrorism financing] framework to prevent and detect money laundering, terrorist financing and other serious crimes by discouraging transparency and potentially forcing customers into unregulated channels.”
For FIs, the guidance aims to set out AUSTRAC's expectations when banking high-risk customers, while for customers, the guidance aims to clarify what information may be requested when seeking or using banking services and how FIs can provide this guidance.
‘Zero failure’ is not the goal
Under the AML/CTF Act, FIs must develop “tailored” systems and controls that are proportionate to the level of risk posed by a particular business that they may wish to serve.
Further, AUSTRAC notes that using a risk-based approach does not require “disengagement” by FIs from establishing business relationships with high-risk customers.
On the contrary, the guidance reminds FIs that a risk-based approach does not imply a “zero failure” approach to combating financial crime.
“Even if a financial institution implements appropriate risk-based systems and controls, AUSTRAC recognises that no reporting entity can reduce financial crime risk to zero,” it said.
Under the AML/CTF Act, if a reporting entity can prove that it took reasonable precautions and exercised due diligence to avoid contravention of the Act, this is a viable defence in civil proceedings.
Similarly, the AML watchdog reminds FIs that there is no requirement in the act for them to decline business from entire sectors, even if that sector’s relative risk is assessed as high.
Assessing risk factors
When taking into account the risk factors of a prospective customer, AUSTRAC’s guidance reminds FIs that risk is “dynamic” and needs to be continually re-assessed.
Further, taking a customer-specific approach to risk does not require a unique process for each customer.
Instead, developing standard templates and processes for engaging with businesses and gathering key information may assist FIs with keeping engagement costs to a reasonable level.
Though not a requirement under the AML/CTF Act, AUSTRAC also suggests that some FIs may be in a position to arrange a third-party review or certification of their AML/CTF risk assessment of a particular customer.
Such third-party involvement may benefit an FI when deciding whether to provide the services sought by the customer.
Prioritise customer due diligence
Similarly, AUSTRAC reminds FIs that customer due diligence must be completed before providing regulated services to customers and must be continually re-assessed.
Under the AML/CTF Act an FI must be “reasonably satisfied” that the customer is who they say they are and that the beneficial owner of the customer has been established.
If the FI proceeds with the relationship, its beneficial ownership information must be continually updated.
In the AML/CTF Act these requirements are referred to as "applicable customer identification procedures" (ACIP).
Special considerations and red flags
When assessing a potential customer, FIs are reminded to consider “residual” AML/CTF risks presented by the customer’s activities.
This refers to any risk that is likely to emerge after an FI has taken account of the customer’s initial presentation of internal AML/CTF controls and procedures.
“The key question in assessing residual risk is: do the business’s measures to identify, mitigate and manage [A]ML/[C]TF risks appear to be reasonable?” said AUSTRAC.
Similarly, an FI should pay close attention to a customer’s activities around the time of its AUSTRAC registration filing.
Remitters, fintechs and crypto exchanges that offer regulated financial services are required to register with AUSTRAC unless specifically exempted, but registration alone does not mean that a prospective customer is safe to do business with from an AML/CTF perspective.
At the time of AUSTRAC registration, all key personnel should undergo national police checks and adverse media information checks.
In particular, FIs should look out for “phoenixing” — whereby key personnel from a recently closed business re-appear at a new business — and evidence of changes in key personnel immediately after AUSTRAC registration.
The long road to guidance
AUSTRAC’s latest guidance on banking high-risk customers is the product of a two-year process that began with a Senate report published in 2021.
In October that year, the Senate Select Committee on Australia as a Technology and Financial Centre published a report calling for a “review” of Australia’s AML/CTF regulations.
That report was followed, one year later, by an AUSTRAC consultation on new draft guidance on de-banking, which closed in December 2022.
In other jurisdictions, regulators are also taking a closer look at the performance of FIs in managing AML/CTF risks and controls.
This month, as covered by VIXIO, the European Banking Authority (EBA) published its latest report on AML/CTF risks among European payments firms, finding that these risks are “not adequately” managed.
As with AUSTRAC, one of the key issues highlighted by the EBA was European payments firms’ failure to assess residual AML/CTF risks presented by customers.
According to the EBA, this failure is one reason why payment firms have been able to engage in regulatory arbitrage in Europe, establishing their operations in a “less stringent” jurisdiction and then passporting activities to other jurisdictions.