AUSTRAC has opened a second consultation seeking further feedback on the proposed re-write of the Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Rules. This follows the passage of the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (the Amended AML/CTF Act) by the Australian Parliament in November 2024.
While the major changes introduced in the first exposure draft were covered in a previous article, several updates have been made following the initial consultation:
(a) allowing delayed initial customer due diligence (CDD) in a broader range of circumstances;
(b) providing greater flexibility in determining the lead entity of reporting groups;
(c) clarifying how to form reporting groups;
(d) clarifying the definitions related to value transfers and travel rule requirements (e.g., “ordering institution”, “beneficiary institution”); and
(e) addressing practical implementation challenges for businesses.
In addition to these updates, the second exposure draft (ED2) introduces more onerous information requirements to obtain registration as a VASP, new requirements for suspicious matter reports, new obligations targeting financial sanctions compliance and policy requirements in relation to travel rule compliance.
Key Updates in the ED2
Enrolment Applications
Part 2 of the ED2 contains updated requirements for all enrolment applications. Reporting entities will now be asked to provide additional details such as the number of employees and membership in any industry or professional associations.
Registration of RSPs and VASPs
Under the amended AML/CTF Act and the ED2 Rules, remittance service providers (RSPs) and Virtual Asset Service Providers (VASPs) must apply for registration with AUSTRAC before providing registrable services, in addition to enrolling as reporting entities. Registration differs from enrolment in that AUSTRAC assesses the application before making a decision.
Part 3 of the ED2 introduces a more robust VASP registration process by expanding the information AUSTRAC must consider, aligning Australia with international standards (e.g. the UK, Singapore and Hong Kong). AUSTRAC will also maintain a VASP Register and publish key registration details (see Draft Rule s 3-2). By contrast, the current DCE register is not published by AUSTRAC.
Section 3-4 outlines the general information that must be included in a VASP’s application, such as the applicant’s identity, place of business, beneficial ownership and operational information.
Section 3-5 requires VASPs to identify the money laundering, terrorism financing and proliferation financing risks they may reasonably face in providing their registrable services. This includes risks associated with:
(a) the types of customers they service;
(b) foreign countries they operate in;
(c) the specific products and services offered;
(d) the delivery channels used to provide those services; and
(e) the types of transactions undertaken.
Applicants must also explain how they review and update this ML/TF risk assessment. Under Section 3-6, VASPs must outline their AML/CTF policies, including evidence of the knowledge, training and experience of key personnel in meeting AML/CTF obligations. Section 3-9 further requires due diligence on key personnel, including criminal history and findings from court proceedings or regulators.
Section 3-14 introduces additional requirements for VASP registration, including:
- the types of virtual assets offered in connection with registrable services;
- the delivery channels used to provide the services;
- how customers’ virtual assets or funds may be used in exchanges;
- whether transaction or time limits will apply, and if so, their details;
- expected average monthly:
- number of designated services provided; and
- total value of customers’ money, virtual assets, and property handled in the first 12 months after registration; and
- for each wallet controlled by the applicant, the types of virtual assets it can store and the wallet’s address.
Transitional provisions are also proposed to allow VASPs to continue operating while AUSTRAC assesses their registration applications, helping to avoid unnecessary business disruption during the transition.
Financial Sanctions Policies
ED2 introduces a new requirement for all reporting entities to develop and maintain AML/CTF policies that ensure compliance with targeted financial sanctions (TFS), such as asset freezing, when providing designated services. For example, Section 4-12 of the ED2 Rules states that reporting entities must have policies to ensure that in providing its designated service, it does not “use or deal with, or allow or facilitate the use of or dealing with, any money, property or virtual assets owned or controlled (directly or indirectly) by a person designated for targeted financial sanctions, in contravention of either of those Acts”.
Customer Due Diligence (CDD)
Several updates have been made to Part 5 of the ED2, including:
- removing the requirement to collect and verify a customer’s place of birth (following submissions noting the difficulties of doing so);
- allowing delayed verification of identification requirements for all reporting entities providing designated services, provided the conditions set out in the rules are met;
- exempting certain low-risk customers from beneficial ownership due diligence such as government bodies, entities regulated by prudential, insurance, or investor protection authorities and publicly listed companies subject to disclosure obligations that ensure transparency of beneficial ownership; and
- clarifying that the obligation to identify persons on whose behalf a service is provided is limited to establishing the beneficiaries of a trust (or foreign equivalents) on reasonable grounds (that is, there is no requirement to conduct CDD on a customer’s customers).
Suspicious Matter Reports (SMRs) and Threshold Transaction Reports (TTRs)
ED2 provides new details on the required contents of SMRs and TTRs. These changes are meant to reflect the increased use of digital technologies and new financial products. Under Sections 8-4 (SMRs) and 8-8 (TTRs) of ED2, where the matter involves virtual assets, reports must include:
(a) the type of virtual assets, including details of the backing asset (if any);
(b) the quantity of virtual asset units;
(c) the value in AUD;
(d) the applicable exchange rate in determining the value;
(e) the unique transaction reference number, including a transaction hash; and
(f) the wallet address, including destination tag or memo details.
According to the Consultation Paper, AUSTRAC will also be releasing new online forms for SMRs and TTRs.
Transitional Arrangements for International Value Transfer Reports
The Department of Home Affairs has proposed transitional arrangements to keep the current international funds transfer reporting framework in place until after 2026. This will give AUSTRAC and industry time to develop and consult on the new reporting requirements for:
- International value transfer services (under section 46 of the Amended AML/CTF Act), and
- Transfers involving unverified self-hosted virtual asset wallets (under section 46A of the Amended AML/CTF Act).
The Travel Rule and Counterparty Due itDiligence for Virtual Asset Transfers
Section 66A of the Amended AML/CTF Act introduces the “travel rule”, which requires that certain identifying information about the payor and payee be transmitted with transfers of value, including virtual asset transfers.
However, a “sunrise issue” was raised during consultation. For example, Australian reporting entities may be required to transmit or receive travel rule information under domestic obligations but may interact with counterparties in jurisdictions where such requirements do not yet exist. To address this, subsections 66A(9) and (10) of the Amended AML/CTF Act provide limited exceptions. These permit an Australian reporting entity to omit travel rule information if it has reasonable grounds to believe that the counterparty institution:
- cannot securely comply with the travel rule, or
- cannot safeguard the confidentiality of the information.
AUSTRAC has stated that these are objective tests, and the reason for the determination must be documented.
Another question raised in submissions was how a VASP can undertake counterparty due diligence to determine whether a third-party virtual asset wallet is controlled by a regulated VASP, an unregulated VASP, an illegally operating VASP or is a self-hosted wallet. In response, AUSTRAC has stated that further guidance will be issued with examples of how to assess the status of a third-party wallet. Nonetheless, Section 4-13 of ED2 require entities to have AML/CTF policies that explain how they will undertake counterparty due diligence.
Class Exemptions and Other Matters
In addition to ED2, the exposure draft of the AML/CTF Rules (Class Exemptions and Other Matters) 2007 has been released for public consultation for the first time. Only selected chapters are being retained, with most older provisions removed or replaced by updated rules in ED2. Some exemptions include issuing or selling a security or derivative in specified circumstances (Chapter 21), designated services related to OTC derivatives involving certain commodities or products (Chapter 22) and designated services to a risk-only life policy member of a superannuation fund under certain conditions (Chapter 47).
Submissions for the second round of consultation will close on 27 June 2025.
