Understanding anti-money laundering for Australian regulated entities

Australia has been an outlier in AML for some time. Many accountants, lawyers and real estate agents who would be captured by AML requirements in Europe or the UK have been exempted from these requirements, which are commonplace in other parts of the world. New Zealand has been updating its AML requirements on regulated entities for a number of years with no sign of backtracking. While Australia will hope to avoid some of the implementation mistakes made across the Tasman Sea, it does seem that this time, increased AML regulation in Australia is coming.

Fortunately, Australian firms are in a strong position to learn from what regulated entities in the UK and Europe have been doing since at least the Fourth Directive was ratified by the EU in 2015. With years of experience in supporting the regulated sector to understand and comply with seemingly complex money laundering regulations, VinciWorks is here to demystify the changes and reassure the Australian regulated sector that things are going to be okay.

What will the most difficult changes be for Australian firms to grasp?

Changes to client due diligence

CDD is not a new concept for most regulated entities in Australia, but undertaking differing levels of CDD, and knowing when to do so, can seem complex at first. There are likely to be specific reasons written into the legislation which will determine the level of CDD. Triggers can include jurisdiction, such as the client being based in a high-risk country, or a suspicion of possible money laundering.

When and how should due diligence be done?

Client due diligence should be carried out before establishing a business relationship with the client. This means the checks must be completed prior to any work being done for the client. Clients may need to amend their expectations as to the timing of work being carried out, and understand that these checks must be done first. 

CDD should also be carried out with respect to data security and data privacy laws. Collection, storage and processing must meet the level of data protection the law expects. This also means data will have to be deleted after a certain time, and kept secure with limited access.

What is customer due diligence?

Customer due diligence is the process of identifying your customers and checking they are who they say they are. In practice, this means obtaining a customer’s name, a photograph on an official document which confirms their identity, and their residential address and date of birth. There are three levels of customer due diligence: simplified, standard and enhanced.

Simplified customer due diligence

This can be applied when a risk assessment has shown a negligible or low risk of money laundering. The only requirement is to identify the customer and there is no need to verify the customer’s identity.

Standard customer due diligence

This involves identifying the customer and ensuring the identification is based on a reliable independent source. The purpose and intended nature of the business relationship or transaction must be assessed and further information obtained where appropriate.

Enhanced customer due diligence

Enhanced CDD must be applied when the risk of money laundering is high, such as if the person in question is a politically exposed person. Enhanced due diligence measures can include:

  • Additional identification information from the customer
  • Information on the source of funds or source of wealth
  • The intended nature of the business relationship
  • The purpose of the transaction
  • Subjecting the customer to additional ongoing monitoring procedures


The risk based approach

The risk based approach (RBA) has been a cornerstone of AML compliance in Europe and the UK since it was codified in the Fourth Money Laundering Directive in 2015 and introduced across the EU in the years after. The approach calls for skill in both risk assessment and the ability to react quickly. This will feel like a change for many Australian firms, as it calls for a more proactive approach of understanding the risks of different types of clients, conduct, and countries.

Ultimately, the risk based approach is effective at mitigating the risk of a money laundering failure.

A risk-based approach means you are identifying the highest compliance risks to your organisation and making them a priority for the organisation’s compliance controls, policies and procedures. These are the measures put in place to mitigate that risk. Once your compliance programme reduces those highest risks to acceptable levels, it moves on to medium and then lower risks. RBA involves not only understanding the risks your organisation faces but also creating controls for these risks based on prioritising the damage they could potentially inflict.

Adopting a risk based approach for Australian firms

A risk-based approach focuses efforts based on the level of risk. It involves firms mitigating the risks that they face, with regard to the resources available. Mitigating practices include initial client due diligence (CDD) and ongoing monitoring, as well as a range of internal policies, training, and systems to address the vulnerabilities of the firm.

The key is to implement controls to limit the potential money laundering / terrorist financing (ML/TF) risks your firm identified while conducting risk assessments to stay within your risk tolerance level.

Risk identification and assessment 

This involves identifying money laundering / terrorist financing (AML/CTF) risks facing a firm, taking into account its customers, services, countries of operation, and publicly available information regarding those risks.

Risk management and mitigation 

This involves identifying and applying measures to effectively and efficiently mitigate and manage AML/CTF risks.

Ongoing monitoring

This involves putting in place policies, procedures, and information systems to monitor changes to AML/CTF risks.


This involves documenting risk assessments, strategies, policies and procedures to monitor, manage and mitigate AML/CTF risks.

Certain activities have been found to be more susceptible to money laundering and terrorist financing because they involve the movement or management of client assets. Firms can get ahead of these risks by carrying out risk assessments on these types of activities, and the types of clients who request them. For example, a multinational company sending lots of money abroad is a much lower risk than a local hairdresser sending a lot of money abroad. It’s not so much the types of activities but the type of customer seeking to carry them out. This is why CDD is often known as KYC – Know Your Customer.


Senior management buy-in

Having the right tone from the top is vital for firms to ensure a successful transition to the new regime. This sets compliance as an integral part of the business entity. Having senior management dismiss or whinge about changes that have to be done by the firm is not going to help establish a successful new way of working.

The most successful AML programmes are ones where staff are on board and understand the need and benefit of adhering to policy. This is where training comes in. Training staff on money laundering is likely to be a requirement, but it also helps create a positive change in culture that will have lasting benefits.

For more on training, trial our series of AML courses, which will soon be customised for the Australian legislation.