A 5 Minute Guide to Australia’s AML Obligations for FinTechs

Under the AML/CTF Act 2006, designated businesses must meet four key obligations that reflect the private sector obligations set out by the Financial Action Task Force (FATF).
These include:

1. Enrollment and registration

FinTechs that provide designated financial services must enroll with the Australian Transaction Reports and Analysis Centre (AUSTRAC), Australia’s key AML/CTF regulator. This covers all firms that provide services listed in Article 6 of the AML/CTF Act, including account or deposit-taking, lending, credit, currency exchange or investments, insurance, wires, and remittances. 

Remittances and digital currency exchange (i.e., cryptocurrency exchange) service providers must also sign up to AUSTRAC’s Remittance Register or the Digital Currency Exchange (DCE). According to AUSTRAC, it can take up to 90 days to register a remittance business or digital exchange, and there is the potential for further questions and requests for information during processing.

Licensing from other financial regulators, including the Australian Securities and Investments Commission (ASIC) and the Australian Prudential Regulation Authority (APRA), is required for broader regulatory purposes. 

2. Develop and maintain an AML/CTF program 

Firms must create policies, procedures, and controls to identify, manage, and mitigate financial crime risks. A vital aspect is appointing a senior figure legally responsible for the firm’s AML/CTF framework, known as the Money Laundering Reporting Officer (MLRO).

At the heart of an AML/CFT program is the conduct of Customer Due Diligence (CDD), including the Identification and Verification (ID&V) of customers’ identities, Enhanced Due Diligence (EDD) for high-risk customers such as Politically Exposed Persons (PEPs), and regular re-screens of customers over time. 

3. Report to AUSTRAC

In undertaking CDD, firms will sometimes come across causes for concern. From a name being found on a sanctions list to discovering unusual or suspicious behavior patterns, firms must report their concerns to the authorities through authorized channels by submitting Suspicious Matters Reports (SMRs) to AUSTRAC. 

FinTechs must submit the following reports online through the firm’s AUSTRAC account:

The penalties imposed on FinTechs for failing to meet these expectations can be significant. For example, failing to submit an appropriate SMR, or doing it late, can lead to a fine of 20,000 penalty units in a federal court for a single business and up to 100,000 for a corporate group. One unit is currently worth AUD 222, so fines can be substantial. 

4. Record keeping

Undertaking AML/CTF requirements generate important data. To help the work of AUSTRAC and broader law enforcement, firms are expected to maintain records on AML/CFT operations for a minimum period of seven years, providing them to official bodies of law enforcement on request. 

Australian laws and regulations stress that these obligations must be met with sensitivity to the reality of risks faced by an individual business. Different approaches may be required depending on what a firm does, with whom, and where – alongside other criteria. For example, a firm fulfilling a high volume of large remittances for customers in or around a high-risk jurisdiction may conduct more intensive due diligence on client transactions than a firm doing small domestic transactions. This is called adopting a risk-based approach (RBA) to financial crime compliance and is fundamental to effectively meeting a firm’s obligations.