The Australian Transaction Reports and Analysis Centre (AUSTRAC) provides a guide for digital currency exchange service businesses, which may deal with Bitcoin or other digital currencies, to develop an AML/CTF program, in order to mitigate the associated money laundering and terrorism financing (ML/TF) risks. We explore the key steps identified by AUSTRAC in developing an effective AML/CTF program for digital currency exchanges.
Money-laundering and terrorism financing risk assessment
In order to identify a business’ ML/TF risks, it needs to consider:
- Customer profile, including:
- Types of customers and source of funds.
- Physical location (e.g. in foreign countries that may be considered high risk).
- Expected digital currency exchange patterns, and what may constitute ‘unusual’ behaviour.
- Whether any customers are likely to be Politically Exposed Persons (PEP).
- Services and methods of delivery
- Does the business buy/sell/exchange/hold digital currency?
- Which digital currencies are offered for exchange?
- Does the business purchase digital currencies from reliable sources?
- Are transactions conducted using cash?
- The criminal threat environment and possible vulnerabilities of the business.
- The foreign jurisdictions in which the business provides services.
AML/CTF risk awareness training program
Employees need to be trained about the business’ ML/TF risks and the relevant procedures. The training program should include:
- The business’ obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) and the consequences of non-compliance.
- The types of ML/TF risk the business might face and the potential consequences.
Employee due diligence program
The AML/CTF program must have an employee due diligence program that sets out:
- What checks will be performed on potential employees before they are hired.
- Which business roles may have the potential to facilitate ML/TF, and what additional checks will be performed for these employees.
- How employees will be supervised to ensure compliance with AML/CTF procedures, and what will be done in cases of non-compliance.
Ongoing oversight and review
Once the AML/CTF program is adopted and approved by the board, executives and/or senior management, a procedure needs to be put in place to ensure ongoing review of the program. In addition to being reviewed internally, the program must also be subject to regular independent review.
AML/CTF compliance officer
An AML/CTF compliance officer should be appointed (someone at management level), as well as a backup person who will assume their role when absent.
Responding to AUSTRAC feedback
AUSTRAC may provide feedback to the business about its AML/CTF obligations and in some instances, a response will be requested. Procedures need to be established to ensure that responses are sent in a timely manner.
Reporting procedures
The digital currency exchange service business needs to provide AUSTRAC with reports about suspicious matters, threshold transactions and compliance with AML/CTF obligations.
Suspicious matter reports
A suspicious matter report (SMR) should be submitted any time that suspicious activity is detected, in accordance with the following timeframes:
Suspicion related to terrorism financing – within 24 hours
Suspicion relating to money laundering, tax fraud or tax evasion, or any crime other than terrorism financing – within 3 business days
Threshold transaction reports
A threshold transaction report (TTR) needs to be submitted for transactions over $10,000. The timeframe is 10 business days after the customer is provided with the digital currency exchange service.
Compliance reporting
A compliance report needs to be submitted to AUSTRAC to demonstrate that AML/CTF obligations are being met. It should be identified who within the business will be responsible for submitting this report, and how it will be ensured that due dates are complied with.
Maintaining enrolment and registration details with AUSTRAC
Business enrolment and registration details with AUSTRAC need to be maintained, and the business’ registration needs to be renewed every three years.
Ongoing customer due diligence & transaction monitoring
Ongoing customer due diligence occurs after the relationship with the customer has been established
Updating, verifying and re-verifying customer information
Controls need to be established to determine whether under any circumstances the business will need to update, verify and/or re-verify customer details. For example, if the customer is suspected of being involved in suspicious activity.
Monitoring customer transactions
A transaction monitoring program needs to be established to identify suspicious transactions to report to AUSTRAC. This includes:
- Complex transactions.
- Unusual and large transactions.
- Unusual patterns of transactions.
- Multiple transactions involving a range of digital currencies.
- Digital currencies that pose a higher ML/TF risk or provide greater anonymity.
Enhanced customer due diligence procedures
An enhanced customer due diligence program sets out procedures for situations where there is a high ML/TF risk, when a suspicious matter reporting obligation arises, or where the customer is a foreign PEP.
Record keeping
Digital currency exchange service providers must:
- Retain records of customer identification for seven years after the date they last provided a service to the customer.
- Keep any transaction records for seven years after the transaction is conducted.
- Retain a copy of their AML/CTF program (and record of the adoption of the program) for seven years after the program ceases to have effect. If the AML/CTF program is modified, a copy of the old program must be kept for seven years from the date it is superseded by the new program.
The steps covered in this article form Part A of AUSTRAC’s guidelines to developing an AML/CTF program for digital currency exchange service businesses. Explore the steps involved in Part B: Procedures for collecting and verifying ‘know your customer’ (KYC) information.