Site Search Site Search

Loading Results

Knowing your customer in an era of isolation

25 June 2020

Impacts of the COVID-19 pandemic on money laundering and KYC 

In Brief

The COVID-19 pandemic (COVID) has changed what we do and how we do it, with these rapid changes potentially having a signifcant impact on businesses managing money laundering and terrorism financing risks.  This extends to compliance with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) and Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No.1) (AML/CTF Rules) (together, the AML/CTF laws).  

With mounting pressures on the economy and new vulnerabilities for businesses operating with reduced staff and/or remote working arrangements, there is increased opportunity for instances of criminal activity, fraud, and exploitation of disrupted cybersecurity and AML/CTF controls and practices.  At the same time, many businesses are struggling for new and ongoing revenue streams and need to remain agile to manage cash and liquidity issues.

In Australia, the AML/CTF regulator, AUSTRAC, has recognised and responded to these challenges by introducing new guidance and new AML/CTF rules to help Reporting Entities manage AML/CTF risks during these unprecedented times.  These include:

  • allowing Reporting Entities to use alternative identity proofing and customer verification (also known as ‘know your customer’ or KYC) processes in COVID related situations; 
  • allowing Reporting Entities to avoid having to carry out customer identification procedures where a customer has already had their identity verified by the Australian Taxation Office (ATO) in an application for early release of superannuation; 
  • identifying areas more vulnerable to criminal exploitation during COVID and reminding Reporting Entities of their ongoing obligations, such as reporting suspicious matters by lodging a suspicious matter report (SMR); and
  • allowing Reporting Entities to either defer lodgement of their 2019 compliance reports until 30 June 2020, or, in some cases, not submit the report at all, without fear that AUSTRAC will take compliance action.

Whilst some flexibility has been afforded to Reporting Entities during the COVID period, they will need to do so with vigilance in light of the heightened areas of criminal exploitation identified by AUSTRAC and regulators to date. However, the flexibility given to KYC requirements may prevent Reporting Entities from unnecessarily:

  • turning away potential new customers;
  • requiring additional information; and
  • using additional resources.

In addition, a Reporting Entity should keep a record of any changes to their processes made during COVID. This will:

  • promote consistency in the way matters are managed internally;
  • enable a Reporting Entity to answer any queries received from AUSTRAC more efficiently and effectively; and
  • allow for a smoother transition post COVID.

In Detail

While COVID related restrictions are slowly easing, self-isolation and social distancing measures are set to remain for the foreseeable future. Many of us are still working from home; some of us are accessing superannuation early to relieve cashflow pressures, businesses have been significantly disrupted and many public facilities remain unavailable.

Regulators and law enforcement bodies around the world have warned that COVID is likely to lead to an increase in financial crime, money laundering and cybersecurity threats.

So what does this mean for the Reporting Entities who are subject to the AML/CTF laws? It’s evident they need to remain vigilant in these times of self isolation and remote working.  AUSTRAC has identified areas of criminal exploitation where a financial system may be more vulnerable.  These include: 

  • an increase in extremist views;
  • unusual purchasing of precious metals and gold bullion;
  • the exploitation of workers;
  • Government assistance programs being targeted through fraudulent applications and phishing scams;
  • more online child exploitation due to travel restrictions;
  • the purchase or sale of illegal or stockpiled goods resulting in large cash movements; and
  • trafficking of vulnerable persons in the community.

KYC flexibility afforded in the AML/CTF laws

One particular area of impact on the AML/CTF laws is in relation to customer identification, which requires Reporting Entities to implement and document procedures in place for identifying and verifying their customers. 

How do Reporting Entities identify and verify new customers during COVID when, for example, they can’t meet them face to face? How do customers provide necessary evidence of their identity when they are in self-isolation or when they can’t access facilities like libraries to print or scan documents? Could remote ways of working cause delays in the timely verification of customers or the submission of SMRs? And do Reporting Entities have to jump through the usual hoops to identify a customer in need of a speedy transaction when an Australian Government department has already done so? 

Encouragingly, recent amendments to the AML/CTF laws will allow Reporting Entities to use alternative identity proofing and KYC processes in COVID related situations.

For background, the AML/CTF Act sets out minimum KYC procedure requirements which are based on the type of customer and the level of ML/TF risk they pose, including what information must be obtained, and how to verify it. In addition to complying with these legislative requirements, a Reporting Entity’s AML/CTF compliance program must also be designed in light of a Reporting Entity’s own risk based systems and controls. This may mean that some Reporting Entities will have adopted KYC procedures which are more stringent than the minimum requirements in the AML/CTF laws in response to the risks, for example, they may require individual customers to be verified face to face.

The AML/ CTF laws already provide some flexibility for times where a Reporting Entity is unable to fulfil the KYC procedures in its AML/CTF program, such as:

  • allowing electronic copies of reliable and independent documentation to be used; and
  • allowing disclosure certificates to be relied on to verify certain types of information about non-individual customers where information is not readily available from other sources.

In addition to the above, in ‘limited and exceptional circumstances’ where the customer doesn’t have and cannot get the necessary information or evidence of identity, alternative processes may be used to prove a customer’s identity. For example, people who are homeless may be unable to provide the information and evidence typically required by a Reporting Entity, and in that case a Reporting Entity could decide on an appropriate alternative process. 

As a result of the Anti-Money Laundering and Counter-Terrorism Financing Rules Amendment Instrument 2020 (No. 2) (Amendment) that came into effect 8 May 2020, these ‘limited and exceptional circumstances’ were expanded to include where a customer has but can’t give the necessary information or evidence of identity due to ‘COVID-19 pandemic measures’, for example where a customer is in self- isolation. 

If a customer’s identity is unable to be established using these alternative processes, a Reporting Entity may accept a self- attestation from the customer in relation to their identity, though this is inherently risky and may require a Reporting Entity to apply ongoing customer due diligence (OCDD) on these customers.

In addition, under the Amendment, where a Reporting Entity would ordinarily require an original or certified copy or extract of a document to verify a customer’s identity, but cannot do so because of ‘COVID-19 pandemic measures’, it can rely on a copy of the documents. 

Examples of alternative or additional KYC Processes

As is the case with AML/CTF programs generally, a Reporting Entity needs to make sure the KYC processes used, including any alternative processes, are appropriate to the level of risks it faces (and the systems and controls in place to mitigate these risks). A Reporting Entity could consider the following alternative or additional verification processes (if appropriate):

  • accepting multiple types of secondary identification documents where ordinarily a primary identification document would be required;
  • using video calls or front-view selfie photographs to verify an individual's identity where face to face methods cannot be used;
  • phoning customers and asking specific questions about their identity; 
  • speaking to a reliable and independent third party to confirm a customer’s identity (e.g. doctor, priest);
  • applying a higher level of OCDD and transaction monitoring (TM) for customers approved during COVID using alternative processes; and 
  • reviewing customers approved during COVID using alternative processes at the end of the pandemic, requesting updated information and evidence in light of standard KYC processes and reassessing any OCDD and TM in place in respect to those customers. 

Reporting Entities should ensure that:

  • relevant members of its staff are aware of any alternative processes in place during COVID; and
  • any alternative processes put in place during COVID are adequately documented.

Streamlining of KYC processes in relation to superannuation funds 

Under the COVID early release of superannuation initiative administered by the ATO, individuals who meet certain criteria can access some of their superannuation early. Under the Anti-Money Laundering and Counter-Terrorism Financing Rules Amendment Instrument 2020 (No. 1) that came into  effect on 16 April 2020, where the ATO has approved the early release of an individual’s superannuation under the initiative, superannuation fund trustees are exempted from carrying out customer identification procedures before making these  payments to their members. This exemption may also apply in respect to retirement savings accounts. 

However, it is important to note that despite these new rules, other obligations under the AML/CTF laws continue to apply. For example, Reporting Entities are still expected to: 

  • apply risk based systems and controls when deciding how to respond to any issues or discrepancies that arise when making a payment;
  • where appropriate, apply  OCDD processes and TMP to identify usual payments that should be subject to enhanced customer due diligence; and
  • lodge SMRs to AUSTRAC where there are reasonable grounds to suspect a transaction may be related to a crime or suspect a customer is not who they claim to be.

SMR reporting obligations during COVID

COVID has resulted in much of our interaction and business being done exclusively online; employees having their hours reduced; some businesses relaxing their standard practices just to keep afloat and some businesses concentrating their efforts on new issues and new ways to cut costs. These may mean that red flags that would previously have given rise to the lodgement of a SMR are now perhaps flying under the radar. We have seen criminals taking advantage of these changes and targeting individuals and consumers in new ways. 

AUSTRAC has noted its expectation that Reporting Entities need to remain vigilant and report any suspicious behavior to AUSTRAC by submitting SMRs. Accordingly, Reporting Entities need to ensure that measures are in place, regardless of the new working environment, to enable the submitting of SMRs in a timely fashion.

Compliance reporting obligations during COVID

As a result of COVID, AUSTRAC has extended the deadline for submitting a Reporting Entity’s 2019 Compliance Report (that would have been due to be submitted to AUSTRAC by 31 March 2020)  until 30 June 2020 and acknowledges that in some situations businesses may be unable to submit a report at all. AUSTRAC has advised that it will not take compliance action in these scenarios.

Keeping records

Reporting Entities must keep full and accurate records of transactions, KYC procedures and its AML/CTF program to comply with the AML/CTF laws. This includes records of transactions, KYC procedures (including alternative processes) and changes to an AML/CTF program carried out during COVID. These records must be stored securely and in a format which facilitates their retrieval and audit.

The takeaway

COVID has brought unprecedented change and new challenges to commerce and society as a whole. These challenges include the facilitation of new business and the increased risk of criminal activity.  For the COVID impacted period (noting that the new rules are time limited measures that are intended to be repealed following the conclusion of COVID), AUSTRAC has released new guidance and rules to:

  • facilitate continued compliance with the AML/CTF laws despite the current obstacles;
  • relax some AML/CTF obligations where practicable e.g. preventing a double up of KYC obligations in early release of superannuation scenarios and allowing flexibility in relation to the lodgement of compliance reports; and
  • remind Reporting Entities of the heightened risks faced during this time and of the importance of their continued vigilance.

These modifications should assist Reporting Entities to comply with the AML/CTF obligations during these times whilst remaining vigilant to the increases in fraud and money laundering activity. It is important for entities to ensure their modified procedures are well communicated and implemented by staff, and documented in line with the regulator’s expectations.

 

Contributing authors: Sylvia Ng (PwC Director-Legal) and Sally Bates (PwC Associate-Legal)

 

 

Contact us

PwC Australia

General enquiries, PwC Australia

Tel: +61 2 8266 0000

Contact form