Ongoing customer due diligence (OCDD)

An introduction to the ongoing customer and transaction monitoring obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006.

This brochure provides an introduction to ongoing customer due diligence obligations (OCDD) under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act).

Detailed information on OCDD is available from AUSTRAC (please see the back of this brochure for contact details).

ARCHIVED

What is ongoing customer due diligence (OCDD)?Under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) and the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No.1) (AML/CTF Rules) reporting entities have obligations to monitor customers and their transactions on an ongoing basis.

This ‘ongoing customer due diligence’ (OCDD) will help reporting entities to identify, mitigate and manage any money-laundering or terrorism-financing (ML/TF) risks that may arise from providing one or more designated services to their customers.

The AML/CTF Rules specify three mandatory components of OCDD. These are:

1. collection and verification of additional ‘know your customer’ (KYC) information

2. a transaction monitoring program

3. an enhanced customer due diligence program.

The OCDD provisions contained in the AML/CTF Act commence on 12 December 2008.

Who needs to conduct OCDD?You need to conduct OCDD if you are a reporting entity. A reporting entity is an individual, company or other entity that provides a ‘designated service’ as defined in the AML/CTF Act. Reporting entities include banks, non-bank financial services, remittance (money transfer) services, bullion dealers and gambling businesses.

How does OCDD benefit my business?OCDD is complementary to your KYC processes. Conducting OCDD allows you to minimise the risk of your business’s products or services being used to facilitate ML/TF activities.

Mandatory component one: collecting and verifying additional KYC informationPrior to providing a designated service to a customer you must collect information about their identity and verify this information. This is known as initial KYC information.

As part of your OCDD obligations you must also define trigger points in your AML/CTF program for collecting additional KYC information or for verifying existing customer information. Trigger points could include:

– a significant transaction or series of transactions taking place

– a significant change in the way an account has been operated by a customer

– doubts arising about the identity of a customer.

It is up to you to determine what ‘significant’ means for your business and determine your trigger points.

For more information on initial customer identification requirements and AML/CTF program requirements, refer to the Customer identification brochure, the Ready reckoner booklet (which details minimum customer identification and verification requirements for low-risk customers), or the AML/CTF programs brochure.

Do I need to collect and verify additional KYC information about my pre-commencement customers?Pre-commencement customers (any customers to which you had provided a designated service prior to 12 December 2007) may in some circumstances need to be identified or have their details verified as part of OCDD. For example, you would need to collect and verify additional KYC information if there was insufficient identifying information about that customer on your records or if the information did not appear to be reliable.

ARCHIVED

Mandatory component two: a transaction monitoring programThe purpose of a transaction monitoring program is to identify transaction activity that appears to be suspicious. A transaction monitoring process consists of three steps:

– monitoring all customer transactions in accordance

with your business’s policies, systems and procedures

– identifying suspicious transactions

– taking appropriate action.

What are the features of a transaction monitoring program?A transaction monitoring program should be able to detect transactions which have no apparent economic or lawful purpose. These could include:

– complex, unusual, large transactions, and/or

– unusual patterns of transactions.

When you detect and report suspicious transactions to AUSTRAC you should also examine the background, purpose and circumstances of the transaction and use this information to enhance your AML/CTF program.

For more information on reporting suspicious matters refer to the Reporting requirements brochure. The AUSTRAC Typologies and Case Studies Reports also provide indicators which may give rise to further monitoring and enhanced customer due diligence.

Do I need to buy a computer-based software package to conduct transaction monitoring? You must decide on the most appropriate form of transaction monitoring for your business. A transaction monitoring program does not have to be a computer-based software package. However, if you choose to have an automated system in place, you must assess the ‘flags’ produced by the package to ensure they are relevant to your business and your customers prior to using the system.

Mandatory component three: an enhanced customer due diligence programYou must have an enhanced customer due diligence program in place to assess and collect further customer information in situations where you determine that:

– there is a high risk of ML/TF when providing a designated service to a customer; or

– one of the grounds for reporting a suspicious matter to AUSTRAC has been met.

For more information on reporting suspicious matters refer to the Reporting requirements brochure.

If either of the above situations occur, you must assess the information you have collected and verified about the customer. You must then determine what information you want to clarify, update or obtain about the customer or the nature of their business with you.

What is the difference between customer identification and OCDD?Customer identification should be undertaken prior to providing a designated service to a customer. It consists of collecting and verifying initial KYC information.

OCDD is used to respond to any ML/TF risks that arise from the provision of any designated service(s) to your customers at any stage after your initial customer identification. One component of OCDD is the collection and verification of additional KYC information.

Do I need to conduct OCDD on all my customers?OCDD obligations apply to all customers who receive a designated service provided by you, including pre-commencement customers (any customers to which you had provided a designated service prior to 12 December 2007) and customers whose initial KYC information was collected and verified by another entity on your behalf.

ARCHIVED

About AUSTRAC

The Australian Transaction Reports and Analysis Centre (AUSTRAC) is Australia’s anti-money laundering and counter-terrorism financing regulator and specialist financial intelligence unit.

Where can I get more information?

You can contact the AUSTRAC Help Desk Telephone: 1300 021 037 Email: help_desk@austrac.gov.au

Information is also available on the AUSTRAC website at www.austrac.gov.au.

You will find many useful links on this website, including links to the AML/CTF Act and AML/CTF Rules. AUSTRAC’s Regulatory Guide contains a chapter entitled ‘Ongoing customer due diligence’. This provides specific information on meeting your OCDD obligations. AUSTRAC’s website also contains more information on AML/CTF programs, as well as e-learning courses, a Self Assessment Questionnaire and other resources.

The information contained in this document is intended to provide only a summary and general overview on these matters. It is not intended to be comprehensive. It does not constitute, nor should it be treated as, legal advice or opinions. The Commonwealth accepts no liability for any loss suffered as a result of reliance on this publication. AUSTRAC recommends that independent professional advice be sought. The information contained herein was current at the time of publication. 13

9/10

08/C

C

Can I choose to conduct different OCDD procedures depending on the size and nature of my business?Yes. You should have appropriate risk-based systems and controls in place to assist in meeting the AML/CTF program requirements of your business. These systems and controls are based on the nature, size and complexity of your business and the ML/TF risks your business may face.

Where do I document my OCDD measures?Any systems, policies and procedures that you develop to meet your OCDD obligations must be clearly set out and documented in your AML/CTF program. For more information on AML/CTF programs refer to the AML/CTF programs brochure or visit: www.austrac.gov.au/aml_ctf_programs.html.

How does the privacy legislation affect me?You need to be aware of your obligations under the Privacy Act 1988. You need to meet these obligations when you are setting up your OCDD processes and collecting information under them. All your activities must comply with this legislation.

Further assistance about the Privacy Act and privacy obligations is available from the Office of the Privacy Commissioner on 1300 363 992 or visit: www.privacy.gov.au.

General exemptionsOCDD obligations do not apply to a reporting entity that only provides the designated service covered by item 54 of table 1 in section 6 of the AML/CTF Act. This covers an Australian financial services licence (AFSL) holder who arranges for a person to receive another designated service. However, OCDD obligations do apply to AFSL holders when they provide any other designated services.

ARCHIVED