Ongoing customer due diligence (OCDD) under the AML/CTF Act
How reporting entities must conduct ongoing customer due diligence including transaction monitoring and customer information refresh.
What OCDD requires
Section 36 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) requires reporting entities to monitor their customers' transactions and behaviour for as long as the customer relationship lasts. This ongoing customer due diligence (OCDD) is a core compliance obligation. The intensity of OCDD must be proportionate to the ML/TF risk posed by each customer, consistent with the risk-based approach AUSTRAC expects.
Chapter 15 of the AML/CTF Rules details the specific requirements for OCDD. These requirements are not a one-size-fits-all approach, but are tailored to the individual risk profile of each customer.
OCDD encompasses several key activities, including transaction monitoring, implementing enhanced customer due diligence (ECDD) when heightened risk is detected, and maintaining current and accurate customer ‘Know Your Customer’ (KYC) information.
Transaction monitoring program
A transaction monitoring program is a required component of a reporting entity’s AML/CTF program, specifically forming part of Part A. This program’s purpose is to identify unusual transactions for subsequent review.
The program must take into account the customer's profile, the account's historical behaviour, the jurisdictions involved, and the designated services being provided when assessing transactions. Transactions the program flags as unusual must be examined by the reporting entity. Where that examination gives rise to a suspicion, the matter must be reported to AUSTRAC as a suspicious matter report (SMR) under section 41 of the Act; an alert from the monitoring program is a trigger for review, not itself a report.
Documented monitoring rules are essential for the program’s operation. These rules must be reviewed regularly to ensure their continued effectiveness.
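As an added illustration of what "documented monitoring rules" look like in practice, the following Python example (written for this page, not AUSTRAC guidance or any reporting entity's actual program) applies four rules to a constructed batch of transactions: an amount threshold that tightens with the customer's risk rating, a deviation-from-baseline check on account behaviour, a counterparty-jurisdiction check, and a PEP cross-border check. The risk tiers, AUD thresholds, placeholder jurisdiction codes `XX`/`YY`, the `BEHAVIOUR_MULTIPLIER` and the sample customers and transactions are all assumptions made up for the example; a real program documents its own parameters and sources its high-risk list from FATF and AUSTRAC.

```python
"""Illustrative transaction-monitoring rule set (example code, not an
entity's real program). Every threshold, list and record below is a
constructed assumption for demonstration purposes."""
from dataclasses import dataclass
from statistics import mean
from typing import Callable, Dict, List, Optional

# Constructed parameters: a real program documents its own, and takes the
# high-risk jurisdiction list from FATF / AUSTRAC rather than hard-coding it.
HIGH_RISK_JURISDICTIONS = {"XX", "YY"}                       # placeholder codes
AMOUNT_THRESHOLD_AUD = {"low": 50_000, "medium": 20_000, "high": 5_000}
BEHAVIOUR_MULTIPLIER = 3.0   # alert when amount exceeds 3x the customer's mean
MIN_HISTORY = 5              # baseline needed before the behaviour rule fires


@dataclass
class Customer:
    customer_id: str
    risk_rating: str          # "low" | "medium" | "high" from the entity's risk assessment
    is_pep: bool
    history: List[float]      # prior transaction amounts: the account-behaviour baseline


@dataclass
class Transaction:
    txn_id: str
    customer_id: str
    amount: float
    counterparty_country: str
    service: str              # designated service, e.g. "deposit", "international_transfer"


@dataclass(frozen=True)
class Alert:
    txn_id: str
    rule_id: str
    reason: str


Rule = Callable[[Customer, Transaction], Optional[Alert]]


def rule_amount_by_risk(c: Customer, t: Transaction) -> Optional[Alert]:
    """TM-01: fixed amount threshold, lower for higher-risk customers."""
    limit = AMOUNT_THRESHOLD_AUD[c.risk_rating]
    if t.amount >= limit:
        return Alert(t.txn_id, "TM-01",
                     f"amount {t.amount:.0f} >= {limit} limit for {c.risk_rating}-risk customer")
    return None


def rule_behaviour_deviation(c: Customer, t: Transaction) -> Optional[Alert]:
    """TM-02: amount out of line with the customer's own historical behaviour."""
    if len(c.history) < MIN_HISTORY:
        return None                       # no baseline yet; rule cannot fire
    baseline = mean(c.history)
    if t.amount > BEHAVIOUR_MULTIPLIER * baseline:
        return Alert(t.txn_id, "TM-02",
                     f"amount {t.amount:.0f} exceeds {BEHAVIOUR_MULTIPLIER}x mean {baseline:.0f}")
    return None


def rule_high_risk_jurisdiction(c: Customer, t: Transaction) -> Optional[Alert]:
    """TM-03: counterparty located in a listed high-risk jurisdiction."""
    if t.counterparty_country in HIGH_RISK_JURISDICTIONS:
        return Alert(t.txn_id, "TM-03",
                     f"counterparty in high-risk jurisdiction {t.counterparty_country}")
    return None


def rule_pep_cross_border(c: Customer, t: Transaction) -> Optional[Alert]:
    """TM-04: international transfer by a politically exposed person."""
    if c.is_pep and t.service == "international_transfer":
        return Alert(t.txn_id, "TM-04", "international transfer by PEP customer")
    return None


# The documented rule set: reviewed and versioned as part of the Part A program.
MONITORING_RULES: List[Rule] = [
    rule_amount_by_risk, rule_behaviour_deviation,
    rule_high_risk_jurisdiction, rule_pep_cross_border,
]


def run_monitoring(customers: Dict[str, Customer],
                   transactions: List[Transaction]) -> List[Alert]:
    """Apply every rule to every transaction; alerts go to an analyst queue."""
    alerts: List[Alert] = []
    for t in transactions:
        c = customers[t.customer_id]
        for rule in MONITORING_RULES:
            alert = rule(c, t)
            if alert is not None:
                alerts.append(alert)
    return alerts


def alerts_by_txn(alerts: List[Alert]) -> Dict[str, List[str]]:
    """Group rule IDs per transaction for review."""
    grouped: Dict[str, List[str]] = {}
    for a in alerts:
        grouped.setdefault(a.txn_id, []).append(a.rule_id)
    return grouped


def sample_run() -> List[Alert]:
    """Run the rules over constructed sample data (not real customer records)."""
    customers = {
        "C1": Customer("C1", "low", False, [1000, 1200, 900, 1100, 1000]),   # mean 1040
        "C2": Customer("C2", "high", True, []),                               # no baseline yet
    }
    transactions = [
        Transaction("T1", "C1", 800, "AU", "deposit"),
        Transaction("T2", "C1", 6000, "AU", "deposit"),                 # 6000 > 3 x 1040
        Transaction("T3", "C2", 7000, "XX", "international_transfer"),  # TM-01, TM-03, TM-04
        Transaction("T4", "C2", 2000, "AU", "deposit"),
    ]
    return run_monitoring(customers, transactions)


if __name__ == "__main__":
    for txn, rules in alerts_by_txn(sample_run()).items():
        print(txn, rules)
```

Each rule is a separate, named function so that the rule set can be listed in the program document, reviewed individually, and changed with a record of what changed and why; the grouped output per transaction is what an analyst would look at before deciding whether the activity is explained or warrants an SMR.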
Refreshing customer information
Chapter 15 of the AML/CTF Rules requires reporting entities to keep Know Your Customer (KYC) information up to date. This process, known as refreshing customer information, must follow a risk-based approach: the frequency of refreshes is set by the customer's assessed risk level rather than by a single fixed cycle.
Higher risk customers, such as Politically Exposed Persons (PEPs) and those from high-risk jurisdictions, necessitate more frequent updates to their KYC information. Conversely, lower risk customers can be refreshed less often, although updates are still required at any material change.
Specific events trigger the need to refresh customer information. These include changes to beneficial ownership, new sanctions designations, alterations to a customer’s transaction profile, and the emergence of adverse media. Following the conclusion of a customer relationship, reporting entities must retain KYC records for a minimum period of 7 years, as stipulated by section 113.
Enhanced Customer Due Diligence triggers
Enhanced Customer Due Diligence (ECDD) is required in specific circumstances to mitigate money laundering and terrorism financing (ML/TF) risks. These triggers necessitate a more rigorous approach to customer verification and monitoring than standard Ongoing Customer Due Diligence (OCDD).
ECDD must be applied when an entity suspects that ML/TF may occur, or when the customer is a foreign Politically Exposed Person (PEP). Furthermore, ECDD is mandated when the customer or a transaction originates from a high-risk jurisdiction. These jurisdictions are identified by either the Financial Action Task Force (FATF) or AUSTRAC.
The minimum measures that must be specified for ECDD are outlined in Chapter 15. These measures include senior management approval, additional Know Your Customer (KYC) processes, verification of source of wealth and source of funds, and enhanced ongoing monitoring.
Frequently asked
What is the difference between KYC at onboarding and OCDD?
KYC at onboarding (the Applicable Customer Identification Procedure under Part B) happens before designated services are provided. OCDD is ongoing — it monitors transactions and refreshes KYC for the life of the customer relationship.
Do OCDD obligations apply to existing customers?
Yes. OCDD applies to all customers receiving designated services, whether onboarded recently or many years ago, on a risk-based cycle.