26FReporting entities must develop and maintain AML/CTF policies

#### 26F Reporting entities must develop and maintain AML/CTF policies (1) A reporting entity must develop and maintain policies, procedures, systems and controls (AML/CTF policies) that: (a) appropriately manage and mitigate the risks of money laundering, financing of terrorism and proliferation financing that the reporting entity may reasonably face in providing its designated services; and (b) ensure the reporting entity complies with the obligations imposed by this Act, the regulations and the AML/CTF Rules on the reporting entity; and (c) are appropriate to the nature, size and complexity of the reporting entity’s business; and (d) comply with any requirements specified in the AML/CTF Rules. > Note: See also section 26U (business of a lead entity of a reporting group). Additional obligations that apply to reporting entities that provide designated services at or through permanent establishments in Australia (2) Subsections (3) and (4) apply if the reporting entity provides a designated service at or through a permanent establishment of the reporting entity in Australia. (3) Without limiting paragraph (1)(a), the AML/CTF policies of a reporting entity must deal with the following: (a) identifying significant changes to any of the matters mentioned in subsection 26C(3); (b) carrying out customer due diligence in accordance with Part 2; (c) reviewing and updating the AML/CTF policies in the following circumstances: (i) in response to a review of the reporting entity’s ML/TF risk assessment under section 26D; (ii) circumstances specified in the AML/CTF Rules; (d) reviewing the AML/CTF policies of the reporting entity at the intervals or with the frequency specified in the AML/CTF Rules (and in any event at least once every 3 years); (e) any other matters specified in the AML/CTF Rules. (4) Without limiting paragraph (1)(b), the AML/CTF policies of a reporting entity must deal with the following: (a) if the reporting entity is not an individual—ensuring its governing body is sufficiently informed of the risks of money laundering, financing of terrorism and proliferation financing that the reporting entity may reasonably face in providing its designated services; (b) designating an AML/CTF compliance officer for the reporting entity; (c) designating one or more senior managers of the reporting entity as responsible for approving: (i) the AML/CTF policies of the reporting entity; and (ii) the ML/TF risk assessment of the reporting entity; (d) undertaking due diligence in relation to persons who are, or will be, employed or otherwise engaged by the reporting entity and who perform, or will perform, functions relevant to the reporting entity’s obligations under this Act; (e) providing training to persons who are employed or otherwise engaged by the reporting entity and who perform, or will perform, functions relevant to the reporting entity’s obligations under this Act in relation to: (i) the risk of money laundering, financing of terrorism and proliferation financing that the reporting entity may reasonably face in providing its designated services; and (ii) the obligations imposed by this Act, the regulations and the AML/CTF Rules on the reporting entity; (f) the conduct of independent evaluations of the reporting entity’s AML/CTF program, including the frequency with which such evaluations must be conducted, which must: (i) be appropriate to the nature, size and complexity of the reporting entity’s business; and (ii) be at least once every 3 years; (g) any other matters specified in the AML/CTF Rules. > Note: See also section 26U (business of a lead entity of a reporting group). Additional obligations that apply to lead entities of reporting groups (5) Without limiting paragraph (1)(a), if a reporting entity is the lead entity of a reporting group, the AML/CTF policies of the reporting entity must deal with the following: (a) ensuring the appropriate sharing of information between members of the reporting group for the following purposes: (i) carrying out customer due diligence under Part 2; (ii) appropriately identifying, assessing, managing and mitigating the risks of money laundering, financing of terrorism and proliferation financing that each reporting entity that is a member of the reporting group may reasonably face in providing its designated services; (b) any other matters specified in the AML/CTF Rules. (6) Without limiting paragraph (1)(b), if a reporting entity is the lead entity of a reporting group, the AML/CTF policies of the reporting entity must deal with the following: (a) ensuring the sharing of information between members of the reporting group that is necessary for the members of the reporting group who are reporting entities to comply with: (i) their obligations imposed by this Act, the regulations and the AML/CTF Rules; and (ii) the AML/CTF policies of the lead entity; (b) if any member of the reporting group discharges an obligation imposed on another member of the reporting group by this Act, the regulations or the AML/CTF Rules: (i) which members of the reporting group may discharge which obligations of which other member; and (ii) ensuring that each member of the reporting group that is a reporting entity makes, or has access to, records to demonstrate any discharge by another member of the reporting group of any such obligations imposed on the reporting entity; (c) ensuring the confidentiality and appropriate use of any information shared between members of the reporting group, including to prevent any contravention of subsection 123(1) by any member of the reporting group; (d) any other matters specified in the AML/CTF Rules. > Note: For other rules about how this Part applies in relation to reporting groups, see sections 26U and 236B. AML/CTF Rules (7) The AML/CTF Rules may do either or both of the following: (a) specify requirements that must be complied with in relation to a matter mentioned in subsection (3), (4), (5) or (6); (b) set out circumstances in which the AML/CTF policies of a reporting entity are taken to comply with a matter mentioned in those subsections. Reporting entities must develop and maintain AML/CTF policies before providing designated services (8) A reporting entity must not commence to provide a designated service to a customer if the reporting entity does not comply with subsection (1). Civil penalty (8A) Subsection (8) is a civil penalty provision. (9) A reporting entity that contravenes subsection (8) commits a separate contravention of that subsection in respect of each designated service that the reporting entity provides to a customer at or through a permanent establishment of the reporting entity in Australia. (10) A reporting entity that contravenes subsection (8) commits a separate contravention of that subsection on each day that the reporting entity provides designated services at or through a permanent establishment of the reporting entity in a foreign country. Exception (11) Despite subsection (1), a reporting entity is not required to develop or maintain policies, procedures, systems and controls that specifically deal with the risk of proliferation financing if: (a) the reporting entity reasonably assesses, under section 26C or 26D, the risk of proliferation financing that the reporting entity may reasonably face as low; and (b) the reporting entity reasonably assesses that its risk of proliferation financing can be appropriately managed and mitigated by its policies, procedures, systems and controls that manage and mitigate the risks of money laundering or financing of terrorism. (12) A person who wishes to rely on subsection (11) bears a legal burden in relation to that matter.