CTH | In Force | Act
Anti-Money Laundering and Counter-Terrorism Financing Act 2006
#### 28 Undertaking initial customer due diligence
(1) A reporting entity must not commence to provide a designated service to a customer if the reporting entity has not established on reasonable grounds each of the matters in subsection (2) in relation to the customer.
> Note 1: See also section 31 (simplified customer due diligence).
> Note 2: See also section 32 (enhanced customer due diligence).
> Note 3: See section 36 for rules that apply to pre‑commencement customers.
(2) The matters are as follows:
(a) the identity of the customer;
(b) the identity of any person on whose behalf the customer is receiving the designated service;
(c) the identity of any person acting on behalf of the customer and their authority to act;
(d) if the customer is not an individual—the identity of any beneficial owners of the customer;
(e) whether the customer, any beneficial owner of the customer, any person on whose behalf the customer is receiving the designated service, or any person acting on behalf of the customer is:
(i) a politically exposed person; or
(ii) a person designated for targeted financial sanctions;
(f) the nature and purpose of the business relationship or occasional transaction;
(g) any other matter relating to the customer that is specified in the AML/CTF Rules.
(3) Without limiting subsection (1), a reporting entity must do the following for the purposes of establishing on reasonable grounds the matters in subsection (2):
(a) if the customer is an individual—take reasonable steps to establish that the customer is the person the customer claims to be;
(b) identify the ML/TF risk of the customer, based on KYC information about the customer that is reasonably available to the reporting entity before commencing to provide the designated service;
(c) collect KYC information about the customer that is appropriate to the ML/TF risk of the customer;
(d) verify, using reliable and independent data, such of the KYC information referred to in paragraph (c) as is appropriate to the ML/TF risk of the customer.
(4) If a reporting entity provides its designated services at or through a permanent establishment of the reporting entity in Australia, a reporting entity must take into account the following matters when identifying the ML/TF risk of the customer for the purposes of paragraph (3)(b):
(a) the reporting entity’s ML/TF risk assessment;
(b) the kind of customer to whom the designated services will be provided;
(c) the kinds of designated services provided, or proposed to be provided, by the reporting entity to the customer;
(d) the delivery channels by which the reporting entity’s designated services are or will be provided to the customer;
(e) the countries with which the reporting entity deals, or will deal, in providing its designated services to the customer;
(f) the matters (if any) specified in the AML/CTF Rules.
(5) Subsection (4) does not limit the matters a reporting entity may take into account for the purposes of paragraph (3)(b).
(6) The AML/CTF Rules may do either or both of the following:
(a) specify requirements that must be complied with for the purposes of establishing on reasonable grounds the matters in subsection (2);
(b) set out circumstances in which a reporting entity is taken to comply with a matter mentioned in that subsection.
(7) Without limiting paragraph (2)(g) or (4)(f) or subsection (6), AML/CTF Rules made for the purposes of any of those provisions may make different provision in relation to different classes of customers, including:
(a) customers in relation to whom simplified due diligence measures may be taken in accordance with section 31; and
(b) customers in relation to whom enhanced customer due diligence measures must be undertaken in accordance with section 32.
> Note: This subsection also does not limit subsection 13(3) of the Legislation Act 2003 or subsection 33(3AB) of the Acts Interpretation Act 1901: see section 249.
(8) Subsection (1) is a civil penalty provision.
(9) A reporting entity that contravenes subsection (1) in relation to a customer commits a separate contravention of that subsection in respect of each designated service that the reporting entity provides to the customer at or through a permanent establishment of the reporting entity in Australia.
(10) A reporting entity that contravenes subsection (1) in relation to a customer commits a separate contravention of that subsection on each day that the reporting entity provides designated services to the customer at or through a permanent establishment of the reporting entity in a foreign country.