
2023-2024 AML-CTF Compliance Roadmap: Leveraging ISO 37301
Australia

2023-2024 AML-CTF Compliance Roadmap Leveraging ISO 37301 → 1 / 10


Introduction
The United Nations (UN) estimates that the amount of money laundered across the world annually is between $800 billion and $2 trillion USD, roughly 2-5% of global GDP. Each year, money laundering schemes increase in complexity and novelty, aided by new technologies, and become harder to track. In order to respond to these rapidly shifting threats, the anti-money laundering/counter-terrorism financing (AML/CTF) regulatory sphere moves incredibly fast. Regulators in each country are responding by conducting ongoing reviews and updates of existing regulations, as well as introducing entirely new regulations where feasible. But where does this leave businesses trying to navigate this cluttered, at times puzzling landscape?

For many, the journey of complying with AML/CTF requirements comes with a
sense of uncertainty. Even if the main regulations are being adhered to, some of
the less prominent ones might have been overlooked. Moreover, the introduction
of intricate and occasionally conflicting cross-jurisdictional regulations only adds
to the complexity. Given these factors, it’s hardly surprising that many compliance
professionals find themselves inundated and questioning whether they are on the
correct course.

This whitepaper acts as a roadmap, designed to help organisations find a clear path to AML/CTF compliance in 2023 and the years ahead. It dissects the key issues and priorities on both local and global levels, to help compliance and risk professionals find greater clarity and certainty in this dynamic landscape. Additionally, it highlights the importance of having a compliance management system (CMS) to achieve effective regulatory risk management, as viewed through the lens of ISO 37301, the standard for compliance management.



Navigating the current AML-CTF legal landscape
In order to efficiently navigate AML/CTF obligations, businesses must
have a comprehensive understanding of the laws encompassed within
this complex regulatory area. The primary legislation falls into three
broad categories:

» Federal AML/CTF law includes the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) and provides the means to help deter, detect and disrupt money laundering and terrorism financing. It also provides financial intelligence to revenue and law enforcement agencies. The industry contribution legislation sets the framework for the collection of the annual industry contribution levy to cover AUSTRAC’s operation costs.
» Australia also has unexplained wealth laws at both the
Commonwealth level and within the frameworks of state and
territorial legislation. Nationally, they are contained in the Proceeds
of Crime Act, while the arrangements for obtaining unexplained
wealth orders are generally outlined within the criminal proceeds
legislation of each state or territory jurisdiction.
» Sanctions laws also form part of the AML/CTF legislative
framework. Australia’s sanctions laws are categorised into two
types: UN Security Council sanctions, and Australian autonomous
sanctions. UN sanctions give effect to Australia’s obligations under
international law, while autonomous sanctions are implemented by
Australia by virtue of its independent foreign policy.



Within Australia’s AML/CTF framework, the primary reference point is the AML/CTF Act, which sets out general principles and obligations for organisations. Details of how these obligations are to be carried out are set out in the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (AML/CTF Rules).

The AML/CTF Act imposes 6 key obligations on businesses that it regulates.

» Customer due diligence (CDD) to verify a customer’s identity before providing a designated service, and to assess the customer’s risk profile in relation to their potential involvement in money laundering activities or other financial crimes.
» Ongoing due diligence to be conducted throughout the course of a business relationship. This includes having a transaction monitoring program, and incorporating CDD procedures when dealing with elevated money laundering or terrorism financing risks.
» Reporting to AUSTRAC all ‘suspicious matters’, as well as cash transactions of $10,000 or more, while also submitting annual compliance reports and conducting ongoing cross-border movement reporting.
» Developing and maintaining an AML/CTF program. This involves identifying money laundering and terrorist financing risks associated with providing designated services, and developing a comprehensive program of systems and controls to mitigate and manage those risks.
» Record-keeping of certain records that could assist with the investigation of financial crime or are relevant to compliance. These records must be retained for seven years and be in a form readily accessible to law enforcement if required.
» Enrolling or registering with AUSTRAC if engaged in the provision of designated services. For remittance service providers or digital currency exchange providers, an additional registration process is required to facilitate additional verifications to ensure criminals and their associates are kept out of these sectors.

However, the legal landscape extends further in two directions.

Firstly, there exists a network of internationally recognised best practice guidance, as well as mandatory laws of other countries to consider. The Financial Action Task Force is an intergovernmental body that sets international standards and policies to counter money laundering and terrorism financing. It also oversees countries to ensure their comprehensive and effective implementation of these standards. If your business and its operations extend beyond Australia’s borders, you must also take into account the AML/CTF laws of other countries, as overseas regimes may have extraterritorial jurisdiction – Europe and the US being the two primary examples.

» In the United States (US), the Bank Secrecy Act (BSA) is the primary legal framework for AML/CTF compliance, imposing reporting and record-keeping obligations on US financial institutions. The Patriot Act, an amendment to the BSA, empowers law enforcement agencies with further authorities when investigating suspected terrorism financing. In 2020, the US introduced the Anti-Money Laundering Act to address the threats posed by new technologies and criminal methodologies.
» In the European Union (EU), all regulated entities need to apply customer due diligence requirements for business relationships. Anti-money laundering directives are periodically issued by the European Parliament to be implemented by member states. The most recent of these, the 6th Anti-Money Laundering Directive (6AMLD), harmonises the definition of money laundering offences across EU member states and expands the scope to include additional areas, such as cybercrime and environmental crime.

Moreover, there exists a series of secondary regulatory requirements – by no means secondary in importance, but requiring consideration in a full assessment of regulatory compliance. Your broader legal landscape can consist of various other compliance sources, depending on what type of organisation you are, the scope of your operations, and your specific business processes. The extent of delegation within your compliance structure will also play a role – consider which individuals or compliance teams within your organisation oversee specific sets of legislation.



Evolving AML-CTF Landscape in Focus – Australia
As with many regulatory imperatives, the AML/CTF landscape is not static — it continues to evolve and develop over time to respond to changing threats and conditions. There are a few major changes on the horizon:

Modernisation of Australia’s AML/CTF regime
Part 1 of the public consultation proposes reforms that will simplify and modernise the operation of the regime. It involves combining the existing Parts A and B into a single requirement for businesses to develop, implement and maintain an AML/CTF Program aimed at identifying, mitigating and managing risks. Part 2 of the public consultation relates to expanding the AML/CTF regime to include proposed tranche 2 entities, such as lawyers, accountants, and real estate agents.

Review of the Autonomous Sanctions framework
In preparation for the upcoming expiration of the autonomous sanctions regulations next year, the review is examining whether our sanctions framework remains suitable for its intended objectives. This involves identifying administrative and regulatory efficiencies in order to ensure continued regulation and compliance.

Payment Systems Reform
Australia’s payment systems framework is also being reformed, which will impact AML/CTF and financial crime processes. The Australian Government has released a strategic plan for the country’s payments system, which includes a plan for measures such as the modernisation of payment infrastructure and the creation of a new payments licensing framework.

Evolving AML-CTF Landscape in Focus – Global
Globally, there is also a great deal of substantive change occurring across Europe, the United Kingdom (UK), the US, and across Asia and the Pacific. Below is a snapshot of some of the significant changes which may affect Australian businesses. Key considerations to determine their impact would be: the physical location of the business, its operational areas, customer locations, and data storage sites.

The Compliance Challenge
Amidst the overlapping regulatory changes highlighted earlier, several recurring themes arise. These include the expansion of scope, the application of extraterritorial reach, heightened reporting requirements, and more stringent risk management practices. With such a wealth of change, the compliance challenge is significant. Depending on their industry and the extent of their operations, an entity might be required to stay abreast of numerous regulations to remain compliant.

As vulnerability to increasingly sophisticated cyber attacks grows, organisations are exposed to major consequences – not if, but when – they experience a breach. Over recent years, numerous prominent organisations have faced substantial financial penalties due to compliance failures, running into the billions of dollars. However, it’s not just financial penalties that need to be taken into account. Reputational harm from negative media reporting, and the resulting impact on consumer perception, have significant potential to affect an organisation’s future viability and success.

Evidently, the pace of regulatory change has been accelerating at an unprecedented rate. In a globalised society with extraterritorial laws, organisations are increasingly expected to remain informed about changes occurring far beyond their own borders. Staying compliant across all locations where an organisation presently operates, or potentially could operate, requires continuous monitoring of the latest legal and regulatory developments, including new legislation and the actions of courts and regulators. Adopting a forward-looking approach to monitor significant trends in the evolving compliance landscape across diverse countries is of paramount importance.

Finally, ensuring accountability is delegated/dispersed effectively — from the board and leadership down — and ensuring ongoing, transparent reporting is crucial to the success of any compliance framework.



Global Legislative Landscape

European Union
» The Single rulebook
» 6AMLD
» New European Anti-Money Laundering Authority

United States
» Anti-Money Laundering Act of 2020
» Financial Crimes Enforcement Network (FinCEN) Final Rule for Beneficial Ownership Reporting
» 2022 National Strategy for Combating Terrorist and Other Illicit Financing

United Kingdom
» The Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulations 2022
» Economic Crime (Transparency and Enforcement) Act 2022

New Zealand
» Public consultation on proposed changes to AML/CTF regulations
» Russia Sanctions Act 2022

China
» 3-year AML campaign
» Administrative Measures for Financial Institutions on Customer Due Diligence Investigations and Keeping of Customer Identity Information and Transaction Records

Japan
» AML/CTF/CPF Action Plan
» Amendments to the Foreign Exchange and Foreign Trade Act 1949

Singapore
» Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) (Amendment) Bill 2023
» Financial Services and Markets Act 2022

Hong Kong
» Anti-Money Laundering and Counter-Terrorist Financing (Amendment) Ordinance 2022
» Guideline on Anti-Money Laundering and Counter-Financing of Terrorism



Mitigating Compliance Risk
Regulatory risk represents an organisation’s ability to comply with the laws, rules, regulations and standards which govern its operations, and the potential consequences of failure to do so. In essence, it serves as a foundational benchmark representing the minimal requirements for doing business – what some would call a “ticket to play”. The degree of regulatory risk is heavily influenced by an organisation’s industry, the products and services it offers, and its overall strategy regarding risk management – including its risk appetite, processes, and more.

Mandatory obligations generate the most obvious regulatory and compliance risks.
These are the concrete legal requirements created by laws, regulations and contract
provisions. However, mandatory obligations are only part of an organisation’s
compliance risk profile. Voluntary obligations (the softer obligations created by an
organisation’s values and social commitments) also create compliance risks.

Like any risk, regulatory and compliance risks must be reassessed periodically,
especially in the face of significant changes. These triggers for change can be
incredibly broad.

» New/changed activities, products, services
» Changes to organisational structure/strategy
» Significant external changes, for example, economic conditions, liabilities,
client relationships
» Changes to compliance obligations
» Mergers and acquisitions
» Non-compliance and near-misses

In a complex, uncertain, ever-changing regulatory landscape, it becomes impractical for an organisation to address regulatory risks haphazardly – the range, volume and magnitude are simply overwhelming. Consequently, successful mitigation of regulatory risks often necessitates the implementation of a structured compliance management system. This is where ISO 37301 can prove beneficial, assisting organisations in mitigating compliance risks, particularly within the AML/CTF landscape.



ISO 37301 and Implementing a Compliance Management System

Key characteristics of a Compliance Management System
A CMS presents a framework of best practice measures designed to steer an organisation towards adherence to all of its obligations, including AML/CTF. A CMS provides visibility and control over the compliance status and activities of the organisation. This enables senior officers and other interested stakeholders to understand the organisation’s obligations, the methods and timing of fulfilling them, and the designated owners for each obligation.

The level of control provided by a CMS program empowers senior officers to fine-tune risk management activities to suit the organisation’s risk appetite.

A CMS has three primary elements:
» Oversight of the program, either by the board or by someone with delegated responsibility for its success and effectiveness.
» The compliance program itself. Central to every CMS is an obligations register which catalogues the mandatory and voluntary obligations of the organisation.
» Regular review and audit. This ensures continual enhancement as the external compliance landscape evolves and as the organisation’s personality transforms.

Because of the benefits of a comprehensive and scalable CMS, capital partners and issuers of large contracts increasingly require organisations to provide evidence of an ISO 37301 compliant CMS as a prerequisite of doing business.

Aligning to ISO 37301
ISO 37301 is an international standard that assists organisations to establish, develop, implement, maintain and improve an effective CMS. First released in 2021, the standard builds upon the principles documented in its predecessor, ISO 19600. The Compliance Management Standard is a Type A standard, meaning regulators and independent experts can certify an organisation’s CMS as being compliant with the standard’s requirements.

Certification carries numerous potential benefits. For example, organisations may use certification to demonstrate their competence to clients and improve their industry standing. In addition, organisations operating in high compliance risk industries may be required to maintain certification as a licence condition. The standard encourages organisations to adopt a plan-do-check-act (PDCA) approach to compliance management. The PDCA cycle appears frequently in ISO standards governing management systems, and organisations that adopt PDCA in their CMS can integrate compliance management into the cycles of other established systems.

Organisations implementing an ISO-compliant CMS must begin by establishing a compliance register to catalogue all mandatory and voluntary obligations, providing a comprehensive picture of the organisation’s obligation status. For instance, in the context of AML/CTF, the compliance register could contain obligations related to AML/CTF Governance, Registration with AML/CTF Authorities, Due Diligence, Suspicious Matter & Reporting, among other aspects.

Having created and populated the register, the organisation must conduct a risk assessment. Risk professionals should gauge the risk associated with each entry in the register with the goal of creating the data required to set the organisation’s risk appetite and propose effective controls. To complete its assessment of the organisation’s compliance context, the organisation must document any specific compliance expectations of external parties, including partners and holding companies.

Having documented the organisational context, the organisation must create and document a matrix of controls for ensuring ongoing compliance with the obligations in the register. The control matrix comprises policies, functions, processes, roles and tools that achieve prescribed standards, including governance, planning, performance evaluation and improvement.

Unlike its predecessor, ISO 37301 requires organisations to promote whistleblowing. Organisations must include formal systems that enable staff to report their concerns easily, that protect reporters from retaliation, and that ensure the confidentiality of reports.

A well-designed CMS, aligned to the international compliance standard, will scale alongside the organisation through the continuous improvement systems discussed earlier. This implies that a comprehensive CMS implemented in 2023 should continue to effectively mitigate regulatory risks even in 2033 and beyond.



How LexisNexis® Regulatory Compliance can help
Our AML-CTF Compliance Register can help you on your path to compliance
The AML/CTF compliance register provides practical assistance and
guidance to ensure that AML/CTF obligations are complied with,
through the implementation and maintenance of best practice processes
throughout the organisation.

This compliance register also covers the role of the regulator as well
as exemptions to the obligations, where applicable, and circumstances
when the exemptions may or may not apply to the organisation.



About LexisNexis Regulatory Compliance
LexisNexis Regulatory Compliance helps you forge a clear path to compliance.

With LexisNexis content know-how at the core, our compliance registers, alerts, and information-driven solutions make compliance
uncomplicated for GRC professionals across the globe.

» Find relevant obligations faster with jargon-free registers that are aligned to your business processes.
» Stay up to date with near-real time alerts delivered straight to your inbox when you may be impacted by regulatory change.
» Explore your compliance obligations under a particular regulator, or a particular compliance source, with SourceData.
» Engage with the wider compliance community and LexisNexis experts through the Community Portal, our self-support platform.
» Access comprehensive, current LexisNexis content that meets your unique needs, with eight core modules relevant to all
businesses, and over 90 industry-specific modules.

Authored by leading legal and industry experts, and supported by flexible technology that works the way you do, LexisNexis
Regulatory Compliance gives you peace of mind while saving time, and money.

To learn more visit: www.lexisnexis.com.au/compliance

Your Free Demonstration
If you would like a demonstration of the AML-CTF compliance register, scan or click on the QR Code.

LexisNexis, LexisNexis Regulatory Compliance and the Knowledge Burst logo are registered trademarks of RELX Inc.
© 2023 RELX Trading Australia Pty Limited trading as LexisNexis. All rights reserved.

NA082023MV
