Deal making and AML/CTF considerations

There has been significant M&A activity in 2021 and 2022. This activity has garnered increasing attention from a range of Australian regulators, particularly in relation to the banking sector.

Much of this activity involves regulated entities (known as ‘reporting entities’) under Australia’s Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (the Act). As we noted in our Australian private M&A deal trends report, the Australian Transaction Reports and Analysis Centre (AUSTRAC) continues to have a growing presence in the M&A environment. Reporting entities therefore need to pay closer attention to their regulatory and legal exposure while considering and executing such transactions.

Buyer Beware?

A cornerstone of Australia’s anti-money laundering and counter-terrorism financing (AML/CTF) Regime, which includes the Act and Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No.1) (Cth) (the Rules), is the requirement for reporting entities to adopt and maintain an AML/CTF Program. A key Program requirement is the implementation of policies and procedures to identify customers, verify that their information is correct and is kept up-to-date. Put simply, reporting entities must know their customers and the potential risks they pose.

Effective customer due diligence (CDD) is integral to enabling reporting entities to know their customers. Section 32 of the Act requires a reporting entity to undertake an Applicable Customer Identification Procedure (ACIP), which includes the collection and independent verification of customer identification information before the provision of a designated service (such as opening a bank account).

In the event of M&A activity between two reporting entities, Chapter 28 of the Rules aims to facilitate the transfer of customer accounts by prescribing specific requirements to enable the Buyer to rely on ACIPs previously undertaken by the Seller. A key rationale for this Chapter appears to be to ensure M&A activity does not disrupt the provision of services to a customer. It also seems designed to ease the compliance burden on a Buyer having to redo the ACIPs for customers of a reporting entity they have merged with or acquired.

At a minimum, the Rules require the Buyer to satisfy itself that the Seller has the appropriate ‘risk-based systems’ and controls to identify, manage and mitigate the money laundering and terrorism financing risk associated with the customers who are implicated by the M&A activity. This requires the Buyer to assess the Seller’s AML/CTF Program to ensure the Program is compliant with the Act and Rules so it can form the view that it is ‘reasonable’ for the Buyer to rely on the Seller’s ACIPs undertaken under its Program.

Yet Chapter 28 is not without its challenges, particularly where Buyers insist on overlaying the Chapter 28 requirements with various contractual terms, conditions and warranties on a Seller. From a regulatory and enforcement perspective, Chapter 28 does not offer a ‘safe harbour’ to the Buyer as they will always bear the compliance and regulatory burden and may be held accountable for breaches of section 32 if they rely on the previously undertaken ACIPs without meeting the specific requirements in the Chapter.

CDD reliance as an alternative?

The Act was amended last year so that reporting entities can now rely on ACIPs undertaken by a ‘reliable third party’. There are two forms of reliance relevant to M&A activity: section 37A (CDD arrangements) and section 38 (case-by-case reliance). Each of these are known as ‘CDD reliance’.

Under section 37A of the Act, a reporting entity can enter into a written agreement known as a ‘CDD arrangement’ with a counterparty in order to allow the reporting entity to rely on the ACIP carried out by that counterparty. To establish and maintain a CDD arrangement, a reporting entity must undertake an assessment of the counterparty’s AML/CTF Program to ensure it is compliant with the Act and Rules. If this assessment satisfies Chapter 7 of the Rules, which stipulates the pre-requisites to undertaking CDD reliance, then the reporting entity can rely on the ACIPs undertaken by the counterparty in accordance with the CDD arrangement in place.

Once the CDD arrangement is established, a reporting entity is not required to review or assess the adequacy of specific customer ACIPs, but is subject to an ongoing obligation to assess the sufficiency of the counterparty’s AML/CTF Program under section 37B. A benefit of a CDD arrangement is that they afford reporting entities a safe harbour from liability, where isolated breaches are identified in the population of ACIP(s) caught by the CDD arrangement.

For this reason, establishing a CDD arrangement may provide the necessary protection to a Buyer if potential breaches of the ACIP requirements is of concern. This would of course be in addition to any terms that can be negotiated as part of the transaction. However, it is important to note that the Buyer will not be protected from liability under section 37A for serious and systemic non-compliance with the ACIP requirements (to the extent the breaches demonstrate it was not reasonable for the Buyer to rely on the Seller in the first place).

Section 38 is the other form of CDD reliance that could be utilised as part of M&A activity. However, this form of reliance provides few incentives in such circumstances. This is predominately because section 38 does not include an explicit ‘safe harbour’ from liability, noting there is a general defence available under section 68 of the Act, which compels the relying party to review each and every ACIP provided by its counterparty. Otherwise, the relying party will be liable for a breach of section 32 of the Act. Consequently, this form of reliance may result in delay and disruption to a transaction and affect the services provided to transferring consumers.

While the Act and Rules provide a range of options for parties to a transaction, a decision on the approaches we have considered above will of course depend on the size, nature and complexity of the deal. Ultimately, reporting entities should consider their options in terms of timeframes for the deal, available resources to review particular information (whether that be ACIPs or another party’s AML/CTF Program) and the necessity to create a shield from liability under the Act.

Norton Rose Fulbright has leading financial crime and corporate practices in Australia and across the Globe. If you have any queries, please contact Scott Atkins, Rajaee Rouhani, Jeremy Wickens and Jasmine Sprange.