This includes anyone who allows traders to buy and sell bitcoin, ethereum and other digital and cryptocurrencies that are interchangeable with money or can be used to buy goods or services.
The transitional arrangements came into effect on 3 April 2018. These apply to existing and new DCEs. In this post, we outline the six things you need to do now if you’re a DCE.
1. Enrol with AUSTRAC and register as an exchange
When you must apply to register depends on whether you’re an existing DCE or a new one.
- If you’re an existing DCE who is not enrolled with AUSTRAC, you have until 14 May 2018 to apply to register. This assessment may take more than 90 days. You can continue to provide services while your application is being assessed.
- If you’re a new DCE, you can start to provide services now but you must apply to register by 14 May 2018.
- If you’re already enrolled with AUSTRAC (because you provide other designated services), you must update your enrolment details by 11 June 2018.
- If you intend to commence providing services from 15 May 2018, you must be registered before you do so or you face civil and criminal penalties.
Before you submit your application you need to have police checks completed for key personnel. This includes owners, directors, or any person who makes decisions affecting your business.
2. Have an AML-CTF Program and compliance arrangements
You have until 2 October 2018 to have an AML-CTF Program and compliance arrangements in place.
You must identify your ML-TF risks in your AML-CTF Program, as well as document your compliance arrangements to manage these risks. There are specific things that your AML-CTF Program must include. You can find AUSTRAC’s guidance for your AML-CTF Program here.
Your compliance arrangements must include an employee due diligence program, regular independent review of the AML-CTF Program, training for employees, senior management oversight, incorporation of guidance from AUSTRAC and an AML-CTF Compliance Officer.
Practically, in order to undertake KYC checks and report the matters below, you should have an AML-CTF Program and compliance arrangements in place from the day you are registered (or ideally, before then).
However, until 2 October 2018, AUSTRAC will not take any enforcement action if you have taken ‘reasonable steps’ to comply with the relevant provision of the act. AUSTRAC’s considerations about ‘reasonable steps’ are set out here.
3. Report suspicious matters and threshold transactions
From the day you submit your application to register you must report transactions of $10,000 or more to AUSTRAC. You must also report any suspicious matters to AUSTRAC. While this is not in any of AUSTRAC’s public statements or website, AUSTRAC has told us this verbally.
AUSTRAC has also told us that you will not be able to submit a report to them until they have registered you. If you need to submit a report to AUSTRAC, you must contact them to expedite your application.
4. Complete Know Your Customer (KYC) checks and verification
You must complete KYC checks on all your customers. This must be done before you submit your application to register with AUSTRAC because once you submit your application, you must report suspicious matters and threshold transactions. You can only do this if you know who your customers are.
You may also need to complete ongoing customer checks. To do this you need to:
- Decide when to complete further KYC checks on customers;
- Have a transaction monitoring program. This includes putting in place systems and controls to monitor customer transactions and being able to identify suspicious or unusual transactions; and
- Have an enhanced customer due diligence program. This involves doing more to identify or verify customers who are high risk. There are strict requirements that must be followed in these circumstances.
5. Keep records
You must keep records about your AML-CTF Program, transactions and KYC checks. We recommend that you keep records from at least the day you are registered by AUSTRAC. This includes your application to register.
6. Comply or face penalties
If you don’t do these things you may face civil and criminal penalties. These include fines and up to seven years' imprisonment.
AUSTRAC also has the power to issue an infringement notice, which is like an instant fine, if you do not:
- Meet KYC requirements;
- Report suspicious matters and threshold transactions;
- Lodge compliance reports; and
- Keep records.