Professionals in risk and compliance within financial institutions or financial service providers are already familiar with the complexities of assessing customer risk, particularly when the customer is another financial entity. When an ADI provides correspondent banking services there are specific rules governing this which are found in Part 8 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) and Chapter 3 of the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No.1) (AML/CTF Rules). Building on existing correspondent banking obligations, these requirements will soon extend to other service arrangements.
These new requirements are set to take effect at the end of March 2026. They include the formal regulation of Nested Services Relationships, which will now trigger enhanced customer due diligence (Enhanced CDD) obligations. These reforms are relevant to financial institutions, remitters, and virtual asset service providers (VASPs), and are aimed at addressing the heightened money laundering (ML) and terrorism financing (TF) risks associated with certain complex cross-border service arrangements.
What is a Nested Services Relationship?
Under section 5 of the AML/CTF Act, a Nested Services Relationship is defined as follows:
- A reporting entity that is a financial institution, remitter, or VASP provides a designated service from a permanent establishment in one country;
- Its customer – also a financial institution, remitter, or VASP – uses that service to provide designated services to its own customers in another country; and
- The arrangement is not a correspondent banking relationship.
In effect, one entity’s non-banking services are “nested” within the operations of another entity, with the upstream service provider relying on the downstream customer’s AML/CTF controls. These layered service models are known to present heightened compliance risks, particularly where downstream entities operate in jurisdictions with weaker regulatory oversight or differing AML/CTF standards.
An example might include a provider of remittance services in a country that is grey listed by FATF (e.g. South Africa), where that provider has an account in Australia with a remittance provider or ADI from which it makes payments to or receives payments from third parties located in Australia.
Enhanced customer due diligence (CDD) required
The amendments identify Nested Services Relationships as a new trigger for Enhanced CDD. Accordingly, a reporting entity involved in such an arrangement will be required to apply enhanced risk-based measures, both at the commencement of the relationship and on an ongoing basis.
To support implementation of these reforms, AUSTRAC has released a Second Exposure Draft of amendments to the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (Draft AML/CTF Rules), setting out the enhanced CDD measures that must be applied by reporting entities in these relationships.
Initial CDD Obligations
Under the amended AML/CTF Act, a reporting entity must not provide a designated service to a customer in a Nested Services Relationship unless it has established, on reasonable grounds, key matters including the identity of the customer and its beneficial owners. The Draft AML/CTF Rules impose further requirements, which include obtaining and verifying the following information:
1. Ownership and control
- The ownership, control, and management structures of the customer and any ultimate parent entity.
2. Business operations
- The nature, size and complexity of the customer's business, including:
- Products/services offered and delivery channels;
- Types of clients served by the customer; and
- Transactions and services to be conducted on behalf of those clients.
3. Jurisdictional and group structures
- Jurisdictions in which the customer and any parent entity operate.
- Whether the parent entity maintains group-wide AML/CTF systems.
4. AML/CTF systems and reputation
- The effectiveness of the customer’s own AML/CTF systems and controls
- Publicly available information on the customer’s reputation, including:
- Any prior regulatory investigations or enforcement actions; or
- Criminal or civil proceedings related to ML/TF or other serious offences.
5. Customer due diligence practices
- Conducts adequate due diligence on its own customers;
- Can provide this information to the reporting entity upon request; and
- Prohibits providing services to shell banks or through nested or correspondent relationships involving shell banks.
Ongoing CDD Obligations
The amended AML/CTF Act also imposes ongoing monitoring obligations, requiring reporting entities to identify, assess, manage and mitigate ML, TF and proliferation financing risks associated with their designated services. In addition to the obligations in section 30(2) of the Act, the Draft AML/CTF Rules require reporting entities in a Nested Services Relationship to:
- Review and update ML/TF risk assessments for the customer at least once every two years;
- Reverify and update KYC information relating to the customer at least once every two years;
- Reverify and update KYC information when commencing a new designated service for the customer under a Nested Services Relationship.
Non-Compliance risks are significant
Failure to comply with these obligations can result in multiple contraventions. There is a separate contravention for each designated service – and for each day the service continues – where the service provided to the customer at or through a permanent establishment of the reporting entity in Australia.
In light of the elevated regulatory expectations, reporting entities that may engage in Nested Services Relationships should proactively assess whether their existing due diligence frameworks are sufficiently robust to manage associated risks. Ahead of the 31 March 2026 commencement date, entities should also evaluate the need for enhanced systems and controls to ensure compliance.
Please contact us if you would like to discuss how these reforms may affect your business.