Reporting Groups: Multi-Entity AML Compliance Under the AML/CTF Act

A reporting group is a formal structure recognised under the AML/CTF Act that allows multiple related reporting entities to operate a joint AML/CTF Program and share compliance functions. The legal framework for reporting groups is found in Part 9 of the AML/CTF Rules.

A reporting group is not merely a matter of corporate structure — it requires active recognition and management. To form a reporting group, the entities involved must enter into a formal arrangement that satisfies the AML/CTF Rules' requirements, and they must manage the group in accordance with specific governance obligations.

The core benefits of a reporting group are efficiency and consistency. Without a reporting group arrangement, each related entity must independently develop and maintain its own AML/CTF Program, conduct its own customer due diligence, and manage its own AUSTRAC reporting obligations. This creates significant duplication — the same customer may be subject to KYC across multiple related entities, the same Program may need to be separately drafted and audited, and the same compliance functions may need to be replicated across the group.

A reporting group allows these duplicated functions to be consolidated. A single AML/CTF Program can cover all entities in the group. Customer due diligence conducted by one group entity can be relied upon by another (subject to conditions). A single compliance officer and team can manage compliance across all entities. A single independent audit can review the group's Program. The cost and effort of compliance is significantly reduced, while the standard maintained is no lower than if each entity operated independently.

Not all groups of related businesses can form a reporting group under the AML/CTF Act. The eligibility requirements are specific and must be assessed before a group structure can be implemented.

The primary eligibility criterion is that all entities in the reporting group must be "related bodies corporate" within the meaning of the Corporations Act 2001. Related bodies corporate are entities that are in a holding-subsidiary relationship with each other or are subsidiaries of the same holding company. The most common reporting group structure is a holding company and its wholly-owned or majority-owned operating subsidiaries.

Additional structures may be eligible under specific provisions of the AML/CTF Rules: entities that are not related bodies corporate may be able to participate in a reporting group where they have a prescribed relationship with the other group members and satisfy AUSTRAC's assessment of the appropriateness of group compliance.

Each entity in the reporting group must be a reporting entity in its own right — that is, it must provide at least one designated service and be enrolled or registered with AUSTRAC individually. The reporting group does not create a combined reporting entity; it creates a mechanism for shared compliance functions across multiple separately-enrolled entities.

Entities that are not reporting entities — for example, a holding company that does not itself provide designated services — may participate in the group's compliance structure as "non-reporting entity members" under the Designated Business Group provisions, but their role is different from full reporting group membership.

One of the most significant operational benefits of a reporting group is the ability to share customer due diligence across group entities. Under the AML/CTF Rules, an entity within a reporting group can rely on KYC/KYB conducted by another group entity, subject to conditions.

The conditions for CDD reliance are important. The entity relying on another's CDD (the "relying entity") must be satisfied that: the CDD was conducted to the same standard that the relying entity would have applied; the entity that conducted the CDD (the "conducting entity") has provided the relying entity with access to the CDD records; and there is a formal arrangement in place within the reporting group authorising the reliance.

Where these conditions are met, a customer who has been fully verified by Entity A in the group can be accepted by Entity B in the group without Entity B conducting its own independent verification. This is particularly valuable for corporate groups where customers deal with multiple entities — a business banking group, for example, where customers use both the lending entity and the payment processing entity.

It is important to note that CDD reliance does not transfer liability. If the underlying CDD conducted by Entity A was deficient — if documents were not properly verified, if beneficial ownership was not investigated — Entity B's reliance on it does not reduce Entity B's compliance obligation. Both entities remain responsible for the adequacy of the CDD on their customers. The group must therefore maintain robust quality standards for CDD across all entities, even where shared reliance is in place.

Shared CDD also requires careful data governance. The CDD records must be accessible to all entities relying on them, in a timely and complete manner. A centralised customer data platform that all group entities can access, with appropriate access controls, is the standard implementation.

Reporting groups can implement consolidated AUSTRAC reporting, whereby a single entity — the Designated Reporting Entity (DRE) — lodges reports on behalf of the group. This simplifies the reporting process and provides AUSTRAC with consolidated intelligence across the group's activities.

The DRE is designated in the reporting group arrangement. It is responsible for lodging SMRs, IFTIs, TTRs, and other required reports that relate to the activities of any entity in the group. The DRE receives transaction and customer data from all group entities, aggregates it, and lodges the required reports centrally.

For SMR purposes, the obligation to report is triggered when any entity in the group forms a suspicion — but the lodgement may be made by the DRE on the group's behalf. The DRE must have visibility into the compliance activities of all group entities so that SMR obligations triggered anywhere in the group are captured and reported within the required timeframes.

IFTI and TTR reporting through a DRE requires robust data feeds from all group entities that process international transfers or large cash transactions. Automated reporting feeds ensure that the DRE receives complete and timely transaction data for lodgement within the 10-business-day deadline.

The DRE model creates a concentration of compliance responsibility and data in one entity. This has governance implications: the DRE must have adequate resources, systems, and oversight to manage the consolidated reporting function. If the DRE fails to lodge required reports, all group entities may be affected. The DRE's management must understand and accept these responsibilities.

Operating a reporting group imposes specific governance obligations beyond those applicable to individual reporting entities. These obligations reflect the increased responsibility that comes with shared compliance functions and consolidated reporting.

A group-level AML/CTF Program must cover all entities in the reporting group. The Program must address the specific risks and designated services of each entity, while operating as an integrated group document rather than a collection of separate entity-level programs. The group Program must be approved by the governing body of the DRE and reviewed at least every three years as part of the independent audit.

A group compliance officer must be appointed. Unlike entity-level compliance officers who may be the same person wearing multiple hats, a group compliance officer carries responsibility for compliance across multiple entities with potentially different risk profiles and service types. They must have the seniority, authority, and resources to discharge this responsibility effectively.

The independent audit obligation applies to the group Program as a whole. The audit must review the adequacy and effectiveness of the group's AML/CTF compliance across all entities. Given the scope of a group audit, engaging an external auditor with specific AML/CTF expertise is standard practice.

Changes in group membership — entities joining or leaving the reporting group — must be managed carefully. New entities joining the group must be assessed for their individual compliance status, their CDD records must be integrated into the group's systems, and AUSTRAC must be notified of the change in group composition.

AUSTRAC notification of the reporting group arrangement is required. The AML/CTF Rules specify what information must be provided to AUSTRAC and when, including changes to group membership and changes in the designated reporting entity.