Help! I've Fallen into Quicksand

Like many people who grew up in the 1970s, one of my greatest childhood fears was falling into quicksand. Every adventure show seemed to feature an unsuspecting explorer stepping into a patch of sand and slowly disappearing beneath the surface. The harder they struggled, the deeper they sank.

Fast forward a few decades and many MDA providers are experiencing a remarkably similar feeling. Only this time it’s not quicksand it's governance, compliance, legislation, risk assessments, service mapping, designated services and reporting entity obligations.

If you are an MDA provider, Responsible Manager or AFSL holder trying to understand Australia's new AML/CTF regime, you may feel like you're sinking into a compliance quagmire. Every article you read seems to introduce another obligation, another acronym or another regulatory expectation.

Before you start kicking frantically, stop. Much like escaping quicksand, keeping a level head and understanding the terrain is the first step to getting out.

The good news is that the AML/CTF reforms are not impossible to navigate. The challenge is understanding what has changed, why it has changed, and where your obligations may begin and end.

The reforms are really asking one question: what services does your business actually perform? Answering that starts with service mapping. Until you understand the activities your business actually carries out, not simply the role it describes itself as performing, it’s difficult to determine where your AML/CTF obligations begin or end.

The Old Way Was Fine, Right? Why Are You Making Me Do This?

For many MDA providers, the historical position seemed relatively straightforward.

Most MDA services have traditionally operated through regulated investment platforms, custodians and administration providers. Client accounts were established through platform operators, customer identification procedures were conducted by platform providers, transaction processing occurred within regulated systems and client assets were held through established custodial arrangements.

As a result, many AFSL holders became comfortable with the belief that AML/CTF obligations largely sat elsewhere within the service chain.

In many respects, that assumption was understandable.

The platform knew the client.

The platform performed Know Your Customer checks.

The platform processed transactions.

The platform maintained records.

The platform monitored account activity.

The platform submitted reports where required.

Meanwhile, the MDA provider focused on what it did best: providing investment management services and exercising investment discretion on behalf of clients.

For many years, this approach appeared to work reasonably well, particularly for MDA operators utilising regulated platform arrangements commonly associated with platform-based investment arrangements.

Unfortunately, criminals are remarkably effective at identifying gaps between regulatory responsibilities.

Money laundering today rarely resembles the Hollywood stereotypes of suitcases full of cash. Criminal enterprises increasingly utilise sophisticated structures involving trusts, companies, advisers, investment accounts and multiple financial institutions to disguise the origin of funds and obscure beneficial ownership.

Regulators have recognised that relying upon assumptions regarding who is responsible creates opportunities for abuse. The reforms are therefore designed to ensure that businesses understand their own obligations rather than simply assuming another participant in the service chain has everything covered.

This brings us to two concepts that every MDA provider now needs to understand.

What Is a Designated Service?

The AML/CTF Act does not regulate businesses simply because they hold an AFSL or provide financial services.

Instead, the legislation regulates specific activities known as designated services. A designated service is a service identified within the AML/CTF Act that is considered vulnerable to money laundering, terrorism financing or other forms of financial crime.

The legislation contains numerous designated services covering a wide range of financial and transactional activities. Some relate to banking services, some relate to payments, some relate to custodial services and others relate to dealing in financial products.

Whether an organisation becomes subject to AML/CTF obligations depends largely upon whether it provides one or more designated services. This distinction is important. Many businesses have spent years asking whether they are an AFSL holder, adviser, platform operator, trustee or MDA provider.

The AML/CTF legislation asks a different question. What services do you actually perform? Understanding the answer requires looking beyond job titles, business descriptions and marketing material and examining what activities are actually being undertaken.

What Is a Reporting Entity?

Once a business provides a designated service, it may become what is known as a reporting entity. A reporting entity is an organisation that is subject to obligations under the AML/CTF Act because it provides one or more designated services.

Those obligations may include enrolment and registration with AUSTRAC, customer due diligence, transaction monitoring, suspicious matter reporting, record keeping, staff training, risk assessments and maintaining an AML/CTF Program.

In simple terms, designated services are the activities that trigger the legislation, while reporting entities are the organisations that become responsible for complying with it. This distinction may seem technical, but it sits at the centre of the questions many MDA providers are currently asking.

So, Am I a Reporting Entity?

This is where things become interesting. Many MDA providers have historically assumed they are not reporting entities because the platform performs customer onboarding and maintains the client account. The reality may not always be so simple.

To answer the question properly, an MDA provider must first undertake a process known as service mapping. Service mapping involves examining every stage of the client relationship and documenting exactly what services are being provided, who provides them and how they interact with other participants within the operating model. This process often reveals that an organisation performs activities that were never previously viewed through an AML/CTF lens.

The purpose is not to force every MDA provider into becoming a reporting entity. The purpose is to ensure the organisation understands why it is, or is not, one. Increasingly, regulators will expect businesses to demonstrate the reasoning behind their conclusions rather than relying upon assumptions.

Why Item 54 and Item 3 Are the Real MDA Questions

For many MDA providers, the key AML/CTF question is not simply whether a platform performs onboarding or custody. It is whether the AFSL holder is merely arranging for the client to receive another designated service, or whether it is separately managing the client’s money or property through discretionary authority.

The key question is no longer simply whether you use a platform. It is whether your business is merely arranging for another provider to deliver a designated service, or whether your own activities, particularly where you exercise investment discretion, require separate consideration under the AML/CTF framework.

At first glance, many MDA providers immediately recognise why this attracts attention. After all, discretionary portfolio management involves making investment decisions and arranging transactions on behalf of clients pursuant to an MDA Contract. The actual transaction may ultimately be executed through a broker, custodian or platform operator, but the MDA provider often directs, authorises or causes the transaction to occur.

Does this mean every MDA provider automatically becomes a reporting entity?

No.

But it does mean every MDA provider should carefully assess whether their activities fall within the scope of one or more designated services. The answer will depend heavily upon the operating model, on the actual activity, including whether the firm manages property or merely arranges access to another service

An MDA provider operating through a regulated platform may have a different analysis to an operator using direct custody arrangements. An externally advised MDA structure may differ from an internally managed model. Businesses utilising model managers, external advisers, brokers or separate custodians may also find that responsibilities differ across the service chain.

The key point is that assumptions are becoming increasingly dangerous. The question is no longer "We use a platform, so we're covered." The question is "What designated services are we providing and what evidence supports our conclusion?"

Three MDA Providers – Three Different Outcomes

One of the difficulties with the new AML/CTF regime is that there is no single answer that applies to every MDA Provider.

Two businesses may both describe themselves as MDA Providers, both hold an AFSL and both provide discretionary investment management services, yet they may arrive at different conclusions when determining whether they are providing a designated service.

The following examples are simplified illustrations only. They are not intended to provide legal advice or definitive regulatory outcomes. Rather, they demonstrate why every MDA Provider should undertake a documented service mapping exercise before concluding whether they are a reporting entity.

Example One – An MDA Provider That May Be Providing a Designated Service

ABC Private Wealth provides discretionary portfolio management directly to wholesale clients. It enters into MDA Contracts with each client, maintains the investment relationship, determines investment strategy and has authority to buy and sell securities without obtaining further instructions.

Client assets are held by an independent custodian, while transactions are executed through an executing broker. The MDA Provider determines when securities are to be acquired or disposed of and instructs the broker accordingly.

When ABC Private Wealth maps its services, it identifies that its role extends well beyond providing financial product advice. It is responsible for exercising discretion and arranging investment transactions on behalf of its clients. Following a detailed legal and compliance assessment, the business concludes that its activities may constitute one or more designated services under the AML/CTF Act and therefore requires further consideration as to whether it is a reporting entity.

The existence of an independent custodian or broker does not automatically determine the outcome. What matters is the nature of the services the MDA Provider itself performs.

Example Two – An MDA Provider That May Not Be Providing a Designated Service

DEF Wealth Advisory also provides Managed Discretionary Accounts and enters into MDA Contracts directly with its clients. Like many MDA Providers, it develops investment strategies, exercises investment discretion and manages client portfolios.

However, every client is onboarded through a regulated investment platform. The platform establishes the investment account, performs customer identification and verification, opens the investment facility, maintains custody of the assets, processes all cash movements and executes transactions through its own operating environment.

As part of its AML/CTF implementation project, DEF Wealth Advisory undertakes a comprehensive service mapping exercise. It carefully analyses the services performed by both itself and the platform provider and documents how responsibilities are allocated throughout the operating model.

Following that assessment, and after obtaining appropriate legal and compliance advice, DEF Wealth Advisory concludes that while it provides discretionary investment management services under the MDA Contract, it is not itself providing the relevant designated service that would make it a reporting entity. Instead, those designated services are provided by the platform operator.

The important point is not that every platform-based MDA arrangement will produce this outcome. Rather, it demonstrates that the existence of an MDA Contract alone does not answer the question. The operating model and the services actually performed remain the determining factors.

Example Three – The Grey Area That Many MDA Providers Are Now Assessing

GHI Wealth Management also operates a platform-based MDA service. Clients enter into an MDA Contract directly with the firm and provide discretionary authority for portfolio management. The firm's Investment Committee determines all investment decisions and portfolio changes, while the platform provides custody, administration and settlement services.

Unlike the previous example, however, GHI Wealth Management electronically initiates and transmits trade instructions through the platform whenever portfolio changes are required. The platform executes those instructions within its systems, but the investment decisions and transaction instructions originate from the MDA Provider.

When GHI Wealth Management undertakes its service mapping exercise, the analysis becomes considerably more complex. The business must consider whether its role in directing or arranging acquisitions and disposals of financial products may itself constitute a designated service, notwithstanding that the platform continues to perform custody, administration and other regulated functions.

This is where many MDA Providers currently find themselves. The answer is unlikely to be determined simply by asking whether a regulated platform is involved. Instead, the organisation must carefully examine the contractual arrangements, operational processes and legal responsibilities of each participant in the service chain before reaching a documented conclusion.

The Lesson

These examples illustrate why service mapping has become one of the most important governance exercises an MDA Provider can undertake.

The same business description does not necessarily produce the same regulatory outcome. The presence of a regulated platform does not automatically determine whether an MDA Provider is, or is not, a reporting entity. Likewise, issuing an MDA Contract or exercising investment discretion does not, of itself, answer the question.

The AML/CTF Act focuses on the services actually being provided, not the labels businesses use to describe themselves.

For that reason, MDA Providers should avoid making assumptions based on their business model or the involvement of other regulated entities. Instead, they should undertake a structured service mapping exercise, identify any designated services that may be provided, document their reasoning and, where appropriate, obtain specialist legal or compliance advice before determining whether they are a reporting entity.

Looking Beyond the Platform

One of the most significant misconceptions emerging from industry discussions is the belief that a regulated platform automatically removes AML/CTF obligations from the MDA provider.

Platforms undoubtedly play an important role in identifying clients, monitoring transactions and maintaining records. However, regulators are increasingly focused on understanding who actually controls the client relationship and who is best positioned to identify suspicious activity.

An MDA provider often possesses extensive knowledge of a client's circumstances, source of wealth, investment objectives and transaction behaviour. In many cases, the MDA provider may be better placed than any other participant in the service chain to identify behaviour that appears unusual or inconsistent with the client's profile.

This does not necessarily mean that all AML/CTF obligations transfer to the MDA provider. It does, however, explain why regulators are becoming increasingly uncomfortable with situations where every participant assumes somebody else is responsible. The reforms are intended to create accountability, transparency and clearly defined responsibilities throughout the financial services ecosystem.

If I Am a Reporting Entity, What Happens Next?

Once an organisation concludes that it provides a designated service and therefore qualifies as a reporting entity, the focus shifts from interpretation to implementation.

This begins with enrolment and registration with AUSTRAC, but registration is only the starting point.

The more significant challenge is embedding AML/CTF controls into the daily operation of the business. AUSTRAC and independent auditors are increasingly looking beyond policy documents and focusing on operational effectiveness. They want to see evidence that AML/CTF obligations have become part of the organisation's governance framework rather than simply existing as a compliance manual sitting on a shelf.

Effective organisations embed AML/CTF requirements into client onboarding, compliance monitoring, risk management, incident reporting, staff training and management oversight. The objective is not simply to satisfy a legislative requirement but to create a framework capable of identifying and responding to financial crime risks as they arise.

The organisations that will navigate the reforms most successfully are those that treat AML/CTF as part of the business rather than an additional administrative burden imposed upon it.

What Will Auditors Be Looking For?

Many businesses assume an auditor's primary focus will be the existence of an AML/CTF Program.

In reality, auditors are generally more interested in whether the program is actually operating.

They will want to understand how the organisation determined whether it was a reporting entity. They will expect to see documented service mapping, designated service assessments and evidence supporting management's conclusions.

They will examine governance arrangements and seek evidence that senior management understands its AML/CTF responsibilities. They will review risk assessments and assess whether they reflect the actual activities of the business. They will test customer due diligence processes, examine reliance arrangements with third parties and assess whether monitoring and escalation procedures operate effectively in practice.

Most importantly, they will seek evidence.

Evidence that procedures are followed.

Evidence that controls operate.

Evidence that staff understand their responsibilities.

Evidence that issues identified are remediated.

Policies may start the conversation, but evidence is what ultimately satisfies auditors and regulators.

Ultimately, the AML/CTF reforms are less about labels than they are about evidence. The question is not whether your business calls itself an MDA provider, AFSL holder or platform participant. The question is what services it actually performs, and whether it can demonstrate why it has reached that conclusion.

Don't Sink

There is no doubt that Australia's AML/CTF reforms will create additional obligations for many MDA providers. There will be new assessments to perform, new governance responsibilities to document and new procedures to implement.

However, there is also an opportunity.

Businesses that undertake proper service mapping, understand their designated services and embed AML/CTF controls into their operations will likely emerge with stronger governance frameworks, better risk management practices and greater regulatory resilience.

The greatest risk is not necessarily becoming a reporting entity. The greatest risk is assuming you aren’t one.

Like quicksand, the more you rely on assumptions, the deeper you may find yourself sinking. The better approach is to understand your business model; understand the services you provide and document the reasoning behind your conclusions. That understanding may ultimately prove to be the strongest branch available.

How MDA Guru and Assured Support Can Help

AML/CTF reform isn’t just a registration exercise. For MDA providers, the real challenge is proving how the rules apply to your actual operating model.

MDA Guru and Assured Support help AFSL holders, Responsible Managers and MDA providers map their service chain, assess potential designated services, review platform reliance and document defensible AML/CTF governance.

That may include:

• service mapping

• designated service assessments

• reporting entity analysis

• reliance and governance reviews

• AML/CTF Program development

• AUSTRAC readiness support

The earlier you test your assumptions, the easier it is to avoid costly rework, unclear accountability and last-minute compliance panic.

The goal isn’t compliance theatre. It’s a practical, scalable framework that protects clients, satisfies regulators and supports a stronger MDA business. Reach out to us for help achieving that goal.

This article is a general reflection only and does not determine whether any particular MDA provider is a reporting entity. Each firm should map its own services; assess the designated services it provides and obtain legal advice where appropriate.