(1) This section applies if the AUSTRAC CEO has reasonable grounds to suspect that a reporting entity has contravened, is contravening, or is proposing to contravene, this Act, the regulations or the AML/CTF Rules.
(2) The AUSTRAC CEO may, by written notice given to the reporting entity, require the reporting entity to:
(a) appoint an external auditor; and
(b) arrange for the external auditor to carry out an external audit of whichever of the following is specified in the notice:
(i) the reporting entity's compliance with this Act, the regulations and the AML/CTF Rules;
(ii) one or more specified aspects of the reporting entity's compliance with this Act, the regulations and the AML/CTF Rules; and
(c) arrange for the external auditor to give the reporting entity a written report (the audit report ) setting out the results of the audit; and
(d) give the AUSTRAC CEO a copy of the audit report within:
(i) the period specified in the notice; or
(ii) if the AUSTRAC CEO allows a longer period--that longer period.
(3) The notice must specify:
(a) the matters to be covered by the audit; and
(b) the form of the audit report and the kinds of details it is to contain.
(4) The matters that may be specified under paragraph (3)(a) may include either or both of the following:
(a) an assessment of the reporting entity's existing capacity to comply with this Act, the regulations and the AML/CTF Rules;
(b) an assessment of what the reporting entity will need to do, or continue to do, to comply with this Act, the regulations and the AML/CTF Rules.
(5) Subsection (4) does not limit paragraph (3)(a).
Eligibility for appointment as an external auditor
(6) An individual is not eligible to be appointed an external auditor by a reporting entity if:
(a) the individual is an officer, employee or agent of the reporting entity; or
(b) both:
(i) the reporting entity belongs to a designated business group; and
(ii) the individual is an officer, employee or agent of another member of the designated business group.
(7) A person commits an offence if:
(a) the person is subject to a requirement under subsection (2); and
(b) the person engages in conduct; and
(c) the person's conduct breaches the requirement.
Penalty: Imprisonment for 12 months or 60 penalty units, or both.
Civil penalty
(8) A reporting entity must comply with a requirement under subsection (2).
(9) Subsection (8) is a civil penalty provision.