The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act), and the Anti-Money Laundering and Counter-Terrorism Financing Rules (AML/CTF Rules) aim to prevent money laundering and the financing of terrorism by imposing a number of obligations on the financial sector, gambling sector, remittance (money transfer) services, bullion dealers and other professionals or businesses (known as ‘reporting entities’) that provide particular services (known as ‘designated services’). These obligations include collecting and verifying certain ‘know your customer’ (KYC) information about a customer's identity when providing those services.
Businesses that are required to comply with the AML/CTF Act are also required to comply with the Privacy Act 1988when handling personal information collected for the purposes of compliance with their AML/CTF Act obligations.
The Australian Transaction Reports and Analysis Centre (AUSTRAC) is the Australian Government agency responsible for ensuring compliance with the AML/CTF Act.
Privacy obligations of small business ‘reporting entities’
Small businesses (defined in the Privacy Act as having an annual turnover of $3 million or less) are generally not covered by the Privacy Act. However, small businesses that are reporting entities for the purposes of AML/CTF Act are required to comply with the Privacy Act when handling personal information collected for the purposes of complying with obligations under the AML/CTF Act and the AML/CTF Rules. This includes small businesses that may be exempt from obligations under the Privacy Act in terms of other business activities they undertake.
If a small business is brought into the Privacy Act because they are reporting entities under the AML/CTF Act and then are later exempted from reporting obligations due to rules issued by AUSTRAC under the AML/CTF Act, the small business is still a reporting entity within the meaning of the Privacy Act. Therefore, in relation to activities it carried on for the purpose of complying with the AML/CTF Act or AML/CTF Rules, the small business continues to have all the Privacy Act obligations it had before the exemption was granted.
Identity verification using the credit system
Division 5A of the AML/CTF Act authorises the use and disclosure of personal information contained in an individual’s credit information file by a credit reporting agency (CRA) to a reporting entity for the purpose of verifying the individual’s identity under the AML/CTF Act.
The AML/CTF Act enables a CRA to prepare a report for a reporting entity as to whether the personal information it was provided with matches information that it holds on a credit information file. The matching process involves the individual’s name, residential address and date of birth details provided by the reporting entity. A CRA that has received a verification request from a reporting entity is not permitted to consider other aspects of an individual’s credit file beyond the details that correspond with the information provided by the reporting entity. A CRA may only provide an overall assessment of the extent of the match between the personal information provided by the reporting entity and the personal information contained in an individual’s credit information file. The CRA is not permitted to provide a separate assessment of the match between the name, address and date of birth information provided by the ‘reporting entity’.
Under Division 5A, a ‘reporting entity’ must not make a verification request unless:
- it has first given the individual whose identity is being verified, information about the proposed process
- obtained the individual’s express consent
- made available an alternative means of identity verification.
A breach of a requirement of Division 5A by a CRA or a reporting entity constitutes an interference with the privacy of the individual for the purposes of the Privacy Act. An individual affected by an alleged breach may complain to the Office of the Australian Information Commissioner.
The AUSTRAC Privacy Consultative Committee
Subsection 212(2)(a)(vi) of the AML/CTF Act requires the AUSTRAC CEO to consult with the Australian Information Commissioner in performing his or her functions. Subsection 212(3)(h) requires the AUSTRAC CEO to have regard to privacy in performing his or her functions under the AML/CTF Act. The Privacy Consultative Committee (the Committee) is one of the means by which the AUSTRAC CEO fulfills these obligations.
The Committee meets at least twice a year and its role includes providing comment and advice to the AUSTRAC CEO on privacy and civil liberties matters. The Committee comprises representatives of:
- the Attorney-General’s Department
- relevant public interest groups that include consumer, privacy and civil liberty entities
- the Office of the Australian Information Commissioner
- designated agencies including but not restricted to the Australian Taxation Office, the Australian Federal Police, the Australian Crime Commission and the Australian Customs & Border Protection Service.
More information about the AML/CTF Act is available from the AUSTRAC website.