Mr Paul Jevtovic APM
Chief Executive Officer
By email: email@example.com
Dear Mr Jevtovic
Submission on Draft Amendments to Chapter 4 of the AML/CTF Rules
The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to comment on the draft amendments to Chapter 4 of the Anti-Money Laundering and Counter-Terrorism Financing Rules (the draft AML/CTF Rules). The OAIC has engaged with AUSTRAC on a previous draft of the AML/CTF Rules in its letters dated 25 September 2013 and 28 January 2014.
In making the comments below, the OAIC appreciates the benefits to reporting entities (as defined by the Anti-Money Laundering and Counter-Terrorism Financing Act 2006) in providing additional flexibility to identify individuals when undertaking their customer due diligence requirements. However, as the process of identifying individuals involves the handling of individuals’ personal information, it is important to ensure that these processes incorporate appropriate privacy protections.
With this in mind, the OAIC provides the following comments on the draft AML/CTF Rules. The comments relate to the proposed amendment that allows for the broadening of collection of identification information from sources other than customers.
Broadening of collection of identification information
The OAIC understands that the proposed amendments aim to broaden the collection of identification information about an individual from sources other than the customer. Currently the AML/CTF Rules require reporting entities to collect information ‘from’ the customer to which that personal information relates. The proposed amendments will in contrast require reporting entities to collect information ‘about’ a customer, whether directly from the customer or by other means. There appears to be no restriction within the AML/CTF Rules on the sources from which identification information can be collected about a customer.
Collection of identification information by APP entities that are organisations
Australian Privacy Principle (APP) 3.6 states that an APP entity (which includes organisations and certain government agencies) must collect personal information about an individual only from that individual, unless certain exceptions apply. This enables individuals to exercise greater control over their personal information and decide how much personal information will be shared or revealed to others.
Relevantly for those AML/CTF reporting entities captured under the definition of an organisation (s 6C of the Privacy Act 1988), organisations may collect personal information about an individual, from someone other than the individual, only if it is ‘unreasonable or impracticable’ to collect it from that individual. As noted in the OAIC’s guidance on APP 3 – Collection of solicited personal information, whether it is ‘unreasonable or impracticable’ to collect information from an individual will depend on the particular circumstances of the collection. Paragraph 3.65 of the APP Guidelines provides considerations that may be relevant for whether it is ‘unreasonable or impracticable’ to collect personal information only from the individual concerned.
Organisations that collect information about a customer from a third party under the AML/CTF Rules will need to consider their APP 3.6 obligation to collect information about a person from that person directly, except where it is unreasonable or impracticable for the organisation to do so.
Collection of identification information by APP entities that are agencies
There are two exceptions to the requirement for agencies (defined in s 6C of the Privacy Act 1988) to collect personal information only from an individual. These exceptions are where the individual consents to the collection, or the collection is required or authorised by law. As such, the draft amendments to the AML/CTF Rules may enable collection of personal information by agencies, from sources other than that individual, under the APP 3.6(a)(ii) exception.
In those circumstances it is important to ensure that the draft AML/CTF Rules authorise the handling of personal information in a way that impacts on individuals’ privacy only to the extent that is necessary to achieve a legitimate objective, and that the amendment is drafted narrowly.
The OAIC therefore suggests that careful consideration is given to whether the proposed amendments appropriately take into account individuals’ privacy interests. This may be done by carrying out a Privacy Impact Assessment (PIA), discussed below.
Privacy Impact Assessment
The OAIC suggests that AUSTRAC consider undertaking a PIA on the proposed amendments, to ensure that the AML/CTF Rules are designed with necessary privacy protections built in. This would allow AUSTRAC to address the privacy issue raised above. The PIA should consider the privacy impact of the proposed amendments, including what additional privacy safeguards may be necessary where any authorising legislation would derogate from the protections afforded by the APPs. The OAIC has recently published a guide on undertaking privacy impact assessments that you may find useful. It would be appreciated if the OAIC is kept informed as to whether a PIA will be undertaken and its progress.
The OAIC also notes that should the amendments to the AML/CTF Rules proceed as currently proposed, further consideration will need to be given to whether the privacy policies and notices of reporting entities will require amendment to reflect the changes.
Should you require any further information, please do not hesitate to contact Annan Boag, A/g Director, on [contact details redacted].
Australian Privacy Commissioner
16 July 2015
 Submission to AUSTRAC responding to consultation on proposed amendment to the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No 1): Customer Due Diligence provisions
 Submission to AUSTRAC on the proposed amendment to the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No 1): Customer Due Diligence provisions
 Chapter 3: APP 3 — Collection of solicited personal information
 Guide to undertaking privacy impact assessments