Submission to AUSTRAC responding to consultation on proposed amendment to the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No 1): Customer Due Diligence provisions

25 September 2013

Mr Richard Bunting
A/Director Domestic Policy
Legal and Policy Branch
PO Box 5516
West Chatswood NSW 1515

Dear Mr Bunting

Consultation on possible enhancements to the requirements for customer due diligence

Thank you for providing the Office of the Australian Information Commissioner (OAIC) with the opportunity to comment on the Consideration of possible enhancements to the requirements for customer due diligence: Discussion paper (discussion paper). Please note the following comments in response to the discussion paper.

Introduction of the Australian Privacy Principles

From 12 March 2014 the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Amendment Act)amends the Privacy Act 1988 (Privacy Act) to remove the Information Privacy Principles (IPPs) and National Privacy Principles (NPPs) and introduce the Australian Privacy Principles (APP). The APPs will apply to both Australian Government and Norfolk Island agencies and organisations. The OAIC notes that the discussion paper references the National Privacy Principles. If amendments to the Anti-Money Laundering and Counter Terrorism Finance Rules will be made post 12 March 2014 the Australian Transaction Reports and Analysis Centre (AUSTRAC) should ensure compliance with the Australian Privacy Principles. In particular it would be relevant for AUSTRAC to consider the implications of APP 1 – open and transparent management of personal information, APP 5 – notification of the collection of personal information and APP 11 – security of personal information.

Undertaking a Privacy Impact Assessment

Under the proposed amendments outlined in the discussion paper, the collection of information would be expanded for reporting entities. Given this expansion of information collection, the OAIC recommends that AUSTRAC conduct a Privacy Impact Assessment (PIA) to identify and analyse relevant privacy impacts and to make recommendations about appropriate measures to minimise or prevent any privacy impacts. Conducting a PIA will allow AUSTRAC to manage any negative privacy impacts and help to ensure that any amendments comply with privacy law and other legislative requirements and with broader community privacy expectations.

Identifying beneficial owners

One of the proposed amendments that may result in an expansion of collected information is a proposal that the AML/CTF rules be amended to require reporting entities to identify beneficial owners. The OAIC notes that this has the risk of reducing the privacy of individual customers.

However the OAIC acknowledges that it is difficult for reporting entities to assess risk without identifying clients. On that basis the OAIC does not oppose the cascading measures outlined by the FATF standard as a reasonable approach, but strongly suggests that this issue is considered as part of the PIA, with a focus on reducing the impact on privacy as a result of this proposed amendment.

Information to be up–to–date and relevant

The OAIC strongly supports the proposal to enhance customer due diligence (CDD) by requiring reporting entities to keep CDD information up–to–date and relevant. This requirement would reinforce APP 10 – quality of personal information that requires APP entities to take reasonable steps to ensure that personal information that the entity:

  • collects is accurate, up–to–date and complete
  • uses or discloses is accurate, up–to–date, complete and relevant.

Reliance on due diligence undertaken by third parties

The discussion paper also sets out proposals to limit the regulatory burden of the reforms. One of the proposals recommends allowing reporting entities to rely on due diligence undertaken by third parties. The discussion paper acknowledges that this proposal may present obstacles by way of privacy considerations through the sharing of information.

These considerations, or risks, may include:

  • not providing individuals with sufficient notice about when and to whom their personal information will be disclosed
  • the extent of sharing of the information
  • the security of the information transfers.

The OAIC notes that at this point there is little detail about how this proposal would work in practice but that it may require specific safeguards to protect privacy. If this proposal is to be progressed the OAIC suggests AUSTRAC undertake a further detailed PIA analysis once there is sufficient detail to work with.

If you have any questions or would like to discuss any matters raised further please do not hesitate to contact Ben Gollan, Assistant Director, Regulation and Strategy Branch at [redacted] or on [redacted].

Yours sincerely

Timothy Pilgrim
Australian Privacy Commissioner
25 September 2013

Was this page helpful?

Thank you.

If you would like to provide more feedback, please email us at