Last updated: 18 April 2024

The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act), and the Anti-Money Laundering and Counter-Terrorism Financing Rules (AML/CTF Rules) aim to prevent money laundering and the financing of terrorism by imposing a number of obligations on the financial sector, gambling sector, remittance (money transfer) services, digital currency exchange services, bullion dealers and other professionals or businesses (known as ‘reporting entities’) that provide particular services (known as ‘designated services’). These obligations include collecting and verifying certain ‘know your customer’ (KYC) information about a customer’s identity when providing those services.

Businesses that are required to comply with the AML/CTF Act are also required to comply with the Privacy Act 1988 when handling personal information collected for the purposes of compliance with their AML/CTF Act obligations.

The Australian Transaction Reports and Analysis Centre (AUSTRAC) is the Australian Government agency responsible for ensuring compliance with the AML/CTF Act.

The AML/CTF Act requires the AUSTRAC CEO to consult with the Australian Information Commissioner in relation to matters that relate to privacy functions[1] and to have regard to privacy in performing his or her functions under the AML/CTF Act.[2]

Privacy obligations of small business ‘reporting entities’

Small businesses (defined in the Privacy Act as having an annual turnover of $3 million or less) are generally not covered by the Privacy Act. However, small businesses that are reporting entities for the purposes of the AML/CTF Act are required to comply with the Privacy Act when handling personal information collected for the purposes of complying with obligations under the AML/CTF Act and the AML/CTF Rules. This includes small businesses that may be exempt from obligations under the Privacy Act in terms of other business activities they undertake.

If a small business is brought into the Privacy Act because it is a reporting entity under the AML/CTF Act and is later exempted from reporting obligations due to rules issued by AUSTRAC under the AML/CTF Act, the small business is still a reporting entity within the meaning of the Privacy Act. Therefore, in relation to activities it carried on for the purpose of complying with the AML/CTF Act or AML/CTF Rules, the small business continues to have all the Privacy Act obligations it had before the exemption was granted.

Identity verification using the credit system

Division 5A of Part 2 of the AML/CTF Act authorises the use and disclosure of certain personal information held by a credit reporting body (CRB) to a reporting entity for the purpose of verifying the individual’s identity under the AML/CTF Act.

The AML/CTF Act enables a CRB to prepare an assessment, upon the request of a reporting entity, of whether certain personal information provided to it by that reporting entity matches certain types of identification information held by the CRB. The matching process is limited to the individual’s name, residential address and date of birth details. This means that a CRB that has received a verification request from a reporting entity is only permitted to consider name, residential address and birth date details when making that assessment. A CRB will not be permitted to consider any other consumer credit-related personal information that it holds.

Importantly, a CRB may only provide an overall assessment of the extent of the match between the personal information provided by the reporting entity and the personal information held by the CRB. The CRB is not permitted to provide separate assessments of the match between the particular categories of personal information provided by the reporting entity.

Under Division 5A, a reporting entity must not make a verification request unless it has first:

  • given the individual whose identity is being verified information about the proposed verification process, including the reasons for making the request and the personal information about the individual that may be disclosed to the CRB
  • obtained the individual’s express consent, and
  • made available an alternative means of identity verification.

A breach of a requirement of Division 5A by a CRB or a reporting entity constitutes an interference with the privacy of the individual for the purposes of the Privacy Act. An individual affected by an alleged breach may complain to the Office of the Australian Information Commissioner.

More information about the AML/CTF Act is available from the AUSTRAC website.

[1] s 212(2)(a)(vi) of the AML/CTF Act.

[2] s 212(3)(h) of the AML/CTF Act.