AML/CTF and privacy

Businesses that are reporting entities under the AML/CTF Act are authorised by section 35A of the Act to disclose personal information of individuals for identity verification purposes.

If your business is considered to be a reporting entity for the purposes of the AML/CTF Act, it will have obligations under the Privacy Act including the requirement to comply with the National Privacy Principles, even if it is otherwise exempt from the Privacy Act.

For example, businesses with a turnover of $3 million or less are usually exempt from the Privacy Act.

But all small businesses that are reporting agencies for AML purposes are covered by the Privacy Act regardless of their annual turnover.

If your business falls into this category, the Privacy Act will only apply to personal information collected and disclosed handled for AML/CTF purposes, such as identity verification.

What do you need to do?

  • You should only collect the minimum amount that is necessary to meet ‘Know Your Customer’ obligations.
  • NPP 1 requires businesses to take reasonable steps to tell individuals why they are collecting their personal information, including whether it is required by a law, as well as how they will handle it.
  • In addition, organisations are required by NPP 5 to make available a privacy policy that provides anyone with general information on how personal information might be handled by that organisation.
  • There may be times however when it might not be appropriate to inform a customer that you have collected personal information, particularly in regard to suspicious transactions. Businesses need to consider the prohibitions in the AML/CTF Act against ‘tipping off’ customers concerning suspicious matters information.
  • Personal information collected for AML purposes must be kept secure.
  • NPP 4 also requires that organisations take reasonable steps to destroy or permanently de-identify personal information when it is no longer required.
  • Reporting entities also need to take reasonable steps to ensure that personal information is accurate and up-to-date.
  • AML information should not be used for by reporting entities for other purposes (eg marketing).
 

Your Compliance Support Plan

We understand you need a cost-effective way to keep up to date with regulatory changes. Talk to us about our fixed price plans.