The e-verification provisions in section 35A of the AML/CTF Act expressly permit the use and disclosure of credit reporting information for electronic identity verification purposes to satisfy obligations under the AML/CTF Act, instead of documents, provided the reporting entity has obtained express and informed consent from an individual prior to making a verification request.
A breach of these requirements is a breach of section 13A Privacy Act: section 35L AML/CTF Act.
In summary the e-verification provisions:
• permit a reporting entity to disclose specified personal information (including name, date of birth and residential address) to a credit reporting agency (CRA) for identity verification purposes with the express consent of the individual whose identity is being verified;
• permit a CRA to conduct a matching process between personal information provided to it by a reporting entity and the personal information held on its own files and provide an assessment to the reporting entity of the outcome of the verification process;
• require reporting entities to notify their customers, or other individuals required to be identified under the AML/CTF Act, of unsuccessful attempts to verify identity using credit reporting data;
• require credit reporting agencies and reporting entities to retain information about verification requests and assessments for 7 years from the date of the request for CRAs and for 7 years after ceasing to provide designated services to a customer for reporting entities and to delete it at the end of those periods;
• require a CRA to keep information about verification requests separate from the individual’s credit information file;
• create offences to address unauthorised access to, and disclosure of, verification information.
The use of personal information contained in a credit information file is limited to verification of identification information for customers, or other individuals the reporting entity is required to identify, who are natural persons.
Reporting entities are required to obtain express and informed consent from an individual prior to making a verification request: express consent can be indicated in writing (eg in an account application), online, or on the phone. However, records must be retained to evidence the process followed and the consent given by the individual.
In an online context a customer may be required to ‘check’ a box indicating that the customer has read the information and consents but a failure to opt out (by unchecking a ticked consent box) will not indicate consent.
To ensure that the consent is informed, the consent must be specifically about the disclosure of personal information by the reporting entity to the CRA and use by the CRA of the personal information contained in credit information files for an assessment. The consent must specify that the reporting entity will only use the assessment by the reporting entity for the purpose of verifying the individual’s identity for the purposes of the AML/CTF Act: a general consent to the use of information to verify identity will not be sufficient. If an individual other than the customer is being identified, that person will also have to consent to the process.
The individual must be given information about the reason for making the request for verification, the personal information that may be provided to the CRA, and the fact that the reporting entity is seeking, and the CRA may provide an assessment of whether the personal information matches (in whole or in part) information on the individual’s credit information file.
To ensure that the consent is genuine, paragraph 35A(2)(c) requires that the individual must be given another option, not reliant upon credit reporting information, for verifying their identity.
The reporting entity must retain a record containing specified information relating to a verification request. Section 35F of the AML/CTF Act requires a reporting entity to retain this information for a period starting from the date of the verification request and ending 7 years after the reporting entity ceased providing a designated service to the individual, and must delete it at the end of that period.
The record must contain the name of the CRA to which the request was made, the personal information provided to the CRA, the assessment received, and any other information specified in the AML/CTF Rules.
An individual has the right to:
• Choose whether to agree to verification using information held on their credit information file (section 35A of the AML/CTF Act).
• Be advised if a verification attempt is unsuccessful (section 35C of the AML/CTF Act), including details of which CRA was involved, and offered an alternative means of verification.
• Access information relating to verification requests from the reporting entity and from the CRA (section 35G of the AML/CTF Act).
