Privacy Obligations

The Office of the Australian Information Commissioner (OAIC) issued privacy guidance for AML/CTF reporting entities.

Small businesses in Australia (those with an annual turnover below $3 million) are generally exempt from the Privacy Act 1988. That exemption does not apply once a business is an AML/CTF reporting entity. When handling personal information for AML/CTF purposes, including client due diligence and staff due diligence, reporting entities must comply with the Privacy Act and the Australian Privacy Principles (APPs), even if they would otherwise qualify for the small business exemption.

Only collect information that is reasonably necessary

You should collect only the personal information that is reasonably necessary to comply with your AML/CTF obligations. Collecting excessive or unnecessary data wastes resources and increases cybersecurity exposure for both your business and your clients: information you do not hold cannot be lost or stolen.

When assessing whether information is reasonably necessary, consider:

  • whether the designated service could be provided without collecting the information, or with less information, and

  • whether collecting the information is proportionate to the purpose of providing the designated service.

Be transparent about why information is collected

Under the APPs, businesses must be open and transparent about their information-handling practices. Clients should generally be notified about:

  • the identity and contact details of the organisation collecting the information

  • the fact and purpose of the collection

  • whether the collection is required or authorised by law (in this case, the AML/CTF Act and AML/CTF Rules)

  • the consequences of not providing the information (for example, that you may not be able to provide the service)

  • the usual disclosures of the personal information (such as AUSTRAC or an independent evaluator)

  • the likelihood of cross-border disclosure, if any third-party service providers are located overseas

  • how individuals can access and correct their information

Protect the personal information you hold

You must take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure. The specific safeguards may be proportionate to the size and nature of the business. However, even small businesses are expected to take meaningful steps to protect the information they hold.

The OAIC suggests practical measures such as:

  • implementing two-factor authentication

  • installing software updates and security patches

  • restricting access to personal information to staff who need it

  • ensuring secure storage and transmission of client information

In addition, businesses should implement a data breach response plan.

Have a data breach response plan

A data breach response plan helps organisations respond quickly and effectively if an incident occurs. In general, such a plan should include:

1. Contain and assess the incident
Contain the incident where possible (for example, by revoking compromised credentials or taking an affected system offline), then assign a responsible person or team to investigate the breach and determine the likelihood and severity of harm.

2. Notify if serious harm is likely
If the breach is likely to result in serious harm to any affected individual, the organisation must notify the OAIC and the affected individuals as soon as practicable.

3. Prevent future incidents
Whether or not the breach reaches the notification threshold, the organisation should review the incident, update policies and procedures where necessary, and ensure staff are trained on the changes.

Allow access and delete information when required

Finally, you must ensure that individuals can access their personal information on request, typically within 30 days. You must also comply with AML/CTF record-keeping obligations, which generally require client records to be kept for seven years after the end of the business relationship. Once the statutory retention period expires, you should take reasonable steps to securely destroy or de-identify the information.

Final thoughts

Privacy compliance is not separate from AML/CTF compliance. The two frameworks work together: AML/CTF laws require the collection of personal information, while privacy laws ensure that this information is collected responsibly and protected appropriately. Understanding both frameworks early will help you implement compliance processes that are effective, proportionate, and trusted by clients.

A key step is understanding exactly what your AML/CTF obligations are, and avoiding going beyond what is required. This includes:

  • Identifying which of your services are designated services and ensuring you do not collect unnecessary information from clients who are not receiving those services.

  • Developing a clear understanding of what constitutes a high-risk client or situation, so enhanced customer due diligence is applied appropriately and only when required.

  • Becoming familiar with customer due diligence requirements, so you collect the right information without exceeding regulatory expectations.

Taking the time now to understand these requirements will help your business build efficient compliance processes while minimising unnecessary data collection and privacy risks.

If you would like support preparing your business for the AML/CTF reforms, including risk assessments, policies and procedures, and staff training, feel free to get in touch or book a call.
