Australia | Publication | April 2023
This article was co-authored by Liam Shiel-Dick.
The Australian Attorney-General’s Department has recently released the Privacy Act Review Report (Report), which recommends significant changes to the Privacy Act 1988 (Privacy Act). The proposed changes aim to strengthen and modernise privacy protections for Australians by introducing a range of new rights for individuals, and additional obligations for businesses that handle personal information. Some of the proposed reforms have implications for compliance with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act).
This article analyses a number of significant proposals from the Report which could have an impact on AML/CTF compliance. We assess how these proposals might affect businesses and suggest steps to take to comply with both the Privacy Act and the AML/CTF Act.
The proposed reforms to the Privacy Act are comprehensive and aimed at providing improved protection of personal information. The three proposals that are most relevant to AML/CTF compliance are:
Strengthened notice requirements for businesses when collecting personal information.
Currently, the Australian Privacy Principles (APP) require APP entities to notify individuals if their personal information is likely to be disclosed to an overseas recipient.
APP 8.1 requires the disclosing entity to take reasonable steps to ensure that the overseas recipient of personal information does not breach the APPs in relation to the information. However, disclosing entities do not need to comply with APP 8.1 if they obtain express consent from an individual (whose information is being disclosed) that APP 8.1 will not apply to the disclosure.
The Report proposes amending these principles in the following ways:
These proposed changes may create tension with the existing obligations and practices of reporting entities under the AML/CTF Act. The AML/CTF Act requires companies to gather certain personal information from customers, such as name, date of birth, and address, to authenticate identity and scrutinise transactions for suspicious activity.
This information is regularly shared by reporting entities with their overseas operations. For instance, many reporting entities maintain offshore hubs to conduct customer due diligence. It is quite possible that those jurisdictions do not have the same robust privacy regime as Australia. The tension between these practices and the proposed changes will therefore need to be managed carefully by reporting entities which are covered by both regimes.
Additional obligations for entities handling employee records
Until now, private sector employers have been exempt from the operation of the Privacy Act with respect to employee records. This exemption was put in place because the handling of employee records was originally believed to be better addressed under workplace relations legislation.
Proposal 7.1 of the Report recommends expanding privacy safeguards to private sector employees, to accomplish the following objectives:
Proposal 7.1 of the Report notes that further consultation should be undertaken with employer and employee representatives on how the employee records protections should be implemented in legislation, and developing privacy codes of practice through a tripartite process to clarify obligations regarding collection, use and disclosure of personal and sensitive information.
Companies subject to AML/CTF reporting requirements regularly conduct employee due diligence programs, which are designed to screen both current and potential employees to identify and mitigate the risk of money laundering and terrorism financing by employees. Such programs typically include:
The information garnered by these due diligence programs would stand to be captured by the safeguards outlined under Proposal 7.1 of the Report. If Proposal 7.1 is adopted and extends privacy protections to private sector employees, employers may need to review their AML/CTF due diligence procedures on employees to ensure they comply with the revised privacy obligations. This may involve conducting a risk assessment of the collection, use, and storage of employee information, including whether consent is required for collecting sensitive information, and updating policies and procedures accordingly.
Dealing with personal information that is no longer necessary
APP 11.2 provides that if an entity no longer needs to hold an individual’s personal information, the entity must take reasonable steps to destroy or de-identify the information (subject to retention requirements in other Australian laws or a court order).
Proposal 21.5 of the Report suggests enhancing the current OAIC Guidelines in relation to APP 11.2, to provide detailed guidance that more clearly articulates the reasonable steps for APP entities to undertake to destroy or de-identify personal information that is no longer required to be held.
The Report noted that many entities do not take active steps to determine appropriate retention policies. Proposal 21.7 of the Report therefore recommends that APP entities establish their own maximum and minimum retention periods for the personal information they hold, considering the type, sensitivity, and purpose of the information, as well as the entity’s organisational needs and any legal obligations.
Under the AML/CTF Act, reporting entities must keep records related to their AML/CTF program and customer due diligence (CDD) procedures for at least seven years from the transaction date. This includes records of customer identification and verification (e.g., name, date of birth, and address), ongoing customer due diligence, and suspicious matter reports.
AML/CTF reporting entities are also required to have appropriate systems and processes to ensure the integrity, accuracy, and accessibility of their records, including controls to prevent alteration, destruction, or loss of records, and ensuring the ability to retrieve and provide records to regulators and law enforcement agencies upon request.
Therefore, similar to the proposals mentioned above, it will be necessary for reporting entities to examine their policies for storing and retaining personal information to ensure that they conform to the updated privacy requirements.
The AML/CTF and privacy regulatory frameworks each impose reporting obligations: the privacy framework requires the reporting of data breaches, and the AML/CTF framework requires the reporting of unlawful financial activity, both of which involve personal information. To ensure compliance with both the Privacy Act and the AML/CTF Act, entities will require clarity and guidance on the collection, use, and disclosure of personal information in the context of the AML/CTF Act.
The Report acknowledges the varied retention requirements already placed on organisations. To this end, the Report recommends:
Assuming the proposals become law, businesses must take active steps to comply with both sets of legislation. AML/CTF reporting entities should familiarise themselves with the proposed changes and how they may interact with their existing obligations under the AML/CTF Act. They should also conduct a risk assessment to identify potential privacy or AML/CTF risks, including assessing the types of personal information they collect, how it is collected, and how it is stored and protected.
© Norton Rose Fulbright LLP 2023