7 December, 2015
Introduction
The Australian Transaction Reports and Analysis Centre (AUSTRAC) has released a Privacy Impact Assessment (PIA) examining the implications under Australian privacy law of its proposed amendments to Chapter 4 of the Anti-Money Laundering and Counter-Terrorism Financing Rules (AML/CTF Rules), which will allow reporting entities to collect know-your-customer (KYC) information from sources other than the customer.
Background
From 10 June to 8 July 2015, AUSTRAC published draft amendments to Chapter 4 of the AML/CTF Rules to its website for public consultation. The draft amendments:
- amend electronic safe harbour procedures for customers;
- allow reporting entities to collect KYC information from sources other than the customer; and
- extend current exemptions in relation to KYC for beneficial owners and PEPs.
The second of these proposed amendments is the subject of the PIA just released by AUSTRAC. Specifically, the proposed amendment allows reporting entities the discretion to collect KYC information 'about' a customer, rather than 'from' a customer. A copy of the draft rules can be accessed here.
The Australian Privacy Commissioner has raised concerns that the proposed amendments will have a privacy impact on individuals (about whom personal information will be collected by the reporting entity for the purposes of carrying out the applicable customer identification procedure (ACIP)). The Commissioner has subsequently recommended that an assessment be undertaken and AUSTRAC has therefore published the PIA containing its findings and inviting industry input.
AUSTRAC's findings and questions for industry
AUSTRAC's recently released PIA sets out many of the ways in which reporting entities may need to implement revised practices, procedures and systems to ensure they are complying with the requirements of the Privacy Act 1998 (Cth) and, by way of subsection 6E(1A) of that Act, the Australian Privacy Principles (APP). Of these, AUSTRAC considers that APP 3 (Collection of solicited personal information) is particularly relevant to reporting entities.
A copy of the PIA is available here. It is recommended that reporting entities consider the privacy implications set out on pages 9 to 11 of the PIA in particular.
In addition, we note that AUSTRAC has posed the following questions to industry stakeholders as part of its PIA:
1.Do you anticipate collecting information about a customer from sources other than the customer? If so, please provide examples of:
a) what sort of customer information will be collected from other sources;
b) which other sources you propose to use to collect this information; and
c) when you will collect customer information from other sources, rather than from the customer directly.
2. Do you anticipate amending your existing privacy policies and documentation relevant to the Australian Privacy Principles 1 to 13, if the new process is adopted? If so, please provide examples of proposed changes that will reduce or mitigate any privacy risks that may result from the proposed amendments. If not, please provide examples of existing policies and documentation that will accommodate the proposed amendments.
Conclusion and next steps
We are assisting many of our clients with their submissions to AUSTRAC in relation to this issue.
If you are uncertain about the requirements, have a question about the PIA, or would otherwise like to make a submission in response to AUSTRAC's questions to industry, please do not hesitate to get in touch with a member of our team.
Supplementary information
Click here to view to view the PIA.
Click here to view the AML/CTF Rules.
For further information, please contact:
Astrid Raetze, Partner, Baker & McKenzie
astrid.raetze@bakermckenzie.com
