Do privacy laws and anti-money laundering reporting obligations clash?

The article is relevant to members in Australia and was current at the time of publication.
Australia’s expanded anti-money laundering and counter-terrorism financing (AML/CTF) laws are set to test accountants with demands for greater data collection and disclosure, while still adhering to privacy laws.
From 1 July, Tranche 2 entities must collect, assess and, in some cases, report client information while also complying with the Privacy Act 1988, regardless of the A$3 million small business exemption.
Where AML/CTF and privacy laws converge
Australia’s privacy framework is anchored in the Privacy Act and the Australian Privacy Principles (APPs). Both emphasise restraint: collect only what is reasonably necessary (APP 3), notify individuals about data use (APP 5), limit use and disclosure (APP 6), and secure personal information (APP 11).
Here’s where the tension between the AML/CTF and privacy legislation arises.
Disclosure
AML/CTF laws require the reporting of suspicious matters, which may involve sensitive client information. While this would typically be restricted under APP 6, the “authorised by law” exception allows disclosure. The key is to clearly document the legal basis for any reporting.
Data collection
Know Your Client (KYC) processes may require identity documents, financial histories and risk profiling. However, APP 3 requires firms to justify each piece of information collected. Over-collection can be just as problematic as under-collection.
Retention obligations
AML/CTF rules often require records to be kept for up to seven years. In contrast, privacy law requires information to be destroyed or de-identified once it is no longer needed. You will need clear policies to distinguish between records that must be retained for seven years and those that should be deleted sooner.
Transparency and “tipping off”
APP 5 requires firms to explain how client data is handled. However, AML/CTF laws may restrict what can be disclosed if there is a risk of tipping off a client. Carefully worded client communications are, therefore, essential.
Cloud and offshore processing
Where data is stored or processed overseas, APP 8 requires firms to ensure recipients uphold comparable privacy standards.
$3 million threshold no longer applies
Even small accounting practices that would otherwise be exempt from the Privacy Act under the “small business” exemption will, from 1 July, become regulated by privacy laws if they are Tranche 2 entities. This is particularly relevant for client onboarding (KYC), ongoing monitoring, reporting and record-keeping.
Where the laws align
Both AML/CTF and privacy frameworks require strong data security, governance, audit trails and a risk-based approach to compliance. Firms that invest in these fundamentals will be better positioned to meet both sets of obligations.
Solution: find the balance
Industry experts say the goal for Tranche 2 entities is to collect enough information to meet AML/CTF requirements without breaching privacy obligations. This starts with changing mindsets.
Break old habits
Anna Johnston, Director at privacy consultancy Helios Salinger, says the old approach of collecting and keeping data “just in case” is no longer sustainable.
“Over-collection and over-retention of data can cause significant privacy compliance risks as well as make organisations vulnerable to cyber attacks.”
The Office of the Australian Information Commissioner (OAIC) recently issued guidance for Tranche 2 entities. Johnston stresses that failing to understand your privacy obligations could cost you financially.
“Businesses face a tooled-up privacy regulator and a recently beefed-up civil penalty regime, which allow the Privacy Commissioner — who sits in the OAIC — to issue instant fines. And with the OAIC currently conducting a compliance sweep of privacy policies to check their compliance with the Privacy Act, now is the time to get your house in order.”
Johnston recommends locking in:
- a privacy policy that meets the requirements of APP 1.4
- collection notices at every point where personal data is collected for APP 5
- a retention policy on how long data should be kept and how to dispose of data safely
- training for staff to know what to collect and what not to say to clients
- a data breach response procedure to prepare for a breach or a cyber attack.
Prepare for client pushback
Neville Birthisel, Policy Advisor, Regulations and Standards, CPA Australia, says Tranche 2 entities also need to have a clear, consistent explanation for clients who question why more, or more sensitive, information is required.
“Accountants need to have a spiel in their back pocket, so clients understand why they have the obligation. Accountants also need to be ready to defend that position and explain the new regulatory obligation when feathers get ruffled — as this will likely happen.”
With the laws applying across the industry, Birthisel says clients will eventually realise they cannot shop around.
Privacy templates
The OAIC has a template collection notice for AML/CTF reporting entities. CPA Australia has a wealth of information for practitioners who qualify as Tranche 2 entities.