Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth)

Overview of the requirements of the AML/CTF Act

Background

16.155 The AML/CTF Act received Royal Assent on 12 December 2006. The Act requires a ‘reporting entity’ to carry out a procedure to verify a customer’s identity before providing a ‘designated service’ to the customer.[220] In addition, reporting entities must give the Australian Transaction Reports and Analysis Centre (AUSTRAC) reports about suspicious matters;[221] and must develop and comply with an anti-money laundering and counter-terrorism financing program.[222]

16.156 The AML/CTF Act is the result of an extensive consultation process. On 16 December 2005, the AGD released the exposure draft Anti-Money Laundering and Counter-Terrorism Financing Bill (the exposure Bill) along with draft Rules.[223] The AGD received 120 submissions on the exposure Bill. The exposure Bill was referred to the Senate Legal and Constitutional Legislation Committee. The Committee reported on its inquiry on 13 April 2006.[224] The Committee concluded that an independent PIA of the Bill should be conducted. The Committee also recommended that the Bill should contain a statement that is reflective of the intention to allow federal, state and territory agencies to access and utilise AUSTRAC data for purposes that may not be related to anti-money laundering or counter-terrorism financing, such as detecting tax and social security fraud.[225]

16.157 The AGD released a revised exposure draft Anti-Money Laundering and Counter-Terrorism Financing Bill 2006 (Cth) (revised AML/CTF Bill 2006) and draft Rules for a further period of consultation, which ended on 4 August 2006.[226] The Department received a further 70 submissions on the revised AML/CTF Bill 2006. Submissions in response to the revised AML/CTF Bill 2006 raised a number of privacy issues.

16.158 In September 2006, an independent PIA was conducted, in which 96 recommendations were made.[227] The Australian Government then published a Privacy Impact Statement which responded to the PIA findings and recommendations. The Government adopted 30 of the 96 recommendations.[228]

16.159 The final version of the Anti-Money Laundering and Counter-Terrorism Financing Bill 2006 (Cth) (AML/CTF Bill 2006) was introduced in the Australian Parliament on 1 November 2006. The final version of the Bill required that designated agencies, including state and territory agencies, comply with the IPPs in respect of the accessed AUSTRAC information.

16.160 After its introduction, the AML/CTF Bill was referred to the Senate Legal and Constitutional Legislation Committee. Submissions to the Senate Committee continued to raise privacy issues. The Committee reported on its inquiry on 28 November 2006. The Committee recommended that the Australian Government consider amending the Bill to include further threshold value limits, to exclude low risk, low value services (such as the provision of travellers cheques and foreign currency transactions) from the definition of ‘designated services’ and that consideration be given to indexing these thresholds every five years. The Committee also recommended that the OPC conduct periodic audits of AUSTRAC’s compliance with privacy obligations in its administration of the Bill.[229]

Current requirements under the AML/CTF Act

16.161 The AML/CTF Act is intended to enable individual businesses to manage money laundering and terrorism financing risks. The Act sets out the primary obligations of ‘reporting entities’ when providing ‘designated services’. A ‘reporting entity’ is a financial institution, or other person that provides ‘designated services’.[230] A large number of ‘designated services’ are listed in the Act including opening an account, making a loan, and supplying goods by way of hire purchase.[231]

16.162 As stated above, the Act requires a reporting entity to carry out a procedure to verify a customer’s identity before providing a designated service to the customer.[232] Reporting entities must give AUSTRAC reports about suspicious matters;[233] and must develop and comply with an anti-money laundering and counter-terrorism financing program.[234] The Act also imposes various record-keeping requirements on reporting entities.[235] For example, a reporting entity must make a record each time it provides a designated service and must retain the record for seven years.[236]

16.163 Part 11 of the Act relates to secrecy and access. Except as permitted by the Act, certain individuals—including an AUSTRAC official, a customs officer or a police officer—must not disclose information or documents obtained under the Act.[237] Further, a reporting entity must not disclose that it has reported, or is required to report, information to AUSTRAC; or that it has formed a suspicion about a transaction or matter. The Part also provides that the ATO and certain other ‘designated agencies’ may obtain access to AUSTRAC information. The phrase ‘designated agencies’ is defined in s 5 to include a large number of Australian Government agencies as well as some state and territory agencies. Designated agencies may obtain access to AUSTRAC information for the purposes of performing that agency’s functions and exercising the agency’s powers.[238] The Act requires designated agencies, including state and territory agencies, to comply with the IPPs in respect of AUSTRAC information.[239]

16.164 The Anti-Money Laundering and Counter-Terrorism Financing (Transitional Provisions and Consequential Amendments) Act 2006 (Cth) was assented to on the same day as the AML/CTF Act. The Anti-Money Laundering and Counter-Terrorism Financing (Transitional Provisions and Consequential Amendments) Act introduced s 63(1A) into the Privacy Act. This provision has the effect of making a small business operator that is a reporting entity (a person who provides a designated service under the AML/CTF Act) an organisation for the purposes of the Privacy Act. This ensures that all reporting entities are subject to the Privacy Act in relation to their obligations to collect personal information under the AML/CTF Act.

16.165 The Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2007 (Cth)made a number of amendments to the AML/CTF Act and other legislation. In particular, it amended the Commonwealth Electoral Act 1918 to provide that a prescribed person or organisation, that under an arrangement with a reporting entity or the agent of a reporting entity, provides information for the purpose of facilitating the carrying out of the applicable customer identification procedures under the AML/CTF Act, will have access to the electoral roll ‘equivalent to that which is currently provided for the purposes of the Financial Transactions Reports Act 1988’.[240]

16.166 The AML/CTF Act represents the first tranche of reforms under the anti-money laundering and counter-terrorism legislative scheme, which covers the financial and gambling sectors.[241] The second tranche of reforms is currently being developed.[242] The second tranche will extend the existing regulatory obligations to specified transactions ‘conducted by real estate agents, specified transactions conducted by dealers in precious metals and precious stones and specified legal, accounting and trust and company services’.[243] Draft legislative provisions which will amend the AML/CTF Act to implement the second tranche of reforms were publicly released in August 2007.[244] Public submissions have now closed and the AGD is consulting with peak bodies representing the relevant professions about the draft legislative provisions.[245]

Concerns about the AML/CTF legislation

16.167 In DP 72, the ALRC noted that stakeholders had raised a number of issues in relation to the AML/CTF Act. Concerns were raised that privacy was not adequately protected under the AML-CTF legislation and that its measures would lead to pervasive monitoring of the financial affairs of ordinary citizens. Another concern was that state and territory agencies may obtain access to information collected by AUSTRAC without being subject to the same accountability under the Privacy Act as Australian Government agencies. Also raised was that designated agencies had been granted access to AUSTRAC data, using information for purposes outside of the intentions of anti-money laundering and counter-terrorism financing legislation. A further issue was the need for the $10,000 mandatory reporting thresholds to be reviewed to reflect price inflation and minimise the unnecessary collection of personal information.[246]

16.168 A number of submissions from financial institutions and peak industry bodies noted that the AML/CTF Act requires a reporting entity to carry out a procedure to verify a customer’s identity prior to providing a designated service, but does not expand access to available databases for identity verification purposes.[247] Some submissions raised the issue of using credit reporting information for the purposes of identity verification.[248]

Statutory review

16.169 In DP 72, the ALRC noted that there have been several recent inquiries that have considered the AML/CTF Act, in which issues of concern have been comprehensively put to government. The ALRC, therefore, restricted its consideration of the Act to issues raised in submissions to this Inquiry. The ALRC indicated that it shares many of the concerns raised by stakeholders in relation to the AML/CTF Act.

16.170 The ALRC noted that, under s 251 of the AML/CTF Act, the Minister responsible for the Act must cause a review to be conducted of the operation of the Act, the regulations and the AML/CTF Rules, before the laws have been in operation for seven years.

16.171 In DP 72, the ALRC proposed that the review under s 251 should examine whether:

  • reporting entities and designated agencies are handling personal information appropriately under the legislation;

  • the number and range of transactions for which identification is required should be more limited than currently provided for under the legislation;

  • it remains appropriate that reporting entities are required to retain information for seven years; and

  • it is appropriate that reporting entities are able to use the electoral roll for the purpose of identification verification.[249]

16.172 The use of the electoral roll for the purpose of complying with the AML/CTF Act is discussed above.

Submissions and consultations

16.173 The majority of stakeholders who commented on this issue supported the ALRC’s proposal.[250] The OPC submitted that the review also should include the handling of information by AUSTRAC, particularly as it relates to the provision of access to other bodies, including those overseas. The OPC commented that it was prudent for relevant stakeholders, including AUSTRAC and the OPC, to begin retaining appropriate data to assist in the review.[251]

16.174 A number of stakeholders, however, called for the ALRC to make recommendations in relation to possible amendments to the AML/CTF Act to protect privacy better. For example, the Law Council of Australia indicated that, while it understood the reluctance of the ALRC to ‘reignite debate on an Act that was only passed relatively recently and which was the subject of extensive consultation and discussion’,[252]

the current AML/CTF Act represents stage one of a two stage reform process. It will soon be amended to cover the provision of a broader range of services, including legal and accounting services. It is of limited assistance to those currently engaged in consultation on the form and content of stage two reforms to note that the ALRC acknowledges privacy concerns with the existing Act but believes that they should only be the subject of review in six years time …

The Law Council would welcome more immediate guidance from the ALRC on how the AML/CTF Act could be brought into line with the Privacy Act. [253]

16.175 The ABA noted that banks already have to comply with these laws, and that the statutory review under s 251 of the AML/CTF Act would not occur until 2014.[254] The ABA and the National Australia Bank called for the ALRC to reconcile the existing AML/CTF legislation with proposed privacy reforms.[255]

16.176 The ABA cited two examples of possible inconsistency between the AML/CTF laws and existing privacy law and practice. First, the ABA contended that OPC guidance on the AML/CTF Act was at odds with s 123 of the Act, which requires a reporting entity not to make a disclosure to a person in relation to suspicious matters. The ABA stated that it has been advised by the AGD that the AML/CTF Act overrides the Privacy Act.[256]The ABA submitted that banks are concerned about branch staff being caught between the two in absence of case law on point.[257]

16.177 Secondly, in relation to employee due diligence, the ABA noted that the AML/CTF Rules include a note referring reporting entities to the Privacy Commissioner’s information sheet in relation to the handling of employee information, but no specific information sheet exists. The ABA pointed out that a risk-based Employee Due Diligence program could be inconsistent with NPP collection obligations.[258]

ALRC’s view

16.178 It is clear that there is a high level of concern about the erosion of privacy generated by the AML/CTF Act. While the ALRC has been requested by stakeholders to address the issues raised by the Act, in the ALRC’s view, it should not accede to this request for two reasons. First, a number of recent inquiries have considered the issues raised by the AML/CTF Act. Secondly, while the ALRC shares many of the concerns raised by stakeholders in relation to the AML/CTF Act, to review comprehensively the AML/CTF Act is beyond the scope of this Inquiry. For these reasons, the ALRC has restricted its consideration of the Act to some of the issues raised in submissions to this Inquiry.

16.179 The ALRC suggests that the OPC review its guidance on the AML/CTF Act so as to address the concerns expressed by the ABA about inconsistencies between this guidance and the requirements of the Act itself. The ALRC notes, for example, that the guidancepublished by the OPC states:

What are my reporting obligations in relation to providing individuals with access?

Access should be provided, unless there is a legitimate exception. For example, a reporting entity may be able to deny access to a suspicious matter report lodged with AUSTRAC under NPP 6.1(h).

Reporting entities are required to tell individuals why they are denying access to some or all of their personal information.[259]

16.180 There is a reasonable argument that, if a reporting entity advised an individual that it could not disclose personal information which formed part of a suspicious matter report, it would be in breach of s 123 of the AML/CTF Act. In relation to the second point raised by the ABA, however, the ALRC notes that Information Sheet 16 issued by the OPC, deals with disclosure of personal information about employees in the context of due diligence.[260]

16.181 The ALRC is concerned about the pervasive nature of the monitoring that is to occur due to the mandatory reporting threshold of $10,000. As suggested by the OPC, the threshold should be reviewed to reflect price inflation and minimise the unnecessary collection of personal information.

16.182 The statutory review under s 251 of the AML/CTF should examine: whether reporting entities and designated agencies are appropriately handling personal information under the legislation; whether the number and range of transactions for which identification is required should be more limited than currently provided for under the legislation; and whether it remains appropriate that reporting entities are required to retain information for seven years.

16.183 The review also should consider whether the use of the electoral roll by reporting entities for the purpose of identity verification is appropriate.[261] Consideration should also be given to allowing the AEC to provide reporting entities with other information—for example, date of birth information—so as to reduce the need for credit reporting information to be used for the purposes of identity verification under the AML/CTF Act.[262]

16.184 The ALRC agrees with the OPC that the review under s 251 of the AML/CTF Act also should consider the handling of information by AUSTRAC, particularly as it relates to the provision of access to other bodies, including those overseas.

Recommendation 16-4 The review under s 251 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) should consider, in particular, whether:

(a) reporting entities and designated agencies are handling personal information appropriately under the legislation;

(b) the number and range of transactions for which identification is required should be more limited than currently provided for under the legislation;

(c) it remains appropriate that reporting entities are required to retain information for seven years;

(d) the use of the electoral roll by reporting entities for the purpose of identification verification is appropriate; and

(e) the handling of information by the Australian Transaction Reports and Analysis Centre is appropriate, particularly as it relates to the provision of access to other bodies, including bodies outside Australia.

State and territory agencies

16.185 In DP 72, the ALRC stated that it also was concerned about the number of designated agencies granted access to AUSTRAC data collected under the AML/CTF Act, and the limited protection offered by s 126(3) of the Act. The ALRC expressed the preliminary view that, due to the amount of personal information that will be made available to the agencies, it is appropriate that these agencies should have to comply with the relevant privacy principles in relation to that information.

16.186 The ALRC noted that, while the agencies must agree to be bound by the IPPs, the Privacy Commissioner does not have the power to audit or enforce compliance with the IPPs by state and territory agencies. The ALRC proposed, therefore, that the AML/CTF Act should be amended to provide that state and territory agencies that have access to personal information provided to AUSTRAC, be regulated under the Privacy Act in relation to the handling of that personal information, except where they are covered by obligations under a state or territory law that are, overall, at least the equivalent of all the relevant obligations in the Privacy Act.[263]

Submissions and consultations

16.187 The OPC supported this proposal, as did a number of other stakeholders.[264] The OPC noted that, currently, only some states and territories have privacy regulation applying to their own agencies.

As this personal information is compulsorily acquired during the course of an expanding range of transactions, in some instances without the knowledge of the individual, it seems reasonable to expect that agencies which receive it are subject to binding privacy obligations. Currently, state and territory agencies in a number of jurisdictions represent a gap in the privacy protections afforded to AML/CTF information, in particular since the enactment of provisions to bring small business reporting entities within the coverage of the Privacy Act. Essentially, all participating private sector organizations and Australian Government agencies are covered by enforceable privacy regulation, though not all State and Territory agencies.

16.188 The OPC also proposed that it have responsibility for assessing whether state and territory legislation contains obligations that are at least the equivalent of all the relevant obligations in the Privacy Act.[265] The Queensland Government submitted that this issue should be considered within the context of developing and implementing a nationally consistent approach.[266]

ALRC’s view

16.189 The ALRC is concerned about the number of designated agencies that have been granted access to AUSTRAC data collected under the AML/CTF Act and the limited protection offered by s 126(3) of the Act. Due to the amount of personal information that will be made available to such agencies, it is appropriate that these agencies comply with the model UPPs.

16.190 This is most appropriately addressed by the ALRC’srecommendation that the states and territories should enact legislation regulating the handling of personal information in that state or territory’s public sector that applies the model UPPs.[267] Further, the ALRC recommends that the Australian Government initiate a review in five years from the commencement of the amended Privacy Act to consider whether the recommended intergovernmental cooperative scheme has been effective in achieving national consistency.[268]

16.191 Until such a cooperative scheme is in place, when AUSTRAC provides a state or territory agency with access to AUSTRAC data collected under the AML/CTF Act, it should ensure that a memorandum of understanding or other arrangement is in place to ensure compliance with the privacy requirements of the AML/CTF Act. The OPC should monitor compliance with the privacy requirements of the AML/CTF Act by such state and territory agencies. This is consistent with the general approach recommended by the ALRC.[269]

[220]Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) pt 2. The terms ‘reporting entity’ and ‘designated service’ are considered below.

[221] Ibid pt 3.

[222] Part A of an anti-money laundering and counter-terrorism financing program is a program that is designed to identify, mitigate and manage the risk a reporting entity reasonably may face when providing designated services in Australia that might involve or facilitate money laundering or financing of terrorism. Part B of an anti-money laundering and counter-terrorism financing program sets out the applicable customer identification procedures for customers of the reporting entity: Ibid s 80.

[223] See Australian Government Attorney-General’s Department, Anti-money laundering <http://www.ag.gov
.au/www/agd/agd.nsf/Page/Anti-money_laundering> at 6 May 2008.

[224] Parliament of Australia—Senate Legal and Constitutional Legislation Committee, Exposure Draft of the Anti-Money Laundering and Counter-Terrorism Financing Bill 2005 (2006).

[225] Ibid, [4.72]–[4.76].

[226]Revised Exposure Draft Anti-Money Laundering and Counter-Terrorism Financing Bill 2006 (Cth).

[227] Salinger & Co, Privacy Impacts of the Anti-Money Laundering and Counter-Terrorism Financing Bill and Rules (2006). See Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [13.105] for a summary of the key recommendations.

[228] Australian Government Attorney-General’s Department, Privacy Impact Statement: Anti-Money Laundering and Counter-Terrorism Financing Bill and Rules (2006).

[229] Parliament of Australia—Senate Standing Committee on Legal and Constitutional Affairs, Anti-Money Laundering and Counter-Terrorism Financing Bill 2006 [Provisions] and Anti-Money Laundering and Counter-Terrorism Financing (Transitional Provisions and Consequential Amendments) Bill 2006 [Provisions] (2006). None of these recommendations have been implemented to date.

[230] Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) s 5.

[231] Ibid s 6.

[232] Ibid pt 2.

[233] Ibid pt 3.

[234] Part A of an anti-money laundering and counter-terrorism financing program is a program that is designed to identify, mitigate and manage the risk a reporting entity may reasonably face when providing designated services in Australia that might involve or facilitate money laundering or financing of terrorism. Part B of an anti-money laundering and counter-terrorism financing program sets out the applicable customer identification procedures for customers of the reporting entity: Ibid s 80.

[235] Ibid pt 10.

[236] Ibid s 107.

[237] Ibid pt 11, div 2.

[238] Ibid s 126.

[239] Ibid s 126(3).

[240] Explanatory Memorandum, Anti-Money Laundering and Counter-Terrorism Financing Amendment Bill 2007 (Cth), item 54; Commonwealth, Parliamentary Debates, House of Representatives, 15 February 2007, 1 (P Ruddock—Attorney-General) Anti-Money Laundering and Counter-Terrorism Financial Amendment Bill 2007 Second Reading Speech, 1.

[241] Australian Government Attorney-General’s Department, Second Tranche of Reforms—Second Tranche of AML/CTF Reforms (2007) <www.ag.gov.au/www/agd/agd.nsf/Page/Anti-moneylaundering_
SecondTrancheofReforms> at 1 April 2008
.

[242] Ibid.

[243] Ibid.

[244] Ibid.

[245] Ibid.

[246] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [13.110]–[13.116].

[247] Ibid, [13.117].

[248] This issue is discussed briefly below and in detail in Ch 57.

[249]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 13–3.

[250] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; National Legal Aid, Submission PR 521, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[251] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[252] Law Council of Australia, Submission PR 527, 21 December 2007.

[253] Ibid.

[254] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008.

[255] Ibid; National Australia Bank, Submission PR 408, 7 December 2007.

[256] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008.

[257] Ibid.

[258] Ibid.

[259] Office of the Privacy Commissioner, Privacy and the AML/CTF Act—some FAQs for your business, October 2007, 2.

[260] Office of the Privacy Commissioner, Application of Key NPPs to Due Diligence and Completion when Buying and Selling a Business, Information Sheet 16 (October 2002), 3.

[261] The Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2007 (Cth) amended the Commonwealth Electoral Act 1918 to provide that a prescribed person or organisation, that under an arrangement with a reporting entity or the agent of a reporting entity, provides information for the purpose of facilitating the carrying out of the applicable customer identification procedures under the AML/CTF Act, will have access to the electoral roll.

[262] The use of credit reporting information for the purposes of electronic identity verification is discussed in Ch 57. There is an argument that it may be preferable, for example, to allow the use of personal information from the electoral roll for the purposes of electronic identity verification, rather than allowing the use of credit reporting information for this purpose.

[263]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 13–4.

[264] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; National Legal Aid, Submission PR 521, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; P Youngman, Submission PR 394, 7 December 2007.

[265] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[266] Queensland Government, Submission PR 490, 19 December 2007.

[267] Rec 3–4.

[268] Rec 3–6.

[269] Rec 17–1.