Identity verification

57.129 Credit providers and other businesses have statutory obligations to verify the identity of their customers, including under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act).[130] One possible source of data for electronic identity verification is credit reporting information held by credit reporting agencies. The use and disclosure of credit reporting information for the purposes of satisfying obligations under the AML/CTF Act was an issue of significant concern to many stakeholders.

Anti-Money Laundering and Counter-Terrorism Financing Act 2006

57.130 The AML/CTF Act covers the financial sector, gambling sector, bullion dealers and other professionals or businesses (‘reporting entities’) that provide particular ‘designated services’. The Act imposes a number of obligations on reporting entities when they provide designated services. These include obligations with respect to customer identification and verification of identity, record keeping, establishing and maintaining an AML/CTF program, and ongoing customer due diligence and reporting.

57.131 The customer identification procedures required of reporting entities are set out in Part B of the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (the AML/CTF Rules). For example, with respect to individuals and where the money laundering and terrorism financing risk is medium or lower, the AML/CTF Rules provide for an ‘electronic-based safe harbour procedure’.[131]

57.132 In brief, this ‘safe harbour’ (in terms of compliance with the AML/CTF Rules) is available to reporting entities if they collect the customer’s full name; the customer’s date of birth; the customer’s residential address; and verify:

(a) the customer’s name and the customer’s residential address using reliable and independent electronic data from at least two separate data sources; and either

(b) the customer’s date of birth using reliable and independent electronic data from at least one data source; or

(c) that the customer has a transaction history for at least the past 3 years.[132]

57.133 The customer identification procedures in the AML/CTF Act supersede identification procedures set out in the Financial Transaction Reports Act 1988 (Cth). The Financial Transaction Reports Act provided prescriptive rules, including the ‘100 point’ identity verification test under which identifying information from various sources is worth a certain number of points.[133] By comparison, the AML/CTF procedures are described as ‘risk-based’, leaving each institution to make an assessment of the information it needs to gather from its customers.[134]

57.134 Industry stakeholders noted that adopting the ‘safe harbour’ procedure would be cost-effective because it would streamline the processing of credit applications and eliminate the need for identity verification using physical documents.[135] Electronic identity verification is particularly important for the competitive position of credit providers that do not have branch networks and rely on the internet or brokers to market and distribute their financial products.

Early adopters of new electronic verification systems, that will allow them to meet their customer identification requirements using online technology, hope to get more out of their investment than a tick from the regulator. They are hoping to win business by making ID checks faster and more convenient and by using the technology to move into new market segments.[136]

57.135 ING Bank summarised the importance of electronic identity verification for reporting entities under the AML/CTF Act:

  • Electronic verification is important to maintain competitive neutrality—This is to ensure that institutions without a branch network have a viable alternative to face-to-face identification.

  • Electronic verification is essential to maintain existing channels for customers to apply for financial services—Electronic banking is a rapidly developing section of the financial services industry …

  • Electronic verification is cost effective—Electronic verification can streamline the application process, removing the need to deal with customers face to face and allowing for greater efficiency of systems. This is important because it reduces the costs arising from the verification process and means savings can be passed on.

  • Electronic verification provides a robust way of verifying a customer’s identity—as it involves conducting verification against the records of a number of independent third parties.[137]

Credit reporting information and identity verification

57.136 Identity verification is a fundamental part of any credit application process. A first step in assessing the eligibility of an individual for credit is to establish the identity of that individual. Other use and disclosure of credit reporting information authorised by Part IIIA—for example, to assess an application for credit, the risk in purchasing a loan by means of a securitisation arrangement or an application for commercial credit—appears to involve the use of credit reporting information in identity verification by a credit provider.

57.137 Sections 18K and 18L of the Privacy Act, however, place detailed limits on the disclosure of personal information by credit reporting agencies and the use of personal information by credit providers respectively, and make no express provision for identity verification. Electronic identity verification for the purposes of the AML/CTF Act using credit reporting information is not authorised under Part IIIA because it involves the disclosure of information to reporting entities, as defined in the AML/CTF Act,[138] a category which is much broader than credit providers, as defined by the Privacy Act.

57.138 Further, electronic identity verification may be for purposes other than those for which use or disclosure of credit reporting information is authorised—for example, under the AML/CTF Act identity verification may be required in order to accept a deposit, issue a debit or stored value card, issue a life insurance policy or opening a savings account, or provide a safe deposit box.[139]

57.139 The fact that credit reporting information might be used in electronic identity verification in order to comply with the AML/CTF Act is not sufficient to render disclosure for this purpose by a credit reporting agency ‘required or authorised by or under law’ for the purposes of Part IIIA.[140]

Discussion Paper question

57.140 The ALRC understands that, in the early stages of planning for the new anti-money laundering legislation, the Australian Government considered a proposal that the Australian Transaction Reports and Analysis Centre would certify third party identity verification services, or direct the establishment of a central source of data for identity verification.[141] The Mortgage and Finance Association of Australia stated that when the AML/CTF legislation was proposed ‘it was envisaged that independent electronic means would be available to verify individuals’ but that these sources have not become available as envisaged.[142]

57.141 In DP 72, the ALRC considered that it needed more information about the risks and benefits of, and possible alternatives to, the use of credit reporting information in electronic identity verification before making any proposal to address the issue. The ALRC asked, if such use and disclosure were not authorised under the new Privacy (Credit Reporting Information) Regulations, what other sources of data might be used by credit providers to satisfy obligations under the AML/CTF Act and similar legislation.[143]

Submissions and consultations

57.142 Industry stakeholders submitted that the new Privacy (Credit Reporting Information) Regulations should permit the use and disclosure of credit reporting information for identity verification purposes to satisfy obligations under the AML/CTF Act.[144]

57.143 Stakeholders emphasised the utility for business and consumers of using credit reporting information for electronic identity verification.[145]

In order to achieve an appropriate balance between business process efficiency and consumer privacy protection, ANZ is of the view that credit reporting information should be available for the purposes of identity verification for both credit and retail based products. The possibility of using several data sources electronically to create an identity match represents a real benefit, particularly for those businesses where face-to-face interaction with customers is minimal or non-existent. It would also benefit remote customers who do not have access to a bank branch and must use alternative and more onerous methods of providing their identification.[146]

57.144 Veda Advantage submitted that ‘electronic verification as a process is considerably less privacy intrusive than documentary based verification’ and that the use of personal information in credit reporting ‘for identity verification purposes when opening accounts is likely to be well within the reasonable expectations of the consumer’. Veda favoured making specific provision for the use and disclosure of credit reporting information for the purposes of complying with the AML/CTF Act in the Privacy Act, as this would make the ‘policy intention clear’. Veda also emphasised that the ALRC should not ‘pass this issue back to the Government unresolved’.

The difficulties faced by service providers in efficiently conducting electronic identity verification has significant effect—on the businesses themselves, on the cost of service provision, the end users, the economy, and Australia’s competitiveness and international standing. There is an urgent need to have the best datasets for identity verification available. Additional delay or recommendation for further Government review of identity management systems and data is not appropriate.[147]

57.145 Stakeholders noted that credit reporting information is used in comparable jurisdictions for electronic identity verification,[148] and that the use of credit reporting databases has key advantages because they are ‘a regulated source, with comprehensive coverage and commercial electronic accessibility’.[149] Other arguments advanced in favour of allowing this use of credit reporting information included that:

  • electronic identity verification is essential in promoting greater competition in the banking and financial services market, by ensuring competitive neutrality among financial institutions, removing barriers to entry to the market, reducing regulatory burden and administrative costs and increasing convenience for customers;[150] and

  • the Australian Government, having provided for identity verification under the AML/CTF Act, has a ‘reciprocal obligation to provide the means for industry to do so’ by allowing access to both public and private sector information.[151]

Addressing privacy concerns

57.146 Stakeholders suggested ways to address privacy concerns arising from the use of credit reporting information in electronic identity verification. These included: enacting new restrictions on access to credit reporting information and new penalties for unauthorised access; requiring individual consent to electronic identity verification; limiting the disclosure of credit reporting information to the information needed to verify identity under AML/CTF procedures; ensuring information verified by a credit provider is first obtained from the individual directly; and ensuring that any access for AML/CTF purposes is logged.[152]

57.147 ING Bank proposed that electronic identity verification using credit reporting information should operate with the consent of the individual concerned and the response provided by the credit reporting agency would be

limited to whether the customer’s name, address, date of birth as provided by the reporting entity matches that held by the credit reporting agency, along with the age of the file where a match was found. The response will be in the form of a ‘match’ or ‘no match’ response or a single code that represents what has been matched … The reporting entity will not otherwise be able to obtain the name, address or date of birth from the credit reporting agency, nor will it obtain any other information from the credit reporting agency’s file (other than age of file for a match).[153]

Other sources of electronic identity verification

57.148 One key consideration in addressing the use and disclosure of credit reporting information for the purposes of the AML/CTF Act is what other sources of data might be used by reporting entities for electronic identity verification.

57.149 ING Bank provided a comprehensive survey of the possible alternative sources of data for electronic identity verification. These included sources of data held by the Australian Government,[154] state and territory government,[155] and the private sector.[156] In conclusion, ING Bank stated that it had been

unable to identify any comprehensive data sources for date of birth that are able to support high volume, real-time electronic response. As a result, industry cannot utilise the electronic verification safe harbour provisions in the AML/CTF Rules.[157]

57.150 In DP 72, the ALRC referred to the Australian Government’s Document Verification Service (DVS).[158] The DVS enables an agency to verify that a document, which is presented to the agency by an individual to prove his or her identity, was issued by the document issuing agency claimed on the face of the document.[159]

57.151 ING Bank noted that the DVS is premised on the reporting entity first obtaining the physical identification documents from the customer, then utilising the service to verify the authenticity of the documents against government databases.

This will still be reliant on the customer sending in identification documentation, therefore it will not support online electronic verification and also does not remove the risk of sensitive documents being lost or intercepted via mail where the customer opts for the convenience of a non face to face channel.[160]

57.152 The AFC observed that, while there are some electronic databases, including the electoral roll and telephone directories, that are currently accessible to verify name and residential address, there are ‘few, if any, avenues of easily and efficiently verifying a transaction history by e-means’.[161]

57.153 There are also inadequacies in the available date of birth information. The AFC advised that the ‘only data source currently available to our financier members to validate date of birth’ is the state-based Certificate Validation Service (CVS), based on data from state and territory registers of births, deaths and marriages.

While the CVS has been useful in terms of AML/CTF compliance it has a number of limitations which put at issue its ‘reliability’. For example, the CVS requires input of a certificate or registration number which a customer is unlikely to carry in their wallet as they would a driver’s license.[162]

57.154 The AFC noted that its members are more likely to use electronic identity verification products offered by an information broker (for example, Veda Advantage or FCS OnLine) than develop a system for themselves.[163]

57.155 Some stakeholders with an interest in providing electronic identity verification services questioned the suitability and reliability of credit reporting information for this purpose. The Global Data Company stated that credit reporting information may require some form of ‘washing’ or further verification before it can be used for identity verification purposes; and noted that it is not held or administered by a government agency. Further,

if credit reporting information is to be used for identity verification purposes, it must be available to Reporting Entities, or service providers to Reporting Entities, on a relatively free and fair basis. Given that such information is currently held exclusively by private entities with a pecuniary interest in maintaining some degree of control and monopoly over the data, it is unlikely that this fundamental requirement could be achieved. The possibility that certain commercial entities could enjoy a massive financial windfall purely as a consequence of being able to utilise individuals’ personal data (which was collected for an entirely unrelated purpose) is fundamentally inconsistent with any proper implementation of the principles underpinning the AML/CTF Act.[164]

57.156 FCS OnLine stated that the use of credit reporting information in electronic identity verification is inappropriate

as its collection and verification is subject to no publicly known quality control checks. The information is apparently secondary in nature, compiled from indeterminate sources, and would never have been completely verified against an authoritative government database (as there has not been any available—eg for DOB information).[165]

57.157 These stakeholders emphasised the availability of alternative sources of data, if existing restrictions on access to this data were lifted. The Global Data Company submitted that providing additional sources of date of birth information would be preferable to permitting access to credit reporting information for electronic identity verification.

First, date of birth information is likely to be more reliable and independent because it would originate from a legitimate government source … Second, date of birth information is static, in contrast to credit reporting information which necessarily requires ongoing update. Third, access to date of birth information can be easily arranged given that it can be obtained from the Electoral Roll (which is already a current source of name and address information).[166]

57.158 The Global Data Company observed that

it is currently not possible to access date of birth information on individuals in Australia, notwithstanding that such data is collected and stored by a multitude of state and federal government agencies. This is puzzling given the fact that the AML/CTF Rules explicitly contemplate such data as a source for identity verification purposes.[167]

Opposition to use or disclosure for electronic identity verification

57.159 A number of stakeholders opposed the use or disclosure of credit reporting information for electronic identity verification,[168] or considered that any proposal to permit such use or disclosure would be premature, or inappropriate in the context of a privacy review.[169]

57.160 The Cyberspace Law and Policy Centre noted that, despite many submissions on the issue, ‘the previous government chose not to accommodate any relaxation of or exemption from the Privacy Act’ in relation to the AML/CTF Act. The Centre submitted that:

The ALRC should not take a position in relation to wider use of credit reporting information for identity verification outside the context of credit assessment, other than to recommend that it be considered in the context of wider identity management strategies.[170]

57.161 The Australian Privacy Foundation opposed the use of credit reporting information for the purposes of the AML/CTF Act and stated that, given the Australian Government’s previous decision not to provide for reporting entities to have access to credit reporting information, changes to the Privacy Act should not be made to allow for ‘back door’ access by credit providers.[171]

57.162 The OPC stated that the credit reporting system should not be subject to expanded uses and disclosures that are unrelated to the reason for which credit reporting information was originally collected—namely, the assessment of individuals’ eligibility for credit. The OPC reiterated that the use of credit reporting information for electronic identity verification would be ‘inconsistent with the original intent of Parliament and it would represent a substantial change in terms of individuals’ expectations about how credit information would be used and to whom it would be disclosed’.[172]

57.163 The OPC submitted that proposals to expand the use of the credit reporting system in this way should be the subject of a separate review by the Australian Government. As part of this review, the OPC suggested the following matters be considered:

  • the breadth of organisations that would have access to the credit reporting system for electronic identity verification purposes;

  • what information would be used and disclosed for identity verification purposes;

  • what limitations would be in place regarding secondary use and disclosure of this information;

  • how privacy protections such as openness, consent and accuracy would be complied with under such a proposal.[173]

ALRC’s view

57.164 The AML/CTF Act imposes obligations on reporting entities with respect to customer identification and verification of identity. In some circumstances, the procedures prescribed by the AML/CTF Rules allow for electronic identity verification, which has a range of advantages for reporting entities. Stakeholders have expressed concern that they are not authorised to obtain electronic data, including credit reporting information, that would enable them to use electronic identity verification effectively.

57.165 The AML/CTF Rules provide flexibility with regard to the means of identity verification. As noted above, verification of information collected about a customer may be based on: reliable and independent documentation; reliable and independent electronic data; or a combination of these.[174]

57.166 A range of sources of information could potentially be used for electronic identity verification. These sources include those that are currently available, such as the electoral roll and registers maintained by ASIC; and those to which access is restricted by regulation or administrative practice, such as credit reporting information, the Integrated Public Number Database maintained by Telstra; and state and territory registries of births, death and marriages.

57.167 There are arguments in favour of allowing credit reporting information to be used and disclosed for electronic identity verification. These include that credit reporting information comes from a regulated source with relatively comprehensive coverage, it is easily accessible electronically, and it is an important source of date of birth information.[175]

57.168 The use and disclosure of credit reporting information for electronic identity verification cannot be considered in isolation. Other data sources and the broader identity management strategies of government and private sector bodies must also be considered. Arguments may be advanced in favour of allowing the use and disclosure of personal information from other data sources in preference, or in addition, to credit reporting information. For example, while the Commonwealth Electoral Act 1918 (Cth) allows the Electoral Commission to provide reporting entities with the names and addresses of individuals on the electoral roll,[176] it prohibits disclosure of individuals’ occupations, sex or date of birth.[177] Consideration could be given to allowing the Australian Electoral Commission to provide reporting entities with date of birth information, which might reduce the need to use credit reporting information.

57.169 The OPC submitted that the question of access to credit reporting information for AML/CTF identity verification should be examined through a separate consultative process that considers the potential benefits and risks of the proposal in greater detail.[178] In Chapter 16, the ALRC recommends that the statutory review of the AML/CTF regime[179] should consider a number of matters, including whether the use of the electoral roll by reporting entities for the purposes of identification verification is appropriate.[180] While the use of credit reporting information for electronic identity verification could be left for consideration as part of that review, the review does not have to be conducted until 2013.

57.170 There was opportunity to provide specific authorisation for the use of credit reporting information during the legislative process that led to the enactment of the AML/CTF Act and the issuing of the AML/CTF Rules, but this was not done. Rather, the ALRC understands that the Government deferred consideration of the use and disclosure of credit reporting information for identity verification until after the completion of this Inquiry. In these circumstances, the ALRC considers that it must reach a concluded view on the question.

57.171 On balance, the ALRC considers that, while the use and disclosure of credit reporting information for electronic identity verification would constitute a significant ‘function creep’, it should be authorised specifically under the AML/CTF Act. The reasons for this view include that:

  • electronic identity verification provides significant advantages for both credit providers and individuals;

  • electronic identity verification is less privacy intrusive than the need to present physical records to verify identity; and

  • there are limited alternative sources of accessible data suitable for electronic identity verification.

57.172 Following amendment of the AML/CTF Act, the use and disclosure of credit reporting information would be ‘required or authorised by or under law’ for the purposes of the new Privacy (Credit Reporting Information) Regulations. It would, therefore, fall within the list of circumstances in which a credit reporting agency or credit provider may use or disclose credit reporting information.

57.173 The ALRC notes that, before this recommendation can be implemented a wide range of issues require further consideration. These include whether: legislation should prohibit the secondary use or disclosure by reporting entities of credit reporting information obtained for identity verification purposes; reporting entities should have positive obligations to seek consent from individuals before using credit reporting information to verify identity; and reporting entities should be required to have processes in place to resolve mismatches between the information individuals provide and credit reporting information.[181]

57.174 An alternative approach would be to authorise the use and disclosure of credit reporting information for electronic identity verification in the new Privacy (Credit Reporting Information) Regulations. This would replicate, in broad terms, the approach taken by the Commonwealth Electoral Act, which provides for the disclosure of electoral information to reporting entities.[182]

57.175 In the ALRC’s view, however, this would introduce undesirable complexity into the new Privacy (Credit Reporting Information) Regulations, given the need for additional provisions dealing with the specific categories of credit reporting information that may be disclosed, and with the other matters referred to above. Further, the use or disclosure of personal information for the purposes of the AML/CTF Act is broadly for law enforcement purposes—namely, to combat money laundering and the financing of terrorism. It is not the approach of the Privacy Act to provide expressly for such exceptions, but to deal with them under the general ‘required or authorised by or under law’ exception (or through exemptions for law enforcement agencies).

Recommendation 57-4 The use and disclosure of credit reporting information for electronic identity verification purposes to satisfy obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) should be authorised expressly under the AML/CTF Act.

[130] The AML/CTF Act and its relationship with the Privacy Act is also discussed in Ch 16. Identity verification may also be required under other legislation such as the Telecommunications Act 1997 (Cth): see, eg, Australian Communications and Media Authority, Telecommunications (Service Provider—Identity Checks for Pre-paid Public Mobile Telecommunications Services) Determination 2000.

[131] See, Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No 1) (Cth) pt 4.2, [4.2.12]–[4.2.13].

[132] See, Ibid pt 4.2, [4.2.13].

[133]Financial Transaction Reports Regulations 1990 (Cth) r 4(1). A credit report was worth 35 points under the 100 point identity verification test: Financial Transaction Reports Regulations 1990 (Cth) r 4(1)(a)(v). Such reports, however, were provided directly to institutions by the individuals concerned, with consent. The ALRC does not propose that the new regulations prevent the disclosure by individuals of their own credit reporting information for identity verification purposes.

[134]J Kavanagh, ‘ID Checks Create New Market’, The Sheet (online), 21 December 2007, <www.thesheet
.com>
.

[135]ING Bank (Australia) Limited, Submission PR 420, 7 December 2007; Australian Finance Conference, Submission PR 398, 7 December 2007.

[136]J Kavanagh, ‘ID Checks Create New Market’, The Sheet (online), 21 December 2007, <www.thesheet
.com>
.

[137]ING Bank (Australia) Limited, Submission PR 420, 7 December 2007.

[138]Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) s 5.

[139] See definition of ‘designated services’: Ibid s 6.

[140]Privacy Act 1988 (Cth) s 18K(1)(m).

[141] J Kavanagh, ‘Credit Files May Provide Identity’, The Sheet (online), 2 October 2007, <www.thesheet
.com>.

[142] Mortgage and Finance Association of Australia, Submission PR 344, 19 November 2007.

[143]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Question 53–3.

[144]GE Money Australia, Submission PR 537, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Confidential, Submission PR 517, 21 December 2007; Veda Advantage, Submission PR 498, 20 December 2007; HBOS Australia, Submission PR 475, 14 December 2007; ANZ, Submission PR 467, 13 December 2007; ING Bank (Australia) Limited, Submission PR 420, 7 December 2007; National Australia Bank, Submission PR 408, 7 December 2007; Dun & Bradstreet (Australia) Pty Ltd, Submission PR 401, 7 December 2007; Australian Finance Conference, Submission PR 398, 7 December 2007; Australasian Retail Credit Association, Submission PR 352, 29 November 2007; Mortgage and Finance Association of Australia, Submission PR 344, 19 November 2007; Abacus–Australian Mutuals, Submission PR 278, 10 April 2007; Institute of Mercantile Agents, Submission PR 270, 28 March 2007; Experian Asia Pacific, Submission PR 228, 9 March 2007.

[145]For example, ANZ, Submission PR 467, 13 December 2007; ING Bank (Australia) Limited, Submission PR 420, 7 December 2007; Australian Finance Conference, Submission PR 398, 7 December 2007; Mortgage and Finance Association of Australia, Submission PR 344, 19 November 2007.

[146]ANZ, Submission PR 467, 13 December 2007.

[147]Veda Advantage, Submission PR 498, 20 December 2007.

[148]Confidential, Submission PR 517, 21 December 2007; ING Bank (Australia) Limited, Submission PR 420, 7 December 2007. Consumer credit reports are used to verify identity in the US and the United Kingdom: ING Bank (Australia) Limited, Submission PR 420, 7 December 2007.

[149]Confidential, Submission PR 517, 21 December 2007; ING Bank (Australia) Limited, Submission PR 420, 7 December 2007.

[150]Confidential, Submission PR 517, 21 December 2007.

[151]Optus, Submission PR 532, 21 December 2007.

[152]Confidential, Submission PR 517, 21 December 2007; ING Bank (Australia) Limited, Submission PR 420, 7 December 2007.

[153]ING Bank (Australia) Limited, Submission PR 420, 7 December 2007.

[154] For example, held by the Australian Electoral Commission (electoral roll); the Department of Foreign Affairs and Trade (relating to resident non-citizens) and ASIC.

[155] For example, registries of births, deaths and marriages and motor vehicle registries.

[156] For example, the Telstra Integrated Public Number Database.

[157]ING Bank (Australia) Limited, Submission PR 420, 7 December 2007.

[158]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [53.86].

[159] Australian Government Attorney-General’s Department, Identity Security—National Document Verification Service (DVS) <www.ag.gov.au/www/agd/agd.nsf/Page/Crimeprevention_Identitysecurity> at 5 May 2008.

[160]ING Bank (Australia) Limited, Submission PR 420, 7 December 2007. ING Bank also noted that ‘there has been no clear timetable for delivering DVS and access by commercial organisations has also not been confirmed nor assessed for suitability’.

[161]Australian Finance Conference, Submission PR 398, 7 December 2007.

[162]Ibid. In addition, the CVS does not cover individuals born in either Tasmania or the Northern Territory and coverage is limited by date of birth in other jurisdictions (eg, for individuals born in Western Australia, the data is only available for those born after 1974): Australian Finance Conference, Submission PR 398, 7 December 2007.

[163]Australian Finance Conference, Submission PR 398, 7 December 2007.

[164]Global Data Company, Submission PR 409, 7 December 2007.

[165]FCS OnLine, Submission PR 441, 10 December 2007.

[166]Global Data Company, Submission PR 409, 7 December 2007.

[167]Ibid.

[168] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Office of the Privacy Commissioner, Submission PR 281, 13 April 2007; Min-it Software, Submission PR 236, 13 March 2007.

[169]Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[170]Ibid.

[171]Australian Privacy Foundation, Submission PR 553, 2 January 2008.

[172]Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[173]Ibid.

[174]Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No 1) (Cth) [4.2.7].

[175] One possible limitation of credit reporting information as a source of ‘independent’ electronic data, however, is that credit reporting information used by a reporting entity to verify identity may have come from the same reporting entity in the first place—because credit reporting agencies aggregate information provided by their credit provider members.

[176]Commonwealth Electoral Act 1918 (Cth) s 90B(4), items 6 and 7.

[177]Ibid s 90B(7).

[178]Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[179]Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) s 251.

[180] See Rec 16–4.

[181] As suggested by the OPC: Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[182]Commonwealth Electoral Act 1918 (Cth) s 90B, items 6 and 7.