Australia: Electronic identity verification - AML/CTF Act and Privacy Act amended
Regulation and Compliance Update

New laws commenced on 28 June 2011 permitting verification of an identity using information held by a credit reporting agency. AML/CTF reporting entities should amend their privacy consents if they want to use this method.

The AML/CTF Act was amended by Combating the Financing of People Smuggling and Other Measures Act 2011. This Act introduced Div 5A to the AML/CTF Act which deals with 'e-verification'.

In summary, the provisions:

• permit a reporting entity to disclose specified personal information to a CRA for identity verification purposes with the express consent of the individual whose identity is being verified
• permit a CRA to conduct a matching process between personal information provided to it by a reporting entity and the personal information held on its own files and provide an assessment to the reporting entity of the outcome of the verification process
• require reporting entities to notify their customers, or other individuals required to be identified under the AML/CTF Act of unsuccessful attempts to verify identity using credit reporting data
• require credit reporting agencies and reporting entities to retain information about verification requests and assessments for 7 years from the date of the request for CRAs and for seven years after ceasing to provide designated services to a customer for reporting entities and to delete it at the end of those periods
• require a CRA to keep information about verification requests separate from the individual's credit information file
• create offences to address unauthorised access to, and disclosure of, verification information
• require 'express' consent from the customer. Austrac issued guidance 11/02 which says that this express consent might require ticking a box, and that a reporting entity should not rely on a failure to opt out. The customer must also be given another option for customer identification
• only AML/CTF reporting entities and their agents may use this method.

What do you need to do?

1. Amend privacy consent or obtain an express consent for e-verification
2. Amend your AML/CTF Program to permit e-verification
3. Establish a process to inform customers of unsuccessful matches specifying the name of the CRA and offering alternative means of identity verification
4. Arrange to hold data for seven years.

Gadens Lawyers can assist in amending privacy consents and AML/CTF Programs. Without express consent and authorisation in your AML/CTF Program, this method cannot be used.

Suggested clause for privacy consents or application forms

Verification of your identity using information at a credit reporting agency (CRA).To enable us to verify your identify, we may disclose personal information such as your name, date of birth, and address to a CRA to obtain an assessment of whether that personal information matches information held by the CRA. The CRA may give us a report on that assessment and to do so may use personal information about you and other individuals in their files. Alternative means of verifying you are available on request. If we are unable to verify your identity using information held by a CRA we will provide you with a notice to this effect and give you the opportunity to contact the CRA to update your information held by them or verify your identity using an alterative method acceptable to us.[DELETE THE ABOVE PARAGRAPH IF YOU DO NOT CONSENT TO US VERIFYING YOUR IDENTITY USING A CRA]

For more information, please contact:

This report does not comprise legal advice and neither Gadens Lawyers nor the authors accept any responsibility for it.