- Noticing changes to customer details prior to large transactions?
- Onboarding new customers who use the same identification numbers or name and date of birth as existing customers
- Customers who are changing their address, email and phone number in quick succession?
These are just some of the indicators you have a problem.
If your business has been directly affected by a data breach, or impacted by an external data breach that affects your services or customers, this article is pertinent to you.
All AUSTRAC Reporting Entities should have an adequate understanding of their anti-money laundering and counter-terrorism financing (AML/CTF) obligations and take proactive measures to safeguard against the potential for heightened ML/TF crimes arising from data breaches.
In the event of a data breach impacting your business, it's possible that unauthorised individuals may have access to the personal information of your customers. Consequently, it is important for you to provide ascertain and be satisfied with your customer's identity. You must not provide (or continue to provide) a designated service to a customer until you are reasonably satisfied the customer is who they claim to be.
Recommended Actions
Review your risk assessment
Data breaches can increase the ML/TF risks your business faces. conduct regular reviews of your risk assessment and AML/CTF program, and consider the potential exposure resulting from a data breach.
Ensure that your systems and controls reflect current ML/TF risks and effectively identify, mitigate and manage these risks. It is essential that your systems are flexible and capable of addressing the ever-evolving challenges and presented by ML/TF risks and new technologies.
Review your systems and controls
Implementing effective systems and controls is crucial to respond to ML/TF risks such as identity crime, fraud and cyber-related crimes. Risk assessments should guide the systems and controls you implement to respond to ML/TF risks. Effective systems and controls will allow you to scrutinise future suspicious transactions before they are completed.
In the wake of a data breach, things to look out for include:
- changes to customer details prior to large transactions;
- new customers who use the same identification numbers or name and date of birth as existing customers; and
- customers changing their address, email and phone number in quick succession.
Monitor ongoing customer risks
Stay vigilant about the impact of data breaches when monitoring customer risk. Pay particular attention to the indicators of identity crime, fraud and cyber-enabled crime. These are some of the most common crimes that arise from data breaches. A non-exhaustive list of these indicators is provided in AUSTRAC's Guidance.
Mitigate and manage ongoing customer risks
Consider your AML/CTF obligations when responding to indicators of ongoing customer risks:
- Should I conduct enhanced customer due diligence?
- Do I need to enhance or adjust our transaction monitoring and ongoing customer due diligence (OCDD) processes?
- Does a suspicious matter report (SMR) need to be submitted to AUSTRAC?
- Do our AML/CTF controls and processes need to be strengthened to effectively deal with the identified ML/TF risk?
- Should staff complete an employee AML/CTF risk awareness training program?
Re-verify a customer's identity
Following a data breach, if you are not reasonably satisfied that the customer is who they claim to be, then you must not provide a designated service to that customer and you should re-verify the customer's identity.
You must also re-verify a customer's identity if at any time you:
- have reasonable grounds to suspect that the customer is not who they claim to be; or
- doubt the truth or adequacy of information used for identification.
Comply with AML/CTF record-keeping obligations
Reporting entities are required to store records securely tor educe the risk of being targeted in a data breach. Compliance with AML/CTF record-keeping obligations helps reduce the risk of data breaches and manage the risk of businesses being exploited for ML/TF criminal activity.
Report your data breach
Reporting entities have responsibilities under the Privacy Act 1988 to report eligible data breaches to the Office of the Australian Information Commissioner (OAIC). An eligible data breach occurs when:
- personal information an entity holds is accessed or disclosed without authorisation, or is lost;
- this is likely to result in serious harm to one or more of the individuals whose information is impacted; and
- an entity has not been able to prevent the likely risk of serious harm with remedial action.
Additionally, notifying AUSTRAC and the Australian Signals Directorate's Australian Cyber Security Centre (for cyber-related incidents) is considered good practice. By following these guidelines, reporting entities can enhance their resilience against data breaches and protect both themselves and their customers from criminal activity.
Background
A data breach occurs when unauthorised individuals gain access to, disclose, or expose sensitive or personal information. According to the OAIC, these breaches are on the rise in terms of complexity, scale and impact. Data breaches, especially those involving personal information, heighten the risks of identity crime, fraud, and cyber-enabled crimes.
You should refer to the guidance provided by the Australian Signals Directorate's (ASD) Australian Cyber Security Centre (ACSC) and the OAIC if you are seeking:
- broader guidance on how to detect, prepare for and respond to a data breach
- assistance with a data breach involving personal information.
