Learn about data breaches and AML/CTF obligations.
A data breach is when unauthorised people access, disclose or expose sensitive or personal information. Data breaches, particularly when they involve personal information, increase the risk of identity crime, fraud and cyber-enabled crimes.
According to the Office of the Australian Information Commissioner (OAIC), data breaches are increasing in complexity, scale and impact.
About this guidance
This guidance is relevant to all regulated entities. It’s designed to help you:
- understand your anti-money laundering and counter-terrorism financing (AML/CTF) obligations when it comes to data breaches
- take steps to protect your business and customers from the potential heightened money laundering, terrorism financing and proliferation financing risks (we refer to these as ML/TF risks) and other serious crime risks arising from data breaches.
This guidance applies to you if your business has been:
- directly affected by a data breach
- impacted by an external data breach that affects your services or customers.
This guidance focuses on your AML/CTF obligations in the context of data breaches, in accordance with the:
- Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (the Act)
- Anti-Money Laundering and Counter-Terrorism Financing Rules 2025 (the Rules).
You should read this guidance and our core guidance on AML/CTF obligations. This guidance is general and not tailored to a specific data breach.
Visit the Australian Cyber Security Centre (ACSC) and the OAIC for:
- broader guidance on how to detect, prepare for and respond to a data breach
- assistance with a data breach involving personal information.
Review your risk assessment
It’s essential you regularly review your ML/TF risk assessment and AML/CTF policies to make sure the systems and controls you have in place:
- reflect current ML/TF risks
- are working to identify and appropriately manage and mitigate these risks.
Data breaches may increase the ML/TF risks your business faces. Criminals may misuse sensitive or personal information drawn from data breaches to exploit your business and avoid detection. For example, they may use personal information or credentials obtained in a data breach to gain access to an account, system or network, or to pass identity checks as someone else.
Your risk assessment should be flexible enough to identify the increased ML/TF risks that could arise from a data breach. This includes a direct data breach or an external data breach that may affect your business.
We encourage you to proactively identify data breaches that may affect you. You may do this by:
- using details of publicly known data breaches to determine if new or existing customers have had their personal information compromised
- hearing about a data breach directly from an affected organisation or from publicly available materials, or by registering with the ASD’s Alert Service.
Review your AML/CTF policies
Your ML/TF risk assessment should inform the AML/CTF policies you implement to respond to ML/TF risks. This includes the risk of identity crime, fraud and cyber-enabled crimes.
Your systems and controls could include monitoring for:
- changes to customer details (such as their mobile number) prior to large transaction requests that are inconsistent with the customer’s profile
- when customers change their telephone, email and address all at once or in quick succession
- new customers who use the same identification numbers and/or name and date of birth as an existing customer when you onboard them.
Your processes could also include:
- proactively engaging with customers to verify account activity that is inconsistent with their profile
- using multi-factor authentication.
You could confirm that the customer is the person shown in their identification documents by:
- checking signatures, photographs or other identifiers
- asking the person to upload a photograph of themselves holding their photo identification.
You could also choose to only allow a combination of the customer’s name, document identification type and document number to be used once to create a customer profile online. This prevents criminals from creating multiple profiles with a single set of identity details.
You could also implement procedures for customers who continue to be high-risk or suspicious, such as:
- payment suspension
- flags to prevent withdrawals
- stops on the account.
These procedures would allow you to scrutinise future suspicious transactions before they are completed. They could also be used to ensure that a customer cannot move or withdraw funds without you collecting further identification information.
This isn’t an exhaustive list and doesn’t replace the need for you to identify and appropriately manage and mitigate the ML/TF risks according to your risk assessment.
Monitor ongoing customer risks
It's important to remain vigilant to the impact of data breaches when you monitor customer risk. This includes the potential increased risk of someone misusing personal information to facilitate ML/TF and other serious crimes.
You should pay particular attention to the indicators of identity crime, fraud and cyber-enabled crime. These are some of the most common crimes that arise from data breaches. A non-exhaustive list of these indicators is provided below.
This list may also assist you to determine whether particular customers or transactions pose a high ML/TF risk.
No single indicator will be a definitive way to determine this. You should consider these indicators combined with knowledge of your business to monitor, mitigate and manage ML/TF risk and suspicious activity.
Customer profile indicators
Indicators related to a customer’s profile could include a customer:
- changing their telephone number, email and/or address details online all at once or in quick succession
- requesting to change their details prior to requesting large transactions inconsistent with their profile
- attempting to open multiple accounts over a short period
- providing inconsistent or invalid details, such as disconnected mobile numbers
- providing a billing or delivery address in a different region or country to their residential address
- favouring email or web chat to communicate.
Indicators could also include online activity that is inconsistent with a customer’s history or profile. For example, when a customer:
- uses different IP ranges or multiple IP addresses
- registers new devices
- deregisters a previous device
- accesses the account via multiple electronic devices
- does not answer the security questions correctly on a number of occasions
- operates in time zones outside of Australia
- uses a Virtual Private Network (VPN) for online banking services.
Account or transaction activity indicators
Indicators in a customer’s account or transaction activity could include:
- large deposits and cash withdrawals inconsistent with their customer profile
- making significant deposits or withdrawals from newly opened accounts
- attempting to conduct transactions of large value and/or volume.
Customer document indicators
Indicators related to a customer’s documents could include a person:
- providing information that matches an existing customer when requesting to set up a new account. For example, identification numbers, name, residential address, email address and date of birth
- attempting to provide identification or other documents that appear falsified or forged. For example, the same photograph appearing on different identification documents, inconsistent fonts, or a letter with a missing or unusual letterhead
- using adjusted bank statements and bank proof of balance across multiple accounts when the name, address and account details have changed but the listed balance remains the same.
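The monitoring controls described under “Review your AML/CTF policies” (detail changes before a large transaction, identity details reused at onboarding, and the once-only name/document combination) and the customer profile and document indicators above are rule descriptions rather than working controls. The following is an added example, not part of this guidance or of any AUSTRAC system, showing how two of those rules can be expressed as checks over a constructed set of customer records and account events. The customer names, events, the seven-day window and the “five times the customer’s typical transaction” threshold are all assumptions made for illustration; the thresholds you use should come from your own ML/TF risk assessment.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

# All customers and events below are constructed for illustration only.

@dataclass
class Customer:
    customer_id: str
    name: str
    dob: str            # ISO date string
    doc_type: str       # identification document type, e.g. "passport"
    doc_number: str
    typical_txn: float  # assumed: median transaction value from the customer's history

@dataclass
class Event:
    customer_id: str
    ts: datetime
    kind: str           # "contact_change" or "transaction"
    detail: str = ""    # for contact_change: "phone", "email" or "address"
    amount: float = 0.0 # for transaction

CONTACT_FIELDS = {"phone", "email", "address"}

def identity_key(c: Customer) -> tuple[str, str, str]:
    """Normalise the combination that should create at most one online profile:
    name + document type + document number (case and spacing ignored)."""
    return (c.name.strip().lower(), c.doc_type.lower(), c.doc_number.replace(" ", "").upper())

def duplicate_identity(applicant: Customer, existing: Iterable[Customer]) -> list[str]:
    """Return IDs of existing customers whose identity details match a new applicant,
    either on the name/document combination or on name + date of birth."""
    key = identity_key(applicant)
    name_dob = (applicant.name.strip().lower(), applicant.dob)
    return [
        c.customer_id
        for c in existing
        if identity_key(c) == key or (c.name.strip().lower(), c.dob) == name_dob
    ]

def flag_detail_change_then_large_txn(events: Iterable[Event], customers: dict[str, Customer],
                                     window_days: int = 7, multiplier: float = 5.0) -> list[dict]:
    """Flag a large transaction that follows a burst of contact-detail changes.
    Burst: two or more distinct contact fields changed within window_days before the transaction.
    Large: amount >= multiplier * the customer's typical transaction value (assumed thresholds)."""
    by_customer: dict[str, list[Event]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_customer.setdefault(e.customer_id, []).append(e)
    alerts = []
    for cid, evs in by_customer.items():
        cust = customers[cid]
        for i, e in enumerate(evs):
            if e.kind != "transaction" or e.amount < multiplier * cust.typical_txn:
                continue
            window_start = e.ts - timedelta(days=window_days)
            changed = {
                x.detail for x in evs[:i]
                if x.kind == "contact_change" and x.ts >= window_start and x.detail in CONTACT_FIELDS
            }
            if len(changed) >= 2:
                alerts.append({"customer_id": cid, "ts": e.ts, "amount": e.amount,
                               "changed": sorted(changed)})
    return alerts

# Constructed sample data (not real people).
CUSTOMERS = {
    "A1": Customer("A1", "Jane Citizen", "1985-04-02", "passport", "PA 123456", typical_txn=400.0),
    "A2": Customer("A2", "Sam Lee", "1990-11-17", "drivers_licence", "DL9988", typical_txn=1200.0),
}
# A new applicant re-using A1's passport details with different case and spacing.
APPLICANT = Customer("NEW", "jane citizen", "1985-04-02", "Passport", "pa123456", typical_txn=0.0)

T0 = datetime(2024, 6, 1, 9, 0)
EVENTS = [
    Event("A1", T0, "contact_change", detail="phone"),
    Event("A1", T0 + timedelta(hours=2), "contact_change", detail="email"),
    Event("A1", T0 + timedelta(days=2), "transaction", amount=20000.0),   # 50x typical, after two changes
    Event("A2", T0, "contact_change", detail="email"),
    Event("A2", T0 + timedelta(days=1), "transaction", amount=900.0),     # below threshold
    Event("A2", T0 + timedelta(days=30), "transaction", amount=15000.0),  # large, but no recent changes
]

if __name__ == "__main__":
    print("duplicate identity hits:", duplicate_identity(APPLICANT, CUSTOMERS.values()))
    for a in flag_detail_change_then_large_txn(EVENTS, CUSTOMERS):
        print("alert:", a)
```

Run as written, the onboarding check returns the existing customer `A1` for the applicant, and the transaction check raises one alert for `A1` (phone and email changed within two hours, then a withdrawal fifty times the customer’s typical value) while `A2`’s large transaction a month after a single email change is not flagged. As the guidance says, a hit from either rule is a prompt for enhanced customer due diligence or re-verification, not a determination on its own.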
Mitigate and manage ongoing customer risks
You should consider your AML/CTF obligations when responding to the above indicators and other emerging customer risks. This includes considering whether you must:
- conduct enhanced customer due diligence
- enhance or adjust your monitoring and ongoing customer due diligence
- submit a suspicious matter report (SMR) to us
- strengthen your processes, procedures, systems and controls to deal with the identified ML/TF risk.
It’s important to make sure your staff are trained and know what to do if they:
- suspect information or documents are fraudulent
- identify other suspicious behaviour.
This should form part of your mandatory AML/CTF training program.
Your personnel due diligence program will also help identify, mitigate and manage internal fraud and exploitation risks. This will protect your business from staff who may facilitate ML/TF.
Re-verify a customer’s identity
You must not provide a designated service to a customer until you have established the identity of the customer and identified the ML/TF risk of the customer on reasonable grounds. We expect your AML/CTF policies to include processes and procedures for establishing these matters for customers who may have been the victim of a data breach.
You’re only required to re-verify the identity of existing customers in accordance with your AML/CTF policies and in certain other circumstances.
If you established a customer’s identity and identified their ML/TF risk on reasonable grounds before a data breach, you may determine that this hasn’t changed as a result of the data breach. In this case, you may continue to apply ongoing customer due diligence measures in accordance with your AML/CTF policies.
However, you must re-verify that customer’s identity if at any time you:
- suspect on reasonable grounds they are not who they claim to be
- doubt the truth or adequacy of information you used to identify or verify their identity.
Learn more about customer due diligence.
Comply with AML/CTF record-keeping obligations
When fulfilling your AML/CTF record-keeping obligations, you must store the required records securely. Storing records securely will also help you:
- reduce the risk of being targeted or involved in a data breach
- manage the risk of your business being exploited for ML/TF.
Learn more about record keeping.
Your record-keeping practices must also comply with the Privacy Act 1988. Visit the OAIC website to learn more about your obligations under the Privacy Act 1988.
Report your data breach
You may also have responsibilities to report the data breach that fall outside the AML/CTF regime.
Learn more about the notifiable data breach scheme and how to report a data breach at the OAIC website.
As a matter of good practice, you could also notify the Australian Cyber Security Centre.
This guidance sets out how we interpret certain Australian legislation, along with associated Rules and regulations. Australian courts are ultimately responsible for interpreting these laws and determining if any provisions of these laws are contravened.
The examples and scenarios in this guidance are meant to help explain our interpretation of these laws. They’re not exhaustive or meant to cover every possible scenario.
This guidance provides general information and isn't a substitute for legal advice. This guidance avoids legal language wherever possible and it might include generalisations about the application of the law. Some provisions of the law referred to have exceptions or important qualifications. In most cases your particular circumstances must be taken into account when determining how the law applies to you.