Data breaches and AML/CTF considerations
About this guidance
This guidance is relevant to all AUSTRAC-regulated entities. It is designed to help you:
- understand your anti-money laundering and counter-terrorism financing (AML/CTF) obligations when it comes to data breaches
- take steps to protect your business and customers from the potential heightened money laundering and terrorism financing (ML/TF) and other serious crime risks arising from data breaches.
This guidance applies to you if your business has been:
- directly affected by a data breach
- impacted by an external data breach that affects your services or customers.
A data breach occurs when unauthorised people access, disclose or expose sensitive or personal information.
According to the Office of the Australian Information Commissioner (OAIC), data breaches are increasing in complexity, scale and impact. Data breaches, particularly when they involve personal information, increase the risk of identity crime, fraud and cyber-enabled crimes.
This guidance focuses on your AML/CTF obligations in the context of data breaches, in accordance with the:
- Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act)
- Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (AML/CTF Rules).
You should read this guidance alongside AUSTRAC’s core obligations guidance on how to comply and report. This guidance is general and not tailored to a specific data breach.
You should refer to guidance provided by the Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) and the OAIC if you are seeking:
- broader guidance on how to detect, prepare for and respond to a data breach
- assistance with a data breach involving personal information.
Disclaimer
AUSTRAC provides this guidance for educational purposes only and it does not constitute legal advice. The information in this guidance should be read together with, and not as a substitute for, the AML/CTF Act and Rules.
AUSTRAC does not guarantee, nor accept any legal liability whatsoever arising from, or connected to, the use or reliance of any material contained in this guidance.
For further information please refer to our Disclaimer.
Review your risk assessment
It is essential for you to regularly review your ML/TF risk assessment and AML/CTF program to make sure the systems and controls you have in place:
- reflect current ML/TF risks
- are working effectively to identify, mitigate and manage these risks.
Data breaches may increase the ML/TF risks your business faces. Criminals may misuse sensitive or personal information drawn from data breaches to exploit your business and avoid detection. For example, they may use personal information or credentials obtained through a data breach to gain access to an account, system or network.
Your risk assessment should be flexible enough to identify the increased ML/TF risks that could arise from a data breach. This includes a direct data breach or an external data breach that may affect your business.
AUSTRAC encourages reporting entities to proactively identify data breaches that may affect them. You may do this by:
- using details of publicly known data breaches to determine if new or existing customers have had their personal information compromised
- hearing about a data breach directly from an affected organisation, through publicly available materials, or by registering with the ASD’s Alert Service.
Review your systems and controls
Your risk assessment should inform the systems and controls you implement to respond to ML/TF risks. This includes the risk of identity crime, fraud and cyber-enabled crimes.
You must not provide a designated service to a customer until you are reasonably satisfied the customer is who they claim to be. The systems and controls you implement should reasonably satisfy you as to your customer’s identity.
Your systems and controls could include monitoring for:
- changes to customer details (such as their mobile number) prior to large transaction requests that are inconsistent with the customer’s profile
- when customers change their telephone, email and address all at once or in quick succession
- new customers who use the same identification numbers and/or name and date of birth as an existing customer when you on-board them.
Your systems and controls could also include:
- proactively engaging with customers to verify account activity that is inconsistent with their profile
- using multi-factor authentication.
You could confirm that a customer is the same person in identification documents by:
- checking signatures, photographs or other identifiers
- asking the person to upload a photograph of themselves holding their photo identification.
You could also choose to only allow a combination of the customer’s name, document identification type and document number to be used once to create a customer profile online. This prevents criminals from creating multiple profiles with a single set of identity details.
You could also implement procedures for customers who continue to be high-risk or suspicious, such as:
- payment suspension
- flags to prevent withdrawals
- stops on the account.
These procedures would allow you to scrutinise future suspicious transactions before they are completed. They could also be used to ensure that a customer cannot move or withdraw funds without you collecting further identification information.
This is not an exhaustive list and does not replace the need for you to identify and manage ML/TF risks according to your risk assessment.
Monitor ongoing customer risks
It is important to remain vigilant to the impact of data breaches when you monitor customer risk. This includes the potential increased risk of someone misusing personal information to facilitate ML/TF and other serious crimes.
You should pay particular attention to the indicators of identity crime, fraud and cyber-enabled crime. These are some of the most common crimes that arise from data breaches. A non-exhaustive list of these indicators is provided below.
This list may also assist you to determine whether particular customers or transactions pose a high ML/TF risk.
No single indicator will be a definitive way to determine this. You should consider these indicators combined with knowledge of your business to monitor, mitigate and manage ML/TF risk and suspicious activity.
Customer profile indicators
Indicators related to a customer’s profile could include a customer:
- changing their telephone number, email and/or address details online all at once or in quick succession
- requesting to change their details prior to requesting large transactions inconsistent with their profile
- attempting to open multiple accounts over a short period
- providing inconsistent or invalid details, such as disconnected mobile numbers
- providing a billing or delivery address in a different region or country to their residential address
- favouring email or web chat to communicate.
Indicators could also include online activity that is inconsistent with a customer’s history or profile. For example, when a customer:
- uses different IP ranges or multiple IP addresses
- registers new devices
- deregisters a previous device
- accesses the account via multiple electronic devices
- does not answer the security questions correctly on a number of occasions
- operates in time zones outside of Australia
- uses a Virtual Private Network (VPN) for online banking services.
Account or transaction activity indicators
Indicators in a customer’s account or transaction activity could include:
- large deposits and cash withdrawals inconsistent with their customer profile
- making significant deposits or withdrawals from newly opened accounts
- attempting to conduct transactions of large value and/or volume.
Customer document indicators
Indicators related to a customer’s documents could include a person:
- providing information that matches an existing customer when requesting to set up a new account. For example, identification numbers, name, residential address, email address and date of birth
- attempting to provide identification or other documents that appear falsified or forged. For example, the same photograph appearing on different identification documents, inconsistent fonts, or a letter with a missing or unusual letterhead
- using adjusted bank statements and bank proof of balance across multiple accounts when the name, address and account details have changed but the listed balance remains the same.
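The monitoring controls described under “Review your systems and controls” and the customer profile and document indicators above can be expressed as rules run over a customer event stream. The following Python is an added example written for this page, not AUSTRAC’s code or any product’s: the events, customer register, time windows and amount threshold are constructed assumptions that a reporting entity would tune to its own risk assessment.

```python
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample events (hypothetical customers and values, not from the guidance).
EVENTS = [
    {"ts": "2024-03-01T09:00", "cust": "C1", "type": "contact_change", "field": "phone"},
    {"ts": "2024-03-01T09:05", "cust": "C1", "type": "contact_change", "field": "email"},
    {"ts": "2024-03-01T09:07", "cust": "C1", "type": "contact_change", "field": "address"},
    {"ts": "2024-03-02T10:00", "cust": "C1", "type": "transaction", "amount": 25000.0},
    {"ts": "2024-03-02T11:00", "cust": "C2", "type": "transaction", "amount": 300.0},
    {"ts": "2024-03-03T12:00", "cust": "C3", "type": "onboard",
     "name": "A. Example", "dob": "1980-01-01", "doc": ("passport", "N1234567")},
]
# Constructed existing-customer register: typical transaction size plus identity details.
PROFILES = {
    "C1": {"typical_amount": 500.0, "name": "J. Sample", "dob": "1975-05-05", "doc": ("licence", "L555")},
    "C2": {"typical_amount": 400.0, "name": "A. Example", "dob": "1980-01-01", "doc": ("passport", "N1234567")},
}

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")

def detect(events, profiles, change_window=timedelta(hours=24),
           pre_txn_window=timedelta(hours=72), amount_multiple=10.0):
    """Return (customer, rule, detail) alerts for the three indicator patterns."""
    alerts = []
    changes = defaultdict(list)  # customer -> [(timestamp, contact field changed)]
    seen_ids = {(p["name"], p["dob"]) for p in profiles.values()}
    seen_docs = {p["doc"] for p in profiles.values()}
    for e in sorted(events, key=lambda e: e["ts"]):
        ts, cust = parse(e["ts"]), e["cust"]
        if e["type"] == "contact_change":
            # Telephone, email and address changed all at once or in quick succession.
            changes[cust].append((ts, e["field"]))
            recent = {f for t, f in changes[cust] if ts - t <= change_window}
            if len(recent) >= 2:
                alerts.append((cust, "rapid_contact_changes", sorted(recent)))
        elif e["type"] == "transaction":
            # Large transaction, relative to the customer's profile, shortly after a detail change.
            baseline = profiles.get(cust, {}).get("typical_amount")
            large = baseline is not None and e["amount"] >= amount_multiple * baseline
            recent_change = any(ts - t <= pre_txn_window for t, _ in changes[cust])
            if large and recent_change:
                alerts.append((cust, "detail_change_before_large_txn", e["amount"]))
        elif e["type"] == "onboard":
            # New customer reusing an existing customer's name+DOB or document type+number.
            if (e["name"], e["dob"]) in seen_ids or e["doc"] in seen_docs:
                alerts.append((cust, "duplicate_identity_at_onboarding", e["doc"]))
            seen_ids.add((e["name"], e["dob"]))
            seen_docs.add(e["doc"])
    return alerts
```

Each alert is a prompt for the steps in the next section (enhanced due diligence, re-verification or an SMR), not a determination on its own, since no single indicator is definitive.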
Mitigate and manage ongoing customer risks
You should consider your AML/CTF obligations when responding to the above indicators and other emerging customer risks. This includes considering whether you must:
- conduct enhanced customer due diligence
- enhance or adjust your transaction monitoring and ongoing customer due diligence (OCDD) processes
- submit a suspicious matter report (SMR) to AUSTRAC
- strengthen your AML/CTF controls and processes to deal with the identified ML/TF risk.
It is important to make sure your staff are trained and know what to do if they:
- suspect information or documents are fraudulent
- identify other suspicious behaviour.
This should form part of your mandatory employee AML/CTF risk awareness training program.
Your employee due diligence program will also help identify, mitigate and manage internal fraud and exploitation risks. This will protect your business from staff who may facilitate ML/TF.
Re-verify a customer’s identity
You must not provide a designated service to a customer until you are reasonably satisfied the customer is who they claim to be.
You are only required to re-verify the identity of existing customers on a risk basis.
If you have verified a customer’s identity before a data breach, and remain reasonably satisfied that a customer is who they claim to be, it is sufficient to continue to apply ongoing customer due diligence measures in accordance with your AML/CTF program.
However, you must re-verify that customer’s identity if at any time you:
- suspect on reasonable grounds they are not who they claim to be
- doubt the truth or adequacy of information you use to identify or verify their identity.
For more information, visit customer identification and verification.
Comply with AML/CTF record-keeping obligations
When fulfilling your AML/CTF record-keeping obligations, you must store the required records securely. Storing records securely will also help you:
- reduce the risk of being targeted or involved in a data breach
- manage the risk of your business being exploited for ML/TF.
For more information on the records you must keep and how long you must keep them, visit record-keeping.
Your record-keeping practices must also comply with the Privacy Act 1988. Visit the OAIC website to learn more about your obligations under the Privacy Act 1988.
Report your data breach
You also have responsibilities under the Privacy Act 1988 to report eligible data breaches to the OAIC. An eligible data breach occurs when:
- personal information your business holds is accessed or disclosed without authorisation, or is lost, and this is likely to result in serious harm to any of the individuals whose information is affected
- you have not been able to prevent the likely risk of serious harm with remedial action.
When someone uses personal information they had already obtained (for example, through another data breach) to circumvent your identity verification processes, this may still be an eligible data breach. The OAIC recommends masking personal information within customer accounts to reduce the harm if someone accesses it without authorisation.
As a matter of good practice, you should also notify: