Commonwealth Numbered Acts Commonwealth Numbered Acts
Anti-Money Laundering and Counter-Terrorism Financing Act 2006
1 Section 5
Insert:
"assessment , " in relation to an individual, means an assessment prepared or provided by a credit reporting agency under paragraph 35B(1)(a) in relation to the individual.
2 Section 5
Insert:
"credit information file" has the same meaning as in the Privacy Act 1988 .
3 Section 5
Insert:
"credit reporting agency" has the same meaning as in the Privacy Act 1988 .
4 Section 5
Insert:
"personal information" has the same meaning as in the Privacy Act 1988 .
5 Section 5
Insert:
"verification request" , in relation to an individual, means a request made by a reporting entity under paragraph 35A(1)(b) for an assessment in relation to the individual.
6 After Division 5 of Part 2
Insert:
(1) A reporting entity may, to assist in verifying the identity of an individual for the purposes of this Act, the regulations or the AML/CTF Rules:
(a) disclose any or all of the following personal information to a credit reporting agency for the purposes of making a request referred to in paragraph (b):
(i) the individual's name;
(ii) the individual's residential address;
(iii) the individual's date of birth; and
(b) request the credit reporting agency to provide an assessment of whether the personal information so disclosed matches (in whole or part) personal information contained in a credit information file in the possession or control of the credit reporting agency.
(2) A reporting entity must not make a verification request in relation to an individual unless, before making the request:
(a) the individual was given information about:
(i) the reasons for making the request; and
(ii) the personal information about the individual that may be disclosed to the credit reporting agency; and
(iii) the fact that the reporting entity may request the credit reporting agency to provide an assessment of whether the personal information matches (in whole or part) personal information contained in a credit information file in the possession or control of the credit reporting agency; and
(iv) the fact that the credit reporting agency may prepare and provide to the reporting entity such an assessment; and
(v) the fact that the credit reporting agency may use the personal information about the individual, and the names, residential addresses and dates of birth contained in credit information files of other individuals, for the purpose of preparing such an assessment; and
(b) the individual expressly agreed to the making of the request and the disclosure of the personal information; and
(c) an alternative means of verifying the identity of the individual was made available to the individual.
(3) A disclosure of personal information under paragraph (1)(a) is taken to be authorised by law for the purposes of paragraph 2.1(g) of National Privacy Principle 2 in Schedule 3 to the Privacy Act 1988 .
(1) A credit reporting agency that receives a verification request from a reporting entity in relation to an individual may:
(a) prepare and provide to the reporting entity an assessment in accordance with this section of whether any or all of the following personal information matches (in whole or part) personal information contained in a credit information file in the possession or control of the credit reporting agency:
(i) the individual's name;
(ii) the individual's residential address;
(iii) the individual's date of birth; and
(b) use the personal information about the individual, and the names, residential addresses and dates of birth contained in credit information files of other individuals, for the purpose of preparing the assessment.
(2) An assessment provided under subsection (1) to a reporting entity:
(a) must be an overall assessment of the extent of the match between the personal information disclosed by the reporting entity and personal information contained in a credit information file in the possession or control of the credit reporting agency; and
(b) must not include separate assessments of the match between particular categories of that personal information.
(3) To the extent that providing an assessment in relation to an individual involves a disclosure of personal information contained in an individual's credit information file to a person, body or agency other than the individual, the disclosure is taken to be authorised by law for the purposes of paragraph 18K(1)(m) of the Privacy Act 1988 .
35C Reporting entities to notify inability to verify identity
(1) This section applies if:
(a) a reporting entity makes a verification request in relation to an individual; and
(b) an assessment is provided in relation to the individual; and
(c) the reporting entity is unable to verify the identity of the individual, having regard to the assessment.
(2) The reporting entity must give a written notice to the individual:
(a) stating that the reporting entity is unable to verify the identity of the individual having regard to the assessment; and
(b) specifying the name of the credit reporting agency that provided the assessment; and
(c) offering the individual an alternative means of verifying the identity of the individual.
35D Verification information not to be included on credit information file
(1) A credit reporting agency must not include on an individual's credit information file personal information that relates to a verification request or an assessment in relation to the individual.
(2) This section has effect despite subsection 18K(5) of the Privacy Act 1988 .
35E Retention of verification information--credit reporting agencies
(1) A credit reporting agency that receives a verification request in relation to an individual must retain the following information for 7 years after the request was received:
(a) the name of the reporting entity that made the request;
(b) the date on which the request was made;
(c) the personal information about the individual that was provided by the reporting entity to the credit reporting agency;
(d) the date on which the credit reporting agency provided an assessment (if any) in relation to the individual;
(e) such other information about the verification request as is specified in the AML/CTF Rules.
(2) A credit reporting agency that retains information under subsection (1) must delete the information at the end of the 7 year period referred to in that subsection.
Civil penalty
(3) Subsections (1) and (2) are civil penalty provisions.
35F Retention of verification information--reporting entities
(1) A reporting entity that makes a verification request in relation to an individual must make a record of the following;
(a) the name of the credit reporting agency to which the request was made;
(b) the personal information about the individual that was provided by the reporting entity to the credit reporting agency;
(c) the assessment (if any) provided by the credit reporting agency in relation to the individual;
(d) such other information about the verification request as is specified in the AML/CTF Rules.
(2) The reporting entity must retain the record, or a copy of the record, until the end of the first 7 year period:
(a) that began at a time after the verification request was made; and
(b) throughout the whole of which the reporting entity did not provide any designated services to the individual.
(3) A reporting entity that retains a record, or a copy of a record, under subsection (2) must delete the record at the end of the 7 year period referred to in that subsection.
Civil penalty
(4) Subsections (1), (2) and (3) are civil penalty provisions.
Designated business groups
(5) If:
(a) a reporting entity is part of a designated business group; and
(b) such other conditions as are specified in the AML/CTF Rules are satisfied;
the obligation imposed on the reporting entity by subsection (2) or (3) may be discharged by any other member of the group.
35G Access to verification information
A credit reporting agency or a reporting entity in possession or control of personal information, or other information of a kind referred to in subsection 35E(1), that relates to a verification request or an assessment in relation to an individual must take reasonable steps to ensure that the individual can obtain access to the information.
35H Unauthorised access to verification information--offence
(1) A person commits an offence if:
(a) the person obtains access to information; and
(b) the information is personal information that relates to a verification request or an assessment in relation to an individual.
Penalty: 300 penalty units.
(2) Subsection (1) does not apply if the access is obtained in accordance with, or as otherwise authorised by, this Act or any other law.
Note: A defendant bears an evidential burden in relation to the matter in subsection (2) (see subsection 13.3(3) of the Criminal Code ).
35J Obtaining access to verification information by false pretences--offence
A person commits an offence if:
(a) the person obtains access to information; and
(b) the information is personal information that relates to a verification request or an assessment in relation to an individual; and
(c) the information is obtained by false pretence.
Penalty: 300 penalty units.
35K Unauthorised use or disclosure of verification information--offence
(1) A person commits an offence if:
(a) the person uses or discloses information; and
(b) the information is personal information that relates to a verification request or an assessment in relation to an individual.
Penalty: 300 penalty units.
(2) Subsection (1) does not apply if the use or disclosure is in accordance with, or as otherwise authorised by, this Act or any other law.
Note: A defendant bears an evidential burden in relation to the matter in subsection (2) (see subsection 13.3(3) of the Criminal Code ).
35L Breach of requirement is an interference with privacy
A breach of a requirement of this Division in relation to an individual constitutes:
(a) in the case of a breach by a credit reporting agency--an act or practice involving an interference with the privacy of the individual for the purposes of section 13 of the Privacy Act 1988 ; or
(b) in the case of a breach by a reporting entity--an act or practice involving an interference with the privacy of the individual for the purposes of section 13A of the Privacy Act 1988 .
Note: These acts or practices may be the subject of complaints under section 36 of that Act.
7 Subsection 37(1)
After "procedure", insert "or an identity verification procedure".
8 Subsection 37(2)
After "procedures", insert "or identity verification procedures".
9 Subsection 37(3)
After "procedure", insert "or an identity verification procedure".
10 At the end of section 37
Add:
(4) This section does not otherwise limit the operation of the principles of agency for the purposes of this Act.
11 Subsection 6(1)
Insert:
"authorised agent" of a reporting entity means a person authorised to act on behalf of the reporting entity as mentioned in section 37 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 .
12 Subsection 6(1)
Insert:
"reporting entity" has the same meaning as in the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 .
13 Subsection 6E(1A)
Omit "(within the meaning of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 )", substitute " or an authorised agent of a reporting entity".
14 Subsection 6E(1A)
Omit "for the purpose of compliance with", substitute " for the purposes of, or in connection with, activities relating to".
15 Section 13 (note)
After "Note", insert "1".
16 At the end of section 13 (after the note)
Add:
Note 2: A breach of a requirement of Division 5A of Part 2 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 by a credit reporting agency is an interference with the privacy of an individual and is covered by this section (see section 35L of that Act).
17 Subsection 13A(1) (note)
After "Note", insert "1".
18 At the end of subsection 13A(1)(after the note)
Add:
Note 2: A breach of a requirement of Division 5A of Part 2 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 by a reporting entity is an interference with the privacy of an individual and is covered by this section (see section 35L of that Act).
19 Subsection 49(1)
Before "or a credit reporting offence", insert ", an AML/CTF verification offence".
20 Subsection 49(4)
Insert:
"AML/CTF verification offence (short for anti-money laundering and counter-terrorism financing " offence) means an offence against section 35H, 35J or 35K of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 .