AUSTRAC Guidance on Data Breaches

  • Writer: Compliense Advisors
  • Nov 30, 2023
  • 3 min read

Updated: Feb 7, 2024



Data Breaches and AML/CTF Considerations


Large-scale cyber-attacks and data breaches continue to occur, resulting in the theft of huge volumes of customer data and personal information. Such incidents can also happen to, or affect, a reporting entity.

Misuse of customer data (including personal information) unlawfully acquired in such breaches can lead to an increase in identity theft, unauthorised access to customer accounts, unauthorised transactions and fraud. The consequences of some incidents continue to reverberate for a long time for the affected company and for many other entities and customers in the broader ecosystem and stakeholder community.

While a breach may have happened at one organisation (organisation X), it can result in increased fraud and unauthorised access to the accounts that organisation X's affected customers hold with various other financial and other service providers.

Impact for Reporting Entities, and their Obligations


For reporting entities, the potential misuse of such unlawfully acquired customer data and personal information can include transactions that could amount to money laundering or terrorist financing (ML/TF).

A reporting entity hit by a data breach, or affected by an external data breach involving its customers or services, has a range of obligations in this regard under the AUSTRAC guidance. These include reviewing and updating its AML/CTF program and ML/TF risk assessment, monitoring ongoing customer risk, strengthening controls and processes to mitigate ML/TF risk, undertaking enhanced customer due diligence and transaction monitoring where required, lodging suspicious matter reports (SMRs), and re-verifying a customer's identity where there is suspicion. The reporting entity should also apply its risk-based approach, taking into account the nature, size and complexity of its business, when identifying, assessing, controlling and mitigating ML/TF risk.

The entity must also consider its obligations under privacy legislation and other legislation and guidelines (e.g. APRA CPS 234; critical infrastructure legislation), as well as its internal reporting and governance procedures.

Conclusion


In the event of a cyber incident or data breach, reporting entities must consider the range of regulatory provisions that may apply, including the AUSTRAC guidance.

While there is no specific regulatory requirement for reporting entities to report a cyber incident or data breach to AUSTRAC, it would be prudent to consider whether the reporting entity should voluntarily report the matter to the regulator, after considering the circumstances, the nature of the breach and the impact on customers.

Additionally, it would be useful to keep the above in mind even for attempted breaches that did not result in an actual data breach but could have.

Regulatory references:


AUSTRAC Guidance on data breaches and AML/CTF considerations

Office of the Australian Information Commissioner (OAIC) guidance on data breaches

27 Nov 2023


Compliense Advisors is an AML and FinCrime compliance and risk management advisory services provider. We provide solutions aligned with your business profile to minimise and mitigate risks associated with money laundering and finCrime activities, and achieve compliance.

Our experience includes AUSTRAC registration and enrolment; setting up, implementing and uplifting AML/CTF programs; risk assessments; preparing and documenting procedures and frameworks; and a range of other AML and FinCrime compliance and risk matters.

This article provides an awareness overview of the AUSTRAC guidance on the above subject and is for general informational purposes only. It is not to be relied on as a full statement of the law or regulatory requirements. You should carefully evaluate your circumstances and seek professional advice for your specific needs. You are responsible for your compliance obligations and for any action taken or omitted. We are not a law firm and do not provide legal advice.


COMPLIENSE ADVISORS PTY LTD
ABN: 46 670 831 464


Compliense Advisors Pty Ltd acknowledges the Traditional Custodians of country throughout Australia and their connections to land, sea and community. We pay our respect to the Elders past, present and emerging, and extend that respect to all Aboriginal and Torres Strait Islander peoples.