AUSTRAC has issued Draft guidance – Privacy implications of collecting know your customer (KYC) information from sources other than from the customer for consultation, which:

• discusses the AML/CTF Rules amendments that allow reporting entities to collect information ‘about’ a customer rather than ‘from’ the customer;
• explains the interaction with Australian Privacy Principle (APP) 3 (and other APPs generally);
• highlights the importance of complying with APP 3.6 when collecting information from sources other than the individual concerned.

As a result of the amendments in Anti-Money Laundering and Counter-Terrorism Financing Rules Amendment Instrument 2016 (No. 1), from 16 September 2016 reporting entities now have the option to collect KYC information from sources other than the customer in relation to:

• individual customers;
• beneficial owners of non-individual customer entities and politically-exposed persons (PEPs); and
• individuals who are not customers of reporting entities, but are associated with a customer a reporting entity (for example, directors of companies in the identification of companies).

Normally, where personal information is collected directly from an individual, the individual has greater control over what, and how much, personal information is shared or revealed to a reporting entity. However, where personal information about an individual is collected by reporting entities from sources other than from the individual, there are privacy implications as the individual no longer has control over the quality of, or what, information a reporting entity may collect or which third party source the reporting entity will use.

APP 3 provides that personal information about an individual:

• must only be collected by lawful and fair means;
• must only be collected from the individual concerned unless it is unreasonable or impracticable to do so (or one of the other exceptions applies); and
• may only be collected where it is reasonably necessary for the organisation’s functions or activities (and not for a secondary purpose, unless consent is obtained).

The draft guideline states that when a reporting entity which decides to collect personal information from sources other than from the customer will need to consider the following to ensure that its identification procedures comply with Privacy Act requirements:

•  Implementing revised practices, procedures and systems in relation to the collection, use, security, storage and disclosure of personal information about individuals, especially for information collected from other sources and about individuals who may not be customers of the reporting entity (for example, beneficial owners and in some circumstances, PEPs). This may include having a revised privacy policy;
• Ensuring that only personal information which is ‘reasonably necessary’ for one or more of the reporting entity’s functions or activities is collected from third party sources about an individual;
• Ensuring that personal information is collected from third parties only when it is unreasonable or impracticable to collect it directly from an individual;
• Checking whether there have been appropriate and timely notifications to, and consents from, affected individuals in relation to the collection of personal information from third party sources;
• Re-evaluating whether, and how, a reporting entity ‘bundles’ together multiple requests for an individual’s consent to a wide range of collections, uses and disclosures of personal information, especially in relation to obtaining information from third party sources. This is also relevant where a reporting entity uses personal information collected about non-customers for direct marketing;
• Ensuring compliance with all other APPs in relation to personal information collected from other sources, particularly for personal information relating to non-customers of a reporting entity.