
FAQs

Your questions answered


Does AUSTRAC indemnify us for potential privacy breaches? 

A: AUSTRAC does not generally indemnify reporting entities for potential privacy breaches. In fact, the guidance explicitly states that all reporting entities must comply with the Privacy Act 1988 (Privacy Act).

However, there is a specific statutory provision regarding voluntary information sharing that offers "relief" from certain privacy laws under specific conditions.

The following details outline your liability and obligations regarding privacy:

1. General Obligation to Comply with the Privacy Act
  • Mandatory Compliance: All reporting entities must comply with the Privacy Act 1988. Even if you are a small business that might otherwise be exempt, you have obligations under the Privacy Act because you are a reporting entity under the AML/CTF Act.
  • Outsourcing: If you outsource AML/CTF functions, you generally remain legally liable for any breaches of your obligations. You must ensure you are complying with your Privacy Act obligations when disclosing "know your customer" (KYC) information to a third party.
  • Reliance: When relying on a third party for customer identification, you must consider whether you need to obtain the customer’s consent before disclosing KYC information to ensure compliance with the Privacy Act.
2. Specific Relief for Voluntary Information Sharing (Section 49C)
  • Section 49C: Under new information-gathering powers, the AUSTRAC CEO can authorise people to voluntarily share information with AUSTRAC.
  • Protection Provided: Unlike a compulsion to report, this section allows for voluntary sharing and "gives relief from the Privacy Act 1988 and other laws and any general law obligation of confidence" regarding that specific sharing of information.
3. Record Keeping
  • You must store sensitive records securely (such as customer identification and suspicious matter reports). Failure to do so increases the risk of non-compliance with obligations, such as avoiding "tipping off".

If you require specific assistance understanding your obligations under the Privacy Act, AUSTRAC recommends contacting the Office of the Australian Information Commissioner.

Does anything prevent submitting all matters as suspicious?

A: You are prevented from submitting all matters as suspicious because you are required to form a specific suspicion based on "reasonable grounds" before submitting a report.

The guidance outlines several factors that restrict blanket reporting:

  • The "Reasonable Grounds" Standard: You must only submit a suspicious matter report (SMR) if you suspect on "reasonable grounds" that the information is relevant to a crime or that a person is not who they claim to be. This is an objective standard, meaning a reasonable person in your position — reviewing the same material with similar knowledge — would form the same suspicion based on the available facts and circumstances.
  • Assessment of Legitimate Reasons: You are expected to review relevant material to decide if there are reasonable grounds for suspicion. This includes considering if there are legitimate reasons for unusual behaviour or transactions. Unusual activity alone does not automatically equate to suspicious activity, and one indicator on its own may not be sufficient to form a suspicion.
  • Ineffective Reporting: The guidance explicitly identifies reporting "just in case it might be suspicious" as an example of an ineffective description of grounds for suspicion.
  • Outcomes of Assessment: If your initial assessment determines there are no reasonable grounds for suspicion, you are instructed that no further action is required regarding the submission of an SMR (though you may choose to record your reasons for not reporting). If you are suspicious but lack enough information to confirm reasonable grounds, you are expected to continue monitoring and investigating rather than submitting a report immediately.

The goal of the regime is for businesses to report valuable information that helps detect and prosecute criminal activity, rather than submitting indiscriminate reports regarding all matters.

How does one’s duty of confidentiality to clients sit with this AML regime?  

A: The AML/CTF regime interacts with the duty of confidentiality by distinguishing between the general duty of confidentiality and the specific protection of Legal Professional Privilege (LPP). While the regime compels the disclosure of certain information, it preserves protections for privileged communications.

Here is how the duty of confidentiality sits with the AML/CTF regime:

1. General Duty of Confidentiality vs. Statutory Obligations

The general duty of confidentiality owed to a client is not absolute. Unlike LPP, the duty of confidentiality has exceptions that allow professionals to disclose information when compelled by law.

  • Compelled Disclosure: The AML/CTF Act compels reporting entities to provide specific information to AUSTRAC, such as Suspicious Matter Reports (SMRs) and Threshold Transaction Reports (TTRs).
  • Retainer Agreements: To manage this tension, practices are expected to include clauses in their retainer agreements that explicitly allow the practice to report suspicious matters despite confidentiality obligations.
2. Legal Professional Privilege (LPP) Protections

The regime creates a specific carve-out for LPP, which offers stronger protection than general confidentiality. The Act does not affect the right of a person to refuse to give information or documents if they are privileged.

  • Scope of Protection: LPP protects confidential communications (written and verbal) between lawyers and clients. However, it does not protect information created for an illegal or improper purpose.
  • Withholding Information: If a reporting obligation (such as an SMR) involves privileged information, you are entitled to withhold that specific information.
    • If all information forming the grounds for suspicion in an SMR is subject to LPP, you do not need to submit the SMR or an LPP form.
    • If only some information is privileged, you must submit the SMR containing the non-privileged information and submit an LPP form to AUSTRAC regarding the withheld material.
  • LPP Form: This is a new requirement under the reforms. It is a written notice specifying the basis on which information is being withheld. Submitting this form does not waive privilege.
3. Tipping Off Provisions

The regime imposes strict "tipping off" provisions which limit what you can disclose to your client, overriding normal transparency.

  • Prohibition: It is a criminal offence to disclose to a client (or anyone else) that an SMR has been filed or that an investigation is underway if it could prejudice the investigation.
  • Managing the Relationship: While you cannot tell a client you have reported them, you are permitted to ask for further information to complete customer due diligence (CDD) or clarify a transaction. If a client asks why, you should state it is required to meet AML/CTF obligations, without disclosing that a suspicion has been formed.
4. Privacy Act Interaction

The regime also interacts with the Privacy Act 1988.

  • Compliance: Reporting entities must generally comply with the Privacy Act.
  • Voluntary Information Sharing: A new power (Section 49C) allows the AUSTRAC CEO to authorize the voluntary sharing of information. This authorization provides relief from the Privacy Act and general law obligations of confidence for those who wish to share information to assist AUSTRAC.

Will Livesign’s system produce annual/audit reports?

A: Livesign will be able to provide you with historical portfolio trend analysis and data that will help you complete your annual AML report that will need to be submitted to AUSTRAC.

It will be available on demand within your Livesign dashboard and will form a key part of annual reporting.

Livesign will also be providing Annual Review Templates and guidance about doing your annual reporting along the way, which will be available via our ongoing educational material, all of which will be made available in our AML Information Hub.