Financial service providers in Australia have several obligations when it comes to identity verification and record keeping. The Anti-Money Laundering and Counter Terrorism Finance Act 2006 requires financial service providers to perform identity verification, also known as Know Your Client (KYC), under Part B of the Act. However, financial service providers must also comply with several other pieces of legislation related to privacy, data breaches, and consumer data rights.
Legislation Requirements:
In addition to the Anti-Money Laundering and Counter Terrorism Finance Act 2006, financial service providers in Australia must also comply with the following legislation:
• The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022
• The Privacy (Tax File Number) Rule 2015
• Privacy Amendment (Notifiable Data Breaches) Act 2017
• General Data Protection Regulations (Regulation (EU) 2016/679)
• Consumer Data Rights
• Corporations Act 2001
Retention of Records:
The retention of Identity documents for 7 years is often misunderstood to be a requirement under the Anti-Money Laundering and Counter Terrorism Finance Act 2006. However, the act does not explicitly require financial service providers to keep copies of Identity documents for 7 years. Instead, the act allows for a written record to be retained for this duration.
Under Part B of the Anti-Money Laundering and Counter Terrorism Finance Act 2006, financial service providers are recommended to capture the following information before providing any designated service to individuals with low to medium risk:
• Full name
• Residential address or date of birth
• Sight original or certified copies of primary or secondary documents and record who sighted the document, what document was sighted, the date and time sighted
• For electronic verification utilising Government Document Verification Service such as One Click Verify, record the transaction date of the verification
For individuals with high risk, financial service providers are recommended to capture the following information:
• Full name
• Residential address or date of birth
• Electronic verification utilising Government Document Verification Service such as One Click Verify, record the transaction date of the verification
• Verify mobile number, email address by sending a code or activation link
• Verify bank account or credit card by crediting and debiting the account and having the client provide the amount
• Social media identification by having the client verify or authenticate their user credentials
It is important to note that sighting of documents and file noting is not satisfactory for high-risk individuals. Document validation/verification is required.
Conclusion: As a financial service provider, it is crucial to comply with various legislations related to privacy, data protection, and anti-money laundering and counter-terrorism financing. While it is important to perform identity verification or KYC under Part B of the AML/CTF Act, it is equally important to remember our obligations under the Privacy Act 1988 and other related laws. Additionally, the retention of records for seven years is generally applicable for reporting entities with AML/CTF programs under Part A, but the requirement is less onerous for AFSLs under Part B. As outlined in the paper, specific information needs to be captured and recorded for individuals of low to medium risk and high risk, respectively. Finally, One Click Verify have sort additional guidance from AUSTRAC and ATO to ensure compliance with all relevant laws and regulations are met.
Record keeping obligations for customer identification procedure records
AUSTRAC provides guidance to industry on their Record-keeping obligations including for customer identification procedure records. You can also refer to the relevant sections of the AML/CTF Act and relevant chapters of the AML/CTF Rules.
The AUSTRAC website states the following (under the link above): A reporting entity using the Document Verification Service (DVS) as part of their applicable customer identification procedures, must keep a record of the results. This could include printing, saving, scanning or making a file note of the results of their search.
-Specialist, Industry Education and Outreach
25th January 2023
We and the TPB do not recommend retaining identification documents. Retaining identification documents may increase your risk of being targeted by criminals undertaking identity theft. Instead, you should maintain contemporaneous records to demonstrate that proof of identity steps were undertaken.
From TPB website: Record Keeping
The TPB does not require or recommend that registered tax practitioners retain copies or originals of identification documents (listed in Table 3) used as evidence to establish the identity of a client or their individual representative. This recognises that the retention of identification documents may increase the risk of registered tax practitioners being targeted by criminals undertaking identity theft.[10] Accordingly, what the TPB requires is a contemporaneous record (for example, a checklist) to demonstrate that proof of identity steps were undertaken by registered tax practitioners.
-Digital Partnerships Planning & Governance
17th January 2023
Financial service providers in Australia have several obligations when it comes to identity verification and record keeping. The Anti-Money Laundering and Counter Terrorism Finance Act 2006 requires financial service providers to perform identity verification, also known as Know Your Client (KYC), under Part B. However, financial service providers must also comply with several other pieces of legislation related to privacy, data breaches, and consumer data rights.
This white paper aims to provide clarity on the retention of Identity documents for 7 years, which is often misunderstood to be a requirement under the Anti-Money Laundering and Counter Terrorism Finance Act 2006. The act does not explicitly require financial service providers to keep copies of Identity documents for 7 years, but it does allow for a copy of Identity document to form a record to be retained for this duration. The paper provides specific guidance on what information needs to be captured for individuals with low to medium risk and high-risk customers.