Proactive identification of external data breach impacts on customers will be necessary 4 min read
The Australian Transaction Reports and Analysis Centre (AUSTRAC) has published new guidance recommending that reporting entities assess the potential impact of data breaches on the money laundering and terrorism financing (ML/TF) risks they face. They should also ensure they adopt measures to mitigate and manage these risks, including actively monitoring for data breaches that may impact their customers.
The publication of AUSTRAC's data breaches guidance was published just ahead of the recent report issued by the Financial Action Task Force addressing 'Illicit Financial Flows from Cyber-Enabled Fraud'.
In this Insight, we explain the new guidance and what it means for reporting entities.
Key takeaways
- AUSTRAC is the latest Australian regulator to assert jurisdiction over how its regulated population identifies, mitigates and manages risks generated by data breaches and related cyber and identity crime. Incidents and failures in risk management in these areas increasingly involve scrutiny from a range of different regulators.
- The guidance puts reporting entities on notice that AUSTRAC expects them to assess the impact of internal and external data breaches in their ML/TF risk assessments, and ensure they adopt controls to mitigate and manage these risks. This includes proactively identifying data breaches that may impact their customers. Compliance with the guidance will require a significant change for many reporting entities in how they approach ML/TF identification and risk management. It will also require close collaboration with colleagues and experts in cyber and data teams.
- With the rate of increase in data breaches and cyber and identity crimes showing no sign of abatement, we expect reporting entities' handling of data breaches to become an area of priority for AUSTRAC in its regulatory supervision and enforcement efforts in the coming years. Particular areas of focus may include how a reporting entity responds to a large and high-profile data breach that involves theft of its customer data, as well as the reporting entity's vulnerability to scam activity.
How can data breaches increase ML/TF risk?
Data breaches usually occur when there is unauthorised access to, or disclosure or loss of, data, which may include personal information. It can also sometimes refer to the unauthorised alteration of data held by an organisation.
Criminals can misuse personal information obtained from data breaches to facilitate serious financial and other crimes. For example, scammers may use stolen personal information to access an account, system or network, or make fraudulent transactions and transfer money undetected. Data breaches also increase the risk of 'mule accounts' (accounts opened using stolen identities, used to facilitate money laundering while masking the true owner or controller of the account).
In short, data breaches can facilitate ML/TF.
A data breach that facilitates ML/TF using a reporting entity's products and services can involve obtaining and misusing internal data held by a reporting entity about its customer, or data held by an external organisation about the reporting entity's customer.
What can businesses do to mitigate risk?
Under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument (No.1) 2007 (Cth) (the AML/CTF Rules), reporting entities have an obligation to ensure a customer is who they say they are and to monitor the customer.
AUSTRAC has provided high-level guidance to assist reporting entities to comply with their AML/CTF obligations in relation to data breaches. It expects businesses to:
- Review AML/CTF risk assessments and AML/CTF programs to ensure they are flexible and proactively identify ML/TF risks arising from both internal and external data breaches.
- Review AML/CTF systems and controls to ensure they adequately address the risk of identity crime, fraud and cyber-enabled crime. This may include taking appropriate steps to ensure a customer's identity is verified, monitoring for suspicious changes in customer details, monitoring for inconsistent account activity, and implementing procedures for customers who continue to be high risk or suspicious.
- Monitor ongoing customer risks and remain alive to the ML/TF risks arising from data breaches. Pay particular attention to the indicators of identity crime, fraud and cyber-enabled crime.
- Mitigate and manage ongoing customer risks by considering whether to conduct enhanced due diligence, enhance or adjust transaction monitoring and ongoing customer due diligence processes, submit a suspicious matter report to AUSTRAC or strengthen AML/CTF controls.
- Re-verify a customer's identity at any time it is suspected on reasonable grounds they are not who they say they are and / or there is doubt as to the truth or adequacy of the information used to identify or verify their identity.
- Comply with AML/CTF record-keeping obligations to reduce the risk of being targeted in a data breach and manage the risk of being exploited for money laundering.
- Report eligible data breaches as required under the Privacy Act 1988 (Cth).
What does this mean for reporting entities?
The release of this guidance signals a focus from AUSTRAC on how reporting entities identify, mitigate and manage ML/TF risk associated with data breaches, both within the organisation and externally.
Reporting entities should ensure their Part A Program takes into account this guidance in accordance with paragraph 8.7.1 or 9.7.1 of the AML/CTF Rules, including to ensure that their ML/TF risk assessment process and controls identify, mitigate and manage ML/TF risks arising from data breaches. This is likely to require close coordination and collaboration between financial crime compliance and data and cyber teams.
With the increase in data breaches and cyber and identity crimes unlikely to abate in the near future, reporting entities should expect AUSTRAC to apply an increasing focus on the identification, mitigation and management of these risks in its regulatory supervision and enforcement activities.