17 December 2025

Compliance Crossroads: Managing Privacy Requests And Tipping Off Risks As An AML/CTF Reporting Entity

KL
Herbert Smith Freehills Kramer LLP


Reporting entities are already familiar with the real challenges that can arise when seeking to meet their customer due diligence and ML/TF risk management obligations without engaging in "tipping off". While recent changes to the "tipping off" restrictions may have lessened those challenges, this may in turn have created new complications when the customer requests their personal information.

This article notes the intersection between the Australian AML/CTF and privacy frameworks and gives guidance to reporting entities on managing competing risks in that context.

Customer due diligence and personal information

The need for robust ongoing customer due diligence (OCDD) should be well understood as a cornerstone for any reporting entity that is serious about identifying, mitigating and managing its financial crime risk and meeting its compliance requirements under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act).

By necessity, the process of robust OCDD will involve creating and retaining records that address a range of highly sensitive data about each of the reporting entity's customers. For example, aside from customer identity records, the OCDD process may typically be expected to generate records of:

  • the customer's individual financial crime "risk rating" and the rationale for that rating;
  • the customer's status in terms of political exposure and sanctions;
  • publicly available information about the customer (such as court records or media mentions);
  • when (and how) the customer's activities have triggered the reporting entity's transaction monitoring program;
  • associated internal investigations and analysis of the customer's activities, with the view to determining whether or not those activities may warrant filing a suspicious matter report (SMR) with AUSTRAC; and
  • associated enhanced customer due diligence (ECDD) steps in respect of the customer, setting out any concerns about the customer's identity, activities, affiliations and broader profile and potentially considering whether or not the customer relationship should be terminated.

It is a matter of obvious and recognised importance that the data and analysis recorded as part of the OCDD process is kept appropriately confidential, both from the customer(s) to whom it relates and from others who may seek to exploit that information for nefarious purposes (for example, by using it to gauge the parameters of the controls the reporting entity relies on to mitigate and manage the risk of financial crime through its business).

The role of the "tipping off" restrictions

One regulatory provision that has traditionally prevented customers from accessing their customer due diligence records is the "tipping off" prohibition at section 123 of the AML/CTF Act.

Until recently, that prohibition was extremely onerous: not only did it make it a criminal offence for reporting entities to disclose to anyone (other than AUSTRAC) that they had filed, or were required to file, an SMR, but it also made it an offence for them to disclose (subject to some limited exceptions) any information from which it could reasonably be inferred that they had filed, or were required to file, an SMR. Having regard to the serious consequences of non-compliance, reporting entities have understandably taken a cautious approach to interpreting which documents might reasonably lead to such an inference.

The breadth of the "tipping off" prohibition gave rise to its own difficulties. For example, it created real obstacles (sometimes insurmountable) for reporting entities that needed to explain to their customers the legitimate reasons for deciding to suspend or terminate the relationship, freeze accounts or take other necessary actions. Correspondingly, it became commonplace for reporting entities to state in their customer terms and conditions that they could take these steps without providing the customer with any reasons.

Against that background, it was in some ways a welcome development that earlier this year the ambit of section 123 was amended, including by removing the "reasonable inference" restriction. In essence, the tipping off offence now prohibits disclosure of the fact of filing, or the requirement to file, an SMR only insofar as that disclosure would, or could reasonably be expected to, prejudice an investigation of an offence against Commonwealth, State or Territory law.

Intersection with privacy laws

Unfortunately, one potential by-product of the relaxation of the "tipping off" prohibition may be an increase in both the time it takes reporting entities to manage customer requests for their personal information under the Privacy Act 1988 (Cth) (Privacy Act) and the complexity of that process.

Australian Privacy Principle (APP) 12 provides individuals with a general right of access to their personal information. A reporting entity that receives a request for that information must respond within a reasonable period. Failure to comply with APP 12 is an "interference with the privacy of an individual" and may attract civil penalties.

Of course, the customer's right of access to their personal information is not absolute, and reporting entities may refuse access insofar as doing so is consistent with the exceptions provided for in APP 12.3. However, in view of the changes to the "tipping off" regime, whereas it may once have been appropriate simply to withhold customer due diligence information from any response to a privacy request on the basis that denying access was required or authorised by Australian law (namely section 123 of the AML/CTF Act), the evaluative process that reporting entities must now go through is likely to be more complicated. A number of APP 12.3 exceptions remain potentially applicable, including those relating to suspected unlawful activity, enforcement related activities and commercially sensitive decision-making processes, but these will generally require analysis on a case-by-case basis rather than a blanket refusal.

Practical considerations

Precisely how a reporting entity should navigate these challenges will of course depend on the circumstances of the particular case.

However, there are several measures that reporting entities can put in place upfront to assist in navigating these risks. For example:

  • Consider your document management practices and whether they need refreshing. A good document management protocol, supported by training, will be key to ensuring that everything recorded about a customer is clear, measured and accurate, bearing in mind that it may one day have to be disclosed to that customer.
  • Consider how your AML/CTF program and associated procedural documents address the information that may (and may not) be provided to customers about the OCDD conducted on them. A clear and well documented position, adopted by reference to the need to manage your financial crime risk, will be particularly helpful in this context.
  • If you have not done so already, refresh your documented process for applying the current version of section 123 of the AML/CTF Act (taking account of AUSTRAC's guidance) so that you are clear and consistent in determining what can and cannot be shared with customers on that basis.
  • Consider whether your customer-facing policies, procedures, and terms and conditions could benefit from further clarity about how you may seek to manage your risk appetite through your relationship with customers.
  • Seek legal advice upfront on the other APP 12.3 exceptions that may be relevant to you when considering customer requests of this nature.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
