AML/CFT Act vs Privacy Act

Q4 2021 Quarterly Training

Lan’s Enterprise Limited Training Program

Training Objectives

What you’ll learn today

  • Understand the hierarchy of laws and how legislation ranks in authority
  • Recognize how the AML/CFT Act overrides the Privacy Act in specific circumstances
  • Identify privacy principles that still apply during AML/CFT compliance
  • Learn best practices for client communication about information requirements
  • Understand privacy breach protocols and internal processes

Laws Function in Order of Authority

From highest to lowest authority:

  1. Constitution - Founding legal document
  2. Statutes/Legislation - Acts passed by Parliament
  3. Regulations - Rules made under Acts
  4. Procedures & Code of Conduct - Industry guidelines

Key principle: AML/CFT Act obligations outrank professional codes of conduct.

The Overriding Effect

Section 24 of the Privacy Act 2020

The principle: Other laws may require personal information to be collected, used, and disclosed in specific ways.

What this means:

  • The AML/CFT Act overrides the Privacy Act where specified
  • If the AML/CFT Act is silent, Privacy Act principles still apply
  • This is not a free pass to ignore privacy obligations

What Still Applies?

Privacy Principles During AML/CFT Compliance

You must still:

  • Collect information directly from the individual where possible (Principle 2)
  • Inform clients of reasons and purposes for collection (Principle 3)
  • Use lawful, fair, and non-intrusive collection methods (Principle 4)
  • Ensure security and proper storage of information (Principle 5)

Why We Collect AML/CFT Information

Explaining Requirements to Clients

The Law: Anti-Money Laundering and Countering Financing of Terrorism Act 2009

Our obligation: Assess money laundering and terrorism financing risks

Customer Due Diligence (CDD) requires:

  • Full name, date of birth, residential address
  • For entities: company details, directors, shareholders, beneficial owners
  • Nature and purpose of the business relationship
  • Source of funds for transactions

Information Collection Standards

Lawful and Fair Practices

General rule: Collect personal information directly from the individual

Exceptions allowed when:

  • Unreasonable or impracticable to do so
  • Specifically authorized by law

Critical requirement: Provide notice about information collection purposes

Keeping Information Accurate

Ongoing Obligations

Reporting entities must:

  • Ensure information is accurate, up-to-date, and complete when collected
  • Verify accuracy when using or disclosing information
  • Keep records current and relevant to their purpose

Why it matters: Accurate information supports informed decision-making and effective risk assessment.

SAR Filing and Privacy

Protected Disclosure

Question: Is filing a Suspicious Activity Report a Privacy Act breach?

Answer: No. AML/CFT Act requirements override Privacy Act obligations.

Legal protection: When you submit a SAR in good faith and per AML/CFT Act obligations:

  • No civil proceedings
  • No criminal proceedings
  • No disciplinary proceedings

Information Security Requirements

Protecting Personal Data

Security measures include:

  • Physical and personnel security controls
  • Computer, network, and voice system protections
  • Prevention of misuse, interference, and unauthorized access
  • Secure destruction when information is no longer needed

Retention: Maintain AML/CFT records per regulatory requirements

Access to Information

Privacy Principle 6

General rule: Individuals have the right to access their personal information

Limited exceptions apply:

  • Reporting entities may deny access to SARs filed with the FIU
  • Other specified circumstances under the Privacy Act

Balance: Maintain individual rights while protecting investigation integrity

Privacy Breach Protocol

Internal Process Steps

When a potential breach is identified:

  1. Inform the Privacy Officer immediately
  2. Submit a Breach or Potential Breach Report Form
  3. Conduct timely internal assessment of severity and damages
  4. Determine if an actual breach occurred

Client notification: Only after confirming an actual breach, provide details on its nature, reason, ramifications, and mitigation actions.

Key Takeaways

Remember These Points

  1. The AML/CFT Act takes precedence over the Privacy Act, but doesn’t eliminate all privacy obligations
  2. Still follow privacy principles for collection methods, transparency, and security
  3. SARs are protected disclosures - no legal liability when filed in good faith
  4. Maintain information accuracy through regular verification and updates
  5. Follow breach protocols - assess internally before notifying clients

Contact & Resources

For Further Information

  • AML Compliance Team: aml@gmfinance.co.nz
  • Emergency Hotline: +64 09-309-8808
  • Training Program: Lan’s Enterprise Limited

Questions?

Thank You

Stay Vigilant, Stay Compliant