On September 22, 2022, a cyberattack on Optus (Optus Data Breach) resulted to the disclosure of its customers’ confidential information. Names, birth dates, email addresses, driver’s licence numbers, Health card numbers, and passport numbers of Optus subscribers might have been compromised. Although the Anti-Money Laundering and Counter-Terrorism Financing Act of 2006 does not apply to telecommunication service providers, AUSTRAC-regulated companies may face increased risks of money laundering, terrorism financing, and criminal activity if customers personal information is disclosed. 

The Australian Government created a document on the Optus data breach, describing government measures being taken to secure the customers’ identities and offering advice for affected Optus customers. 

Implications for businesses subject to AUSTRAC legislation 

When conducting electronic client identity verification, reporting entities should be cautious about the effects of the data breach given the potential for increased risk of money laundering, terrorism funding, and other serious crimes. 

AUSTRAC advises reporting entities to think about putting safeguards in place to address the increased risk of identity theft, especially when taking on new clients and keeping an eye out for current clients whose personal identifiable information (PII) may have been compromised. The systems and controls that the reporting companies put in place might consist of—but not be limited to—mechanisms that obstruct unauthorised access to a customer’s account, like the requirement of two-factor authentication. 

Only on a risk-based basis are reporting entities required to re-verify the identification of current clients. It will typically be sufficient to continue applying ongoing customer due diligence measures in accordance with the reporting entity’s AML/CTF Program where a reporting entity verified a customer’s identity prior to the data breach and remains reassuringly satisfied that a customer is who they claim to be. 

However, a reporting entity is required to re-verify a customer’s identity if it has any reason to believe that they are not who they say they are, or if they have any concerns about the accuracy or sufficiency of any documents or information that were previously used to identify or verify the customer. Reporting organisations must first have reasonable assurance that a customer is who they say they are before offering a designated service to them.  

Personal Data breach reporting 

A reporting entity is required to submit a Suspicious Matter Report (SMR) to AUSTRAC if it believes that a customer or transaction may be important to the investigation of a crime, including when it has a reasonable suspicion that an individual is not who they claim to be or is the victim of a crime (including fraudulent or stolen documents). AUSTRAC asks that reporting entities use the reference “FA43407” when sending Suspicious Matter Report (SMRs) and other reports about the data breach. 

How can NameScan help? 

This data breach has highlighted the importance of compliance and why it is required for a business to maintain its data protection, availability, and integrity.  

To achieve this goal, NameScan offers Complete Pay-As-You-Go risk management solutions for organisations worldwide. The Identity Verification (IDV) and Know Your Customer (KYC) solutions offered by NameScan can help secure your businesses’ digital activities.  

NameScan meets the most stringent data protection and compliance requirements as a specialist provider for highly regulated industries such as the financial and insurance industries, legal sector, accounting, as well as the real-estate industry. Contact our team to find out more about our offerings.