Privacy Policy
Effective Date: 15 March 2026 | Last Updated: 15 March 2026
AML Assured Pty Ltd (ABN 27 693 940 706, ACN 693 940 706) ("AML Assured", "we", "our", or "us") provides an end-to-end Customer Due Diligence (CDD) and Anti-Money Laundering / Counter-Terrorism Financing (AML/CTF) compliance solution tailored to the Australian real estate sector. We act on behalf of our clients ("Clients") to verify the identity of their customers ("Customers") as required under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (as amended by the AML/CTF Amendment Act 2024) and other applicable regulatory requirements ("Applicable Laws").
This Privacy Policy ("Policy") explains how we collect, use, disclose, store, and protect personal information in connection with our services and website. It has been prepared in accordance with the Australian Privacy Principles (APPs) set out in Schedule 1 of the Privacy Act 1988 (Cth) ("Privacy Act") and the Office of the Australian Information Commissioner (OAIC) Privacy Guidance for Reporting Entities under the AML/CTF Act.
It applies to:
- Customers (see Section A); and
- Clients, website visitors and others (see Section B).
Together, these are referred to as "you".
Definitions
Personal Information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not and whether recorded in a material form or not, as defined under the Privacy Act 1988 (Cth).
Sensitive Information means a subset of personal information that includes biometric information, biometric templates, and other categories listed in section 6 of the Privacy Act. Sensitive information is subject to additional protections under the APPs and is only collected with consent or where required or authorised by law.
Service Providers means third-party vendors engaged to support the delivery of our services, such as identity verification, sanctions screening, hosting (AWS Sydney region), and analytics providers.
Reporting Entity means an entity that has obligations under the AML/CTF Act 2006, including real estate agents providing designated services from 1 July 2026.
Our Regulatory Status and Commitment
AML Assured is an APP entity under the Privacy Act 1988 and is committed to managing personal information in accordance with the Australian Privacy Principles (APPs), the AML/CTF Act 2006, the AML/CTF Rules 2025, and other Applicable Laws. Under the OAIC's Privacy Guidance for Reporting Entities under the AML/CTF Act, all reporting entities and authorised agents of reporting entities that are required to comply with the AML/CTF Act are also required to comply with the Privacy Act when handling personal information for AML/CTF purposes. This applies regardless of annual turnover, including entities that would otherwise qualify as small businesses under the Privacy Act.
We may update this Policy from time to time. Updates will be published on our website and will take effect from the date of publication.
Company-Wide Commitment to Privacy
Safeguarding personal information is central to AML Assured's business.
- All employees undertake mandatory training on privacy, data protection, and AML/CTF obligations.
- Privacy considerations are embedded into our compliance workflows and product design (privacy by design).
- Our Clients are contractually required to comply with the Privacy Act, AML/CTF obligations, and our security standards.
- We collect only the personal information that is reasonably necessary for our functions and activities, including fulfilling our Clients' AML/CTF obligations.
Section A: Customers
Identity Verification and Compliance Checks
To provide our services, AML Assured uses secure third-party identity verification and compliance screening vendors to perform Know Your Customer (KYC), sanctions screening, Politically Exposed Person (PEP) checks, and adverse media searches.
In order to complete these checks, certain personal information and identity documentation may be securely shared with these third-party providers. These providers process information solely for the purpose of performing identity verification and regulatory compliance services on our behalf and are required to maintain appropriate security and confidentiality standards.
1. When We Handle Your Information
We may collect and process personal information about you in two circumstances:
On behalf of a Current Provider: A real estate agent, buyer's agent, conveyancer, lawyer, accountant, or other entity legally required to conduct AML/CTF checks under the AML/CTF Act 2006. We act strictly on their instructions as their authorised agent. In this case, their privacy policy applies, and you should contact them directly for queries or access requests.
For potential Future Providers: With your authorisation, we may securely retain your verification information for use by other service providers who also have AML/CTF obligations, in accordance with Applicable Laws. This Policy applies in those cases.
2. Information We Collect and Disclose
We may collect the following categories of personal information directly from you, from your Current Provider, from documents you provide, or from third-party verification sources:
| Category | Examples |
|---|---|
| Contact Information | Full name, email address, phone number, residential address |
| Identity Documents & Identifiers | Driver licence, passport, Medicare card, identification numbers, document expiry dates |
| Biometric & Sensory Information (Sensitive Information) | Facial images captured for identity verification, liveness detection results, biometric face match scores, video recordings. Collected with your consent. |
| Demographic Information | Date of birth, nationality, gender (as shown on identity documents) |
| Screening Results | PEP status, sanctions screening results (DFAT Consolidated List, UN Security Council lists), adverse media results |
| Source of Funds Information | Declared source of funds (employment, business, investment, inheritance, property sale, gift, other), supporting evidence documents |
| Beneficial Ownership Information | For non-individual customers: names, roles, ownership percentages, and identity details of beneficial owners |
| Transaction Information | Transaction value, property details, payment method, whether the purchase is unfinanced |
| Geolocation & Device Data | IP address, device ID, browser type, location metadata (collected during the verification process) |
We may share this information, where necessary, with:
- Your Current Provider (who requested the CDD check);
- Our Service Providers;
- Future Providers (if authorised by you and permitted by law).
3. Data Retention
Under the AML/CTF Act 2006 (section 116), reporting entities are required to retain records for a minimum of 7 years from the date the record is made or the relevant business relationship ends (whichever is later). We retain personal information for this period to meet our Clients' legal obligations. Once information is no longer required for any authorised purpose and the retention period has expired, we securely destroy or de-identify the information in accordance with APP 11.2.
4. Use and Disclosure
We use your personal information to:
- Conduct CDD, KYC, and KYB checks as required under the AML/CTF Act 2006;
- Screen against sanctions lists (DFAT Consolidated List and UN Security Council lists) and PEP databases — under Schedule 2 of the AML/CTF Amendment Act 2024, sanctions screening is formally part of our Clients' terrorism financing risk management obligations;
- Conduct adverse media screening;
- Assign a risk rating to customers based on the information collected (see Automated Decision-Making below);
- Prevent fraud, money laundering, terrorism financing, and proliferation financing;
- Comply with legal and regulatory obligations, including reporting obligations to AUSTRAC;
- Respond to enquiries, complaints, or disputes.
We may disclose personal information to:
- Regulatory, government, or law enforcement agencies, if required or authorised by law — this includes AUSTRAC (suspicious matter reports and other mandatory reports), the Department of Foreign Affairs and Trade (DFAT) in relation to sanctions matters, and the Australian Federal Police (AFP);
- Verification sources, such as the Document Verification Service (DVS), VEVO, and sanctions screening databases;
- Professional advisers (legal, accounting, auditing) where necessary to obtain advice or meet legal obligations;
- Successors in the event of a merger, acquisition, or restructure.
We will never sell your personal information.
5. Security and Storage
We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure (APP 11.1). Our security measures include:
- Customer data is hosted on secure servers located in Australia (AWS Sydney region), operated by providers meeting ISO 27001 and SOC 2 standards.
- Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
- Access is strictly role-based, with multi-factor authentication required for all personnel.
- Access is logged and audited.
- All personnel undertake ongoing security awareness training.
- Regular penetration testing and vulnerability assessments are conducted.
6. Overseas Disclosures
We aim to keep all personal information within Australia. However, in limited cases, information may be disclosed to an overseas recipient if:
- Verification of a foreign identity document, visa, or address is required (the verification request may be processed by the infrastructure of our secure third-party vendors, which may operate globally);
- A Client's authorised personnel are based overseas; or
- We are required by law to disclose information to an overseas regulatory or law enforcement authority.
Before disclosing personal information overseas, we take reasonable steps to ensure that the overseas recipient handles the information in accordance with the APPs, or that an exception under APP 8 applies.
7. Access, Correction & Complaints
You may request access to, or correction of, your personal information by contacting us. We will respond within 30 days. Where the information is held on behalf of a Client, we will refer your request to that Client. In limited circumstances, we may deny access (for example, if disclosure would reveal the existence of a suspicious matter report lodged with AUSTRAC, in accordance with APP 12.3(h)).
Complaints should be directed to AML Assured in the first instance. If you are dissatisfied, you may escalate to the Office of the Australian Information Commissioner (OAIC): www.oaic.gov.au.
8. Automated Decision-Making
AML Assured uses automated systems, including computer programs powered by rule-based algorithms, to process personal information and assist in making decisions that may affect your rights or interests. In accordance with APPs 1.7, 1.8, and 1.9 (as inserted by the Privacy and Other Legislation Amendment Act 2024, commencing 10 December 2026), we disclose the following:
Kinds of personal information used in the operation of our automated systems
Identity verification results, document authenticity results, biometric match scores, PEP screening results, sanctions screening results, adverse media results, source of funds declarations, transaction value, payment method, customer type, country of residence, nationality, and occupation.
Kinds of decisions made or substantially influenced by automated systems
- Customer risk rating (Low, Medium, or High) — assigned by the platform's scoring engine based on the information collected during the CDD process.
- CDD level assignment (Simplified, Standard, or Enhanced) — determined by the customer risk rating.
- Hard block decisions — the platform automatically blocks a customer relationship where a confirmed sanctions match is detected (this is a legal obligation under the Autonomous Sanctions Act 2011 and Charter of the United Nations Act 1945, and is also a terrorism financing offence under Schedule 2 of the AML/CTF Amendment Act 2024) or where identity verification fails.
Where a decision is made that adversely affects you (for example, a high-risk rating that triggers enhanced due diligence, or a hard block), you may contact the relevant reporting entity (your Current Provider) to request a review. Policy-based hard blocks (other than confirmed sanctions matches and identity verification failures) may be overridden by the Client's senior management with documented rationale.
Section B: Clients, Website Visitors & Others
1. Information We Collect
We may collect:
Directly provided information: Name, contact details, job title, business information, ABN/ACN, AUSTRAC enrolment status, enquiry forms, emails.
Automatically collected information: IP address, device details, browser type, usage analytics.
Cookies and tracking technologies: To improve website performance and personalise services. You can manage cookie preferences through your browser settings.
We do not knowingly collect personal information from children under 16.
2. How We Use & Share Your Information
We process this information to:
- Provide, maintain, and improve our compliance platform services;
- Improve our website and offerings;
- Communicate with you, including marketing (which you may opt out of at any time);
- Ensure system security and comply with legal requirements.
We do not sell personal information. We may share it with Service Providers or regulators where required.
3. Your Rights
Subject to law, you may request to:
- Access or correct your information (APP 12 and APP 13);
- Request deletion or de-identification (where the information is no longer required for any authorised purpose and the 7-year AML/CTF retention period has expired);
- Withdraw consent to marketing communications at any time;
- Deal with us anonymously or by pseudonym (APP 2), except where we are required by law to verify your identity for AML/CTF purposes.
4. Notifiable Data Breaches
AML Assured complies with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act. If we become aware, or have reasonable grounds to suspect, that an eligible data breach has occurred that is likely to result in serious harm to any individual whose personal information is involved, we will take reasonable steps to contain the breach and mitigate any harm, conduct an assessment, and, if serious harm is likely, notify the OAIC and affected individuals as soon as practicable. We will also notify the affected Client where the breach relates to customer data held on their behalf.
Legislative Framework
This Policy has been prepared with reference to the following legislation and guidance:
- Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
- Privacy and Other Legislation Amendment Act 2024 (Cth) — including APPs 1.7, 1.8, and 1.9 (automated decision-making transparency, commencing 10 December 2026).
- Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (as amended by the AML/CTF Amendment Act 2024).
- AML/CTF Amendment Act 2024, Schedule 2 — expanded definition of 'financing of terrorism' to include offences against the Charter of the United Nations Act 1945 and Autonomous Sanctions Act 2011.
- Anti-Money Laundering and Counter-Terrorism Financing Rules 2025, including Rule 5-3 (targeted financial sanctions policies).
- OAIC Privacy Guidance for Reporting Entities under the AML/CTF Act (2025).
- OAIC Australian Privacy Principles Guidelines (updated October 2025).
Contact Us
If you have any questions or complaints about this Policy or our data practices, please contact us:
AML Assured Pty Ltd ABN 27 693 940 706 | ACN 693 940 706
Email: support@amlassured.com
Website: www.amlassured.com
We will acknowledge your complaint within 7 days and aim to respond substantively within 30 days.
If you remain unsatisfied, you may contact the Office of the Australian Information Commissioner (OAIC):
- Phone: 1300 363 992
- Website: www.oaic.gov.au
- Online complaint form: www.oaic.gov.au/privacy/privacy-complaints
© 2026 AML Assured Pty Ltd. All rights reserved.