This notice compliments the Cosca Privacy Policy and explains how the Cosca Group meets its obligations under the AML/CTF Act 2006 (Cth) and the AML/CTF Rules 2025 (Cth).

Certain services that we provide are regulated under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) and the Anti-Money Laundering and Counter-Terrorism Financing Rules 2025 (Cth) (AML/CTF Rules) (together, AML/CTF laws).

The AML/CTF laws are designed to prevent money laundering, terrorism financing and proliferation financing by imposing obligations on reporting entities to detect, report and mitigate financial crime risks.

The AML/CTF laws may require Cosca Accountants Pty Ltd (and other members of the Cosca Group reporting under the same AML/CTF program) (Cosca, us, we, our) to undertake due diligence on new and existing clients. This may necessitate the collection of additional information from you, including personal information regulated under the Privacy Act 1988 (Cth) (Privacy Act), to undertake that due diligence.

This notice sets out our obligations under the AML/CTF laws, and how client information will be collected, handled and disclosed in accordance with our obligations under the AML/CTF laws and the Privacy Act. It supplements our general Privacy Policy, which is available at cosca.com.au/privacy.

1. What is Customer Due Diligence

The AML/CTF laws require us to conduct initial and ongoing customer due diligence on clients where we expect to provide certain transactional services or advice (Customer Due Diligence, or CDD).

We are required to verify the identity of our clients and certain associated persons (including beneficial owners, directors, partners, trustees and authorised representatives), and to understand the money laundering, terrorism financing and proliferation financing risks associated with providing those services to the client.

2. Why we need to collect your information

We collect your personal information to comply with the Customer Due Diligence requirements in the AML/CTF Act. This includes to:

• establish and verify your identity before providing certain services to you or the person you are acting on behalf of;
• assess and manage potential money laundering, terrorism financing, proliferation financing or related compliance risks associated with the provision of our services;
• make reports required by law under the AML/CTF Act (including Suspicious Matter Reports and Threshold Transaction Reports); and
• meet record-keeping obligations under the AML/CTF Act and AML/CTF Rules.

3. Personal information we collect for Customer Due Diligence

We are required to collect certain information to conduct Customer Due Diligence, known as Know Your Customer information (KYC information), which may include:

• your full name, date of birth and residential address; and
• individual identification documents such as your passport, driver’s licence or Medicare card.

For clients that are not individuals, we may also collect the following information (although it may not be personal information for the purposes of the Privacy Act):

• company structure charts and ownership diagrams;
• business names;
• address of principal place of business and/or registered office;
• identification numbers such as ACN, ABN and ARBN; and
• governing documents such as trust deeds, shareholder agreements, company constitutions and member registers.

We may also collect sensitive information from you if required, including whether you are a member of any political associations, professional or trade associations which may be used to verify your occupation or determine whether you are a politically exposed person (PEP).

4. How we collect your information

Where possible, we will collect information required for Customer Due Diligence from the client directly. We may also collect information about clients from publicly available sources or related parties where we are permitted to do so under the Privacy Act, including where it is impractical or unreasonable to collect from the client or relevant person directly.

We may collect your personal information from other sources such as registers of companies, trusts or public records (including court records, regulatory filings and land registries), from financial institutions, or from professional intermediaries (such as your solicitor, mortgage broker or other adviser).

We may engage third-party service providers to assist us in complying with our obligations under the AML/CTF laws.

EasyAML

We currently engage the AML/CTF platform provider EasyAML Pty Ltd (EasyAML) to assist us with Customer Due Diligence. We may decide to change our AML provider, which might change the way in which your KYC information is handled, and the location in which it is stored and processed.

EasyAML may request and collect the types of information set out in this notice from you on our behalf, to assist us with complying with the AML/CTF laws. This may include sending you requests for information and undertaking verification of your identification.

EasyAML, its contractors and its service providers will use the information collected on our behalf to monitor and assess AML/CTF risk. We may use the information and analysis generated by EasyAML to form an opinion about whether a client presents an AML/CTF risk and to notify law enforcement bodies such as AUSTRAC.

For further information regarding EasyAML’s privacy obligations and practices, EasyAML’s Privacy Policy and Collection Notice can be found on its website at easyaml.com/privacy-policy.

5. Identity verification

We may engage identity verification partners to conduct an online identity verification. EasyAML engages Scantek Solutions Pty Ltd (Scantek) as a sub-processor to undertake online verification of identity (VOI) services. Scantek is an Australian-accredited Government Gateway Service Provider with direct access to the Australian Government Document Verification Service (DVS).

EasyAML will disclose your personal information to Scantek so that Scantek can verify your identity and provide the results of that verification to us. We are authorised to disclose personal information to Scantek for the purpose of verifying an individual’s identity under section 35A of the AML/CTF Act.

Scantek’s verification process may involve checks against:

• the Document Verification Service (DVS) for Australian-issued identity documents;
• Visa Entitlement Verification Online (VEVO) for visa status, where applicable;
• the Australian Criminal Intelligence Commission (ACIC) where required for the file; and
• sanctions and politically exposed person (PEP) watchlist services.

Further information about how Scantek handles personal information for VOI purposes is available in its Privacy Policy at scantek.com/privacy-policy.

6. What happens if we cannot collect your information

If you do not provide us with the information we request, or we otherwise do not have the information we require to conduct Customer Due Diligence, we may not be able to verify your identity and complete the required AML/CTF checks. In that case we may not be able to provide you (or the person you are acting on behalf of) with the services you have requested.

7. Who we may share your information with

We may disclose your KYC information and other personal information required for AML/CTF compliance to our third-party service providers who process and manage our AML/CTF program (or part of our AML/CTF program) on our behalf. For example, we routinely disclose personal information to EasyAML to assist us in complying with our AML/CTF obligations, and to Scantek to assist with identity verification.

We may also disclose your AML/CTF information between members of the Cosca Group as part of the operation of our Reporting Group AML/CTF program — for example, so that a verified client file held by one member can be relied on by another member of the Group for a related engagement. Information sharing within the Reporting Group is conducted in accordance with the AML/CTF laws and the Privacy Act.

Some of our AML/CTF service providers, or sub-processors used by them, may store or process your personal information overseas. In particular:

• EasyAML’s primary data hosting is in Sydney, Australia (Amazon Web Services), with limited overseas disclosure where required for cross-border identity verification, where a service provider stores or accesses data from outside Australia, or where a third party relies on our CDD under section 37A or 38 of the AML/CTF Act with overseas systems or personnel.
• Where the Cosca Group engages other professional service providers (for example, certain back-office processing or technology providers) that operate from India, the Philippines or other locations, we take reasonable steps to ensure those recipients are bound by privacy obligations substantially similar to the Australian Privacy Principles.

We may also disclose your AML/CTF information to government and law enforcement agencies, including to AUSTRAC, to meet our legal and regulatory obligations under the AML/CTF Act and AML/CTF Rules. For example, we are required to report certain cash transactions of A$10,000 or more (Threshold Transaction Reports) and certain matters where we form a suspicion on reasonable grounds (Suspicious Matter Reports).

8. How long do we hold your AML/CTF information

We are required to keep records under the AML/CTF laws about certain transactions and our identity verification procedures. We are generally required to keep such records for at least seven years, although we may hold those records for longer in certain circumstances (for example, where they form part of a broader client file, or where required by another law).

9. Your privacy rights and our Privacy Policy

Our general Privacy Policy contains further information about how we will handle your personal information and how you can access and correct your personal information. It also outlines how to lodge a complaint and how that complaint will be managed if you are concerned about how we handled your information.

Our Privacy Policy can be found on our website at cosca.com.au/privacy, or you can request a physical copy from us via the contact details below.

10. How to contact us about your privacy

If you have queries about how we collect, use or disclose your personal information, or if you would like to make a privacy complaint, please refer to our Privacy Policy on our website at cosca.com.au/privacy.

You have rights to seek access to, and correction of, the personal information that we hold about you. Further information can be found in our Privacy Policy.

11. Contact details

If you would like further information about the way we manage your personal information, or if you have a privacy-related complaint or request, please contact us:

We will endeavour to respond to all requests within a reasonable time.

More information about your rights and our obligations in connection with your personal information is available from the Office of the Australian Information Commissioner at oaic.gov.au.

Effective: 1 July 2026  ·  Version: 1.0