How we use AFCX data
The data collected under this program will be used to:
- protect taxpayer accounts from identity crime and unauthorised access by implementing safeguarding controls to enable pre-lodgment detection and treatments to victims of fraud, as a preventative measure
- identify, detect, monitor and treat new emerging risks and behaviour patterns which may significantly impact the integrity of the tax and superannuation systems
- compare to our records and other data holdings, as part of the methodologies, including risk modelling outcomes, by which we select taxpayers for compliance activities
- provide insights through models and analysis that support our regulatory approach, to reduce the impact of financial scam and crime.
Previous related programs
Evidence from a pilot program indicated that the AFCX data can improve and strengthen our controls to detect, disrupt and deter tax fraud more efficiently and effectively in near-real time.
The continued collection of AFCX data will be used to enhance our fraud detection capabilities to protect taxpayer accounts.
The data helps us to:
- increase knowledge and understanding of the threats that scam, fraud and financial crime pose to the tax and superannuation systems
- measure the effectiveness of fraud treatment programs
- bring consequences to perpetrators of fraud.
Data providers
We are the matching agency and, in most cases, the sole user of the data obtained during this data-matching program.
Data will be obtained from the AFCX. The AFCX is a key initiative of the Scam-Safe Accord that requires all member banks of the Australian Banking Association and Customer Owned Banking Association to join the AFCX. This is to strengthen the wider financial ecosystem to disrupt, detect, and respond to scams and financial crimes.
Eligibility as a data provider
We adopt a principles-based approach to ensure that our selection of data providers is fair and transparent.
- The AFCX coordinates the sharing of data and intelligence across the public and private sector to combat scams and financial crime.
- The AFCX operates a business in Australia that is governed by Australian law.
- The data owner provides data-sharing services for the years in focus.
- There are no alternative legislated providers on the market.
The data provider for this program will be reviewed annually against the eligibility principles.
AFCX data disclosure
The disclosure of this data is in accordance with a Participant Services Agreement between AFCX and ATO.
Privacy Act
Data will only be used within the limits prescribed by Australian Privacy Principle 6 (APP6) contained in Schedule 1 of the Privacy Act and in particular:
- APP6.2(b) – the use of the information is required or authorised by an Australian law
- APP6.2(e) – the ATO reasonably believes that the use of the information is reasonably necessary for our enforcement-related activities.
Data elements we collect
We collect various datasets from AFCX including bank account details and IP addresses used in fraudulent activities identified and reported by AFCX members.
The data is obtained from AFCX in accordance with the Participant Services Agreement between AFCX and ATO. The collected data may contain all, or a selection of, the following fields.
Client identification details – individuals
Client identification data elements for individuals that we collect may include:
- given and surname(s)
- date(s) of birth
- addresses (residential, postal, other)
- Australian business number (if applicable)
- email address
- contact phone numbers
- identity verification document details
- employment details
- IP addresses.
Client identification details – non-individuals
Client identification data elements for non-individuals that we collect may include:
- business name
- addresses (business, postal, registered, other)
- Australian business number
- email address
- contact phone numbers
- IP addresses.
Bank account transaction data elements
Bank account transaction data elements we collect may include:
- bank account details
- transaction date
- transaction time
- amount
- IP address.
Number of records
We expect to collect approximately 500k records annually. AFCX data contains entity level identifiable and personal information in non-mandatory fields. Approximately 70k individuals are expected to be affected by this data collection each financial year.
Data retention
We collect data under this program for all financial years from the 2024–25 financial year to the 2026–27 financial year. AFCX data is collected weekly in the 2024–25 financial year and is made available for use in the ATO's enterprise data environment. Daily ingestion of the data is expected to be in place from the 2025–26 financial year.
We retain each financial year’s data for 5 years from receipt of the final instalment of verified data files from the data provider.
The data is required for this period for the protection of public revenue as:
- a retention period of 5 years enables us to retrospectively cross-reference the records of taxpayers who might be subject to identity takeover or be victims of scam or fraud
- the data enhances our ability to identify taxpayers who may not be complying with their tax and super obligations or who may be promoting unlawful behaviour, which is integral to protecting the integrity of the tax and superannuation systems
- retaining data for 5 years supports our general compliance approach of reviewing an assessment within the standard period of review and aligns with the requirements for taxpayers to keep their records
- the data is also used in multiple risk models, including models that establish retrospective profiles over multiple years aligned with the period of review
- the 5-year retention period enables us to perform extended analyses of trends and changes in financial crime behaviours and typologies
- destruction of the data would inhibit our ability to identify taxpayers who may be subject to administrative action and therefore result in loss of public revenue.
While increased data retention periods may increase the risk to privacy, we have a range of safeguards to manage and minimise this. Our systems and controls are designed to ensure the privacy and security of the data we manage.