Banks and other financial institutions conducting customer due diligence under their anti-money laundering and counter-terrorism financing obligations are now allowed to gather information about a customer from sources other than the customer. But according to regulatory guidance on the new rule, reporting entities must still collect the information from the customer unless it is unreasonable to do so.Austrac has issued guidance to help reporting entities manage privacy issues that may arise as a result of implementation of its new customer identification rules, which took effect in September.Information that can now be obtained from independent sources includes name, address, date of birth and telephone number.Under the old rules, information about a customer collected for customer due diligence had to be sourced from the customer.Austrac's guidance says reporting entities are required to comply with the Privacy Act when carrying out their AML/CTF activities."Where personal information about an individual is collected by reporting entities from sources other than the individual, there are privacy implications as the individual no longer has control over the quality of information a reporting entity may collect," Austrac said.Personal information must only be collected by lawful and fair means. It must be collected from the individual concerned unless it is "unreasonable or impractical" to do so.And it may only be collected where it is "reasonably necessary" for the organisation's functions or activities and not for a secondary purpose, such as marketing.In determining what is unreasonable and impractical, factors to be considered include the time and cost involved.Consent does not need to be obtained from the individual. However, if an individual has been informed by a reporting entity that their information will, in certain circumstances, be collected from other sources and has consented to that collection, "this factor will help assess whether the unreasonable and impractical exception applies."Where information is contained in a public register, such as the Australian Securities and Investments Commission registry, a "consent exception" would apply.