Last Updated: 3rd July 2026
The short version: BNDRY is responsible for the platform. Your organisation is responsible for your program, and for how you configure the platform to run it. We provide the software and technical processing, not legal or compliance advice, and we are not your AML/CTF compliance officer.
BNDRY is configurable software. Your organisation may have obligations under three areas of law:
- as a reporting entity, under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and the AML/CTF Rules
- as an APP entity, under the Privacy Act 1988 (Cth) and its Australian Privacy Principles (APPs)
- when you use the platform to verify a person's identity, under the Identity Verification Services Act 2023 (Cth) and the Identity Verification Services Rules 2024, which require the person's express consent
This page shows where our responsibility ends and yours begins, so you can answer due diligence questions accurately and configure the platform to match your obligations.
Why this split exists
Under the AML/CTF Act, the duties to run an AML/CTF program, conduct customer due diligence, keep records and report to AUSTRAC sit with the reporting entity. Your program is built on your money laundering, terrorism financing and proliferation financing (ML/TF/PF) risk assessment, which is yours to produce and maintain. AUSTRAC's guidance is clear that using a third party does not change any of this. BNDRY helps you meet these duties in house; it does not transfer them to us or give you a safe harbour.
Under the Privacy Act, every organisation that handles personal information is bound by the APPs directly. There is no controller and processor distinction that shifts responsibility between parties. You collect the personal information from your customers, so the privacy policy and collection notices have to be yours. Our Data Processing Agreement is a contractual commitment on top of that and does not change who the law holds responsible.
Identity verification runs on the individual's express consent, which you capture, and on strict limits on access, use and disclosure. We operate the capability, keep each verification auditable, and maintain the disclosure page at bndry.net/legals/identity-verification. Your own consent flow, disclosure and alternative verification path stay with you.
Who is responsible for what
Everything sits in the matrix below. Where a row sits with you, the answer to a due diligence question comes from your own program, configuration or policies, and we cannot answer it for you.
| Area | Who | What this means |
|---|---|---|
| AML/CTF program and ML/TF/PF risk assessment | You | You design, approve and maintain your program, a single program made up of your ML/TF/PF risk assessment and your AML/CTF policies. We do not review, advise on or approve it. That is for your compliance officer and your own advisers, starting from AUSTRAC's guidance for your sector. |
| Platform configuration | You | Your rules, thresholds and automated actions, including whether a match or no-match result approves or refuses access, services, accounts or membership. The platform has no such default. |
| Effect of automated decisions | You | Whether an automated outcome has a legal or similarly significant effect on an individual depends on how you configure and use the platform, and you make the resulting disclosures in your privacy policy. Transparency obligations for automated decisions can apply even where a staff member acts on the result. We can describe what the platform does technically. You determine the effect. |
| Deciding what personal information is collected | You, with detail from us | You set the collection to match your program and risk assessment. We can describe the fields the platform captures. |
| Your privacy policy and collection notices | You | You are the APP entity collecting from your customers, so you maintain your own APP-compliant privacy policy and your APP 5 collection notices. Our privacy statement covers our own conduct and does not stand in for yours. The OAIC publishes a template collection notice for reporting entities that you can adapt. |
| Working alerts and suspicious matter reporting | You | Alerts surface issues for human judgment. Working them to a determination, and how quickly, is part of your program. Forming suspicion and the content and timing of any report to AUSTRAC are yours, wherever the report is drafted or submitted. Your access controls keep investigation and reporting material contained, consistent with your tipping-off obligations. |
| Data you import and export | You | You are responsible for the accuracy and lawful collection of data you sync in from your systems, and for protecting any data you export out of the platform. |
| Identity verification and consent | Shared | We provide the capability, including government document verification services, reusable digital identity, and biometric checks such as liveness detection and face matching where you enable them. We maintain the disclosure page at bndry.net/legals/identity-verification. You disclose to the individual as you obtain their express consent, keep your collection notices and consent flow consistent with that page, and offer an alternative verification path where one exists. |
| Identity document copies and record retention | You | Your customer due diligence records, kept for the 7-year minimum, capture the fact and result of the verification. They do not need to include copies of the identity documents, such as photos or scans, and the AML/CTF Act does not require you to store those. Under the Privacy Act, do not collect or keep copies of identity documents unless reasonably necessary, and destroy or de-identify any you hold once they are no longer needed. |
| User access and roles | Shared | We enforce role permissions on every request, offer a range of sign-in options from passwords and multi-factor authentication to single sign-on (OIDC or SAML) and API access, and keep the audit trail. You choose your authentication method and level of security, decide which staff hold which role, keep your user list current, and control who you invite into a Workspace. |
| Security incident and breach notification | Shared | We notify your nominated privacy, legal, risk or compliance contact of a security incident affecting your data within the timeframe committed in our Data Processing Agreement, and not through the public status page. You then assess the breach and make any notifications the Privacy Act requires to the OAIC and affected individuals. |
| Platform operation and security | BNDRY | We operate and secure the platform under our certified information security management system, covering encryption, activity logging and secure hosting. You can rely on these controls in the technology part of your AML/CTF program. The detail, with summaries of our audit reports and certifications, is at trust.bndry.net to show your board, auditors or regulator. |
| Sub-processors and data storage locations | BNDRY | Our current list, including locations, is at trust.bndry.net, and we give you prior notice of changes that affect processing of your data. We process personal information only on your documented instructions, as set out in our Data Processing Agreement. |
| Services under your own contracts | You and the provider | Some integrated services run under a contract you hold directly with the provider, and your order form or contract identifies which. Our sub-processor list covers the providers we engage, and your own agreements cover the rest. |
Last reviewed 2 July 2026. It reflects Australian law as at that date. This is a plain-language summary. If there is any inconsistency, the Terms and Conditions, Data Processing Agreement and any Data Sharing Agreement between us prevail.