Australia’s anti-money laundering and counter-terrorism financing (AML/CTF) regime operates under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (the AML/CTF Act) and is regulated by AUSTRAC. The regime seeks to deter and prevent money laundering and terrorism financing activities on Australian shores.
AUSTRAC has long regulated businesses that provide financial, gambling, bullion, remittance and digital currency exchange services (Tranche 1 Services), requiring them to implement systems and controls to manage risk and protect both their operations and the broader community from criminal abuse.
From 1 July 2026, obligations under the AML/CTF Act will apply to additional ‘Designated Services’ that are typically provided by real estate professionals, dealers in precious metals and stones, and professional service providers (including lawyers, conveyancers, accountants, trust and company service providers) (Tranche 2 Services).
As part of these reforms:
- from 31 March 2026, all businesses providing Tranche 1 Services, and
- from 1 July 2026, all businesses providing Tranche 2 Services,
will need to comply with the Privacy Act 1988 (Cth) (the Privacy Act).
The Privacy Act provisions are intended to complement and not replace the reporting obligations under the AML/CTF Act.
The Office of the Australian Information Commissioner (OAIC) has recently published guidance explaining how privacy obligations apply to reporting entities under the AML/CTF Act. The guidance emphasises that privacy obligations are intended to strengthen integrity, transparency and data minimisation across the AML/CTF framework. In particular, it reinforces that reporting entities must only collect personal information that is reasonably necessary to meet their AML/CTF obligations and their broader organisational functions.
Among other things, the OAIC guidance:
- provides practical direction on what personal information businesses may collect, how it must be protected, and when it must be deleted
- clarifies that where a ‘small business’ (defined in the Privacy Act as having an annual turnover of $3 million or less) handles personal information for the purposes of, or in connection with, its AML/CTF obligations, it must comply with the Privacy Act regarding those activities
- recognises that while reporting entities must collect and verify certain personal information about a customer before providing Designated Services, those obligations do not give a blanket authorisation to collect any personal information from all prospective clients without regard to what is ‘reasonably necessary’. This is an objective test: whether a reasonable person who is properly informed would agree the collection is necessary
- clarifies that, from 31 March 2026 (for Tranche 1 Services) and 1 July 2026 (for Tranche 2 Services), businesses should not keep copies of full identification documents for AML/CTF record-keeping purposes (such as driver licences or passports) unless required by another law. However, records collected before these dates must still be retained for seven years after the end of the business relationship or seven years after the date of the last occasional transaction
- clarifies that businesses must have and maintain a clear, up-to-date and accessible privacy policy, and appropriate privacy collection notice(s) explaining how personal information is handled – unless issuing a notice would breach statutory tipping-off restrictions. The OAIC is also expected to release a template APP 5 privacy collection notice, for use by AML/CTF businesses at the point of data collection, and
- makes clear that third-party arrangements should clearly address how personal information will be handled, including each party’s obligations under the Privacy Act.
Privacy Commissioner Carly Kind has stated that the guidance supports the OAIC’s regulatory priorities of addressing excessive collection and retention of personal information, noting:
“One of the most significant risks to Australians’ privacy is the unnecessary retention of ID documents, which are some of the most important pieces of personal information Australians possess. Holding onto copies of ID documents not only creates risks to individuals, it creates risks for businesses, which will be more exposed in the event of a data breach. This new guidance provides important clarity of expectations that AML/CTF rules do not require such records.”
The message from the OAIC guidance for businesses providing Tranche 1 and Tranche 2 Services is clear:
- collect only the personal information that is needed
- protect that personal information appropriately
- avoid retaining full identification documents, and
- delete information when it is no longer required to comply with your AML/CTF obligations or for another permitted purpose.
These changes reinforce the importance of transparency, clear privacy policies and privacy collection notices, strong governance controls (particularly regarding identification documentation), and clearly defined data retention practices.
Organisations that provide Tranche 1 and Tranche 2 Services are encouraged to review the updated guidance published by the OAIC and AUSTRAC’s AML/CTF reform materials to ensure a consistent and compliant approach.
This article was written by Special Counsel Hayley Bowman and Solicitor Matt Watson. Please contact Hayley or Matt if you have any questions or would like more information.


Meet our Team
View our Insights