This includes amendments to record-keeping obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) and the removal of any general requirement to retain scanned copies or photocopies of identification documents.
Guidance from the Office of the Australian Information Commissioner (OAIC) reinforces that from their relevant commencement dates, existing and new reporting entities should not retain copies of full ID documents for AML/CTF record-keeping where the AML/CTF regime does not require those copies to be kept.
Privacy Act obligations apply alongside AML/CTF obligations
In April 2026, the OAIC issued privacy guidance for reporting entities under the AML/CTF Act. This guidance explains how organisations subject to the AML/CTF Act must comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) when handling personal information for AML/CTF purposes.
The guidance highlights that privacy and AML/CTF rules apply together, and that any organisation that is a reporting entity under the AML/CTF Act (or an authorised agent of one) is required to comply with the Privacy Act when handling personal information in relation to or in connection with AML/CTF purposes. This obligation applies regardless of business size and overrides the usual small business exemption under the Privacy Act for AML/CTF-related handling activities.
Implications for compliance programs
From 31 March 2026, changes to AML/CTF obligations take effect for existing ('Tranche 1') reporting entities, potentially altering the type and quantity of personal information handled, depending on customer risk. From 1 July 2026, a new group of businesses ('Tranche 2' entities) is captured by the AML/CTF regime where those businesses provide designated services, including real estate professionals, lawyers, accountants, conveyancers, trust and company service providers, and dealers in precious metals and stones. These entities will need to implement privacy-compliant processes to support their AML/CTF activities.
The OAIC clarifies that the Privacy Act does not prohibit reporting entities from fulfilling their AML/CTF obligations. Organisations may collect, use and disclose personal information (including sensitive information) where this is required or authorised by law. However, this does not remove the need to apply the APPs when handling personal information for AML/CTF purposes, except where a specific legal obligation or exception applies. For example, collection notices are generally required when collecting personal information, but may not be required where providing notice would be inconsistent with tipping-off obligations.
However, this authority is not unlimited. Privacy compliance requires a disciplined approach to data governance, and reporting entities must ensure that personal information collected for AML/CTF purposes is limited to what is reasonably necessary to comply with their legal obligations and other legitimate organisational functions (APP 3). The 'reasonably necessary' standard is objective, meaning organisations must be able to explain and defend how and why they collect information. The OAIC highlights that excessive or speculative collection of personal information increases privacy risk and heightens exposure to cyber‑security incidents, without delivering regulatory benefit.
The OAIC guidance also emphasises APP 11, including the need to take reasonable steps to secure personal information and to destroy or de-identify personal information that is no longer needed, unless an exception applies.
One of the most significant practical implications of the guidance concerns the handling of identity documents. The OAIC confirms that the AML/CTF regime does not require organisations to retain copies of full identity documents for record‑keeping purposes.
From 31 March 2026 for Tranche 1 entities, and from 1 July 2026 for Tranche 2 entities, reporting entities should not retain full ID copies for AML/CTF record-keeping where this is not required. They must also take reasonable steps to destroy or de‑identify personal information, including copies of full identification documents, when it is no longer needed unless an exception applies. This should not be read as requiring automatic destruction on the commencement date; rather, entities should assess whether each category of retained ID information remains required or otherwise lawfully needed.
The OAIC guidance emphasises that what is reasonably necessary depends on the AML/CTF obligation, customer risk and the entity’s functions. Instead of retaining full document copies (i.e. scanned or photocopied driver’s licences and passports), organisations should keep only the specific information necessary to satisfy AML/CTF record‑keeping requirements – for example the individual’s name, date of birth, residential address, document type and number, expiry date, verification steps taken, and the outcome of customer identification and money‑laundering or terrorism‑financing risk assessments. This shift reflects the Privacy Act’s requirement to reduce the volume and sensitivity of personal data held, while still enabling effective AML/CTF compliance.
The OAIC acknowledges that updating systems and processes will take time, and that what constitutes 'reasonable steps' to destroy or de‑identify information depends on factors such as organisational size, complexity, resources and the scale of change required. The guidance takes a pragmatic approach to transition, although it does not prescribe specific timeframes. Failure to take reasonable steps may increase exposure to regulatory scrutiny, privacy complaints, data breach risk and, in serious cases, civil penalties.
Identity document copies collected before 31 March 2026 may be retained as AML/CTF records for the standard retention period of seven years following the end of the business relationship or the last transaction. Once the applicable AML/CTF retention period ends, reporting entities should assess whether continued retention is lawful and necessary and take reasonable steps to destroy or de-identify the information if it is no longer needed.
Implications for data security and governance
The OAIC also reiterates expectations around security, disclosure and retention of personal and sensitive data. Organisations must take reasonable steps to protect personal information from misuse, loss and unauthorised access. Appropriate governance measures may include clear privacy accountability, a privacy policy, collection notices, privacy risk processes, third-party privacy risk assessments, data breach response planning, access and correction processes, and privacy-by-design for AML/CTF systems and workflows.
Where personal information is disclosed overseas, including through third‑party service providers, organisations must take reasonable steps to ensure that recipients handle the information in accordance with the APPs, unless an exception applies. This should be assessed carefully and should not be taken to mean that all overseas disclosures connected with AML/CTF compliance are automatically exempt from APP 8 requirements.
Looking ahead
The guidance outlines the OAIC’s risk‑based and harm‑focused regulatory approach. The Commissioner recognises that AML/CTF reforms impose significant change, particularly for newly regulated sectors, and that compliance efforts will be assessed proportionately. Nonetheless, the guidance signals a clear regulatory expectation that organisations address excessive collection and retention practices and embed privacy‑by‑design into their AML/CTF programs.
Reporting entities should act now, having regard to the OAIC’s Privacy Essentials Checklist for AML/CTF reporting entities, by mapping AML/CTF personal information flows, updating privacy policies and collection notices, reviewing ID document retention settings, assessing third-party providers, and documenting the steps taken to align with the OAIC’s guidance.