Updated OAIC Guidance on Privacy Obligations Under AML/CTF Reforms
The updated guidance from the Office of the Australian Information Commissioner (OAIC) provides practical direction on what personal information businesses may collect for AML/CTF purposes, how it must be protected, and when it must be deleted. It is intended to strengthen integrity, transparency and data minimisation across the AML/CTF regulatory framework.
Expanded Privacy Act Coverage
The update reflects significant AML/CTF reforms that will bring new sectors into the scope of the Privacy Act 1988.
From 1 July 2026, real estate professionals, dealers in precious metals and stones, and professional service providers including lawyers, conveyancers, accountants, and trust and company service providers, commonly referred to as “Tranche 2” entities, will become subject to the Privacy Act.
Existing “Tranche 1” reporting entities will also face changes from 31 March 2026, potentially affecting the type and volume of personal information handled for AML/CTF purposes, depending on customer risk profiles.
Key Clarifications for Reporting Entities
The guidance reinforces that reporting entities must only collect personal information that is reasonably necessary to meet their AML/CTF obligations or to carry out their broader organisational functions.
Importantly, from 31 March 2026, and from 1 July 2026 for Tranche 2 entities, businesses should not retain copies of full identification documents for AML/CTF record-keeping purposes unless required by another law. The AML/CTF regime does not mandate retaining full ID copies, and Privacy Act obligations require entities to minimise the personal data they hold.
Entities must also maintain clear and accessible privacy policies and collection notices explaining how personal information is managed, unless providing such notice would contravene statutory tipping-off provisions.
Focus on Data Minimisation and Risk Reduction
Privacy Commissioner Carly Kind emphasised that unnecessary retention of identification documents presents one of the most significant privacy risks to Australians. Excessive data holdings increase exposure in the event of a data breach and create avoidable compliance risks for businesses.
The OAIC has made clear that privacy obligations do not prevent entities from meeting AML/CTF requirements. Rather, they operate alongside them. Organisations may collect, use and disclose personal information necessary for compliance, but must carefully assess what is reasonably required and ensure transparent, secure handling.
For businesses newly captured by the Privacy Act, the message is straightforward: collect only what is needed, protect it appropriately, avoid retaining full ID documents, and delete information when it is no longer required.
Supporting Resources
To assist industry, the OAIC has published a Privacy Essentials Checklist for AML/CTF reporting entities. Reporting entities and authorised agents are encouraged to review the updated guidance alongside the Australian Privacy Principles Guidelines and AUSTRAC’s AML/CTF reform materials to ensure a consistent and compliant approach.
For records and information management professionals, these changes reinforce the importance of defensible retention practices, clear collection notices, and strong governance controls around identity documentation.