
When most professionals think about the AML/CTF reforms taking effect from 1 July 2026, their attention goes to AUSTRAC — enrolment deadlines, risk assessments, customer due diligence programs. What's less understood is that there are key new privacy obligations in respect of their AML/CTF activities, even if they are a small business (under $3M turnover) that would normally be exempt from the Privacy Act 1988 (Cth).
It is imperative that Tranche 2 entities understand their privacy obligations so that the processes for handling personal information collected for AML/CTF purposes are compliant, including where a third party manages those processes on their behalf.
Many commercially available “solutions” are built on reselling harvested personal information: they harvest and store the information collected from your customers in order to onsell it. These practices are plainly no longer acceptable under the new regime, which puts customer consent and control of their data at the centre of AML/CTF processes. The OAIC guidance published in February 2026 is worth reading in full: https://www.oaic.gov.au/__data/assets/pdf_file/0021/261336/OAIC-Guide-to-privacy-for-reporting-entities-under-the-AML-CTF-Act.pdf
Two Regulators, One Set of Client Onboarding Processes
For most professional services firms, Privacy Act obligations have historically not applied unless annual turnover exceeded $3 million. That small business exemption does not apply to personal information collected for the purposes of, or in connection with, your AML/CTF obligations.
From 1 July 2026, if your business provides a designated service under the AML/CTF Act, you must comply with the Privacy Act in respect of all personal information collected for AML/CTF purposes — regardless of your revenue.
For many smaller accounting practices, boutique law firms, and independent conveyancers, this will be their first encounter with federal privacy law. Authorised agents and third-party providers carrying out customer due diligence functions on a reporting entity's behalf carry the same obligations.
What the OAIC Guidance Requires
1. Have a Privacy Policy
You must have a clearly expressed Privacy Policy covering how personal information is collected, held, used, and disclosed in connection with your AML/CTF obligations. For small businesses entering the Privacy Act via the AML/CTF pathway, the policy only needs to address your AML/CTF-related information handling — not all other business activities. You must also be able to receive and respond to privacy complaints, with the OAIC recommending a 30-day response timeframe.
2. Collect Only What Is Reasonably Necessary
The Privacy Act requires you to limit collection to what is "reasonably necessary" to carry out your AML/CTF obligations — an objective test based on what a reasonable, properly informed person would consider necessary. Your AML/CTF obligations do not give you a blank cheque to collect personal information from all prospective clients. Three worked examples from the guidance illustrate where the line sits:
The OAIC also recommends reviewing your onboarding forms to limit free-text fields that may result in clients providing more information than you need.
3. Stop Keeping Copies of Full Identity Documents
From 1 July 2026, Tranche 2 entities should not retain scanned copies or photocopies of identity documents for AML/CTF record-keeping. The AML/CTF Act does not require you to hold the document itself, only the relevant information extracted from it: name, date of birth, residential address, document type, number, expiry date, the verification steps taken, and the outcome of the verification and risk assessment.
Note: Copies collected before 1 July 2026 remain AML/CTF records and must be retained for 7 years. That exception is historical — the practice must cease from commencement date.
4. Notify Clients About Collection
Before (or as soon as practicable after) collecting personal information, you must notify clients of the purpose of collection, the legal basis (the AML/CTF Act), who you may disclose the information to (including AUSTRAC and third parties), whether overseas disclosure is likely, and how clients can access and correct their information. The tipping-off carve-out applies: where providing a collection notice would breach your AML/CTF secrecy obligations, you are not required — and are prohibited from — providing it.
5. Use and Disclose Information Only for Its Collected Purpose
Personal information collected for AML/CTF purposes can only be used or disclosed for those same purposes unless an exception applies or consent is obtained. AML/CTF-required disclosures — such as submitting a suspicious matter report to AUSTRAC — are permitted without consent, as they are authorised by the AML/CTF Act. Any other secondary use, such as marketing, will require a valid exception or explicit consent.
6. Secure What You Hold — and Have a Data Breach Plan
The OAIC notes that AML/CTF data is an attractive target for criminal actors. Recommended controls include multi-factor authentication, regular software patching, audit logs, role-based access controls, and clear contractual terms with any third-party service providers covering their information handling obligations.
All entities subject to the Privacy Act are also covered by the Notifiable Data Breaches (NDB) scheme. If a data breach is likely to result in serious harm, you must notify both affected individuals and the OAIC — unless notification would breach the AML/CTF Act's secrecy or tipping-off provisions.
7. Destroy Information Once You No Longer Need It
Once personal information is no longer required for an AML/CTF or other permitted purpose, you must destroy or de-identify it. Practical steps include retention schedules with automated destruction alerts, staff training on destruction requirements, and documented arrangements with third-party providers specifying retention periods and destruction obligations.
8. Clients Have Rights to Access and Correct Their Information
Clients can request access to the personal information you hold about them, and you must respond within 30 days. You must also have a process for correcting inaccurate KYC information, which the OAIC notes complements your existing AML/CTF obligations around ongoing CDD updates. Access may be refused in limited circumstances, including where it would breach tipping-off obligations, but any refusal requires a written notice explaining how the individual can complain.
9. Manage Your Third-Party Providers
If you outsource CDD or client onboarding to a third party, you remain responsible for how that provider handles personal information — including where they are located overseas. Before engaging any provider, the OAIC recommends reviewing their privacy policy, security policy, and data breach response plan; including specific contractual obligations; and obtaining written confirmation of data deletion at contract end.
10. Biometric Verification Carries Heightened Obligations
The OAIC confirms that biometric information — including facial images used for verification — is sensitive information under the Privacy Act, attracting stricter handling requirements. Consent is generally required before conducting biometric identification or verification for CDD. If you are evaluating these tools, review the OAIC's facial recognition guidance alongside the AML/CTF guide.
The Privacy Essentials Checklist: Are You Ready?
The OAIC's checklist asks Tranche 2 entities to confirm they have addressed each of the following before 1 July 2026:
What If You're Not a Tranche 2 Entity?
If you provide services to accounting firms, law practices, or real estate businesses — as a technology vendor, outsourced compliance provider, or referral partner — the OAIC guidance still applies to you. Third-party providers engaged to carry out CDD functions hold the same Privacy Act obligations as the reporting entity itself. And even firms outside the Tranche 2 scope are increasingly being assessed against the privacy standards this guidance sets as a baseline.
How VerifiMe Supports Compliant, Privacy-Aligned Identity Verification
VerifiMe is a Government Gateway Service Provider (GSP) to Australia's Document Verification Service (DVS), built on government-grade verification infrastructure. Our model is designed around consent and data minimisation — which maps directly to the OAIC's requirements:
For Tranche 2 entities building a CDD process that satisfies both AUSTRAC and the OAIC, VerifiMe is designed to make that straightforward.
Resources
This article is for general informational purposes and does not constitute legal or compliance advice. We recommend consulting with a lawyer specialising in AML/CTF compliance and privacy law for advice specific to your business.
Ready to build a client verification process that satisfies both AUSTRAC and the OAIC?

2 May 2026