AML/CTF TRANCHE 2 – PRIVACY COMPLIANCE
The privacy obligation hiding inside AML Tranche 2
From 1 July 2026, small practices below the $3 million threshold that become AML/CTF reporting entities come under the Privacy Act for the first time.
Most do not know it yet, and no other training product addresses it.
AML PRIVACY TOOLKIT FOR PROPERTY PRACTICES AVAILABLE NOW FOR IMMEDIATE DOWNLOAD
$990 per practice
AICNSW, AIC (Tas) and AIC (NT): your association package is coming. All other practices, individual packages are available now.
DOES THIS APPLY TO YOUR PRACTICE?
The $3 million threshold – what changes for you
Whether the Privacy Act is new to your practice depends on your size. Both small and large practices have important obligations from 1 July, but the starting point is different. For small practices who provide designated services under AML/CTF, this is the first time the Privacy Act applies to you
Under $3M revenue
New Privacy Act obligations
Small practices have previously benefited from the small business exemption under the Privacy Act. From 1 July 2026, if you become an AML/CTF reporting entity, that exemption no longer applies to your AML-related identity data. For many, this is the first time the Privacy Act has applied to your practice at all.
Over $3M revenue
Updated obligations
Larger practices already comply with the Privacy Act. However, AML/CTF Tranche 2 introduces specific new obligations around the identity data you now collect, including a conflict with existing VOI practices, new data minimisation requirements, and updated breach notification standards.
THE GAP NO-ONE IS TALKING ABOUT
AML training is everywhere.
The privacy consequence is not.
The government estimates that 90,000 small businesses are newly subject to the Privacy Act as a result of Tranche 2. Most have no privacy policy, no collection notice, no data retention procedure and no awareness of the legal requirements to take reasonable steps to protect personal information. OAIC regulatory penalties for Privacy Act non-compliance are not covered by PI insurance.
What existing AML training covers
✔ AUSTRAC enrolment obligations
✔ Customer due diligence basics
✔ Suspicious matter reporting
✔ Record keeping requirements
❌ Privacy Act obligations on identity data
❌ The VOI vs Privacy Act conflict
❌ Ready-to-use privacy policy templates
❌ Data breach notification obligations
What Law and Cyber covers
✔ Why AML Tranche 2 triggers Privacy Act obligations
✔ What identity data you must and must not retain
✔ Reconciling the VOI/Privacy Act conflict (unique to this course)
✔ Collection notices and privacy policy requirements
✔ Data retention limits and deletion obligations
✔ Data breach response and NDB scheme obligations
✔ Digital ID as a privacy-compliant alternative
✔ Ready-to-use governance templates
WHO IS THIS FOR?
Tailored for impacted professions
-
Property lawyers and conveyancers face the most complex compliance picture. You know VOI obligations under the Real Property Act and ARNECC, but those rules were built before the Privacy Act applied to small practices. There is a direct conflict between what VOI requires and what the Privacy Act now prohibits.
VOI requires you to hold copies of identity documents. The Privacy Act says you must not retain copies.
Many practices are currently storing scanned passports they should not be holding.
Your 7-year ARNECC retention obligation and Privacy Act deletion obligations must be reconciled.
Even if you only handle property matters incidentally in family law or wills matters, these requirements now apply to you.
-
Photocopying a client's passport may now be a Privacy Act breach. Most practices do not know this.
Your existing privacy policy almost certainly does not address AML-related data handling.
OAIC regulatory penalties for Privacy Act non-compliance are not covered by most PI policies.
Every staff member who handles client identity data needs to understand these obligations.
-
Most real estate agencies under $3M in revenue have had no Privacy Act obligations until now. From 1 July they will be collecting identity verification data from every client under a regime they have never had to navigate. For principal agents, the personal exposure is real.
Most small agencies have no privacy policy at all. One must be in place before 1 July.
Collection notices must be given to clients at or before the point of collecting their information.
Every staff member handling identity data needs to understand their obligations.
OAIC regulatory penalties for Privacy Act non-compliance are not covered by most PI policies.
-
-
Item description
THE PACKAGE
Everything your practice needs to be compliant
-
Privacy Policy Template
Profession-specific privacy policy addressing AML/CTF data handling, with compliant collection notice wording as an addendum. Ready to customise and use immediately.
-
Governance Toolkit
Data governance checklist, data retention and destruction schedule, principal governance checklist, and a draft cyber incident response plan for practices of any size.
Eight Documents. Full Coverage.
The pack is structured in two parts: essential background knowledge, followed by eight ready-to-use implementation documents.
Part A
Your Privacy Obligations Explained
Concise plain-language guidance on your privacy obligations
A plain-language guide to your privacy obligations as an AML/CTF reporting entity. Explains how the Privacy Act applies to your practice, what the Australian Privacy Principles require, and how your AML/CTF and privacy obligations interact.
| Document | Purpose | Audience |
|---|---|---|
| Privacy Collection Notice | Tells clients what personal information is collected, why it is needed, who it may be shared with, and how to access or correct their records. Provided at client onboarding. | Clients |
| Privacy Policy | The practice's primary public-facing privacy document. Covers all Australian Privacy Principles, offshore disclosure obligations and the practice's position under the GDPR. Published on the practice website. | Clients / Public |
| Internal Privacy Policy | Explains what staff must do to meet APP obligations. Covers why the practice is subject to the Privacy Act regardless of annual turnover. | Staff |
| Privacy and Data Handling Procedures | Ten step-by-step procedures covering client onboarding, verification of identity, access requests, complaints handling, use of offshore tools, services to UK/EU/EEA clients, and breach response. | Staff |
| Data Breach Response Plan | Step-by-step guide to managing a breach from containment through to OAIC notification. Includes a decision tree for assessing whether a breach is notifiable under the NDB scheme. | Principal / Senior staff |
| Third-Party Disclosure Register | Working register of every third-party provider receiving personal information from the practice. Records data residency and the legal basis for each disclosure. | Principal |
| Personal Information Destruction Schedule | Working register tracking when each category of personal information must be destroyed or de-identified. Includes a destruction log meeting the OAIC's requirement for documented destruction processes. | Principal |
| GDPR and UK GDPR Privacy Notice | Provided to clients who identify as UK, EU or EEA residents. Sets out their additional rights and the lawful basis on which their personal information is processed. | UK / EU / EEA clients |
Part B: Implementation Documents
All documents are available for immediate download and implementation
ABOUT LAW & CYBER
Australia's leading specialist in cyber risk and privacy for the legal profession
Law and Cyber was founded by Simone Herbert-Lowe, a practising solicitor with 30 years experience in professional indemnity, cyber risk governance and legal practice regulation. Prior to founding Law and Cyber, Simone was Manager of Strategy and Innovation at Lawcover. She has authored articles and regulatory submissions on professional responsibility, cyber risk and resilience and Digital ID and contributed expert evidence to the Joint Parliamentary Committee on Law Enforcement in 2024.
10,000+
Course completions across legal, financial services and property sectors
8 YEARS
Specialist expertise at the intersection of cyber risk, privacy and legal practice
FOR PROFESSIONAL ASSOCIATIONS
Sector-wide compliance for your members
Law and Cyber offers institutional licensing for professional bodies, industry associations and insurers seeking to provide members with a coordinated compliance pathway following the changes that took effect on 1 July 2026. AICNSW has engaged Law and Cyber for its sector-wide AML Privacy Governance Framework.
-
Customised materials
Profession-specific framework and templates tailored to your membership
-
Co-branded delivery
Presented under your association's name with Law and Cyber acknowledgement
-
Implementation webinar
Live session for your members to ensure effective uptake
-
Annual renewal
Regulatory updates delivered annually as the landscape evolves
The law changed on 1 July - the small business privacy exception no longer applies if you provide designated services under AML
The practice package is available now - staff privacy training coming soon
Materials are provided for general educational and guidance purposes only and do not constitute legal advice. They reflect the regulatory framework as at the date of publication. Copyright 2026 Law and Cyber Pty Ltd (ABN 68 629 258 377). Liability limited by a scheme approved under Professional Standards Legislation.