AML/CTF TRANCHE 2  – PRIVACY COMPLIANCE

The privacy obligation hiding inside AML Tranche 2

From 1 July 2026, small practices below the $3 million threshold that become AML/CTF reporting entities come under the Privacy Act for the first time.

Most do not know it yet, and no other training product addresses it.

AML PRIVACY TOOLKIT FOR PROPERTY PRACTICES AVAILABLE NOW FOR IMMEDIATE DOWNLOAD

$990 per practice

AICNSW, AIC (Tas) and AIC (NT): your association package is coming. All other practices, individual packages are available now.

DOES THIS APPLY TO YOUR PRACTICE?

The $3 million threshold – what changes for you

Whether the Privacy Act is new to your practice depends on your size. Both small and large practices have important obligations from 1 July, but the starting point is different. For small practices who provide designated services under AML/CTF, this is the first time the Privacy Act applies to you

Under $3M revenue
New Privacy Act obligations

Small practices have previously benefited from the small business exemption under the Privacy Act. From 1 July 2026, if you become an AML/CTF reporting entity, that exemption no longer applies to your AML-related identity data. For many, this is the first time the Privacy Act has applied to your practice at all.

Over $3M revenue
Updated obligations

Larger practices already comply with the Privacy Act. However, AML/CTF Tranche 2 introduces specific new obligations around the identity data you now collect, including a conflict with existing VOI practices, new data minimisation requirements, and updated breach notification standards.

THE GAP NO-ONE IS TALKING ABOUT

AML training is everywhere.
The privacy consequence is not.

The government estimates that 90,000 small businesses are newly subject to the Privacy Act as a result of Tranche 2. Most have no privacy policy, no collection notice, no data retention procedure and no awareness of the legal requirements to take reasonable steps to protect personal information. OAIC regulatory penalties for Privacy Act non-compliance are not covered by PI insurance.

What existing AML training covers

✔  AUSTRAC enrolment obligations

✔  Customer due diligence basics

✔  Suspicious matter reporting

✔  Record keeping requirements

❌   Privacy Act obligations on identity data

❌   The VOI vs Privacy Act conflict

❌   Ready-to-use privacy policy templates

❌   Data breach notification obligations

What Law and Cyber covers

✔  Why AML Tranche 2 triggers Privacy Act obligations

✔  What identity data you must and must not retain

✔  Reconciling the VOI/Privacy Act conflict (unique to this course)

✔  Collection notices and privacy policy requirements

✔  Data retention limits and deletion obligations

✔  Data breach response and NDB scheme obligations

✔  Digital ID as a privacy-compliant alternative

✔  Ready-to-use governance templates

WHO IS THIS FOR?

Tailored for impacted professions

THE PACKAGE

Everything your practice needs to be compliant

  • Privacy Policy Template

    Profession-specific privacy policy addressing AML/CTF data handling, with compliant collection notice wording as an addendum. Ready to customise and use immediately.

  • Governance Toolkit

    Data governance checklist, data retention and destruction schedule, principal governance checklist, and a draft cyber incident response plan for practices of any size.

Eight Documents. Full Coverage.

The pack is structured in two parts: essential background knowledge, followed by eight ready-to-use implementation documents.

Part A

Your Privacy Obligations Explained

Concise plain-language guidance on your privacy obligations

A plain-language guide to your privacy obligations as an AML/CTF reporting entity. Explains how the Privacy Act applies to your practice, what the Australian Privacy Principles require, and how your AML/CTF and privacy obligations interact.

Document Purpose Audience
Privacy Collection Notice Tells clients what personal information is collected, why it is needed, who it may be shared with, and how to access or correct their records. Provided at client onboarding. Clients
Privacy Policy The practice's primary public-facing privacy document. Covers all Australian Privacy Principles, offshore disclosure obligations and the practice's position under the GDPR. Published on the practice website. Clients / Public
Internal Privacy Policy Explains what staff must do to meet APP obligations. Covers why the practice is subject to the Privacy Act regardless of annual turnover. Staff
Privacy and Data Handling Procedures Ten step-by-step procedures covering client onboarding, verification of identity, access requests, complaints handling, use of offshore tools, services to UK/EU/EEA clients, and breach response. Staff
Data Breach Response Plan Step-by-step guide to managing a breach from containment through to OAIC notification. Includes a decision tree for assessing whether a breach is notifiable under the NDB scheme. Principal / Senior staff
Third-Party Disclosure Register Working register of every third-party provider receiving personal information from the practice. Records data residency and the legal basis for each disclosure. Principal
Personal Information Destruction Schedule Working register tracking when each category of personal information must be destroyed or de-identified. Includes a destruction log meeting the OAIC's requirement for documented destruction processes. Principal
GDPR and UK GDPR Privacy Notice Provided to clients who identify as UK, EU or EEA residents. Sets out their additional rights and the lawful basis on which their personal information is processed. UK / EU / EEA clients

Part B: Implementation Documents

All documents are available for immediate download and implementation

ABOUT LAW & CYBER

Australia's leading specialist in cyber risk and privacy for the legal profession

Law and Cyber was founded by Simone Herbert-Lowe, a practising solicitor with 30 years experience in professional indemnity, cyber risk governance and legal practice regulation. Prior to founding Law and Cyber, Simone was Manager of Strategy and Innovation at Lawcover. She has authored articles and regulatory submissions on professional responsibility, cyber risk and resilience and Digital ID and contributed expert evidence to the Joint Parliamentary Committee on Law Enforcement in 2024.

10,000+

Course completions across legal, financial services and property sectors

8 YEARS

Specialist expertise at the intersection of cyber risk, privacy and legal practice

FOR PROFESSIONAL ASSOCIATIONS

Sector-wide compliance for your members

Law and Cyber offers institutional licensing for professional bodies, industry associations and insurers seeking to provide members with a coordinated compliance pathway following the changes that took effect on 1 July 2026. AICNSW has engaged Law and Cyber for its sector-wide AML Privacy Governance Framework.

  • Customised materials

    Profession-specific framework and templates tailored to your membership

  • Co-branded delivery

    Presented under your association's name with Law and Cyber acknowledgement

  • Implementation webinar

    Live session for your members to ensure effective uptake

  • Annual renewal

    Regulatory updates delivered annually as the landscape evolves

The law changed on 1 July - the small business privacy exception no longer applies if you provide designated services under AML

The practice package is available now - staff privacy training coming soon

Materials are provided for general educational and guidance purposes only and do not constitute legal advice. They reflect the regulatory framework as at the date of publication. Copyright 2026 Law and Cyber Pty Ltd (ABN 68 629 258 377). Liability limited by a scheme approved under Professional Standards Legislation.