AML/CTF Tranche 2 — Privacy & Data Compliance.
From 1 July 2026, up to 90,000 Australian businesses enter the AML/CTF regime for the first time.
Alongside their program obligations, they face a parallel set of privacy and data compliance requirements that are easy to overlook — and costly to get wrong.
OVERVIEW
The Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 introduces what is widely known as the Tranche 2 reforms — bringing lawyers, accountants, conveyancers, real estate agents and other designated service providers into Australia's AML/CTF framework for the first time. AUSTRAC enrolment for Tranche 2 entities opened on 31 March 2026, with full compliance obligations commencing 1 July 2026.
For many of these businesses, the focus has understandably been on their AML/CTF program requirements: customer due diligence, transaction monitoring, AUSTRAC enrolment and suspicious matter reporting. What is frequently overlooked is the parallel set of privacy and data compliance obligations that arise the moment you begin collecting and handling personal information for compliance purposes.
The personal information gathered in customer due diligence processes is subject to the Privacy Act 1988. The systems used to store it, the third parties engaged to verify it and the retention periods applied to it all carry obligations under the Australian Privacy Principles — obligations that exist independently of the AML/CTF framework and carry their own regulatory consequences if breached.
This is where Law & Cyber assists. We are not general AML/CTF compliance advisers — for specialist AML program development and AUSTRAC engagement, we will refer you to the right practitioners. What we provide is the privacy and data compliance layer that sits alongside your Tranche 2 obligations: the frameworks, policies and practical tools that govern how your organisation handles the personal information your AML program requires you to collect.
What we advise on.
-
We develop and review the privacy frameworks that newly designated businesses need to handle customer due diligence data compliantly — including privacy policies, collection notices, data retention policies and internal data handling procedures tailored to your AML obligations.
-
The personal information collected under a Tranche 2 AML/CTF program is subject to the Australian Privacy Principles. We advise on how those obligations apply to your compliance processes and how to structure your data handling to meet both sets of requirements simultaneously.
-
AML/CTF obligations require you to retain certain records for specified periods. Those retention obligations need to be balanced against your Privacy Act obligations to not retain personal information longer than necessary. We advise on how to manage that tension compliantly.
-
The shift to digital customer verification raises specific privacy considerations. We advise on the privacy obligations that apply to digital identity verification processes and how to implement them in a way that satisfies both your Tranche 2 and Privacy Act requirements.
-
For businesses new to AML/CTF obligations, building staff awareness of their data handling responsibilities is often the most practical first step. We provide tailored training that covers the privacy dimensions of Tranche 2 compliance — clearly and practically, without unnecessary complexity.
Who is this for?
Legal practices, accounting firms, conveyancers, real estate agencies and other businesses newly designated as reporting entities under the Tranche 2 reforms — particularly those working through the privacy and data compliance implications of their new obligations for the first time. Given that full compliance obligations commence 1 July 2026, the time to act is now.