The compliance obligation hiding inside the Tranche 2 AML reforms

Key insights:

From 1 July 2026, an estimated 90,000 Australian businesses become reporting entities under Tranche 2 of the AML/CTF reforms. Most have been focused on the anti-money laundering obligations themselves. Far fewer have noticed what arrives at the same time: for most of these businesses, 1 July also marks the first time the Privacy Act 1988 (Cth) has ever applied to them.

This affects lawyers, conveyancers, accountants, real estate professionals, and dealers in precious metals, gemstones and bullion. If your business provides designated services under the AML/CTF Act, read on.

The small business exemption no longer protects you

Under the Privacy Act, businesses with annual turnover below $3 million have historically been exempt from compliance. That exemption disappears the moment you become a reporting entity.

Section 6E(1A) of the Privacy Act is unambiguous: any reporting entity under the AML/CTF Act must comply with the Australian Privacy Principles (APPs) when handling personal information for AML/CTF purposes, regardless of turnover. There is no size threshold or phase-in.

The OAIC confirmed this in its February 2026 and April 2026 guidance, and went further: where personal information is collected for both an AML/CTF purpose and a business purpose simultaneously, which describes virtually every client onboarding, the Privacy Act applies to all of it.

Why this is not a separate project

Here is the thing most businesses are missing - AML/CTF compliance requires you to collect, verify and store sensitive personal information from clients: names, dates of birth, addresses, document details, beneficial ownership structures, and sometimes information about political exposure. That collection is the trigger for your privacy obligations. The two regimes do not sit alongside each other. They overlap at exactly the point where your client relationship begins.

Addressing both together is not more work. It is the same work done properly, once.

What you need to have in place

The APPs that matter most for Tranche 2 businesses are practical, not abstract.

APP 1 requires a current, published privacy policy covering how you collect, hold, use and disclose personal information for AML/CTF purposes. APP 5 requires a collection notice given to clients at or before the point of collecting their personal information. For most businesses, this sits in the engagement letter or onboarding form. APP 6 governs what you can do with information once you have it: you can use it for the purpose you collected it, and you can disclose it to AUSTRAC when required, but other uses need either consent or an applicable exception. APP 8 requires you to take reasonable steps to ensure that overseas recipients of client data, including cloud software providers with offshore servers, handle it in accordance with the APPs. APP 11 requires active security measures and a process for destroying or de-identifying personal information once you no longer need it.

Document retention – key challenges

On document retention, the OAIC’s guidance is specific and important. From 1 July 2026, the AML/CTF Act does not require Tranche 2 businesses to keep scanned copies or photocopies of identity documents such as driver licences or passports. What you need to keep is a record of the relevant information extracted from the document: name, date of birth, residential address, document type, expiry date, passport or licence number, what you did to identify the customer, the outcome of the verification and analysis, and your identification or assessment of AML/CTF risk. Keeping more than this creates privacy risk without adding compliance value. The OAIC acknowledges that it may take time for businesses to update their systems and processes. The obligation under APP 11.2 is to take steps that are reasonable in the circumstances, having regard to the nature, size and complexity of your business and the scale of the task involved.

While this general guidance will be useful to many professionals caught under Tranche 2, it does not take into account the legal requirements on conveyancers and property lawyers to collect and store verification of identity (VOI) records under e-conveyancing rules and real property legislation. Nor does it address the requirements of professional rules such as the Conveyancing Rules and the Australian Solicitors' Conduct Rules in relation to file retention, which involve a statutory minimum of 7 years, except where client instructions or legislation provide otherwise. Unlike many other professionals, conveyancers and property lawyers sometimes face professional negligence claims many years after the usual six year limitation period because of latent defects in title, which leads to an understandable reluctance to destroy files even after seven years.

Suspicious matter reports and the tipping-off problem

Filing a suspicious matter report (SMR) with AUSTRAC is lawful under APP 6. Disclosing to a client that you have done so, or are considering doing so, is not. The tipping-off prohibition in section 123 of the AML/CTF Act overrides normal privacy transparency obligations.

This has a direct consequence for access requests. If a client asks to see their file and SMR-related material is on it, you cannot provide it and cannot explain why. Your written refusal must not identify the reason. This is an area where staff training matters before the obligations commence and underscores the importance of having an appropriately worded privacy collection notice and privacy policy.

The current enforcement landscape

The OAIC is not a passive regulator. In Australian Information Commissioner v Australian Clinical Labs Limited [2025] FCA 36, the Federal Court upheld civil penalty proceedings commenced by the OAIC against ACL, ordering a $5.8 million civil penalty for failing to take reasonable steps to protect personal information and for failing to promptly investigate and report a notifiable data breach. The deficiencies found by the Court included incident response playbooks that were poorly designed, untested, and unknown to the relevant IT Team Leader, who lacked any formal cybersecurity or incident response training; MFA was not required for VPN access; and communications planning was minimal. Taken together, and given the volume and sensitivity of health information ACL held, these deficiencies left individuals exposed to a foreseeable and serious risk of unauthorised access and disclosure. This was the first civil penalty under the Privacy Act, and it sets a clear indicator of where the threshold sits.

The penalty framework under the Privacy Act is tiered. At the most serious end, penalties reach $50 million, or three times the benefit obtained, or 30% of adjusted annual turnover. For businesses coming under the Privacy Act for the first time on 1 July, the Notifiable Data Breaches scheme applies immediately: eligible data breaches must be notified to the OAIC and affected individuals as soon as practicable, with a 30-day window to complete your assessment once you have reasonable grounds to suspect a breach.

One further development worth noting is that a statutory tort of serious invasion of privacy was introduced in June 2025. Unlike the APP framework, it applies to any individual or organisation, not just APP entities, and plaintiffs do not need to prove financial loss to sue. For businesses now holding large volumes of sensitive identity information, documented privacy governance is the most practical protection available.

What to have ready before 1 July 2026

If your business provides designated services under Tranche 2 of the AML/CTF Act, then to comply with the Privacy Act it needs, at a minimum:

  • A current privacy policy that reflects the reasons why you are collecting information

  • A client-facing collection notice for use at onboarding

  • Internal procedures for staff on handling, storing and destroying personal information, together with adequate cybersecurity processes

  • A data breach response plan covering the NDB notification process

  • A register of third-party providers who receive client data, including cloud providers

  • A personal information destruction schedule that aligns with your AML/CTF retention obligations (all of the above are included in Law & Cyber’s Privacy Compliance Pack)

If your business offers services to individuals located in the European Union, United Kingdom or European Economic Area, the EU GDPR or UK GDPR may apply to you directly, depending on whether you are offering goods or services to those individuals or monitoring their behaviour. This is a separate and additional obligation. If any of your clients are based in those jurisdictions, obtain advice on whether these regimes apply to your practice.

The OAIC has published a Privacy Essentials Checklist for AML/CTF reporting entities, which is a useful starting point for assessing where your business currently sits.

Law & Cyber's Privacy Compliance Pack contains all of these documents, ready to deploy into your business before 1 July. Learn more about our Privacy Compliance Pack.

The bottom line

Businesses providing designated services have been rightly focused on getting their AML/CTF programs in order. The privacy obligation has had less attention - that needs to change before 1 July.

The good news is that the work is largely the same work. Client onboarding, identity verification, document handling, ongoing monitoring: if you are doing it for AML, you are already doing it in a way that engages your privacy obligations. The question is whether you also have the governance framework around it.

AUTHOR

Simone Herbert-Lowe

Simone Herbert-Lowe is a lawyer, digital risk specialist and director of Law & Cyber. Law & Cyber advises businesses and professional practices on technology law, privacy, cyber resilience and AML/CTF privacy compliance.

The Law & Cyber Privacy Compliance Pack contains all eight documents, ready to deploy into your business before 1 July. Learn more about the Privacy Compliance Pack - contact us here.
