Australia: AML/CTF Expansion and the Privacy Act "Trap Door"
As we approach the middle of 2026, a massive regulatory shift is looming for thousands of businesses across the Asia-Pacific region that operate within or service the Australian market. On 1 July, 2026, the Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Act will officially expand to cover "Tranche 2" entities.
This expansion brings real estate professionals, lawyers, conveyancers, accountants, trust and company service providers, and dealers in precious metals and stones into the AML/CTF regulatory fold for the first time.
But there is a hidden compliance "trap door" that many are missing: the moment you become a reporting entity under the AML/CTF Act, you are automatically bound by the Privacy Act 1988.
Here is what you need to know to ensure your business is prepared for the 1 July 2026 deadline.
1. The End of the Small Business Exemption
Historically, Australian businesses with an annual turnover of less than $3 million have been generally exempt from the Privacy Act. This exemption is about to vanish for Tranche 2 entities handling client verification data.
Under the updated guidance released by the Office of the Australian Information Commissioner (OAIC), any personal information collected for the purpose of meeting AML/CTF obligations falls strictly under the Privacy Act, regardless of your company's size or revenue.
Here is an example:
Up to now:
Consider a real estate agency or a small accounting firm that grosses under $3 million a year. Historically, they have operated outside the jurisdiction of the Privacy Act.
Starting 1 July, 2026, when they run a mandatory AML/CTF background check on a new property buyer or corporate client, they are instantly brought under the Privacy Act for that data. If they suffer a data breach involving that client information, they are no longer just dealing with an upset customer; they are subject to OAIC enforcement and potential multi-million dollar penalties.
2. The Ban on Hoarding Identification Documents
One of the most critical operational shifts in the OAIC's recent guidance is the explicit warning against retaining full copies of identification documents.
Historically, it was common practice for businesses to photocopy or scan a client's driver's license or passport and keep it on file as "proof" of verification. The OAIC has now made it clear: the AML/CTF Act does not require you to keep scanned copies of identity documents, and doing so violates the data minimization principles of the Privacy Act.
What You Must Do Instead:
Extract Data, Don't Copy: Collect only the specific data points reasonably necessary to verify identity (e.g., name, date of birth, license number, expiry date).
Verify and Destroy: Once the identity is verified through a secure system, any temporary images or copies of the physical document must be immediately destroyed or de-identified.
Keep Audit Logs: Maintain records of how you verified the individual, not the ID document itself.
3. Updating Your Privacy Architecture
With the OAIC shifting from a guidance-focused approach to active enforcement, July 2026 is the deadline to overhaul how your business handles customer onboarding.
If your business falls under Tranche 2, or if you are a tech vendor providing onboarding solutions to these industries, you must take the following steps immediately:
Rewrite Privacy Policies: Your policies must transparently outline exactly what personal information is collected for AML/CTF purposes, how it is used, and how it is ultimately destroyed.
Audit Third-Party Vendors: If you use a third-party software provider to run background checks or biometric identity verification, you are responsible for ensuring their privacy practices align with the Australian Privacy Principles (APPs).
Implement Secure Destruction: Create automated data retention schedules that permanently purge unnecessary verification data from your local servers and cloud storage.
The Bottom Line
The 1 July, 2026 deadline is not a soft launch. The OAIC expects strict adherence to data minimization and security requirements from day one. Use the next few months to map your data flows, stop the practice of photocopying IDs, and ensure your compliance teams are ready for this new era of privacy enforcement.
We specialize in helping small and medium-sized businesses manage complex data regulations without enterprise-level complexity.
Whether you need to securely modernize your client onboarding infrastructure, stop the hoarding of ID documents, or automate your privacy workflows using platforms like OneTrust and iDataTrust (On-premise), Meta Connects Asia is here to bridge the gap between your people and technology.
Contact us to safeguard your data, simplify your compliance, and ensure your business is entirely audit-ready for July 2026.

