The Office of the Australian Information Commissioner (OAIC) has released updated Privacy guidance for reporting entities under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act).

The guidance provides clear direction to businesses about what personal information they may collect, how they must protect it, and when it must be deleted, supporting stronger integrity and transparency across the AML/CTF regulatory framework.

The updated guidance is designed to support an expanded range of businesses that will soon fall under the Privacy Act 1988 (Privacy Act) as part of the AML/CTF reforms.

From 1 July 2026, real estate professionals, dealers in precious metals and stones, and professional service providers such as lawyers, conveyancers, accountants, and trust and company service providers (also known as ‘Tranche 2’ entities) will be brought into the Privacy Act.

Changes for current reporting entities (‘Tranche 1’ entities) will also take effect from 31 March 2026, which may affect the types and volume of personal information that is handled for AML/CTF purposes, depending on the customer risk.

The guidance clarifies that reporting entities must only collect personal information that is reasonably necessary to comply with AML/CTF obligations and perform their broader organisational functions. From 31 March 2026, and from 1 July 2026 for Tranche 2 entities, businesses should not retain copies of full ID documents for AML/CTF record-keeping purposes. The AML/CTF regime does not require copies of full ID documents to be kept, and entities’ obligations under the Privacy Act require them to minimise the data they’re retaining.

Entities must also have clear and accessible privacy policies and collection notices explaining how personal information is handled – unless issuing a notice would breach statutory tipping‑off restrictions.

Privacy Commissioner Carly Kind said the updated guidance supports the OAIC’s regulatory priorities of addressing excessive collection and retention of personal information.

“One of the most significant risks to Australians’ privacy is the unnecessary retention of ID documents, which are some of the most important pieces of personal information Australians possess. Holding onto copies of ID documents not only creates risks to individuals, it creates risks for businesses, which will be more exposed in the event of a data breach. This new guidance provides important clarity of expectations that AML/CTF rules do not require such records.”

“Privacy obligations don’t limit an entity’s ability to meet its AML/CTF responsibilities. They operate alongside them. Entities can collect, use and disclose the personal information required to meet their obligations, but they don’t have a blank cheque to collect any personal information without considering what is reasonably necessary. They must also handle personal information transparently and securely.”

“For many small businesses new to the Privacy Act, this guidance provides clear, practical steps: collect only what you need, keep it safe, don’t hold onto full ID documents, and delete information when it’s no longer required.”

“We’ve listened closely to industry concerns, particularly around the retention of identification documents. This guidance clarifies that previous allowances to keep full ID documents apply only to documents collected before the AML/CTF reforms. That practice should cease from 31 March 2026, unless another law requires it.”

The OAIC has developed a Privacy Essentials Checklist for AML/CTF reporting entities to prepare for key privacy obligations. The OAIC encourages all reporting entities and their authorised agents to review the guidance along with the Australian Privacy Principles Guidelines, AUSTRAC’s guidance on AML/CTF reforms as well as AUSTRAC’s Program Starter Kits. This will help to ensure a consistent and compliant approach.