Know your privacy obligations under the Anti-Money Laundering / Counter-Terrorism Financing (AML/CTF) Act: Updated OAIC guidance | OAIC

Know your privacy obligations under the Anti-Money Laundering / Counter-Terrorism Financing (AML/CTF) Act: Updated OAIC guidance | OAIC We use cookies on this site We use cookies to analyse traffic and to improve your browsing experience on our website. To find out more, read our privacy policy . Close Skip to main content If you have been impacted by the Instructure (Canvas) cyber incident, please view our statement . Know your privacy obligations under the Anti-Money Laundering / Counter-Terrorism Financing (AML/CTF) Act: Updated OAIC guidance Published: 27 February 2026 The Office of the Australian Information Commissioner (OAIC) has released updated Privacy guidance for reporting entities under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) . The guidance provides clear direction to businesses about what personal information they may collect, how they must protect it, and when it must be deleted, supporting stronger integrity and transparency across the AML/CTF regulatory framework. The updated guidance is designed to support an expanded range of businesses that will soon fall under the Privacy Act 1988 (Privacy Act) as part of the AML/CTF reforms. From 1 July 2026, real estate professionals, dealers in precious metals and stones, and professional service providers such as lawyers, conveyancers, accountants, and trust and company service providers (also known as ‘Tranche 2’ entities) will be brought into the Privacy Act. Changes for current reporting entities (‘Tranche 1’ entities) will also take effect from 31 March 2026, which may affect the types and volume of personal information that is handled for AML/CTF purposes, depending on the customer risk. The guidance clarifies that reporting entities must only collect personal information that is reasonably necessary to comply with AML/CTF obligations and perform their broader organisational functions. From 31 March 2026, and from 1 July 2026 for tranche 2 entities, businesses should not retain copies of full ID documents for AML/CTF record-keeping purposes. The AML/CTF regime does not require copies full ID documents to be kept, and entities obligations under the Privacy Act require them to minimise the data they’re retaining. Entities must also have clear and accessible privacy policies and collection notices explaining how personal information is handled – unless issuing a notice would breach statutory tipping‑off restrictions. Privacy Commissioner Carly Kind said the updated guidance supports the OAIC’s regulatory priorities of addressing excessive collection and retention of personal information. "One of the most significant risks to Australians’ privacy is the unnecessary retention of ID documents, which are some of the most important pieces of personal information Australians possess. Holding onto copies of ID documents not only creates risks to individuals, it creates risks for businesses, which will be more exposed in the event of a data breach. This new guidance provides important clarity of expectations that AML/CTF rules do not require such records.” “Privacy obligations don’t limit an entity’s ability to meet its AML/CTF responsibilities. They operate alongside them. Entities can collect, use and disclose the personal information required to meet their obligations, but they don’t have a blank cheque to collect any personal information without considering what is reasonably necessary. They must also handle personal information transparently and securely.” “For many small businesses new to the Privacy Act, this guidance provides clear, practical steps: collect only what you need, keep it safe, don’t hold onto full ID documents, and delete information when it’s no longer required.” “We’ve listened closely to industry concerns, particularly around the retention of identification documents. This guidance clarifies that previous allowances to keep full ID documents apply only to documents collected before the AML/CTF reforms. That practice should cease from 31 March 2026, unless another law requires it.” The OAIC has developed a Privacy Essentials Checklist for AML/CTF reporting entities to prepare for key privacy obligations. The OAIC encourages all reporting entities and their authorised agents to review the guidance along with the Australian Privacy Principles Guidelines , AUSTRAC’s guidance on AML/CTF reforms as well as AUSTRAC’s Program Starter Kits . This will help to ensure a consistent and compliant approach. Did you find this helpful? Yes No We'd love to hear more! Please tell us more Rate your experience We'd love to hear more about your rating What did you come here to do? How can we improve this information? ⨯ Share Facebook Twitter Linkedin Site map Copyright Terms and conditions Privacy policy Accessibility Contact us 1300 363 992 Monday to Thursday 10 am to 4 pm (AEST/AEDT) Language Please select… العربية 繁體中文 ελληνικός Italiano Español ภาษาไทย Tiếng Việt ਪੰਜਾਬੀ ကညီကျိာ် 简体中文 ܐܵܬܘܿܪܵܝܵܐ नेपाली Filipino هزارگی Easy English Follow us Acknowledgement of Country The OAIC acknowledges Traditional Custodians of Country across Australia and their continuing connection to land, waters and communities. We pay our respect to First Nations people, cultures and Elders past and present. © Commonwealth of Australia