Getting ready for the AML/CTF Reforms: has your privacy risk profile changed too?

23 April 2026

Key takeaways

  • If you are a newly regulated entity under the incoming anti-money laundering and counter-terrorism financing (AML/CTF) reforms, you need to take steps now to implement practices and procedures that will bring you into alignment with the requirements of the Privacy Act 1988 (Privacy Act) and the Australian Privacy Principles (APPs), to ensure you are ready to comply from 1 July 2026.
  • Unsure where to start? A privacy gap analysis is a useful starting point and will assist in identifying gaps and risk areas in your privacy compliance posture. Additional steps, such as reviewing and updating your privacy policy and collection notices to ensure they reflect your information handling practices and any internal information handling practices, including in relation to information retention and destruction, will also help get you on the right track.
  • It is essential that your staff understand your privacy obligations and the importance of their role in handling personal information in accordance with those obligations. Staff training on privacy and cybersecurity fundamentals is one of the most powerful tools available to embed this knowledge across the business.
  • In addition to assisting with your privacy compliance obligations, our team can also assist you with meeting your broader AML/CTF compliance needs, including the development and implementation of AML/CTF programs, risk assessments, customer due diligence frameworks, and ongoing compliance support to ensure your organisation is ready to meet its obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) from 1 July 2026.

The Privacy Act applies to the personal information handling activities required under the AML/CTF Act.

If you are a newly regulated entity preparing for the Federal Government’s AML/CTF reforms commencing on 1 July 2026, it is important to consider what steps you need to take to be ready to comply with additional compliance obligations under the Privacy Act as a result of these reforms. 

All reporting entities or authorised agents of reporting entities that are required to comply with the AML/CTF Act are also required to comply with the Privacy Act when handling personal information for the purposes of, or in connection with, their AML/CTF obligations. 

This means AML/CTF regulated entities must comply with relevant obligations under the Privacy Act and the Australian Privacy Principles, even where they would not otherwise be required to comply (for example, because they are a small business with an annual turnover of less than $3 million).

As the upcoming AML/CTF reforms expand the scope of AML/CTF obligations to new categories of service providers (i.e. tranche 2 entities), those entities must take steps to understand their obligations under the Privacy Act when carrying out their AML/CTF obligations, and be ready to comply with both sets of obligations from 1 July 2026. 

Widening the net of the AML/CTF Act

The AML/CTF Act governs AML/CTF obligations in Australia and regulates entities which are required to register with, and report to the regulator, being the Australian Transaction Reports and Analysis Centre (AUSTRAC). 

As detailed in our previous Insights article, reforms are currently being implemented to update the AML/CTF regime and compliance requirements.

These reforms introduce a range of new categories of ‘designated services’ which will now be captured under the AML/CTF Act, including:

  • services which are related to:
    • bullion, precious metals and stones;
    • real estate; and
    • the establishment and operation of companies and trusts; and
  • professional services such as those provided by lawyers, conveyancers and accountants.

The reporting entities captured under the new classes of designated services (tranche 2 entities) will be required to comply with the majority of their AML/CTF obligations from 1 July 2026.

This means that, from 1 July 2026, tranche 2 entities, including real estate professionals, dealers in precious metals and stones, and professional service providers such as lawyers, conveyancers, accountants, and trust and company service providers must also comply with certain obligations under the Privacy Act when carrying out their AML/CTF obligations. 

What does this mean for privacy compliance?

With some specific exemptions, the majority of Australian small businesses are excluded from the application of the Privacy Act under the ‘small business exemption’. This exemption generally applies to businesses with an annual turnover of less than $3 million. 

However, entities or their authorised agents that are required to comply with the AML/CTF Act must also comply with the Privacy Act when handling personal information for the purposes of carrying out their AML/CTF obligations. 

This means that, where an entity is only regulated under the Privacy Act because of its AML/CTF obligations, it will have to comply with the Privacy Act in connection with its handling of personal information for:

  • customer due diligence;
  • monitoring, reporting and record-keeping obligations; and
  • personnel due diligence (where the employee record exemption under the Privacy Act does not apply).

What does this mean in practice for newly regulated tranche 2 entities?

Although many tranche 2 entities may already be caught by the Privacy Act, the AML/CTF reforms will result in small businesses that did not previously meet the threshold being required to comply with the Privacy Act for the first time (newly regulated entities). 

Where newly regulated entities handle personal information in connection with their AML/CTF obligations, they must ensure they are complying with the Privacy Act and the APPs.

If you are a newly regulated entity, you must take steps to consider your existing internal compliance frameworks, and ensure you are able to comply with your new obligations under the Privacy Act and APPs. In summary, this will require consideration of the following key privacy obligations:

  • Transparency and openness (APP 1)
    • You must take reasonable steps to implement practices and procedures to comply with the APPs when carrying out AML/CTF obligations.
    • This means you must implement a compliant privacy policy and privacy collection notices which clearly describe how you handle personal information to comply with your AML/CTF obligations.
    • You do not need to provide a collection notice where to do so would be inconsistent with your AML/CTF obligations.
  • Collection (APP 3)
    • You must generally only collect personal information which is reasonably necessary to comply with your AML/CTF obligations, and other functions and activities of your organisation.
    • In some cases you may be required by law to collect sensitive information to comply with your AML/CTF obligations. This type of information is generally afforded a higher level of protection under the Privacy Act.
  • Notification of collection (APP 5)
    • You must provide individuals with an APP 5 Privacy Collection Notice with details about how the information that is collected will be handled for the purposes of AML/CTF obligations.
    • As above, a Privacy Collection Notice is not required where to do so would be inconsistent with your AML/CTF obligations (i.e. tipping off obligations).
  • Use and disclosure (APP 6)
    • You generally cannot use or disclose personal information collected in connection with your AML/CTF obligations for any other purpose or function, unless an exemption applies.
    • Where personal information will be disclosed to an overseas recipient (including to a third party service provider) you must generally comply with obligations to ensure that the personal information continues to be handled in accordance with the Privacy Act and the APPs, unless an exemption applies. In some cases, offshore disclosure may be required or authorised by the AML/CTF Act or the AML/CTF Rules.
  • Security, retention and destruction (APP 11)
    • You must take reasonable steps to protect any information you hold from misuse, interference and loss, and from unauthorised access, modification and disclosure.
    • You must take reasonable steps to destroy or de-identify information after it is no longer needed.
  • Access and correction (APPs 12 and 13)
    • Ensure you have processes and procedures in place to appropriately escalate and action any requests to access or correct personal information that you hold in connection with your AML/CTF obligations.
  • Mandatory Notifiable Data Breaches Scheme
    • Ensure you have processes and procedures in place to enable you to comply with the Mandatory Notifiable Data Breaches Scheme under the Privacy Act.
    • It is critical to have a data breach response plan in place so you can respond quickly in the event of a data breach.
    • You should ensure that key stakeholders within the business are familiar with your data breach response plan, and that appropriate training is being delivered regularly.

Tips from the OAIC

The OAIC has issued detailed guidance for newly regulated entities to assist them to meet their AML/CTF and associated privacy obligations. The OAIC’s guidance provides important tips that entities, especially newly regulated entities, should consider. It has also published a template privacy collection notice to assist newly regulated entities with meeting their obligations under APP 5.

Specific risk areas

Managing third party risk:

If you are engaging a third party in connection with your AML/CTF obligations, or to handle personal information on your behalf, ensure appropriate contractual obligations are imposed to ensure you are able to meet your Privacy Act obligations. 

Retention of personal information:

Over-collection and unnecessary retention of personal information are key risk areas, particularly in the context of a data breach. You must generally only collect and retain the minimum amount of personal information that you need. OAIC guidance cautions against collecting copies of full identification documents (such as driver’s licences or passports), and there is no longer any requirement to retain scanned copies of the documents themselves. Instead, it is recommended that you only collect the identification information that is directly required to comply with AML/CTF record-keeping obligations. The information you will be required to collect will vary depending on a risk-based assessment of your specific circumstances, including:

  • the kinds of designated services that you provide;
  • your customers and their risk profiles;
  • the delivery channels through which your services are provided; and
  • the countries and jurisdictions with which you deal.

However, generally speaking, details such as name, date of birth, residential address, date of expiry and passport/licence number may be collected as part of AML/CTF compliance.

Identity verification:

Where you intend to verify an individual’s identity from a credit reporting body, you must first inform the individual about the verification process, obtain their consent and make available an alternative means of verification. 

If you are a newly regulated AML/CTF entity, take steps now to ensure your privacy framework is compliant before 1 July 2026.

Conducting a privacy impact assessment or privacy gap analysis, updating your privacy policy and collection notices, and reviewing your existing information handling practices (for example, with regard to information retention and destruction) will help get you on the right track. We are able to provide dedicated virtual or face-to-face training for your internal teams in relation to your privacy and AML/CTF obligations, so please reach out to one of our key contacts for further information or assistance.

Ooma Khurana

Ooma advises public and private sector clients in information technology, consumer markets and telecommunications sectors, particularly in relation to regulatory compliance and technology.
