Introduction
From 1 July 2026, amendments to the Anti‑Money Laundering and Counter‑Terrorism Financing Act 2006 (Cth) (AML/CTF Act) will bring a range of new industries within Australia’s anti‑money laundering regime for the first time. Real estate agents, lawyers, accountants, conveyancers and dealers in precious stones and metals will all become reporting entities, required to verify customer identities, monitor financial crime risks and report suspicious activity to the Australian Transaction Reports and Analysis Centre (AUSTRAC).
Critically, once a business becomes a reporting entity under the AML/CTF Act, it must also comply with the Privacy Act 1988 (Cth) (Privacy Act) in respect of all personal information collected for AML/CTF purposes - regardless of its annual turnover. This obligation applies irrespective of how the entity conducts identity verification - whether in‑house, through outsourced compliance providers, via Verification of Identity (VOI) or biometric verification platforms, or by accessing the Document Verification Service (DVS). This article outlines the key privacy obligations of which new and existing reporting entities should be aware.
Background
The AML/CTF Act was enacted in 2006 to establish Australia's framework for preventing money laundering and terrorism financing. In 2024, Parliament passed the Anti‑Money Laundering and Counter‑Terrorism Financing Amendment Act 2024 (Cth), which introduced significant reforms to the regime. These reforms are being implemented in tranches. Tranche 1, which took effect on 31 March 2026, introduced updated requirements for existing reporting entities, including revised rules for value transfers, bearer negotiable instruments, AML/CTF programs and customer due diligence. Tranche 2, commencing 1 July 2026, will extend the AML/CTF regime to the following sectors for the first time:
- real estate businesses including real estate agents, buyer’s agents and property developers;
- dealers in precious stones, metals and products;
- lawyers, conveyancers and legal services; and
- professional service providers including accountants and trust and company service providers.
Under the Privacy Act, small businesses with an annual turnover of $3 million or less are generally exempt from compliance obligations, unless they fall within specified categories such as health service providers or businesses that trade in personal information. However, this small business exemption has never extended to AML/CTF reporting entities.
Since the AML/CTF Act's inception, reporting entities have been required to comply with the Privacy Act in respect of personal information collected for the purposes of meeting their obligations under the AML/CTF Act, regardless of their annual turnover. With the commencement of Tranche 2, many businesses that have previously relied on the small business exemption will, for the first time, be required to comply with the Privacy Act in respect of their AML/CTF‑related personal information handling. The expanded application of the Privacy Act to these entities reflects the sensitivity of identity‑verification information collected for AML/CTF purposes and the heightened risks associated with its misuse, over‑collection or inadequate protection. As part of these reforms, both new and existing reporting entities should review their privacy practices, particularly in relation to data minimisation and identification‑document retention.
Privacy Act Obligations for AML/CTF Reporting Entities
Once a business becomes a reporting entity, it must ensure that all personal information collected for AML/CTF purposes is handled in accordance with the Australian Privacy Principles (APPs). This includes:
- limiting the personal information collected to what is reasonably necessary to comply with its obligations under the AML/CTF framework;
- ensuring information is accurate, secure and up‑to‑date;
- destroying or de-identifying information once it is no longer required, subject to any applicable record retention obligations under the AML/CTF Act (which generally requires reporting entities to retain certain records, including customer identification records, for seven years after the end of the relevant relationship or transaction);
- maintaining a clear and accessible privacy policy; and
- providing collection notices, except where doing so would breach tipping‑off prohibitions.
The Office of the Australian Information Commissioner (OAIC) emphasises that AML/CTF obligations and privacy obligations operate together, and neither can be treated in isolation.
Particular Considerations for Reporting Entities
(a) Limiting Information Collection
The OAIC highlights that reporting entities may only collect personal information that is reasonably necessary to fulfil their AML/CTF obligations or legitimate organisational functions. Collecting additional information ‘just in case’ is not permitted and may breach APP 3.
(b) Retention of Identification Documents
The AML/CTF Act does not require entities to retain full copies of identification documents (eg passports or driver’s licences). Unnecessary retention of these documents creates significant privacy risks and may breach APP 11, which requires entities to take reasonable steps to destroy or de‑identify personal information when it is no longer needed for any lawful purpose. Rather than retaining full copies of identification documents, reporting entities should consider the following measures to satisfy their record‑keeping obligations while minimising privacy risk:
- recording only the minimum information reasonably necessary to demonstrate that identity verification was performed - for example, the document type, document number, issuing authority and date of verification;
- where available, using the DVS or similar electronic verification methods, which enable identity attributes to be checked against government records without the need to store copies of the underlying documents; and
- implementing secure destruction or de‑identification processes to ensure that any identification documents initially sighted or collected during onboarding are disposed of once verification is complete and the information is no longer required for any lawful purpose.
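As an added illustration (not from the article, the OAIC or any particular vendor), the following Python sketch models the three measures above: the retained record holds only the document type, number, issuing authority, verification date and method; the document scan and any extra attributes collected at onboarding are discarded; and the retention end date is computed seven years from the end of the relationship. Field names and sample values are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

RETENTION_YEARS = 7  # AML/CTF retention period for customer identification records
RETAINED_FIELDS = ("document_type", "document_number", "issuing_authority",
                   "verified_on", "verification_method")

@dataclass
class VerificationRecord:
    customer_id: str
    document_type: str
    document_number: str
    issuing_authority: str
    verified_on: date
    verification_method: str            # e.g. "DVS" or "sighted in person"
    relationship_ended: Optional[date] = None

def minimise(customer_id, onboarding):
    """Build the retained record from an onboarding payload, discarding every field
    not in RETAINED_FIELDS (scans, 'just in case' attributes). Also returns what was dropped."""
    kept = {k: onboarding[k] for k in RETAINED_FIELDS}
    dropped = sorted(set(onboarding) - set(RETAINED_FIELDS))
    return VerificationRecord(customer_id=customer_id, **kept), dropped

def add_years(d, years):
    """Add calendar years; 29 February falls back to 28 February if needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def retention_end(record):
    """Seven years after the end of the relationship; None while it is still open."""
    if record.relationship_ended is None:
        return None
    return add_years(record.relationship_ended, RETENTION_YEARS)

def may_destroy(record, today):
    """True once the retention period has expired and APP 11 destruction applies."""
    end = retention_end(record)
    return end is not None and today >= end

def sample_payload():
    """Constructed onboarding payload (hypothetical values): includes a full scan
    and an extra attribute that the minimised record must not keep."""
    return {"document_type": "passport", "document_number": "PA1234567",
            "issuing_authority": "Australian Passport Office",
            "verified_on": date(2026, 7, 15), "verification_method": "DVS",
            "document_scan": b"<jpeg bytes>", "mothers_maiden_name": "Smith"}
```

The scan never enters the retained record, so there is nothing to destroy later; destruction after the retention period then applies only to the minimal attributes.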
(c) Privacy Policies
Reporting entities must have an up‑to‑date privacy policy that accurately reflects their AML/CTF practices. Because AML/CTF obligations involve collecting identification information, conducting customer due diligence, verifying identity attributes and sometimes disclosing information to AUSTRAC, a compliant privacy policy should clearly explain:
- what personal information is collected for AML/CTF purposes;
- how and why that information is used;
- who the information may be disclosed to (including AUSTRAC);
- how the information is stored, protected and eventually destroyed; and
- how individuals may access or correct their information.
Privacy policies should be updated whenever AML/CTF processes change, such as when an entity:
- adopts new technologies (including verification tools that rely on artificial intelligence (AI));
- modifies its onboarding procedures; or
- updates its reporting systems.
(d) Collection Notices
Where a reporting entity collects personal information for AML/CTF purposes, it must, where appropriate, provide individuals with a collection notice that explains the kinds of personal information being collected, the purposes of collection, and any third parties to whom the information may be disclosed (including AUSTRAC). Collection notices should be provided at or before the time of collection, or as soon as practicable afterwards.
(e) Tipping Off
Notwithstanding paragraph (d) above, where providing a collection notice would breach the AML/CTF Act's tipping‑off provisions, the entity is not required to provide that notice (in fact, it is prohibited from doing so). This includes circumstances that may give rise to a suspicious matter report filing, where disclosure would, or could reasonably be expected to, prejudice any potential investigation.
(f) Use of AI and Facial Recognition Technology
Many reporting entities now use AI‑based identity verification tools, including facial recognition technology (FRT). In practice, this can involve capturing a live image of a person’s face, converting it into a biometric template, and comparing it against the photo on the identification document submitted by the individual (such as a passport or driver's licence) to verify their identity. The OAIC confirms that biometric information is considered sensitive information under the Privacy Act, and it will attract stricter handling requirements. For example, entities that use FRT will need to ensure:
- any collection of biometric information is necessary and proportionate in the circumstances; and
- the individual provides their consent, or collection is required or authorised under Australian law.
(g) Use of Third-Party Service Providers and Software Platforms
Where a reporting entity engages a third‑party service provider or software platform to perform aspects of its AML/CTF obligations - such as identity verification, customer due diligence or transaction monitoring - the entity remains responsible for ensuring that all personal information collected, used or disclosed in connection with those services is handled in accordance with the APPs. A reporting entity cannot avoid its obligations under the Privacy Act by outsourcing functions to an external provider. If a third‑party provider collects personal information on behalf of the entity without providing adequate collection notices, without obtaining necessary consents, or in a manner that is otherwise inconsistent with the APPs, the reporting entity may be liable for those deficiencies. Reporting entities should therefore take reasonable steps to satisfy themselves that any third‑party providers they engage have appropriate privacy practices in place, including through contractual requirements and ongoing oversight.
Key Takeaways
- AML/CTF obligations automatically trigger Privacy Act compliance, regardless of annual turnover.
- Small businesses cannot rely on the $3 million turnover exemption when handling AML/CTF information.
- The OAIC expects strict adherence to data‑minimisation, security and destruction requirements.
- Entities using AI‑based verification face heightened obligations.
For many small businesses entering the AML/CTF regime, this will be their first encounter with the Privacy Act. To prepare effectively, businesses should begin:
- developing or updating privacy policies and collection notices;
- implementing secure data‑handling systems and destruction processes;
- training staff on AML/CTF and privacy obligations; and
- ensuring the collection of personal information during client onboarding complies with both AUSTRAC and OAIC expectations.
How we can help
Russell Kennedy’s expert Privacy team advises organisations across all sectors on navigating the expanding AML/CTF regime and its intersection with privacy law. We can assist by:
- assessing whether your business will be captured as a Tranche 2 reporting entity and identifying the practical implications;
- preparing or updating privacy policies and collection notices to ensure they accurately describe AML/CTF‑related handling of personal information; and
- assessing and mitigating privacy impacts of AI‑based identity‑verification tools, including FRT.
The information contained in this Insight is intended as general commentary and should not be regarded as legal advice. Should you require specific advice on the topics or areas discussed please contact the Russell Kennedy team.