Practical privacy steps for reporting entities
Updated guidance released by the Office of the Australian Information Commissioner (OAIC) has sharpened the focus on how businesses balance AML/CTF risk with their privacy obligations.
From 31 March 2026, the record-keeping obligations in the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) will be amended and apply to all current reporting entities as part of the simplification and modernisation of the AML/CTF Act. Following that, from 1 July 2026, the AML/CTF Act will apply to new sectors, including law firms, real estate professionals and accountants, that typically provide professional services. These 'Tranche 2 entities' will have new obligations under the AML/CTF regime, including the requirement to conduct initial and ongoing customer due diligence and to keep records of these procedures.
The OAIC’s guidance confirms that AML/CTF obligations must be balanced with the requirements of the Privacy Act 1988 (Cth) (Privacy Act), including the Australian Privacy Principles (APPs).
In this Insight, we outline the key privacy considerations and practical steps for businesses navigating this balancing act.
Key takeaways
- Compliance with the AML/CTF regime requires the collection and verification of personal information that is commensurate with the ML/TF risk of the customer. However, privacy obligations limit the scope of what can be collected for this purpose.
- The OAIC expects consent to be obtained for the use of biometric ID verification for 'Know Your Customer' (KYC) purposes. Organisations will need to consider alternatives where consent is not provided.
- From 31 March 2026, retaining copies of identity documents in order to comply with AML/CTF requirements will no longer be justified. Organisations should ensure their AML/CTF record-keeping processes align with these changes.
- The small business exemption in the Privacy Act will not apply to reporting entities and their authorised agents in respect of AML/CTF activities.
- When implementing privacy compliance measures, including transparency obligations under APPs 1 and 5 and responding to the personal information access regime under APP 12, organisations must ensure this does not create a 'tipping off' risk (ie ensuring the organisation does not disclose the existence of 'Suspicious Matter Reports' to the customer).[1]
Collection: KYC and what is reasonably necessary
From 31 March 2026, all reporting entities must retain records that are reasonably necessary to demonstrate compliance with the customer due diligence (CDD) obligations under the AML/CTF Act.[2] The records must include:
- sufficient and accurate records that demonstrate the type and content of data collected by the reporting entity; and
- records of analysis, identification or assessment of ML/TF risk or decision making by the reporting entity in relation to the customer for the purpose of complying with the CDD obligations.
These records must be retained for seven years after the end of a customer's relationship with the entity, and must be in English or in a form that is readily accessible and convertible into written English.
Reporting entities must perform CDD on a customer to whom a reporting entity provides, or proposes to provide, a designated service. Given this, the record-keeping obligations apply only where there is the prospect of a reporting entity providing a customer with a designated service.
It is clear that these amendments do not require reporting entities to keep copies of identity documents used throughout the CDD process. Instead, reporting entities are required to obtain records of what they did to identify a customer and the identifying information the customer presented.
In light of this obligation, the OAIC guidance focuses significant attention on what information collection is 'reasonably necessary' in the context of the AML/CTF Act and APP 3.
Consistent with its commentary in the APP Guidelines, in the AML/CTF guidance, the OAIC notes that the test as to whether collection is 'reasonably necessary' under APP 3.2 is objective: would a reasonable, properly informed person agree that the collection is required?
In the AML/CTF context, collection must be guided by an entity’s actual AML/CTF obligations and relevant regulatory guidance (such as the AUSTRAC guidance), and is subject to proportionate limits.
The guidance illustrates this through two contrasting examples of when KYC-related data collection for AML/CTF purposes may be reasonably necessary:
- On one hand, a multidisciplinary law firm is permitted to undertake AML/CTF onboarding at the outset of a matter because the initial instructions make it reasonable to conclude that a designated service may be provided, even though the transaction may never eventuate.
- In another scenario, it is not reasonably necessary for an accounting firm to undertake AML/CTF onboarding for a client who is not (at that time) receiving a designated service and is not (within the context of that engagement) likely to receive a designated service in the future.
The implication is that there must be a genuine nexus between the service being offered and an actual or potential designated service. This is consistent with how the record-keeping obligation is expressed in the AML/CTF Act. Performing CDD obligations on a customer for work that is not a designated service, simply as a matter of convenience or risk aversion, may breach APP 3.
Practically, this guidance may complicate client onboarding for Tranche 2 businesses in particular, where only some of their services may amount to 'designated services' under the AML/CTF Act. To implement this consistently with the guidance, businesses offering multiple service lines will need to put processes in place to ensure that clients onboarded for non-designated services are not funnelled into designated services without first completing AML/CTF compliance procedures. This is likely to be more challenging than conducting the assessment at the outset of a relationship, regardless of whether the relevant service is, or is related to, a 'designated service'.
Collecting biometric information: is it authorised by law?
Biometric ID verification is increasingly common among reporting entities as it is an effective way to reduce fraud and establish that a customer is who they claim to be. However, clarity on its use from a privacy perspective would greatly assist compliance efforts.
The AML/CTF guidance on this point aligns closely with the OAIC's position on the collection and use of biometric information in its guidance regarding facial recognition technology and biometric information, confirming that 'consent should generally be sought from the individual before conducting biometric identification or verification for customer due diligence in the AML/CTF context'. It also emphasises the importance of proper notices.
While the guidance acknowledges that organisations may be 'required or authorised by law' to collect sensitive information under the AML/CTF regime, it stops short of confirming this can be relied on in the absence of consent. Entities may still choose to rely on this basis, but the OAIC's preferred position leaves open a clear risk in doing so.
Entities using biometric ID verification should therefore obtain consent and will need to consider how such consent is obtained. For instance:
- Is the consent bundled with consent to use or procure a service, or is it a standalone consent?
- Do vulnerability factors need to be taken into account when seeking consent?
- What alternative options are available to conduct ID verification if an individual declines consent?
Unfortunately, the AML/CTF guidance does not provide clear answers to this issue.
Only retain the record: APP 11 and ID documents
APP 11.3 requires entities to destroy or de-identify personal information once it is no longer needed, except where retention is required by law. The AML/CTF guidance helpfully clarifies how this obligation interacts with the AML/CTF Act:
- Prior to 31 March 2026, if a copy of an identification document was made by a reporting entity as part of a CDD process (noting the AML/CTF Act did not require that one be made), the reporting entity was taken to have made a record of the information in the document. That record must be retained in accordance with AML/CTF record retention obligations.
- After this date, reporting entities should not retain copies of full identity documents (such as passports or drivers' licences) for AML/CTF record-keeping purposes. Instead, entities should keep only the specific information required to demonstrate compliance, for example full name, date of birth, address, document type and number, and the outcome of verification and risk assessment.
Reporting entities that have historically retained copies of identity documentation will need to ensure they update their AML/CTF record keeping processes.
Other issues
The guidance also contains helpful reminders about the interplay between the AML/CTF regime and privacy law:
- Small business reporting entities: a reporting entity will be caught by the Privacy Act in relation to its AML/CTF activities even if it is otherwise exempt under the 'small business' exception. This also applies to authorised agents of reporting entities in connection with AML/CTF obligations. While not a new obligation, Tranche 2 extends the extent to which small businesses may be brought within the ambit of the Privacy Act.
- Privacy and 'tipping off': AML/CTF Act secrecy provisions (eg 'tipping off' prohibitions) override Privacy Act obligations, but only to the extent necessary to avoid breaching the secrecy provision. Reporting entities will need to consider whether secrecy obligations are engaged when complying with different aspects of the Privacy Act, such as:
- APP 5 and providing notice of the purpose of collection of information;
- the notifiable data breach regime (particularly when notifying individuals); and
- the information access regime under APP 12 (with secrecy provisions trumping any disclosure requirement of APP 12).
What do you need to do?
The OAIC guidance is practical and action-oriented. Businesses preparing for the AML/CTF reforms should prioritise the following:
- Review privacy policy, collection notices and consents: ensure these are updated to accurately reflect:
- what personal information is collected for AML/CTF purposes
- why it is collected and under what legal authority
- how long it will be retained
- when it may be disclosed, including to regulators, counterparties and service providers.
- Minimise collection—and document your reasoning: map the personal information collected across client onboarding, ongoing due diligence and monitoring activities. For each data point, assess whether collection is reasonably necessary and document this assessment. Where risk-based judgements are involved, consider whether a privacy impact assessment (PIA) is appropriate.
- Understand your data flows: know where AML/CTF data is stored, who can access it, whether it is sent offshore and how long it is retained. This applies to both internal systems and third-party platforms. If the records are not kept in written form, ensure they are readily accessible and readily convertible into written English.
- Implement compliant record retention processes: review record retention processes to ensure copies of ID documents are not retained.
- Assess and manage third-party risk: ensure arrangements with third parties adequately address privacy and data-handling risks.
- Update training and incident response frameworks: staff involved in onboarding, compliance, IT and risk functions should be trained on the privacy dimensions of AML/CTF compliance.
Footnotes

1. AML/CTF Act, s 123.
2. AML/CTF Act, s 111. The customer due diligence obligations appear in s 28 and s 30 of the AML/CTF Act.