On 1 July 2026 the tranche 2 reforms to Australia’s anti-money laundering and counter-terrorism financing (AML/CTF) regime commenced. An estimated 80,000 to 100,000 previously unregulated businesses now carry AML/CTF obligations, including real estate agents, conveyancers, accountants, law firms, trust and company service providers, and dealers in precious metals and stones. A business providing designated services from 1 July must complete AUSTRAC enrolment by 29 July 2026.
Most commentary has focused on the AUSTRAC side of the ledger: enrolment, compliance programs, customer due diligence and suspicious matter reporting. Less attention has been paid to what those obligations create. Every newly regulated business is about to accumulate a substantial holding of identity data, and a second legal regime attaches to that holding. The same reforms bring these businesses under the Privacy Act for their AML/CTF data handling regardless of turnover, so the small business exemption does not shield this activity. The obligation to collect arrives together with the liability for holding.
What tranche 2 businesses must now collect and hold
Customer due diligence requires a business to verify who its customer is before providing a designated service. In practice that means names, dates of birth, residential addresses and identity document details, beneficial ownership information for companies and trusts, and in higher-risk cases the source of a customer’s funds or wealth. Records of that verification must be kept for seven years after the business relationship or transaction ends. Multiplied across a client book, a suburban conveyancer or two-partner firm quickly holds a database that resembles, in kind if not in scale, the ones compromised at Optus and Latitude Financial.
Why AML/CTF customer records are a data breach risk
Identity data is now being distributed across tens of thousands of businesses with a fraction of the security capability of the banks that have carried these obligations since 2006. Each new holding is a honeypot for cyberattacks. The Optus breach demonstrated that document numbers alone are enough to cause lasting harm to the individuals concerned. Criminals follow the data, and the number of soft targets holding it has just multiplied.
The liability side is no longer theoretical. Serious privacy failures can attract penalties of $50 million or more, the regulator can issue infringement notices of up to $66,000 for matters as basic as a deficient privacy policy, and since June 2025 individuals have held a direct statutory right to sue for serious invasions of privacy. The Federal Court imposed the first civil penalty under the Privacy Act in October 2025, ordering Australian Clinical Labs to pay $5.8 million, and the Office of the Australian Information Commissioner (OAIC) began a compliance sweep of privacy policies in January 2026.
How the AML/CTF Act and the Privacy Act fit together
The discipline that satisfies both regimes is data minimisation. The AML/CTF Act prescribes what must be collected and how long it must be kept. The Privacy Act limits collection to what is reasonably necessary and requires you to protect what you hold and destroy or de-identify it once the need has passed. OAIC guidance for reporting entities is direct on the most common failure: verify identity and record the outcome, but do not retain copies of passports or driver licences unless another law requires it. Retained document copies are the single largest avoidable exposure in this regime.
What newly regulated businesses should do now
- Map your services against the designated services list and confirm which parts of your practice trigger the obligations.
- Collect to the statutory minimum. Nothing in either regime rewards gathering more than your AML/CTF program requires.
- Verify, record the verification outcome, and do not keep copies of identity documents.
- Secure what you must keep. Access controls, encryption and separation from general working files are the baseline, and the Privacy Act now expressly requires technical and organisational measures.
- Calendar destruction. Seven years is a retention period, not a suggestion to keep records indefinitely.
- Check your vendors. Outsourced verification does not outsource accountability, and the Privacy Act holds your business responsible for personal information your providers hold on its behalf.
- Update your privacy policy and collection notices. The OAIC is actively reviewing policies, and a deficient one is now infringement notice territory.
For most newly regulated businesses this is their first contact with either regime, and the habits formed in the first year will determine their exposure for the next decade. You cannot lose what you do not hold. Where the law compels you to hold, protect it properly and destroy it on schedule.
SLK Lawyers advises businesses on AML/CTF onboarding, privacy compliance and data breach response. Contact Blaine Hattie to discuss your obligations.
Book an appointment with one of our Lawyers to discuss your specific needs.
Book a ConsultationA Note on the Information We Share
Reading this information does not create a lawyer-client relationship between you and SLK Lawyers. This only occurs with a formal written agreement. Content is current at publication and applies to Victorian law unless stated otherwise. It is general information only and not a substitute for specific legal advice. Strict time limits apply to legal claims. You should seek immediate legal advice on your specific situation to ensure your rights are protected.