As businesses prepare for the upcoming changes to their financial obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act), it is crucial to consider the interplay between these obligations and those under the Privacy Act 1988 (Privacy Act).
From 1 July 2026, tranche 2 entities, including real estate professionals, accountants and dealers in precious metals, will need to start complying with the new regime.
All reporting entities under the AML/CTF Act, including small businesses with an annual turnover of less than $3 million, must comply with the Privacy Act when handling personal information for AML/CTF compliance.
This includes adhering to the Australian Privacy Principles (APPs), which govern the collection, use, disclosure and security of personal information. Importantly, the Privacy Act does not exempt small businesses from these obligations if they are reporting entities under the AML/CTF Act.
When outsourcing services, businesses must ensure third-party providers comply with the Privacy Act. Contracts should include specific terms regarding the handling of personal information, and due diligence should be conducted to assess the provider’s privacy and security practices.
AML/CTF compliance often requires collecting detailed personal information, particularly for customer due diligence. Personal information collected must be reasonably necessary to comply with AML/CTF obligations or other legitimate business activities.
We recommend businesses consider their onboarding forms, due diligence questionnaires and verification processes to ensure that they are proportionate and targeted. Over-collection increases exposure if there is a data breach and can lead to regulatory scrutiny.
The Office of the Australian Information Commissioner has released updated privacy guidance for reporting entities under the AML/CTF Act, including a Privacy Essentials Checklist for reporting entities.
Under the Privacy Act, businesses in most cases should clearly explain to customers:
This is usually done through a privacy collection notice.
AML/CTF laws prohibit “tipping off” individuals in circumstances where disclosure could prejudice an investigation. In those cases, businesses may be permitted, or required, to limit or delay privacy notifications.
Guidance on this point suggests that a privacy collection notice is not required where the provision of one would be inconsistent with an entity’s tipping off obligations. However, this needs to be managed carefully to ensure that neither privacy nor AML/CTF obligations are breached.
Under the newly reformed regime, businesses are generally no longer required to retain copies of full identification documents, such as passports or drivers' licences, for AML/CTF record-keeping purposes. Instead, businesses should retain only the specific data points that are needed to demonstrate compliance, such as:
Holding unnecessary copies of identity documents can significantly increase cyber-security and privacy risks.
AML/CTF obligations can result in businesses holding large volumes of sensitive information over long periods of time. This makes the data particularly attractive to cyber criminals.
Privacy law requires businesses to take reasonable steps to protect personal information. What is “reasonable” will vary depending on the size and complexity of the business, but generally includes:
Businesses subject to AML/CTF obligations will also fall within the Notifiable Data Breaches scheme, which requires notification to regulators (and sometimes to affected individuals) if a serious data breach occurs. Here, too, the notification process must be managed alongside AML/CTF "tipping off" obligations.
Individuals have rights to access and correct their personal information under privacy law, including that which is collected for AML/CTF purposes. Businesses must have processes in place to respond to these requests within a reasonable time frame.
However, access may need to be refused where providing the information would breach AML/CTF secrecy or tipping off obligations, which prohibit disclosure that could interfere with investigations under the AML/CTF Act.
The AML/CTF reforms represent a significant shift for many businesses, both in terms of financial risk and in how personal information is handled. Privacy compliance is inseparable from AML/CTF compliance.
Businesses that act early to align governance, data handling, security and staff awareness will be better placed to meet their obligations, minimise regulatory risk and maintain trust with customers as the new regime comes into force in 2026.
Jackson McDonald's experienced regulatory and privacy team can assist your business to navigate the AML/CTF regime, align with privacy obligations and implement practical, risk-based compliance solutions.
This article was written by Tegan Hill, Restricted Practitioner, Corporate Commercial.