OAIC Updates Privacy Guidance for AML/CTF Reporting Entities — What You Need to Know (April 2026)

The Office of the Australian Information Commissioner (OAIC) has released an updated edition of its Privacy Guidance for Reporting Entities under the AML/CTF Act, last updated April 2026. This guidance is essential reading for every business that holds AML/CTF obligations in Australia — from banks and fintechs to lawyers, accountants, real estate agents and dealers in precious metals. The April update introduces 12 substantive changes, including a brand-new regulatory approach section, a detailed transitional framework for ID document retention, and a new privacy collection notice template.

Key Dates You Cannot Miss

  • 31 March 2026 — Changes to AML/CTF obligations commence for Tranche 1 reporting entities (financial services, bullion, gambling, digital currency).
  • 30 June 2026 — Recommended deadline for immediate compliance actions under the April 2026 guidance update (see action checklist below).
  • 1 July 2026 — AML/CTF obligations extend to Tranche 2 entities: real estate professionals, lawyers, conveyancers, accountants and trust & company service providers.

What Is the OAIC Privacy Guidance and Why Does It Matter?

Under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act), reporting entities must comply with a range of obligations to detect and deter financial crime. What many businesses do not realise is that the Privacy Act 1988 applies simultaneously — regardless of whether your business is a small business ordinarily exempt from privacy law.

The OAIC’s guidance explains exactly how the Australian Privacy Principles (APPs) interact with your AML/CTF obligations. It covers everything from how you collect customer information at onboarding, to how long you can retain copies of identity documents, to what happens when you use a third-party provider for customer due diligence.

Failure to comply with both frameworks simultaneously is a real risk. The April 2026 update provides important new clarity — and some important new obligations — that every compliance officer and AML/CTF program owner must understand.

Who Must Comply?

The guidance applies to all reporting entities under the AML/CTF Act and their authorised agents. This includes:

  • Banks, credit unions, and other authorised deposit-taking institutions
  • Fintech and digital currency exchange (DCE) businesses
  • Bullion dealers and gambling operators
  • Money remitters and financial advisers
  • From 1 July 2026 (Tranche 2): real estate professionals, solicitors, conveyancers, accountants, and trust and company service providers

Critically, the Privacy Act applies to AML/CTF-related information-handling activities even if your business has an annual turnover of less than $3 million — the threshold that ordinarily exempts small businesses from privacy law. If you are a reporting entity or an authorised agent of one, privacy obligations apply to your AML/CTF activities in full.

The OAIC’s Regulatory Approach: A Proportionate, Harm-Focused Regulator

One of the most significant additions in the April 2026 update is a new dedicated section on the OAIC’s regulatory philosophy. The OAIC has confirmed it takes a risk-based and harm-focused approach to regulation. In plain English, this means:

  • The OAIC will direct its enforcement attention to activities most likely to cause harm to individuals.
  • The OAIC recognises that new AML/CTF requirements represent significant change for many businesses, and that aligning systems and processes takes time.
  • The OAIC will exercise its regulatory powers proportionately, taking into account the size, nature, and complexity of an entity and the scale of the changes required.

This does not mean privacy obligations are optional or flexible. It means that a well-documented, good-faith effort to comply — including a written transition plan — will carry significant weight if the OAIC ever considers enforcement action. Entities without a documented approach to compliance have no such protection.

Your Key Privacy Obligations Under the APPs

The guidance provides practical, AML/CTF-specific guidance across all relevant Australian Privacy Principles. Here is a summary of the core obligations every reporting entity must have in place:

Privacy Policy and Governance (APP 1)

You must have a clearly expressed and current APP privacy policy covering how you manage personal information for AML/CTF purposes. You need internal practices, procedures and systems to receive and respond to privacy complaints within 30 days. If you are a small business that would otherwise be exempt from the Privacy Act, your policy only needs to address AML/CTF-related information handling.

Collecting Personal Information (APP 3)

You may only collect personal information that is reasonably necessary to carry out your AML/CTF obligations. The AML/CTF Act does not give you a blank cheque to collect whatever information you wish. The ‘reasonably necessary’ test is objective — a reasonable, informed person must agree the collection is justified. This means reviewing your onboarding forms and due diligence questionnaires to remove fields that collect more than is needed.

Customer Notification (APP 5)

Before collecting personal information (or as soon as practicable after), you must notify customers why their information is being collected, how it will be used and disclosed, and who may receive it. You are not required to provide this notice where doing so would breach your tipping off obligations under the AML/CTF Act. The OAIC has now published a privacy collection notice template specifically for AML/CTF reporting entities — this is a practical resource you should download and adapt immediately.

Use and Disclosure (APP 6)

Personal information collected for AML/CTF purposes may only be used or disclosed for that primary purpose, or where an exception applies. The AML/CTF Act itself authorises many uses and disclosures — for example, submitting suspicious matter reports (SMRs) to AUSTRAC — so these will generally be permitted. Any other secondary use requires consent or another applicable exception.

Overseas Disclosure (APP 8)

If you disclose customer information to an overseas contractor or service provider (for example, for identity verification), you must take reasonable steps to ensure the overseas recipient complies with the APPs. You remain accountable for how that third party handles the information. Exceptions apply where the AML/CTF Act requires or authorises the disclosure.

Security (APP 11.1)

You must take reasonable technical and organisational steps to protect personal information from misuse, interference, loss, and unauthorised access or disclosure. AML/CTF entities are high-value targets for cybercriminals because they hold large volumes of sensitive identity data. Minimum steps include multi-factor authentication, audit logs, encryption, and a documented data breach response plan.

Retaining and Destroying Personal Information (APP 11.2) — Major Changes in April 2026

This is the area of greatest change in the April 2026 update. From 31 March 2026, the AML/CTF Act no longer requires entities to retain scanned copies or photocopies of identity documents. You must now transition to retaining only specific data fields — name, date of birth, residential address, expiry date, document number, document type, verification outcome, and ML/TF risk assessment.

The OAIC recognises that for many Tranche 1 entities, this transition requires significant systems and process changes. The April 2026 guidance introduces a nuanced transitional framework, including the concept of placing information “beyond use” as an interim compliance measure where immediate destruction is not technically possible.


Access and Correction (APPs 12 & 13)

Customers have the right to access their personal information you hold and to have inaccurate information corrected. You must respond to access requests within 30 days. Note that tipping off obligations mean you cannot disclose the existence of an SMR or related investigation to the individual requesting access — you may refuse access on this basis without explaining why.

Third-Party Providers: You Remain Accountable

Many reporting entities use third-party providers for identity verification, KYC platforms, or customer due diligence services. The guidance confirms that you remain accountable under the Privacy Act for how those providers handle your customers’ information. Before engaging any third party, you should review their privacy policy and data breach response plan, include specific privacy obligations in your contract, and conduct periodic reviews of how they handle personal information on your behalf.

What’s New in the April 2026 Update?

The April 2026 update introduces 12 substantive changes across four thematic areas:

  • A new regulatory approach section — confirming the OAIC’s risk-based, proportionate enforcement philosophy during the AML/CTF reform transition period.
  • Major reforms to ID document retention (Section J) — including a transitional framework, documented plan requirements, senior management oversight expectations, and the new ‘beyond use’ interim compliance concept.
  • New practical tools — a published privacy collection notice template and updated references to the OAIC’s regulatory priorities.
  • Structural improvements — the table of contents, section titles and introductory language have been updated to better reflect the scope of your obligations.


Immediate Action Checklist (by 30 June 2026)

Based on the April 2026 update, every reporting entity should take the following steps now:

Immediate (by 30 June 2026)

  • Download and adapt the OAIC’s new privacy collection notice template for AML/CTF entities; update your customer-facing collection notices if not already APP 5 compliant.
  • Review the OAIC’s Statement of Regulatory Approach and Regulatory Priorities to understand how the proportionality framework applies to your entity.
  • If you are a Tranche 1 entity that still retains copies of ID documents: prepare a documented transition plan with reasons why immediate destruction is not possible, the steps you are taking, and a target completion date. Obtain senior management sign-off.

Transition Period

  • For ID documents collected from 31 March 2026: update systems and processes to record only the specific data fields required under s.111 of the AML/CTF Act, not full document copies.
  • Where technical constraints prevent immediate destruction of legacy ID document copies: consider placing those copies ‘beyond use’ (access-restricted, encrypted, with a committed destruction timeline) as an interim APP 11.2 compliance measure.
  • Update your data retention schedule to separately track pre-31 March 2026 copies (retain 7 years) versus post-31 March 2026 data-field records.
  • Tranche 2 entities: the same transitional framework applies from 1 July 2026 — begin planning now.
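As an added illustration (not from the OAIC guidance or this article), the following Python sketch models the retention split described above: copies collected before the tranche's commencement date stay as legacy records, records collected on or after it are reduced to the listed data fields so a scan is never carried over, and a legacy copy is checked against the four 'beyond use' conditions. The record field names, status keys and sample data are assumptions constructed for the example.

```python
from datetime import date

# Commencement dates given on the page for Tranche 1 and Tranche 2.
COMMENCEMENT = {1: date(2026, 3, 31), 2: date(2026, 7, 1)}

# The only ID-verification fields the page lists as retainable for
# documents collected on or after commencement.
RETAINED_FIELDS = (
    "name", "date_of_birth", "residential_address", "document_type",
    "document_number", "expiry_date", "verification_outcome",
    "ml_tf_risk_assessment",
)

def _as_date(value):
    """Accept a date or ISO 'YYYY-MM-DD' string; None if neither."""
    if isinstance(value, date):
        return value
    try:
        return date.fromisoformat(value)
    except (TypeError, ValueError):
        return None

def retention_record(raw, tranche, collected_on):
    """Reduce a raw verification record to what may be retained.
    Pre-commencement copies stay valid records (page: keep 7 years);
    later records keep RETAINED_FIELDS only, so scans are never carried over."""
    collected = _as_date(collected_on)
    if collected is None:
        raise ValueError("collected_on must be a date or ISO date string")
    if collected < COMMENCEMENT[tranche]:
        return {"regime": "legacy_copy", "record": dict(raw)}
    missing = [f for f in RETAINED_FIELDS if f not in raw]
    if missing:
        raise ValueError(f"data-field record incomplete, missing {missing}")
    return {"regime": "data_fields",
            "record": {f: raw[f] for f in RETAINED_FIELDS}}

def is_beyond_use(copy_status):
    """Check a legacy copy against the page's 'beyond use' conditions:
    access restricted, encrypted, no other entity can access it, and a
    documented destruction commitment. Status keys are constructed here."""
    flags = ("access_restricted", "encrypted", "no_third_party_access")
    return (all(copy_status.get(k) is True for k in flags)
            and _as_date(copy_status.get("destruction_commitment_date")) is not None)

# Constructed sample onboarding record; "document_image" stands in for a scan.
SAMPLE = {
    "name": "A. Example", "date_of_birth": "1990-01-01",
    "residential_address": "1 Example St, Sydney NSW",
    "document_type": "passport", "document_number": "PA0000000",
    "expiry_date": "2030-01-01", "verification_outcome": "verified",
    "ml_tf_risk_assessment": "low", "document_image": b"<scan bytes>",
}
```

Running `retention_record(SAMPLE, 1, "2026-04-15")` returns a data-field record without the scan, while the same record dated before 31 March 2026 (or a Tranche 2 record before 1 July 2026) is kept as a legacy copy.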

Governance

  • Update your AML/CTF program and privacy policies to reflect the new ID document retention framework.
  • Maintain a personal information inventory that separately identifies pre- and post-31 March 2026 records and their applicable retention and destruction obligations.
  • Add ID document destruction progress as a standing agenda item at senior management or board level until your transition plan is fully executed.

Frequently Asked Questions

What is the OAIC privacy guidance for AML/CTF reporting entities?

The OAIC’s privacy guidance explains how the Privacy Act 1988 and the Australian Privacy Principles (APPs) apply to businesses that hold obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act). It covers how to collect, use, retain and destroy customers’ personal information in a way that satisfies both AML/CTF and privacy law simultaneously. The April 2026 edition is the current version.

Who does the OAIC privacy guidance apply to?

The guidance applies to all reporting entities under the AML/CTF Act and their authorised agents. This includes banks, fintechs, digital currency exchanges, money remitters, bullion dealers and gambling operators (Tranche 1 — obligations from 31 March 2026), and from 1 July 2026, Tranche 2 entities: real estate professionals, solicitors, conveyancers, accountants, and trust and company service providers. Importantly, the Privacy Act applies to AML/CTF activities even if your business would otherwise be exempt as a small business with annual turnover under $3 million.

What changed in the April 2026 OAIC privacy guidance update?

The April 2026 update introduced 12 substantive changes across four areas. The most significant are: a new section on the OAIC’s risk-based, proportionate regulatory approach; a detailed transitional framework for ID document retention including the new ‘beyond use’ concept and documented transition plan requirements; and a new OAIC privacy collection notice template specifically for AML/CTF reporting entities. No existing obligations were removed or weakened. See our full change-by-change analysis for details.

Do I still need to keep copies of identity documents for AML/CTF compliance?

No — from 31 March 2026 (Tranche 1) and 1 July 2026 (Tranche 2), the AML/CTF Act no longer requires or authorises retaining scanned copies or photocopies of identity documents. You must now record only specific data fields: the customer’s name, date of birth, residential address, document type, document number, expiry date, verification outcome, and ML/TF risk assessment. Copies of identity documents collected before the commencement date remain valid AML/CTF records and must be kept for the required 7-year retention period.

What is the ‘beyond use’ concept in the April 2026 guidance?

‘Beyond use’ is a new interim compliance pathway introduced in the April 2026 update for entities that cannot immediately destroy legacy identity document copies due to technical constraints. An entity places information ‘beyond use’ by: restricting all access to it, encrypting it, ensuring no other entity can access it, and making a documented commitment to irretrievably destroy it as soon as technically possible. This satisfies the APP 11.2 obligation in the interim period while the entity works towards full destruction.

Does my small business need to comply with the Privacy Act for AML/CTF purposes?

Yes. The Privacy Act’s small business exemption (for businesses with annual turnover under $3 million) does not apply to AML/CTF-related information-handling activities. If your business is a reporting entity under the AML/CTF Act — or an authorised agent of one — you must comply with the Australian Privacy Principles in full when collecting, using, retaining and disclosing personal information for AML/CTF purposes.

What is a documented transition plan for ID document retention and do I need one?

The April 2026 guidance requires any Tranche 1 entity that currently retains full copies of identity documents to have a written transition plan. The plan must explain why immediate destruction is not currently possible, set out the specific steps being taken, include a target completion date, and have senior management sign-off. Without a documented plan, an entity risks being found non-compliant with APP 11.2 even if it intends to transition eventually. The same requirement will apply to Tranche 2 entities from 1 July 2026.

When do Tranche 2 entities need to comply with the new AML/CTF privacy obligations?

Tranche 2 entities — real estate agents, conveyancers, solicitors, accountants, and trust and company service providers — become reporting entities under the AML/CTF Act from 1 July 2026. From that date, the Privacy Act applies in full to their AML/CTF activities. The OAIC’s April 2026 guidance applies equally to Tranche 2 entities, including the ID document retention framework and the transitional provisions. Tranche 2 entities should be preparing their privacy governance, collection notices, and AML/CTF programs now, ahead of commencement.

What is the OAIC’s enforcement approach during the AML/CTF transition period?

The OAIC has confirmed in the April 2026 guidance that it takes a risk-based and harm-focused approach to regulation. It will exercise its powers proportionately, taking into account the scale of the AML/CTF reforms, the nature and size of the entity, and the steps the entity has taken in good faith. This does not mean obligations are optional — it means that entities with documented, active compliance programs will be treated differently from those that have taken no steps at all.

Where can I get help implementing the OAIC privacy guidance for my AML/CTF program?

The AML Consultant provides specialist advice on implementing the OAIC’s privacy guidance across all sectors affected by the AML/CTF reforms. Whether you need a privacy gap assessment, a documented transition plan, updated AML/CTF program documentation, or help drafting a compliant privacy collection notice, we can assist. Contact us to discuss your specific compliance needs.

Need Help Implementing the OAIC Privacy Guidance?

Navigating the intersection of privacy law and AML/CTF obligations is complex — and the consequences of getting it wrong can include regulatory action from both AUSTRAC and the OAIC. The AML Consultant provides expert, practical guidance to help reporting entities implement these requirements efficiently and with confidence.

Whether you need a privacy gap analysis, a documented transition plan for ID document retention, updated AML/CTF program documentation, or end-to-end implementation support, we can help. Contact Us to Discuss Your Compliance Needs →

Source: Office of the Australian Information Commissioner (OAIC), Privacy guidance for reporting entities under the AML/CTF Act, last updated April 2026. This article is for informational purposes only and does not constitute legal advice. Entities should seek professional guidance specific to their circumstances.
