What Changed in the OAIC’s April 2026 AML/CTF Privacy Guidance — A Full Analysis

The OAIC released an updated edition of its Privacy Guidance for Reporting Entities under the AML/CTF Act in April 2026, replacing the February 2026 edition. The update contains 12 substantive changes — five additions, five modifications, and two clarifications — across four thematic areas. This article sets out each change, what it replaces, and what it means for your compliance program. No obligations have been removed or weakened.

The 12 Changes at a Glance

| # | Section | Type | Summary |
|---|---------|------|---------|
| 1 | Table of Contents / Section J title | Modification | Section J retitled to reflect full APP 11.2 scope: “destroying/de-identifying”, not just “deleting”. |
| 2 | Introduction — capitalisation | Clarification | ‘tranche 2’ updated to ‘Tranche 1’ / ‘Tranche 2’ to align with AML/CTF Transitional Rules 2026. |
| 3 | Key Points — ID documents | Modification | Direction on ID document retention updated from a firm prohibition to a transitional ‘reasonable steps’ standard. |
| 4 | OAIC’s Regulatory Approach section | Addition | Entirely new section confirming the OAIC’s risk-based, proportionate enforcement philosophy during reform transition. |
| 5 | Relevant Resources | Addition | Two new resources added: OAIC Statement of Regulatory Approach and OAIC Regulatory Priorities. |
| 6 | Section J — ‘Reasonable steps’ factors | Addition | Detailed, concrete list of factors for assessing what constitutes ‘reasonable steps’ for destruction/de-identification. |
| 7 | Section J — Tranche 1 transitional acknowledgment | Addition | OAIC expressly acknowledges legacy ID retention practices of Tranche 1 entities and use of ACIP during transition. |
| 8 | Section J — Documented transition plan | Addition | New requirement: entities must have a written plan with reasons, steps, timeframe, and senior management oversight. |
| 9 | Section J — ‘Beyond use’ concept | Addition | New interim compliance pathway for entities unable to immediately destroy ID copies due to technical constraints. |
| 10 | Section J — Financial advisor worked example | Addition | New worked example clarifying the transition framework for a financial advisor entity. |
| 11 | Section J — s.111 AML/CTF Act record types | Modification | Expanded to clarify that records under s.111 include data type/contents, ML/TF risk analysis, and decision-making records. |
| 12 | Section E / Checklist — Collection notice template | Addition | OAIC’s new privacy collection notice template for AML/CTF entities added to Section E and the Privacy Essentials Checklist. |

Theme 1: Structural and Introductory Changes (Changes 1–3)

The April 2026 edition reorganises the front-matter and updates the table of contents. These changes affect navigation and framing but do not alter underlying obligations.

Change 1 — Section J Retitled (Modification)

What changed: Section J was titled “Retaining and deleting personal information (APP 11)” in the February 2026 edition. It is now titled “Retaining and destroying/de-identifying personal information (APP 11).”

Why it matters: The revised title accurately reflects the full scope of APP 11.2. The Privacy Act requires entities to destroy or de-identify personal information — not merely “delete” it. This is substantively different. Deletion in a digital environment often leaves recoverable data; destruction and de-identification require a more rigorous approach. The change signals that the OAIC expects entities to treat this as a genuine data governance obligation, not a box-ticking exercise.

Change 2 — Capitalisation of ‘Tranche 1’ and ‘Tranche 2’ (Clarification)

What changed: References to ‘tranche 2’ (lower-case) have been updated to ‘Tranche 1’ and ‘Tranche 2’ (upper-case) throughout the introductory section.

Why it matters: The upper-case form aligns with the terminology in the AML/CTF Transitional Rules 2026. While cosmetic, it signals that the OAIC is aligning its guidance with the formal legislative framework.

Change 3 — Key Points: ID Document Retention Direction Softened (Modification)

What changed: The February 2026 edition stated entities “should not keep copies of full identification documents” for AML/CTF record keeping — framed as a firm direction with no transitional acknowledgment. The April 2026 edition updates this to state entities “should take reasonable steps to destroy (or de-identify) copies” and explicitly acknowledges that the OAIC recognises transition time may be needed.

Why it matters: This is a significant compliance relief for Tranche 1 entities with legacy systems. It confirms that the obligation is not to achieve immediate perfect compliance, but to take reasonable steps toward it — and to document those steps. However, entities that take no action cannot claim the benefit of this softened standard.

Theme 2: OAIC’s Regulatory Approach — New Section (Changes 4–5)

This is the most significant structural addition in the April 2026 update: an entirely new section articulating the OAIC’s enforcement philosophy.

Change 4 — New Regulatory Approach Section (Addition)

What changed: A new section, “OAIC’s regulatory approach,” has been inserted immediately before the Privacy Act coverage discussion. It was entirely absent from the February 2026 edition. The section confirms that the OAIC takes a risk-based and harm-focused approach, and that it will take into account the scale and significance of the AML/CTF reforms when exercising its regulatory powers proportionately.

Why it matters: This section provides meaningful regulatory certainty for entities undergoing transition. It explicitly signals that the OAIC will not take a zero-tolerance approach during the reform period. Instead, regulators will consider the nature and size of an entity, the complexity of the changes required, and the steps the entity has taken in good faith. For Tranche 2 entities commencing obligations from 1 July 2026, this section is particularly important — it confirms that a proportionate compliance program, developed in good faith, will be viewed favourably. The corollary is equally important: entities that have made no effort to comply will receive no such protection.

Change 5 — Two New Resources Added (Addition)

What changed: The Relevant Resources section at the end of the guidance now includes two additional items that were absent from the February 2026 edition: the OAIC Statement of Regulatory Approach and the OAIC Regulatory Priorities.

Why it matters: These documents underpin the new regulatory approach section. Any entity seeking to understand how the OAIC will exercise its enforcement discretion — and how to demonstrate good-faith compliance — should review both documents.

Theme 3: ID Document Retention — Major Substantive Changes (Changes 6–11)

Section J is the most heavily revised section of the guidance. The February 2026 edition provided a relatively simple prohibition on retaining full ID document copies. The April 2026 edition introduces a detailed transitional framework that every reporting entity must understand and implement.

Background: What the Law Now Requires

From 31 March 2026, the AML/CTF Act no longer requires — or authorises — entities to retain scanned copies or photocopies of identity documents for record-keeping purposes. Instead, under s.111 of the AML/CTF Act, entities must retain only specific data fields from those documents:

  • Full name
  • Date of birth
  • Residential address
  • Document expiry date
  • Document number (passport number, driver licence number, etc.)
  • Document type
  • Verification outcome
  • ML/TF risk assessment

For Tranche 2 entities, this obligation applies from 1 July 2026. Copies of ID documents made before these commencement dates remain records under the AML/CTF Act and must be retained for 7 years from the end of the business relationship (or 7 years from the date of the last occasional transaction). The new framework applies only to documents collected on or after the commencement date.

Change 6 — New ‘Reasonable Steps’ Factors (Addition)

What changed: The February 2026 edition did not specify what factors determine whether an entity has taken ‘reasonable steps’ to destroy or de-identify personal information. The April 2026 edition adds a concrete list of factors the OAIC will consider:

  • The amount and sensitivity of the personal information held
  • The nature, size, resources and complexity of the organisation
  • The possible adverse consequences for individuals if their information is not destroyed
  • Information handling practices, including whether handling is outsourced to third parties
  • The practicability of destruction, including time and cost — however, cost or inconvenience alone is not a sufficient reason to avoid the obligation
  • The recency and scale of new and changed AML/CTF requirements, and the scale of the task required to align destruction practices with those requirements

Why it matters: The explicit inclusion of “recency and scale of new AML/CTF requirements” as a relevant factor is highly significant. It formally embeds the transitional reality into the compliance standard itself. Entities can reference this factor in demonstrating why full compliance has not yet been achieved — but only if they are actively taking documented steps to get there.

Change 7 — Tranche 1 Transitional Acknowledgment (Addition)

What changed: The April 2026 edition inserts a new paragraph expressly acknowledging that many Tranche 1 entities and their agents have longstanding practices of retaining ID document copies. It also acknowledges that some Tranche 1 entities are currently using the Applicable Customer Identification Procedures (ACIP) framework under transitional rules, rather than the new initial CDD framework.

Why it matters: This is a statement of regulatory realism. The OAIC is recognising that existing Tranche 1 entities (banks, fintechs, money remitters, etc.) have built systems and processes around the old framework. This acknowledgment does not excuse non-compliance, but it strongly signals that a documented, good-faith transition plan will be viewed sympathetically by the regulator.

Change 8 — Documented Transition Plan Requirements (Addition)

What changed: No documented transition plan requirements existed in the February 2026 edition. The April 2026 edition creates a de facto compliance framework for entities that cannot immediately cease retaining full ID document copies. To demonstrate compliance with APP 11.2, an entity must:

  • Commit to destroying or de-identifying copies as soon as practically possible
  • Have a written, documented plan that is actively being worked toward, covering:
    • The reasons why immediate destruction is not possible
    • The specific technical and organisational steps being taken
    • A target timeframe for completion
  • Ensure senior management has oversight of progress against the plan
  • Consider privacy risks to individuals during the transition period, and take steps to mitigate them

Why it matters: If your entity retains full ID document copies and does not have a documented transition plan with senior management sign-off, you are exposed to regulatory risk. This requirement elevates ID document retention from an operational issue to a governance matter. Boards and senior leadership teams must be briefed and must actively oversee progress.

Change 9 — The ‘Beyond Use’ Concept (Addition)

What changed: The April 2026 edition introduces a new interim compliance pathway — placing information “beyond use” — for entities that cannot immediately destroy personal information due to technical constraints. This concept was entirely absent from the February 2026 edition.

Personal information is considered ‘beyond use’ if the organisation:

  • Is not able to, and will not attempt to, use or disclose the information
  • Cannot give any other entity access to the information
  • Surrounds the information with appropriate technical, physical and organisational security controls (for example, encryption and strict access restrictions)
  • Makes and maintains a documented commitment to irretrievably destroy the information once technically possible

Why it matters: This is one of the most practically significant additions in the April 2026 update. Many entities — particularly those using legacy banking or document management systems — cannot simply delete historical ID document records at the click of a button. The ‘beyond use’ concept provides a legally recognised interim pathway that satisfies the APP 11.2 obligation without requiring immediate technical remediation. Entities should begin implementing access controls and encryption on legacy ID document stores immediately, paired with a committed destruction timeline.

Change 10 — Financial Advisor Worked Example (Addition)

What changed: A new worked example has been added to Section J. It illustrates the transition framework for a financial advisor that was required, before 31 March 2026, to collect and retain certified copies of identification documents. The example confirms that:

  • Pre-31 March 2026 copies can continue to be retained for the 7-year period required under the old AML/CTF framework, without violating APP 11.
  • For documents collected from 31 March 2026, the entity must update its AML/CTF program and take reasonable steps to record only the required data fields, not the document copy itself.

Why it matters: This example resolves an ambiguity that the February 2026 edition left open. Many entities were uncertain whether the new framework required them to proactively destroy historical copies. The answer is clear: historical copies collected before the commencement date remain authorised AML/CTF records and do not need to be destroyed under APP 11 (they must still be destroyed at the end of the 7-year retention period).

Change 11 — s.111 AML/CTF Act Record Types Clarified (Modification)

What changed: The description of what constitutes a record under s.111 of the AML/CTF Act has been expanded. The February 2026 edition stated entities should retain “information that is reasonably necessary to demonstrate compliance with customer due diligence obligations.” The April 2026 edition adds that this includes “records which demonstrate the type and contents of the data collected and records of analysis, identification or assessment of ML/TF risk or decision making undertaken.”

Why it matters: This clarification helps entities understand the minimum data footprint required for AML/CTF record-keeping compliance. You do not need to retain the original identity document — you need records of what was verified, what the risk assessment determined, and what decision was made. This is important for designing data minimisation policies and updating AML/CTF programs.

Theme 4: New Practical Tools and Resources (Change 12)

Change 12 — Privacy Collection Notice Template Published (Addition)

What changed: The February 2026 edition’s Privacy Essentials Checklist contained a placeholder noting a privacy collection notice template was “coming soon.” The April 2026 edition confirms the template is now live and available. The OAIC has developed a privacy collection notice template specifically for AML/CTF reporting entities, referenced in both Section E (Customer Notification, APP 5) and the Privacy Essentials Checklist.

Why it matters: Many reporting entities — particularly smaller Tranche 2 businesses such as accounting and legal firms — do not have the in-house resources to draft a legally compliant APP 5 collection notice from scratch. The OAIC’s template provides a starting point that reduces both the cost and the risk of a deficient notice. All reporting entities should review this template and adapt it for their specific business context. Note that the template is a starting point, not a one-size-fits-all solution — entities with complex information-handling arrangements (for example, those using overseas verification providers) will need to customise it.

Key Obligations That Have Not Changed

The following core obligations remain identical across both editions and are confirmed as current. If you have built your compliance program around the February 2026 edition, these areas require no substantive changes:

  • Privacy Act coverage: All reporting entities and authorised agents must comply with the Privacy Act for AML/CTF activities, including small businesses under $3M turnover.
  • Collection (APP 3): Collection must be limited to what is ‘reasonably necessary’. The AML/CTF Act does not authorise collection of everything about a customer.
  • Biometric information: Consent is generally required before using biometric identification or verification for CDD purposes.
  • Customer notification (APP 5): Collection notices must be provided before or at collection, subject to tipping off exceptions.
  • Use and disclosure (APP 6): Information may only be used or disclosed for the primary purpose of collection, or where an exception applies.
  • Overseas disclosure (APP 8): Entities remain accountable for overseas providers’ handling of personal information.
  • Security (APP 11.1): Reasonable technical and organisational security measures are required. A data breach response plan is essential.
  • Notifiable Data Breaches (NDB scheme): Applies to all entities with privacy obligations; notification obligations interact with AML/CTF secrecy provisions.
  • Access (APP 12): Access requests must be responded to within 30 days, subject to tipping off exceptions.
  • KYC correction (APP 13): APP 13 correction obligations complement (and do not replace) AML/CTF Act review obligations under s.30.

Practical Action Checklist — Based on the April 2026 Changes

Immediate Actions (by 30 June 2026)

  • Download the OAIC’s new privacy collection notice template for AML/CTF entities. Review whether your existing collection notices are APP 5 compliant and update them if needed.
  • Read the OAIC’s Statement of Regulatory Approach and Regulatory Priorities. Understand the proportionality framework that will apply if the OAIC considers enforcement action against your entity.
  • If you are a Tranche 1 entity still retaining copies of ID documents: prepare a documented transition plan. It must include:
    • The reasons why immediate destruction is not currently possible
    • The specific technical and organisational steps you are taking
    • A target completion date
    • Senior management sign-off

Transition Period Actions

  • For ID documents collected from 31 March 2026 (Tranche 1) or from 1 July 2026 (Tranche 2): update systems to record only the required data fields under s.111 — no full document copies.
  • Where technical constraints prevent immediate destruction of legacy copies: implement the ‘beyond use’ framework — restrict access, apply encryption, document a destruction commitment, and implement a timeline.
  • Update your data retention schedule to separately track:
    • Pre-commencement ID document copies (retain for 7 years from end of business relationship)
    • Post-commencement data-field records (retain only required fields under s.111, destroy copies)
  • Tranche 2 entities: the same transitional framework applies from 1 July 2026. Begin planning now — do not wait until your obligations commence.

Governance Actions

  • Update your AML/CTF program documentation and privacy policy to reflect the new ID document retention framework and the updated ‘reasonable steps’ factors.
  • Maintain a personal information inventory that separately identifies pre- and post-commencement ID document records, with applicable retention periods and destruction obligations clearly noted.
  • Add ID document destruction progress as a standing agenda item at senior management or board level until your transition plan is fully executed and your entity is fully compliant.

Is Your AML/CTF Program Ready for the April 2026 Privacy Guidance?

The intersection of privacy law and AML/CTF compliance is one of the most technically complex areas of Australian regulatory law. The April 2026 OAIC guidance update introduces real new obligations — particularly around ID document retention, documented transition plans, and senior management governance — that many entities are not yet equipped to implement.

The AML Consultant works with reporting entities across all sectors to assess, design, and implement practical compliance solutions. Our services include:

  • Privacy and AML/CTF gap assessments
  • Documented transition plans for ID document retention
  • AML/CTF program updates aligned with the 2026 reforms
  • Privacy collection notice review and drafting
  • Board and senior management briefings on the April 2026 changes

Source: This analysis is based on a comparison of the February 2026 and April 2026 editions of the OAIC’s Privacy guidance for reporting entities under the AML/CTF Act (oaic.gov.au). This article is for informational purposes only and does not constitute legal advice. Entities should seek professional guidance specific to their circumstances.
