Small businesses, big change: Privacy obligations under tranche 2 of the AML/CTF reforms
From 1 July 2026, thousands of Australian businesses will be required to comply with the Privacy Act 1988 (Cth) (Privacy Act) for the first time. This change arises from the extension of Australia’s anti-money laundering and counter-terrorism financing (AML/CTF) framework to additional designated services. Businesses that become reporting entities under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) will be required to handle personal information in accordance with the Australian Privacy Principles (APPs) when that information is collected, used, or disclosed for AML/CTF purposes, even if they might otherwise fall under the small business exemption in the Privacy Act.
In addition to the work that these businesses will need to do in preparation for the application of AML/CTF laws, they will also need to make sure that they are in a position to comply with the APPs for the first time.
Scope and scale of the reforms
Tranche 2 of the AML/CTF reforms expands the regime beyond the financial sector. From 1 July 2026, AML/CTF obligations will apply to the following designated services, known as tranche 2 entities:
- real estate professionals (including real estate agents, buyer’s agents, and property developers);
- lawyers;
- conveyancers;
- accountants and trust and company service providers; and
- dealers in precious metals, stones, and products.
Many businesses in these sectors are small businesses (defined in the Privacy Act as having an annual turnover of $3,000,000 or less for the previous financial year),1 and have historically not been required to comply with the Privacy Act under the small business exemption.2 However, that exemption will no longer apply to personal information handling in connection with AML/CTF obligations. Estimates by the Office of the Australian Information Commissioner (OAIC) indicate that more than 100,000 small businesses will be affected by this change.
Why the Privacy Act applies to AML/CTF activities
Under the AML/CTF reforms, businesses that provide the above designated services will now become ‘reporting entities’ for the purposes of the AML/CTF Act. AML/CTF obligations require reporting entities to collect and handle personal information (including identity information) to meet customer identification procedures3 and ongoing customer due diligence requirements.4
Where individuals are required to provide personal information to reporting entities, there is a corresponding privacy obligation to ensure that personal information is handled in a lawful, fair, and secure manner. The Privacy Act applies to reporting entities’ handling of personal information for AML/CTF purposes, even if the business would otherwise qualify for the small business exemption under the Privacy Act.5 This means that many small businesses will, for the first time, be required to comply with the APPs, including obligations relating to transparency, data security, retention and destruction.
Recent amendments to the Privacy Act have strengthened the Privacy Commissioner’s enforcement powers and expanded the range of civil penalties available for non‑compliance, including penalties for failures to meet foundational obligations such as maintaining a compliant privacy policy. This enforcement focus is already evident. The OAIC is currently conducting its first privacy policy compliance sweep, reviewing whether selected organisations’ privacy policies clearly and accurately explain how personal information is collected, used, disclosed and retained.
Key privacy obligations for Tranche 2 reporting entities
Only collect what is necessary (APP 3)
Organisations may collect personal information only where it is reasonably necessary to meet AML/CTF obligations. Collection should be clearly linked to a specific requirement and limited in scope, including for sensitive information.
Avoid retaining identity documents (APPs 3 and 11)
The AML/CTF regime does not require copies of passports or driver licences to be retained. From 31 March 2026 (for existing entities) and 1 July 2026 (for tranche 2 entities), entities should record only the minimum details needed to evidence verification, unless another law requires retention of copies.
Ensure transparency at collection (APPs 1 and 5)
Entities must maintain a compliant privacy policy and take reasonable steps to notify individuals about the collection and use of their information, unless doing so would breach AML/CTF tipping‑off restrictions.
Protect, retain and dispose of information appropriately (APP 11)
Personal information must be secured against misuse and unauthorised access, retained only for as long as required by law, and destroyed or de‑identified when no longer needed.
Prepare for data breaches (Part IIIC)
Where the Privacy Act applies, reporting entities must assess suspected data breaches and notify the OAIC and affected individuals where required. A documented breach response plan supports compliance.
Preparing for compliance
Businesses that will be captured by tranche 2 of the AML/CTF reforms should begin preparing now. Key steps include:
- mapping what personal information is collected for AML/CTF purposes;
- reviewing identity verification and record keeping practices;
- updating or developing privacy policies and procedures;
- training staff on privacy obligations alongside AML/CTF requirements; and
- reviewing security and breach response arrangements.
Early preparation will help organisations reduce risk and ensure smoother compliance when the reforms commence.
HWL Ebsworth’s privacy team has extensive experience in advising businesses regarding privacy compliance, regulatory obligations, and risk management. If you are concerned about how tranche 2 of the AML/CTF reforms will affect your privacy obligations, please contact us for further information on how we can assist you.
This article was written by Daniel Kiley, Partner, and Jasper Dowdell, Law Graduate.
1 Privacy Act 1988 (Cth) s 6D(1).
2 Ibid s 6C(1).
3 Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) s 32.
4 Ibid s 36.
5 Privacy Act 1988 (Cth) s 6E(1A).
