AML/CTF Tranche 2 and the Privacy Act: What Law Firms, Accountants and Real Estate Agents Need to Know
From 1 July 2026, law firms, accountants, real estate professionals and other designated non-financial businesses will become subject to Australia's Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) regime for the first time. These are known as the "Tranche 2" reforms.
Most of the focus has been on the AML/CTF obligations themselves. This includes enrolling with AUSTRAC, building an AML/CTF program and conducting customer due diligence and Know Your Customer (KYC) checks. But there is a second compliance layer that many businesses may not have turned their attention to. The Privacy Act 1988 (Cth) (Privacy Act) will also apply to AML/CTF and KYC activities from the same date, even for businesses that have always been exempt as small businesses.
Does the Privacy Act apply to Tranche 2 businesses?
Yes. Under section 6E of the Privacy Act, where a small business operator is also a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act), the Privacy Act applies to their personal information handling activities carried out for the purposes of, or in connection with, their AML/CTF obligations. It does so as if the business were a large organisation.
The small business exemption (which otherwise applies to businesses with annual turnover below $3 million) does not protect a business from Privacy Act obligations that arise from its AML/CTF activities.
For many Tranche 2 businesses, including smaller law firms, accounting practices and real estate agencies, this will be the first time they have been subject to formal privacy compliance obligations.
What Privacy Act obligations apply to AML/CTF and KYC activities?
Businesses captured by the Tranche 2 reforms will need to comply with the Australian Privacy Principles (APPs) in relation to:
- collection and verification of identity information for KYC purposes
- use of electronic or biometric identity verification tools
- AML/CTF record-keeping
- retention, security and destruction of identity information
AML/CTF compliance cannot be treated as a standalone exercise. Privacy obligations sit alongside AML/CTF obligations and need to be addressed together.
What does the OAIC expect from AML/CTF reporting entities?
In its privacy guidance for reporting entities under the AML/CTF Act, published on 27 February 2026, the Office of the Australian Information Commissioner (OAIC) set out how reporting entities must handle personal information collected and used for AML/CTF purposes.
Data minimisation. Businesses should collect only the identity information that is reasonably necessary to meet their AML/CTF obligations. Collecting more than is required does not become permissible simply because it is convenient for onboarding.
Identity document retention. Businesses should not retain copies of full identity documents after they are no longer needed. The obligation is to keep a record of the relevant information from the document: name, date of birth, document type and number. Keeping a copy of the document itself goes beyond what is required.
Biometric verification. Consent is required before using biometric or electronic verification tools for KYC purposes. Businesses must also have a process for customers who cannot or will not consent.
Privacy documentation. Businesses must have clear, accessible privacy documentation explaining how KYC information is collected and handled. The OAIC has published a template privacy collection notice for AML/CTF reporting entities as a practical starting point.
The OAIC has been explicit that compliance with AML/CTF obligations does not justify unchecked collection or retention of personal information. Unnecessary retention creates privacy risk for individuals and regulatory risk for businesses.
What should Tranche 2 businesses review before 1 July 2026?
AML/CTF programs are often built first, with privacy considerations added later. That sequencing tends to leave gaps. Businesses preparing for Tranche 2 should be asking:
- Does the business have a privacy policy that covers AML/CTF-driven collection and verification? If not, one is needed before 1 July 2026. The OAIC's template collection notice is a useful starting point.
- Do customer onboarding materials explain why identity information is collected and how it will be used?
- Do ID verification and record-keeping practices align with the OAIC's data minimisation expectations?
- Are internal access controls and information destruction practices appropriate for the sensitivity of the identity information being held?
Frequently asked questions
Do the AML/CTF Tranche 2 reforms apply to Australian law firms?
Yes. From 1 July 2026, law firms providing certain designated services (including conveyancing, company formation and trust and company service provider activities) must enrol with AUSTRAC and comply with the AML/CTF Act 2006 (Cth).
Does the Privacy Act small business exemption still apply after Tranche 2?
Not for AML/CTF-related activities. Under section 6E of the Privacy Act 1988 (Cth), small business operators that are also AML/CTF reporting entities must comply with the Privacy Act in connection with their AML/CTF obligations, regardless of annual turnover.
When do Tranche 2 businesses need to enrol with AUSTRAC?
Enrolment with AUSTRAC opened on 31 March 2026. Tranche 2 businesses must comply with the full AML/CTF Act from 1 July 2026.
Can Tranche 2 businesses keep copies of identity documents for AML/CTF purposes?
No, not as a general practice. The OAIC's February 2026 guidance is clear that businesses should retain a record of the relevant information from identity documents, not copies of the documents themselves.
What is a privacy collection notice for AML/CTF purposes?
A privacy collection notice tells individuals what personal information is being collected, why it is being collected, and how it will be handled. The OAIC has published a template specifically for AML/CTF reporting entities.
What are the Australian Privacy Principles (APPs)?
The APPs are the 13 principles in Schedule 1 of the Privacy Act that govern how organisations collect, use, disclose, store and provide access to personal information. From 1 July 2026, Tranche 2 AML/CTF entities must comply with the APPs in relation to their AML/CTF activities.
How Sierra Legal can help
We offer a fixed-fee privacy readiness review for businesses preparing for Tranche 2 obligations. It assesses your proposed KYC processes against the APPs, identifies any gaps in your privacy policies or collection notices, and gives you a short action list to work through before July.
Get in touch to discuss whether it's the right fit for your business.