From onboarding to deletion: Privacy-ready AML/CTF programs
As Australia enters the next phase of Anti‑Money Laundering and Counter‑Terrorism Financing (AML/CTF) reform, thousands of lawyers and accountants will be brought within the regulatory perimeter as reporting entities for the first time. While much of the focus has been on risk assessments, know‑your‑customer (KYC) processes and client onboarding, the privacy obligations that sit alongside AML/CTF compliance are equally critical.
In February 2026, the Office of the Australian Information Commissioner (OAIC) released updated guidance outlining how reporting entities must approach the handling of personal information collected and used for AML/CTF compliance. The message is clear: privacy must be embedded into AML/CTF programs from day one.
Specifically, small businesses, which the Privacy Act 1988 (Privacy Act) defines as having an annual turnover of $3 million or less, are generally not covered by the Privacy Act. However, if captured within the Tranche 2 reform, they will now have privacy obligations relating to the activities they undertake to comply with the AML/CTF Act.
Examples of ‘activities’ for the purposes of, or in connection with, obligations under the AML/CTF Act and AML/CTF Rules include:
- Collection, use and storage of personal information for customer due diligence
- Collection, use, storage and disclosure of personal information for monitoring and reporting obligations
- Holding personal information for AML/CTF record keeping obligations
- Collection, use and storage of personal information for personnel due diligence (where the employee record exemption under the Privacy Act does not apply).
Personal information - collect only what you need
While the OAIC emphasises that the Privacy Act does not prevent you from collecting personal information to meet AML/CTF obligations, it reiterates that reporting entities must limit the collection of personal information to only what is reasonably necessary to meet AML/CTF obligations.
For newly captured professions such as legal and accounting services, real estate professions, and dealers in precious stones and metals, this means designing client onboarding forms, beneficial ownership checks, and politically exposed person (PEP) screening workflows that avoid over-collection while still meeting AML/CTF requirements. This principle aligns with AUSTRAC’s expectation of risk-based, proportionate due diligence. Unnecessary personal information creates unnecessary compliance risk.
Protecting sensitive information
The guidance makes clear that sensitive information that is collected for the purposes of complying with the AML/CTF Act is afforded a high level of privacy protection.
Personal information refers to any detail that can be used to identify an individual, whether directly (such as a name or date of birth) or indirectly (such as a client file reference or a combination of data points). It covers a broad range of information commonly collected during AML/CTF onboarding such as ID documents, addresses, contact details, employment information and beneficial ownership data.
Sensitive information, on the other hand, is a special category of personal information that carries a higher risk if mishandled. It includes details such as political affiliations, racial or ethnic background, religious beliefs, health information, and biometric identifiers. Because of the potential impact on an individual’s privacy, this type of information is subject to stricter protection requirements under privacy law.
In practice, sensitive information demands stronger safeguards, tighter access controls and heightened justification for collection, particularly for new Tranche 2 reporting entities adjusting to formal AML/CTF data handling requirements.
For professional services firms, where client confidentiality is already paramount, this requires uplift in areas such as:
- Access controls and role-based permissions
- Data breach response plans
- Secure information storage and encryption
- Vendor due diligence
- Document retention and destruction protocols aligned with AML/CTF timeframes.
Deletion and retention
The updated guidance highlights the importance of knowing when personal information can and must be deleted.
You should only keep the information necessary for your AML/CTF obligations. For instance, if you need to retain records to show you have completed customer due diligence, you should limit what you record from identity documents to the specific details required for compliance. This may include the customer’s name, date of birth, residential address, and document reference, along with the document type, the steps you took to verify their identity, the verification outcome and your assessment of AML/CTF risk.
From 31 March 2026 (or 1 July 2026 for Tranche 2 entities), you must not retain full copies of identity documents such as scanned passports or driver licences. The AML/CTF Act does not require you to keep photocopies or digital copies of these documents, only the essential information needed for record keeping.
Organisations must ensure systems, policies and procedures are in place for the destruction of personal information when no longer needed for AML/CTF or any other permitted purpose under the Privacy Act.
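The following is an added illustration, not code from the OAIC guidance or from BDO: it turns a raw onboarding capture into a retained customer due diligence record containing only the fields listed above, drops the document scan and any sensitive fields, and flags when the record falls due for destruction. The field names, the sample capture and the seven-year retention period are assumptions (the retention period is a placeholder to be confirmed against the AML/CTF Rules).

```python
from datetime import date

# Fields the guidance describes as sufficient to evidence customer due diligence.
CDD_RECORD_FIELDS = {
    "name", "date_of_birth", "residential_address", "document_reference",
    "document_type", "verification_steps", "verification_outcome", "risk_assessment",
}
# Assumed field names that must never be carried into the retained record:
# full document copies and sensitive information the onboarding did not need.
PROHIBITED_FIELDS = {"document_scan", "political_affiliation", "religion",
                     "ethnicity", "health_information", "biometric_template"}
RETENTION_YEARS = 7  # assumption: placeholder, confirm against the AML/CTF Rules


def minimise_cdd_record(raw_capture: dict, verified_on: date) -> dict:
    """Keep only the permitted CDD fields and stamp a destruction date."""
    record = {k: v for k, v in raw_capture.items() if k in CDD_RECORD_FIELDS}
    missing = CDD_RECORD_FIELDS - record.keys()
    if missing:
        raise ValueError(f"incomplete CDD record, missing: {sorted(missing)}")
    record["destroy_after"] = date(verified_on.year + RETENTION_YEARS,
                                   verified_on.month, min(verified_on.day, 28))
    return record


def leaked_fields(record: dict) -> set:
    """Return any prohibited or unexpected keys present in a stored record."""
    return (set(record) & PROHIBITED_FIELDS) | (
        set(record) - CDD_RECORD_FIELDS - {"destroy_after"})


def due_for_destruction(record: dict, today: date,
                        other_permitted_purpose: bool = False) -> bool:
    """Destroy once the AML/CTF period has passed and no other permitted purpose remains."""
    return today > record["destroy_after"] and not other_permitted_purpose


# Constructed sample capture: the scan and an unneeded sensitive field are present
# in the raw intake but must not survive into the retained record.
SAMPLE_CAPTURE = {
    "name": "Example Client", "date_of_birth": "1980-01-01",
    "residential_address": "1 Example St, Sydney NSW", "document_reference": "P1234567",
    "document_type": "passport", "verification_steps": ["document sighted", "DVS check"],
    "verification_outcome": "verified", "risk_assessment": "medium",
    "document_scan": b"\x89PNG...", "religion": "not required",
}


def example_record() -> dict:
    return minimise_cdd_record(SAMPLE_CAPTURE, date(2026, 7, 1))
```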
Transparency and client communication
The OAIC guidance encourages reporting entities to be explicit with clients about what information is collected, why, and how it will be managed. Updating privacy notices, engagement letters, and client intake processes will be essential.
Existing reporting entities
For financial institutions and other long-standing reporting entities, the updated guidance signals that privacy expectations under the AML/CTF Act continue to mature. The OAIC’s focus on clarity, proportionality and safeguarding reinforces the need for continuous uplift, particularly as customer data volumes and technology complexity grow.
This guidance represents a step change for new reporting entities, who make up the bulk of incoming Tranche 2 obligations, and is a timely reminder for existing reporting entities that privacy compliance must continually evolve.
How BDO can help
BDO is a trusted adviser providing forensic services support, including preventative financial crime risk management across a broad range of sectors. Our forensic services team conduct AML/CTF independent reviews and proactive financial crime risk assessments for highly regulated institutions to ensure they comply with their requirements under the AML/CTF Act. If you would like to learn more about our services or need support embedding AML/CTF best practice across your organisation, contact us today.