AML / CTF Reforms: Don't forget the privacy policy!

5 Minute read  07.05.2026 Jaimie Wolbers, Eibhlin Hamman

Small businesses captured by the Tranche 2 AML & CTF Reforms also need to uplift their compliance under the Privacy Act 1988 (Cth). 


Key takeouts


    Personal information collected, used or held by a small business for the purpose of complying with their AML/CTF obligations must be managed in accordance with the Australian Privacy Principles (APPs).
    The first step towards privacy compliance is ensuring the small business operator has compliant collection notices and a privacy policy.
    The OAIC has issued guidance regarding AML/CTF compliance which is a must read for all Tranche 2 entities. 

The imminent commencement of the Tranche 2 reforms to the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) from 1 July 2026 means that real estate agents and developers, trust and company services providers, legal professionals, accountants, and dealers in precious metals and stones offering ‘designated services’ should be well advanced in bedding down their proposed approach to compliance with their AML/CTF obligations.

Further guidance and practical steps can be explored in recent MinterEllison updates, specifically for tranche 2 services and the countdown to the commencement of AML/CTF.

For Tranche 2 entities that are also 'small businesses' for the purposes of the Privacy Act 1988 (Cth) (that is, have an annual turnover of $3 million or less), the commencement of the reforms will also necessitate an uplift in their privacy compliance. This is because the Privacy Act is deemed to apply to small businesses in relation to their activities carried on for the purpose of, or in connection with, compliance with the AML/CTF Act (section 6E(1A), Privacy Act).

Amongst other matters, this means that Tranche 2 small businesses must comply with the Australian Privacy Principles (APPs) in connection with the personal information that they collect, hold and use as part of their AML/CTF compliance procedures, including customer due diligence. They will also be required to comply with the notifiable data breach scheme.

Previously, entities governed by the AML/CTF Act were required to keep records of all documents collected for, and related to, their customer due diligence processes, and this obligation overrode Privacy Act obligations. As a result, many reporting entities retained copies of photo IDs provided by their customers. Since 31 March 2026, section 111 of the AML/CTF Act has narrowed the record keeping obligation: a reporting entity must now keep only those records necessary to demonstrate compliance with its customer identification obligations. On one view, that may be no more than the outcome of the verification and a record of how it was carried out. The likely result is that AML/CTF record keeping obligations will no longer pre-empt an organisation's Privacy Act obligations in the way they once did.

The Office of the Australian Information Commissioner (OAIC) has published (and recently updated) specific guidance for reporting entities, which sets out the OAIC's expectations regarding privacy compliance in connection with AML/CTF compliance. This is essential reading for all entities subject to AML/CTF reporting and obligations, no matter their size or sophistication – and is particularly useful for small businesses who may be considering privacy compliance for the first time.

While there are a number of steps to ensuring compliance with the Privacy Act, as a starting point, Tranche 2 small businesses should:

  1. Prepare and adopt an APP compliant privacy policy.
  2. Prepare and adopt sufficiently detailed collection notices to provide to their customers in the context of collecting, or requesting the collection of, personal information.
  3. Review what personal information is collected for AML/CTF purposes and ensure that collection is limited to what is reasonably necessary for the entity's functions or activities, consistent with APP 3. The narrowing of section 111 is a prompt to reassess historical practices – for example, whether retaining full copies of photo ID remains justifiable, or whether recording the outcome of the verification and the means by which it was carried out is sufficient.
  4. Review information flows and consider whether any information collected for AML/CTF purposes will be transferred offshore, including to third party service providers. Where this occurs, APP 8 requires the entity to take reasonable steps to ensure that the overseas recipient does not breach the APPs – typically through contractual protections supported by appropriate due diligence.
  5. Review data security practices, and implement a data breach response plan.
  6. Review data retention policies and record keeping obligations to ensure that steps are taken to destroy or permanently de-identify personal information once it is no longer needed for any purpose for which it may be used or disclosed under the Privacy Act.

Noting the OAIC's increased focus on enforcement and broad range of enforcement tools (which we recently addressed in an update on consequences about privacy), ensuring that privacy compliance is uplifted in connection with AML/CTF compliance is a must for small businesses.

The small business exemption to the Privacy Act may well be repealed in the next tranche of privacy reforms. Uplifting privacy compliance now – on top of the work required to implement the AML/CTF reforms – may seem onerous, but it is likely to put Tranche 2 businesses in a strong position if those amendments come into effect. Privacy compliance is also an essential component of customer trust, and mature privacy practices can be a genuine market differentiator.


If you need assistance in uplifting your business's privacy compliance ahead of the Tranche 2 AML/CTF reforms, MinterEllison's integrated team of privacy legal and consulting experts is ready to partner with you to ensure that you are meeting your legal obligations and public expectations when it comes to collecting, holding and using personal information.

https://www.minterellison.com/articles/aml-ctf-reforms-dont-forget-the-privacy-policy