
More Small Businesses Will Soon Need to Comply with the Privacy Act - de.iterate

Written by sallydeiteratecom | Mar 23, 2026 5:38:19 AM

A lot of businesses are about to discover that privacy compliance is no longer something that only happens to “big business”.

As part of Australia’s anti-money laundering and counter-terrorism financing (AML/CTF) reforms, a new wave of businesses will come under AUSTRAC regulation from 1 July 2026.

The new laws will expand regulation into new “tranche 2” industries that are recognised domestically and globally as high-risk for criminal exploitation, including:
•    real estate professionals
•    dealers in precious stones, metals and products
•    lawyers
•    conveyancers
•    accountants
•    trust and company service providers.

At the same time, current reporting entities will face changed AML/CTF obligations from 31 March 2026, which may affect the way they handle personal information. The OAIC’s updated guidance sets this out and is aimed at both existing and incoming reporting entities.

That matters for one very important reason:

If you are a reporting entity under the AML/CTF Act, the Privacy Act applies to your AML/CTF-related handling of personal information — even if you are otherwise a small business that would usually be exempt. The OAIC’s guidance and small business privacy material both make this clear.

So What Does That Actually Mean?

For many “tranche 2” businesses, this is not just a new AML/CTF compliance project. It is also a privacy wake-up call.

A lot of smaller firms in real estate and professional services have never had to think deeply about whether the Privacy Act applies to them. Soon, many will need to.

And the reality is: if your business is going to start collecting more identity information, verifying customers, retaining compliance records and meeting AUSTRAC-regulated obligations, then your privacy posture cannot stay informal.

That means privacy can no longer live in a generic website policy and a hopeful assumption that “we’re probably fine.” It needs to become operational.

The practical expectations are not mysterious. The Privacy Commissioner, Carly Kind, has already summarised the basics in a way that should make every small business sit up a little straighter:

“For many small businesses new to the Privacy Act, this guidance provides clear, practical steps: collect only what you need, keep it safe, don’t hold onto full ID documents, and delete information when it’s no longer required.”

That sounds simple. Because it is.

But simple does not mean easy, especially for businesses that have historically handled customer information through a combination of paper forms, inboxes, local drives, shared folders and “the way we’ve always done it.”

In practice, the new environment means businesses need to get serious about a few things very quickly.

1. Collect only what you actually need

One of the biggest privacy risks in AML/CTF settings is over-collection.

When obligations expand, businesses often respond by gathering too much “just in case.” Full identity documents get copied and stored when only certain details are needed. Forms ask for more information than the process requires. Records get duplicated across systems. And no one steps back to ask the very obvious question:

Do we actually need all of this?

The OAIC’s guidance is pushing businesses to be more disciplined. Collect what is required. Not what feels administratively comforting.

2. Know where personal information is going

For many small and mid-sized businesses, this is where the trouble starts. Information may be collected:
•    in person
•    via email
•    through web forms
•    through practice management tools
•    via external identity verification providers
•    by outsourced service providers
•    across multiple office locations or team members

If you do not have visibility over where personal information is stored, who has access to it, and how long it is retained, then you do not have a privacy program. You have a filing problem with legal consequences.

3. Stop treating retention like a vague future task

The Commissioner’s warning about not holding onto full ID documents and deleting information when it is no longer required is a big one. Because this is exactly where many businesses drift into risk.

Documents get saved “for now.” Old files pile up. Systems are never cleaned up properly. No one owns deletion. And suddenly a business is sitting on years of highly sensitive personal information it no longer needs, which is exactly the kind of thing that turns a security incident into a full-blown privacy disaster.

You cannot breach what you have already deleted.

4. Privacy notices and internal processes need to reflect reality

This is not just about what you do. It is also about what you tell people.

If your collection practices change because of AML/CTF obligations, your privacy notices, internal procedures and staff instructions may need to change too. The OAIC’s APP 1 guidance requires covered entities to manage personal information in an open and transparent way and have practices, procedures and systems in place to comply with the APPs. That means:
•    your privacy policy should reflect your real practices
•    staff should know what information is being collected and why
•    people should understand how to handle identity information securely
•    complaint handling and access/correction processes should not be improvised on the day

If your privacy documentation says one thing and your staff are doing something else, that is a problem.

5. Small business exemption does not mean “not our problem”

This is probably the most important message for organisations newly entering the regime.

Many businesses have historically assumed the Privacy Act is something for banks, tech giants and large corporates. But the OAIC is very clear that small businesses that are reporting entities under the AML/CTF Act are covered for that handling of personal information.

So if your business is one of the new “tranche 2” entities, privacy is now your problem too. Not in a dramatic, panic-and-rewrite-the-entire-business way. But certainly in a “you now need proper systems, visibility and accountability” way.

What Businesses Should Do Now

The good news is that there is still time to prepare. A sensible next step looks something like this:

First, work out whether the AML/CTF reforms are actually going to apply to your business. AUSTRAC has a checker and guidance for that.

Then, if they do, start asking:
•    what personal information will we collect for AML/CTF purposes?
•    where will it be stored?
•    who will access it?
•    how long do we need it?
•    what do our privacy notices currently say?
•    what internal processes need to change?
•    who is accountable for making sure this all works?

If the answers are fuzzy, you are not alone. But fuzzy will not be a great defence later.

This Is Really About Maturity

The deeper story here is not just that more businesses are falling under the Privacy Act. It is that more businesses are being pushed into a more mature way of handling personal information. That means moving from:
•    ad hoc collection
•    unclear storage practices
•    inconsistent deletion
•    generic privacy notices
•    low visibility across systems

…to something more structured, deliberate and defensible. In other words: a privacy program that actually works.

Taking Privacy Laws Seriously

The AML/CTF reforms are not just changing who needs to think about money laundering and identity verification. They are also expanding the number of businesses that need to take privacy law seriously in a practical, operational way.

For real estate professionals, lawyers, conveyancers, accountants and others entering the reporting entity regime, this is the time to get ahead of the change, not wait until the first complaint, breach or regulator question forces the issue.

Because privacy gets much easier when you build the system before the pressure arrives.

Need Help Getting Your Ducks In A Row?

de.iterate helps organisations turn privacy and compliance obligations into something structured, practical and manageable, without the spreadsheet sprawl, policy chaos and last-minute panic.

If your business is about to fall under the Privacy Act as part of the AML/CTF reforms, now is the time to put the right system in place.

Get started today and see how de.iterate can help you manage the compliance drama before it starts.

Got questions? We can help. Get in touch today.