OAIC Privacy Guidance for AML/CTF Reporting Entities

The Office of the Australian Information Commissioner (OAIC) has issued comprehensive guidance to help businesses manage their privacy obligations while complying with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act).

Key privacy requirements for Reporting Entities:

  • Data minimisation: collection must be limited to what is “reasonably necessary” to comply with AML/CTF obligations.
  • Identity document retention: the OAIC advises that entities should not keep scanned copies or photocopies of full identification documents (like driver’s licenses or passports) unless required by another specific law. Instead, they should record the specific data needed (e.g., name, DOB, document number) and the verification outcome.
  • Transparency: entities must maintain an APP privacy policy and provide collection notices to customers, except where doing so would breach “tipping off” prohibitions.
  • Security and data breaches: Reporting Entities must take reasonable steps to secure personal information and maintain a data breach response plan.
  • Overseas disclosures: if disclosing personal information to overseas recipients (such as third-party service providers), Reporting Entities must generally ensure the recipient does not breach the Australian Privacy Principles (APPs).

Organisations affected: Reporting entities

Policies affected: AML/CTF related and Privacy related

Reminder: AML/CTF Program reforms deadline – 31 March 2026

Existing Reporting Entities must be ready for the new legislative requirements taking effect on 31 March 2026. Key actions existing Reporting Entities should have taken or be finalising include:

  • Establishing a governance framework.
  • Revisiting and updating the Risk Assessment.
  • Updating Customer Due Diligence to ensure consistency.
  • Ongoing monitoring – e.g. transaction monitoring and enhanced customer due diligence (ECDD) procedures.
  • Personnel due diligence and training.

Organisations affected: Reporting entities

Policies affected: AML/CTF related policies

FATF Updates on Global ML/TF Risk – February 2026

The Financial Action Task Force (FATF) has released its February 2026 updates regarding jurisdictions that pose significant risks to the international financial system due to strategic deficiencies in their anti-money laundering and counter-terrorism financing (AML/CTF) regimes.

AUSTRAC advises all Reporting Entities to use these updates to:

  • Inform and update their risk assessments.
  • Refine their internal compliance programs.
  • Support decisions regarding the submission of SMRs to AUSTRAC.
  • Ensure customer due diligence and transaction monitoring processes remain effective.

Organisations affected: Reporting entities

Policies affected: AML/CTF related policies, Risk framework
