This update covers the draft AML transitional rules, AUSTRAC’s guidance on its new compulsory examination powers, and the Office of the Australian Information Commissioner’s privacy guidance for current and new reporting entities under the AML/CTF Act.

AML transitional rules draft

The Department of Home Affairs has published draft transitional rules to allow periods of time for reporting entities to adjust their business and processes to certain obligations, while still managing their ML/TF risk. Background.

AUSTRAC guidance on its new compulsory examination powers

AUSTRAC has published guidance on its new compulsory examination powers under section 172A of the AML/CTF Act.

Section 172A provides that AUSTRAC may issue a notice to a person requiring them to attend for an examination and answer questions on oath or affirmation.

It can only use this power if it believes on reasonable grounds that a person has information or documents relevant to compliance with the AML/CTF Act, Rules or regulations, or a a prescribed criminal offence.

If a person receives a section 172A notice, they must attend and answer questions asked of them. Failure to comply is an offence.

The guidance sets out when their answers may not be used against them if they incriminate them or expose them to a penalty.

Examinees are entitled to be represented by an Australian legal practitioner during an examination.

Privacy obligations under the Anti-Money Laundering / Counter-Terrorism Financing Act

The Office of the Australian Information Commissioner (OAIC) has released updated Privacy guidance for reporting entities under the AML/CTF Act having regard to an expanded range of businesses that will be regulated by the Privacy Act as part of the AML/CTF reforms. This includes those which are small businesses with an annual turnover of less than $3 million which would otherwise be exempt.

The guidance discusses what personal information businesses may collect, how they must protect it, and when it must be deleted under the AML/CTF regulatory framework.

From 1 July 2026, real estate professionals, dealers in precious metals and stones, and professional service providers such as lawyers, conveyancers, accountants, and trust and company service providers (also known as ‘Tranche 2’ entities) will be brought into the Privacy Act.

The guidance clarifies that reporting entities from 31 March 2026, and from 1 July 2026 for tranche 2 entities, businesses should not retain copies of full ID documents for AML/CTF record-keeping purposes. The AML/CTF regime does not require copies full ID documents to be kept, and entities’ obligations under the Privacy Act require them to minimise the data they retain.

Reporting entities should consider whether they have obligations to make copies of full ID documents outside of the AML/CTF Act.

Entities must also have clear and accessible privacy policies and collection notices explaining how personal information is handled – unless issuing a notice would breach statutory tipping‑off restrictions.

The guidance also discusses the collection of biometric information and the Digital ID scheme.

If you found this article helpful, then subscribe to our news emails to keep up to date and look at our video courses for in-depth training. Use the search box at the top right of this page or the categories list on the right hand side of this page to check for other articles on the same or related matters.