AML privacy guidance Australia: why full ID scans are now a retention risk
astridraetze7, May 12

For financial services firms, retaining a full AML identity pack became operational muscle memory: passport and driver licence scans, certification pages and verification artefacts stored across onboarding tools, CRMs, document repositories and outsourced platforms. OAIC acknowledges that some Tranche 1 entities and their agents have longstanding systems and practices built around copied ID documents. For new collections, that legacy position is now much harder to defend.
What changed
From 31 March 2026, the reformed AML/CTF Act requires reporting entities to retain records that are reasonably necessary to demonstrate compliance with Part 2 customer due diligence obligations, including sufficient and accurate records of the type and content of the data collected and records of ML/TF risk analysis and decision-making. OAIC’s updated AML privacy guidance says that does not require scanned copies or photocopies of identity documents themselves for Tranche 1 entities. Instead, firms should keep the relevant data points from the document, the document type, what they did to identify the customer, and the outcome of verification and risk assessment. OAIC says the same position applies from 1 July 2026 for Tranche 2 entities.
That should not trigger blunt deletion. OAIC says copies made before 31 March 2026 may continue to be retained for the pre-reform seven-year period after the end of the business relationship or the last occasional transaction. AUSTRAC’s transitional rules also allow eligible current reporting entities to continue using ACIP for customer classes until 31 March 2029 while they move to the new initial CDD framework. But OAIC treats transition as a remediation issue, not a reason to keep collecting and storing new full-document copies by default. Where immediate system change is impracticable, OAIC expects a documented plan, senior management oversight and, where necessary, “beyond use” controls until destruction or de-identification is possible.
Why it matters
This is not just a privacy-policy edit. APP 3.2 limits collection to personal information that is reasonably necessary for an organisation’s functions and activities, and APP 11.2 requires destruction or de-identification when personal information is no longer needed and no Australian law or court order requires retention. OAIC’s AML guidance also warns that unnecessary collection and retention create cyber risk, and that breaches involving AML data can lead to identity theft, financial loss and increased ML/TF exposure if criminals reuse compromised information. In other words, privacy and cyber risk now sit inside the design of AML operations, not beside them.
The exposure is broader than major institutions. The Privacy Act applies to reporting entities and authorised agents handling AML data, including small businesses that would otherwise sit outside the Act. Outsourcing does not solve the problem: AUSTRAC says the reporting entity remains legally liable for AML/CTF compliance even where functions are outsourced, and OAIC says offshore disclosures will generally engage APP 8 accountability. This also matters for smaller firms entering or expanding within the regime. Tranche 2 obligations begin from 1 July 2026, and AUSTRAC’s transitional rules say some AFSL holders that previously only provided item 54 arranging services move to full professional-services AML/CTF obligations from 1 July 2026.
What firms should do now
The better question is not whether to delete everything. It is whether the firm can articulate a lawful basis for each category of AML identity data, and show where that data sits. In practice, that means:
- separating pre-31 March 2026 legacy copies from post-commencement collections;
- testing every workflow that still saves a full scan by default, including onboarding portals, OCR tools and adviser-support processes;
- aligning privacy policies and collection notices with actual AML handling, while recognising OAIC’s view that notices need not include information where doing so would conflict with tipping-off constraints;
- tightening vendor contracts on storage location, access control, audit rights, deletion and end-of-contract destruction; and
- placing technically hard-to-delete legacy data beyond use under a timed remediation plan with senior management oversight.
ABML’s view is that this is a records-design and governance issue, not a one-line privacy policy update. Section 111 supports a more targeted record set, but firms still need enough evidence to show how identification was carried out and how ML/TF risk decisions were made. The mature response is lawful minimisation, clear retention logic and controlled remediation of legacy data, not blunt deletion and not business-as-usual hoarding.
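To make the records-design point concrete, here is an added example (not code from this post, ABML, OAIC or AUSTRAC) of what a minimised verification record and a legacy-remediation rule can look like in an onboarding or records system. The 31 March 2026 commencement date and the seven-year legacy period are taken from the guidance the post summarises; everything else, including the field names, the action labels, the sample inventory and the exact decision rules, is an assumption made for illustration.

```python
"""Added example, not code from the post, ABML or OAIC: a minimised AML
verification record plus a remediation rule that separates legacy
full-document copies (made before 31 March 2026) from post-commencement
collections. Field names, action labels, sample data and the exact decision
rules are assumptions for illustration only."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

COMMENCEMENT = date(2026, 3, 31)   # reformed record-keeping applies from here
LEGACY_RETENTION_YEARS = 7         # pre-reform period after the relationship ends
AS_AT = date(2026, 5, 12)          # constructed "today" used for the sample run


@dataclass
class VerificationEvent:
    """What an onboarding workflow typically captures, scan included (assumed fields)."""
    customer_id: str
    document_type: str
    extracted_fields: Dict[str, str]  # data points read from the document
    scan_bytes: bytes                 # the full copy; never carried into a new record
    method: str                       # what was done to identify the customer
    outcome: str                      # result of verification and risk assessment
    collected_on: date
    relationship_ended: Optional[date] = None


@dataclass
class RetainedRecord:
    """The targeted record set: data points, document type, method and outcome."""
    customer_id: str
    document_type: str
    data_points: Dict[str, str]
    method: str
    outcome: str
    collected_on: date
    relationship_ended: Optional[date]
    has_full_copy: bool               # True only where a copy already sits in a store


def minimise(event: VerificationEvent) -> RetainedRecord:
    """Build the record to keep for a new collection: the scan is dropped, the
    data points, document type, method and outcome are preserved."""
    return RetainedRecord(
        customer_id=event.customer_id,
        document_type=event.document_type,
        data_points=dict(event.extracted_fields),
        method=event.method,
        outcome=event.outcome,
        collected_on=event.collected_on,
        relationship_ended=event.relationship_ended,
        has_full_copy=False,
    )


def add_years(d: date, years: int) -> date:
    """Anniversary arithmetic; 29 February rolls to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def remediation_action(record: RetainedRecord, today: date,
                       deletion_practicable: bool = True) -> str:
    """Classify one stored record as at `today` (assumed rule set)."""
    if not record.has_full_copy:
        return "retain-data-points"       # already the targeted record set
    if record.collected_on >= COMMENCEMENT:
        # A full copy saved after commencement means a workflow still scans by default.
        return "fix-workflow-and-destroy" if deletion_practicable else "fix-workflow-and-beyond-use"
    if record.relationship_ended is None:
        return "retain-legacy-copy"       # relationship still open
    if today < add_years(record.relationship_ended, LEGACY_RETENTION_YEARS):
        return "retain-legacy-copy"       # inside the pre-reform seven-year period
    return "destroy-or-deidentify" if deletion_practicable else "beyond-use"


# Constructed sample data: one new collection and a small stored inventory.
NEW_EVENT = VerificationEvent("C-103", "driver licence", {"name": "A. Sample", "dob": "1990-01-01"},
                              b"\x89PNG-constructed-scan", "document verification",
                              "verified-low-risk", date(2026, 4, 10))
SAMPLE_INVENTORY: List[RetainedRecord] = [
    RetainedRecord("C-100", "passport", {"name": "B. Sample"}, "document verification",
                   "verified-low-risk", date(2017, 5, 1), date(2019, 1, 15), True),
    RetainedRecord("C-101", "passport", {"name": "C. Sample"}, "document verification",
                   "verified-medium-risk", date(2021, 8, 9), None, True),
    RetainedRecord("C-102", "driver licence", {"name": "D. Sample"}, "document verification",
                   "verified-low-risk", date(2026, 4, 2), None, True),
    minimise(NEW_EVENT),
]


def audit(records: List[RetainedRecord], today: date = AS_AT,
          deletion_practicable: bool = True) -> Dict[str, List[str]]:
    """Group an inventory by remediation action, for a timed remediation plan."""
    buckets: Dict[str, List[str]] = {}
    for r in records:
        buckets.setdefault(remediation_action(r, today, deletion_practicable), []).append(r.customer_id)
    return buckets


if __name__ == "__main__":
    for action, ids in audit(SAMPLE_INVENTORY).items():
        print(f"{action}: {', '.join(ids)}")
```

The point of the split is that `minimise` is the only path a new collection can take, so a scan cannot reach the retained record, while `audit` runs over what the stores actually hold and produces the buckets a remediation plan needs: legacy copies still inside their seven-year window, legacy copies due for destruction or de-identification (or beyond-use controls where deletion is impracticable), and post-commencement copies that point at a workflow still saving scans by default.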