Introduction
Reporting entities in Australia are required to navigate a complex regulatory landscape, balancing their duties under both the anti-money laundering and counter-terrorism financing (AML/CTF) and data privacy frameworks. While the AML/CTF framework mandates the collection and verification of personal data to combat financial crime, privacy laws impose strict obligations on how that information is handled. These two sets of legal requirements are not mutually exclusive; instead, they operate concurrently, demanding a careful and integrated approach to compliance.
With the 2026 reforms expanding the AML/CTF regime to new sectors and updating the rules for existing reporting entities, understanding the intersection of AML and privacy obligations has become increasingly critical. This guide provides essential information to help reporting entities reconcile these duties, ensuring they can meet their reporting obligations while upholding the key privacy protections required under Australian law.
Understanding the Concurrent AML/CTF & Privacy Act Obligations
Application of the Privacy Act to AML/CTF Activities
Reporting entities under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) must comply with the Privacy Act 1988 (Cth) (Privacy Act) whenever they handle personal information to meet AML/CTF compliance obligations.
This obligation applies to all reporting entities and their authorised agents, ensuring a consistent level of privacy protection.
Importantly, the usual small-business exemption in the Privacy Act (Cth) is switched off for AML/CTF work:
- Businesses with an annual turnover of $3 million or less are ordinarily exempt from the Privacy Act (Cth).
- That exemption does not apply to activities carried out for AML/CTF compliance, so even very small entities must meet the Privacy Act (Cth)’s requirements.
AML/CTF Compliance Does Not Override Privacy Obligations
The AML/CTF and privacy regimes operate concurrently, meaning one does not cancel out the other.
While the AML/CTF framework authorises the collection, use and disclosure of personal information, it does not provide a blanket exemption from privacy law.
When gathering customer data, reporting entities should remember:
- They must continue to observe the Australian Privacy Principles (APPs).
- Any information collected must be limited to what is reasonably necessary to satisfy legal AML/CTF requirements and manage identified money-laundering or terrorism-financing risks.
Where the Compliance Conflict Arises for AML/CTF Reporting Entities
Personal Information Collection Under APP 3 & CDD Rules
A primary point of tension exists between the customer due diligence (CDD) requirements of the AML framework and the principles of data minimisation under the Privacy Act (Cth). While reporting entities are obligated to collect and verify customer information to assess money laundering and terrorism financing (ML/TF) risk, this must be balanced against APP 3.
Under APP 3.2, the collection of personal information is limited to what is “reasonably necessary” for an entity’s functions and activities. This is an objective test: a properly informed, reasonable person would have to agree that the collection is necessary.
This prevents reporting entities from collecting extra data “just in case” it might be useful later, as such a practice could breach their privacy obligations. Instead, the obligation is to justify every piece of information collected against:
- A specific AML/CTF requirement.
- A documented ML/TF risk.
Information Retention Under APP 11 & AML/CTF Record-Keeping
Another conflict arises between record-keeping mandates and data destruction obligations. Specifically, this tension involves two competing legal requirements:
- Under Section 111 of the AML/CTF Act (Cth), reporting entities must retain certain records for seven years after the end of the business relationship.
- Conversely, APP 11.2 requires entities to take reasonable steps to destroy or de-identify personal information once it is no longer needed for any purpose for which it may be used or disclosed under the APPs.
The Office of the Australian Information Commissioner (OAIC) has provided specific guidance to resolve this issue, particularly concerning identification documents:
- From 31 March 2026 for existing reporting entities, and 1 July 2026 for Tranche 2 entities, businesses must not retain full copies of identity documents like passports or driver’s licences for AML/CTF purposes.
- Instead, they should only record the minimum information necessary to demonstrate compliance, such as the customer’s name, date of birth, address, document type, and the outcome of the verification process.
- Copies of identification documents collected before these dates must still be retained for the required seven-year period.
Information Use & Disclosure Under APP 6 & Reporting Obligations
APP 6 of the Privacy Act (Cth) generally restricts the use or disclosure of personal information to the primary purpose for which it was collected, unless the individual consents or an exception applies. This could appear to conflict with the requirement to report certain activities to the Australian Transaction Reports and Analysis Centre (AUSTRAC).
However, the Privacy Act (Cth) provides a clear exception that resolves this conflict.
Specifically, APP 6 permits the use or disclosure of personal information if it is “required or authorised by or under an Australian law”, which directly covers obligations under the AML/CTF Act (Cth) like:
- Mandatory reporting to AUSTRAC.
- The submission of Suspicious Matter Reports (SMRs) under Section 41 of the AML/CTF Act (Cth).
Transparency Under APP 5 & Tipping Off Prohibitions
A direct conflict exists between the transparency required by APP 5 and the secrecy mandated by the “tipping off” provisions of the AML/CTF Act (Cth). APP 5 requires entities to notify individuals at or around the time of collection about why their personal information is being collected and to whom it might be disclosed.
However, Section 123 of the AML/CTF Act (Cth) makes it an offence to disclose information that could prejudice an investigation. Examples of this include:
- Informing a customer that an SMR has been filed about them.
- Disclosing that an SMR will be filed in the future.
In this scenario, the tipping off prohibition overrides the notification obligation under APP 5.
Critical Role of AML/CTF Independent Evaluations in Resolving the Conflict
Statutory Basis for AML/CTF Independent Evaluation
Under Section 26F(4)(f) of the AML/CTF Act (Cth) and Rule 5-10 of the Anti-Money Laundering and Counter-Terrorism Financing Rules 2025 (Cth) (AML/CTF Rules), reporting entities are legally required to conduct regular independent evaluations of their AML/CTF programs. This requirement ensures that your program is subject to objective scrutiny.
The purpose of this evaluation is multifaceted, as it must assess:
- How you have conducted and reviewed your ML/TF risk assessment.
- The design of your AML/CTF policies against the requirements of the AML/CTF Act (Cth) and AML/CTF Rules (Cth).
- Whether you have effectively identified, managed, and mitigated your ML/TF risks in compliance with your own policies.
Your AML/CTF policies must specify the frequency of these evaluations, which should be appropriate for the nature, size, and complexity of your business. While the minimum legal requirement is at least once every three years, a higher frequency may be necessary depending on your specific risk profile.
Privacy Compliance as an Inherent Part of AML/CTF Program’s Independent Evaluation
An AML/CTF program inherently involves the collection, use, and storage of personal information, which automatically engages your obligations under the Privacy Act (Cth). Therefore, privacy compliance is not a separate consideration but a core component of your AML/CTF obligations.
Since an independent evaluation must test the design of your policies and your compliance with them, it must specifically examine:
- How those policies address the handling of personal data.
- The overall effectiveness of your program, which is directly tied to its adherence to the APPs.
An evaluation that overlooks privacy would fail to provide a complete picture of your program’s legal compliance and its ability to manage risk.
How AML Independent Evaluation Should Test for Privacy Compliance
Testing if Data Collection Is Genuinely Reasonably Necessary
An independent evaluation must scrutinise whether the personal information collected by a reporting entity is genuinely “reasonably necessary” as required by APP 3 of the Privacy Act (Cth). This involves an objective test to determine whether a reasonable, properly informed person would agree that the collection is required for the entity’s specific AML functions.
Furthermore, evaluators should examine client onboarding forms and data fields to ensure every piece of information collected can be justified. The collection must be directly linked to either:
- A specific obligation under the AML/CTF Act (Cth).
- A documented ML/TF risk.
Collecting extra data “just in case” it might be useful later is not permitted and may constitute a breach of your privacy obligations. Ultimately, the evaluation must confirm that there is a genuine connection between the service being offered and an actual or potential designated service that triggers AML/CTF obligations.
This demonstrates a considered and compliant approach to data collection, showing that the reporting entity has strong governance and documented decision-making processes for its data-handling practices.
Testing Data Minimisation & Retention Practices Post-Reform
The evaluation must verify that the reporting entity’s data retention policies and practices align with the updated rules. A key focus during this process is the strict prohibition on retaining full copies of identification documents for AML/CTF purposes.
As per the latest AML/CTF reforms and accompanying transitional rules, from 31 March 2026 for existing reporting entities, and 1 July 2026 for Tranche 2 entities, businesses should not keep copies of documents like passports or driver’s licences. Consequently, the independent evaluation should test whether systems and procedures have been updated to ensure compliance.
Instead of retaining full copies, entities should only record the minimum information necessary to demonstrate that identity verification was performed, such as:
- The customer’s name, date of birth, and residential address.
- The type of identification document and its reference number.
- The steps taken to verify the customer’s identity and the outcome of that verification.
- The entity’s assessment of the ML/TF risk.
Testing for Gaps Between Stated Policies & Actual Practices
A thorough independent evaluation must extend beyond a review of written policies to test whether those policies are effectively implemented in day-to-day operations. The independent evaluator must assess the actual conduct of staff to identify any gaps between the entity’s stated AML/CTF program and its real-world practices.
This practical testing involves several key steps to confirm that privacy-compliant procedures are consistently followed:
- Examining day-to-day operational workflows.
- Sampling a variety of customer files.
- Reviewing records to ensure that documented controls are actively applied by employees rather than just remaining theoretical.
Testing Third-Party Provider & Technology Risks
Reporting entities remain responsible for ensuring that personal information handled by third-party service providers complies with the APPs. Therefore, an independent evaluation must assess the privacy and data-handling risks associated with any external providers or technology platforms used for AML/CTF functions, such as identity verification or customer due diligence.
Crucially, a reporting entity cannot outsource its obligations under the Privacy Act (Cth). The evaluation should therefore verify that the entity has performed adequate due diligence on its vendors and that contractual agreements are in place to manage privacy risks and ensure compliance.
Conclusion
Reporting entities in Australia must navigate the concurrent obligations of the AML/CTF Act (Cth) and the Privacy Act (Cth), using independent evaluations as a key tool to resolve conflicts in data collection, retention, and disclosure. Proactively aligning compliance through data minimisation and mapping data collection to specific legal requirements is essential for meeting both sets of duties.
To ensure your AML/CTF program effectively integrates these key privacy obligations, contact Click Legal’s specialist AML independent evaluation lawyers for trusted expertise. Our specialised services are tailored to help your business achieve peace of mind and robust compliance in this complex regulatory landscape.