AML/CTF Reforms in Australia – A Looming Cyber risk?

On 1 July 2026, Australia will see the commencement of some of the most significant reforms to its Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) regime over the past decade. 

The reforms will require a range of new businesses across the Australian economy to take steps to address money laundering and terrorism financing risks that they may face. These obligations include the development of an AML/CTF program and compliance with customer due diligence requirements, which requires regulated services to verify the identity of their customers.

However, some of the most damaging major data breaches in Australian history have involved the breach of consumers’ identity documents, which presents a number of questions. Will the reforms present a cybersecurity risk by requiring a greater number of entities across the economy to verify individuals’ identity? And how should regulated services navigate this cyber risk whilst meeting their obligations?

The AML/CTF reforms – new regulated services

The Government’s Anti-Money Laundering and Counter-Terrorism Financing Amendment Bill 2024 (AML/CTF Amendment Bill) was passed in November 2024 and is due to commence next year on 1 July 2026.

One of the most significant features of the Bill is the expanded range of services that will be regulated under the AML/CTF regime. The Bill brings a broad range of new services within scope, including:

• real estate professionals – such as real estate agents, buyer’s agents and property developers
• conveyancers
• dealers in precious metals, stones and products
• lawyers
• accountants, and
• trust and company service providers.  

The reforms intend to regulate these services due to the potential high risk of them assisting or facilitating money laundering or terrorism financing activities. However, the practical effect of the reforms is that a greater number of entities across the economy will need to verify the identity of their customers. 

Australians may be required to submit identity documents to these newly regulated entities, including the real estate sector which does not have a positive reputation for high privacy and cybersecurity standards.

Customer Due Diligence (CDD) obligations

One of the cornerstones of the reformed AML/CTF regime will be the obligation for regulated services to conduct Customer Due Diligence (CDD). Before providing a designated service, businesses will be required to establish the following on ‘reasonable grounds’ (among other matters) as part of initial CDD:

• the identity of their customers
• the nature and purposes of the business relationship or transaction; and
• the money laundering and terrorism financing risks involved in providing designated services to the customer.

The required steps are likely to differ depending on the type of the customer and whether they are an individual, sole trader, trust, corporation, partnership or association. However, entities will generally be required to:

• collect ‘Know Your Customer’ (KYC) information that’s appropriate to the customer’s risk; and
• verify KYC information, using reliable and independent data.

In respect to individual customers, AUSTRAC guidance notes that the collected information should be enough to distinguish the individual from others (e.g. their name, date of birth and residential address). Businesses should also verify this information, which could include using either:

• government-issued primary photographic ID documents (e.g. a driver’s licence, passport or proof of age card); or
• primary non-photographic ID documents (e.g. a birth certificate, citizenship certificate or concession card, and a secondary ID document showing the individual’s name and address, such as a utility bill or notice issued by a government body).

AUSTRAC notes that businesses may also use reliable and independent third-party digital identity services to verify KYC information or use other independent sources to verify information such as the Government’s Document Verification Service (DVS).

For certain high risk customers, regulated entities may need to collect additional KYC information or apply further measures such as enhanced CDD or measures in relation to politically exposed persons or individuals that are designated for financial sanctions.

Crucially, regulated services are subject to retention requirements and must keep records that demonstrate how they complied with their initial CDD obligations for each customer for 7 years. This includes records of what customer information was collected, and the steps taken to verify that information. However, AUSTRAC guidance has expressly clarified that entities “aren’t required to make copies of identification documents” (e.g. entities may only record the passport details used to verify the individual’s identity, rather than making a photocopy). 

Historical breaches of identity documents in Australia

When applying these requirements, regulated services should be cognisant of the security and privacy risks associated with the collection and retention of identity documents.

A clear example of the risks can be seen in the 2022 Optus data breach, which led to the exposure of both current and former customer personal information. The breached information included customers’ names, dates of birth, contact details and for a subset of customers, ID document numbers such as driver’s licence or passport numbers.

The exposure of identity document numbers alongside these personal details placed a range of Australians at risk of identity theft, fraud and financial harm, and many were required to replace their passports or driver’s licenses. Questions were also raised regarding why Optus was retaining the information of former customers and the extent to which this was required under AML/CTF or telecommunications regulations.

In the context of the present AML/CTF reforms, while it is welcome that AUSTRAC has clarified that entities do not need to retain photocopies of their customers’ identity documents, the Optus data breach demonstrates that there are still risks associated with the storage of ID document numbers. 

Navigating cybersecurity risks as a regulated service

In light of these risks, there are tangible actions that regulated services can take to minimise their cybersecurity risk while meeting the new requirements. These include:

• Leveraging third-party digital identity services and the Government’s Document Verification Service, where permissible.
• Adopting a risk-based and privacy-enhancing interpretation of the AML/CTF regime. Entities should adopt a data minimisation approach and should collect and retain the minimum amount of information needed to comply with their AML/CTF CDD obligations. For example, entities could opt to retain key details of the documents that they use to verify an individual’s identity, rather than retaining raw photocopies of ID documents, as per AUSTRAC’s guidance.
• Ensuring that all personal information that must be legally retained is stored securely.
• Implement clear retention and disposal schedules and procedures to ensure that personal information is destroyed when it is no longer required to be retained.

Privacy 108 is available to provide advice to entities that are navigating the potential security and privacy challenges of the AML/CTF reform package. Reach out to us at hello@privacy108.com.au or via the form below.