Privacy compliance

AML/CTF: Privacy compliance

At a glance

  • Practitioners should be aware of their privacy obligations under AML/CTF (1 July 2026 commencement).
  • Who is affected? Law firms with annual turnover under $3 million that provide AML/CTF designated services (typically conveyancing, business sales, company or trust structuring, managing client money and other services). Firms with an annual turnover above $3 million are already fully regulated.
  • What is regulated? Personal information collected or held for the purposes of, or in connection with, AML/CTF activities (Privacy Act, s.6E) — for example, client identity documents, beneficial owner records, AML risk assessment notes.
  • What are the penalties? OAIC has significant enforcement powers, including fines of up to $50 million.

Note: Additional automated-decision-making disclosures commence 10 December 2026.

How do I get started?

Read the Starter Guide, then work through the four-step roadmap. The Compendium sets out the same roadmap in more detail in Chapter 13.

Resources

QLS has prepared guidance and resources to assist practitioners to understand their privacy obligations under AML/CTF. 

Note: It is important that you read the guidance, consider what regulated data your firm will collect and hold, then modify all templates accordingly.

The Privacy Policy needs careful review. It must both guide and reflect your actual processes, and it should not bind your firm to deal with all personal information as if it were regulated personal information. A poorly drafted policy can extend your regulatory obligations beyond what the law requires by making general promises you will then be held to.