AML Compliance Australia: Data Minimisation, Identity Documents, and the 2026 Deadlines
Australia's AML/CTF reforms introduce a clear data minimisation requirement: businesses can no longer retain full passport or driver's licence copies for AML purposes. Here's what changed, who is affected under Tranche 1 and 2, and what AML compliance software should handle.
Two compliance deadlines: 31 March 2026 (Tranche 1 — banks, fintechs, casinos) and 1 July 2026 (Tranche 2 — lawyers, accountants, real estate, precious metals dealers).
The AML/CTF Act never required full passport or driver's licence copies — only extracted data points (name, DOB, address, document number, expiry, verification outcome). The OAIC has now made this explicit.
Businesses with years of legacy ID scans stored across SaaS apps, email, cloud storage, and CRMs now face a discovery and remediation problem on top of the compliance deadline.
Strac discovers identity documents across 50+ SaaS and cloud integrations, redacts or deletes them in bulk, and prevents new over-collection — covering Zendesk, Slack, Gmail, O365, Google Drive, SharePoint, S3, and more.
AML compliance in Australia just got a data problem most businesses haven't solved yet.
For years, the default practice in Australian financial services, legal, and real estate businesses was simple: when you needed to verify a customer's identity, you scanned their passport or driver's licence and kept a copy.
It felt like compliance. It was actually over-collection — and from 31 March 2026, it is no longer acceptable.
The AML/CTF Amendment Act 2024, combined with updated guidance from the Office of the Australian Information Commissioner (OAIC), has clarified what reporting entities are actually required to retain for AML/CTF record-keeping — and it is significantly less than most businesses currently hold. The Act does not require photocopies or scans of identity documents. It never did. Businesses that have been storing them have been creating unnecessary privacy risk without any compliance benefit.
This matters because the 2022 Optus breach, where millions of Australian passport and licence numbers were exposed, demonstrated exactly what happens when identity document copies sit in systems they don't need to be in. The OAIC's updated guidance is a direct response to that lesson.
What the AML/CTF Amendment Act 2024 Actually Changed
The Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 passed in November 2024 and is one of the most significant updates to Australia's financial crime framework in nearly two decades. The reforms pursue three goals: expanding coverage to higher-risk professional services, modernising obligations around digital assets, and simplifying compliance for regulated entities.
The data-handling changes are where most businesses will feel the practical impact.
What the OAIC guidance now explicitly states:
"The AML/CTF Act does not require you to keep scanned copies or photocopies of identity documents themselves."
Instead, what must be retained is a record of specific data points extracted from those documents:
- full name
- date of birth
- residential address
- document type
- document number
- document expiry date
- the verification method used
- the outcome of verification and the ML/TF risk assessment
That is the complete list. A passport scan is not on it.
The transition rule: Identity document copies collected before the compliance dates may remain retained as required records for seven years following the end of the customer relationship or the final transaction — consistent with the prior law that authorised their collection. After seven years, or at the relationship end date, deletion is required.
AML Compliance Australia: The Data Minimisation Requirement Explained
Data minimisation is the principle that organisations should collect, use, and retain only the minimum personal information necessary to fulfil a specific, legitimate purpose. In the AML/CTF context, the purpose is customer due diligence and record-keeping — and the OAIC's updated guidance has now drawn a clear line around what is actually necessary for that purpose.
The term "data minimisation" does not appear verbatim in the AML/CTF Act. The principle flows from two overlapping sources:
1. The Australian Privacy Principles (Privacy Act 1988)
APP 3 restricts collection to information that is "reasonably necessary" for a function or activity. APP 11 requires that personal information is not retained longer than necessary. Together, these principles mean that retaining a full passport scan — when the Act only requires the extracted data points — is a Privacy Act breach independent of any AML/CTF obligation.
2. OAIC guidance applying the Privacy Act to AML/CTF entities
The Commissioner has explicitly clarified that AML/CTF reporting entities are subject to the Privacy Act and that their data collection and retention practices must satisfy both regimes simultaneously. An entity that retains full ID document copies "just in case" or out of habit is not satisfying the reasonably necessary test — and cannot point to AML/CTF requirements to justify it, because those requirements do not demand full copies.
What data minimisation means for AML KYC requirements in Australia
Australia's AML KYC requirements — customer identification, verification, and ongoing due diligence — can be met entirely by recording the extracted data points listed above. The verification process itself (checking a document against a name, DOB, and address) does not require retaining the document image. The outcome of that check — verified, not verified, risk rating — is what must be recorded.
This has practical implications for every part of the onboarding workflow:
The practical question every AML compliance team in Australia now needs to answer is: where are our identity document copies, who can access them, and when do they need to be deleted? That is a data discovery question before it is a compliance question.
Who Is Affected: Tranche 1 and Tranche 2
The reforms affect two broad groups on different timelines.
Tranche 1 — 31 March 2026
Existing reporting entities that have been subject to AML/CTF obligations for years: banks, credit unions, payment service providers, casinos, remittance dealers, and bullion dealers. These entities already have compliance programs — the change is updating those programs to reflect the new document-retention rule and to begin the process of identifying and managing legacy ID document stores.
Tranche 2 — 1 July 2026
Approximately 90,000 additional businesses are brought into scope for the first time. This is the larger and more disruptive change. Newly regulated entities include:
- lawyers
- accountants
- real estate agents
- precious metals dealers
- virtual asset service providers (VASPs)
For many of these businesses, the challenge is not just updating an existing AML program — it is building one from scratch while simultaneously understanding what data they are allowed to collect and what they need to delete.
The Real Risk: Identity Document Stores Are Honeypots
Identity documents such as driver's licences and passports cannot be stored under Australia's AML policy from 31 March 2026
The OAIC's guidance is not simply about bureaucratic compliance. It is a direct response to the data breach risk created by over-retention.
When a business stores full scanned copies of passports and driver's licences, it creates what security professionals call a honeypot — a concentrated store of high-value identity data that becomes an attractive target for attackers. A successful breach does not just expose customer names. It exposes documents that can be used to commit identity fraud, open fraudulent accounts, and cause harm that follows individuals for years.
The Optus breach put this risk in sharp relief. Customer passport and licence numbers were exposed at scale. The regulatory and reputational consequences were severe. Notably, many of those copies were retained for compliance purposes — purposes that, under the OAIC's updated guidance, did not actually require the full document.
Holding more identity data than you need is now simultaneously:
The OAIC has been explicit: "Unnecessary data retention is one of the greatest risks to Australians."
What Australia AML Compliance Looks Like in Practice
Compliance under the new regime has three distinct components.
1. Stop over-collecting going forward
From the applicable compliance date, new customer onboarding processes must not capture full document images unless another law specifically requires it. Identity verification workflows need to be updated to record only the permitted data points. This affects CRM systems, onboarding platforms, KYC tools, and any workflow that currently captures or stores document images.
2. Discover and remediate legacy stores
This is the harder problem. Most organisations have years of identity document copies sitting across:
- SaaS applications (customer support tools such as Zendesk, messaging tools such as Slack, and CRMs)
- email (Gmail, Office 365)
- cloud storage (Google Drive, SharePoint, OneDrive, S3)
Before the compliance deadline, businesses need to find every location where identity document copies exist, assess whether retention is still permitted under the transition rule, and delete or redact what is not.
This is a data discovery and remediation problem — and it cannot be solved manually at any meaningful scale.
3. Prevent future over-retention through policy and controls
After the initial remediation, ongoing compliance requires controls that prevent identity document copies from re-entering systems. This means DLP policies that detect and block passport scans and driver's licence images before they are stored in cloud or SaaS environments.
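As an added illustration (example code written for this article, not Strac's product code and not anything published by the OAIC or AUSTRAC), the following Python models the three components above on constructed data: a minimised onboarding record that keeps only the permitted data points and rejects any full document image, a retention-expiry calculation, and a triage of a discovered inventory of legacy ID copies into "delete" and "retain" buckets. The field names, the image-field names, the sample payload, and the sample inventory are assumptions made for the example; the retention rule follows this page's FAQ (seven years after the later of the relationship end and the final transaction), and the Tranche 1 compliance date is the page's 31 March 2026.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Data points the OAIC guidance requires in the CDD record, as listed on this page.
PERMITTED_FIELDS = (
    "full_name", "date_of_birth", "residential_address",
    "document_type", "document_number", "document_expiry",
    "verification_method", "verification_outcome", "ml_tf_risk_assessment",
)
# Assumed field names an onboarding form might use for a full document image
# (illustrative names for this example, not taken from any standard or product).
DOCUMENT_IMAGE_FIELDS = frozenset({"passport_scan", "licence_image", "document_image"})
RETENTION_YEARS = 7


class OverCollectionError(ValueError):
    """Raised when an onboarding payload carries a full document image."""


def minimise_onboarding_payload(payload: dict) -> dict:
    """Reduce a raw onboarding payload to the permitted CDD data points.

    Image fields are rejected outright, other surplus fields are dropped, and a
    missing permitted field is an error because the record would be incomplete.
    """
    images = DOCUMENT_IMAGE_FIELDS & payload.keys()
    if images:
        raise OverCollectionError(f"full document image not permitted: {sorted(images)}")
    missing = [f for f in PERMITTED_FIELDS if f not in payload]
    if missing:
        raise ValueError(f"CDD record incomplete, missing: {missing}")
    return {f: payload[f] for f in PERMITTED_FIELDS}


def _add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; 29 February rolls to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_expiry(relationship_end: Optional[date],
                     final_transaction: Optional[date]) -> Optional[date]:
    """Seven years after the later of relationship end and final transaction.

    Returns None while the relationship is still open, i.e. the clock has not started.
    """
    anchors = [d for d in (relationship_end, final_transaction) if d is not None]
    if not anchors:
        return None
    return _add_years(max(anchors), RETENTION_YEARS)


@dataclass(frozen=True)
class LegacyCopy:
    """One identity document copy found during discovery (constructed sample type)."""
    location: str
    collected_on: date
    relationship_end: Optional[date] = None
    final_transaction: Optional[date] = None


def triage_legacy_copies(copies, compliance_date: date, today: date) -> dict:
    """Map each discovered copy to (action, expiry) under the transition rule."""
    result = {}
    for c in copies:
        if c.collected_on >= compliance_date:
            result[c.location] = ("delete", None)     # no transition cover after the deadline
            continue
        expiry = retention_expiry(c.relationship_end, c.final_transaction)
        if expiry is None:
            result[c.location] = ("retain", None)     # relationship still open
        elif expiry <= today:
            result[c.location] = ("delete", expiry)   # retention period already over
        else:
            result[c.location] = ("retain", expiry)   # keep, and schedule deletion for expiry
    return result


# Constructed sample data for the example (not real customers or real file paths).
SAMPLE_ONBOARDING = {
    "full_name": "Example Customer", "date_of_birth": date(1990, 1, 15),
    "residential_address": "1 Example St, Sydney NSW 2000", "document_type": "passport",
    "document_number": "X0000000", "document_expiry": date(2030, 1, 1),
    "verification_method": "DVS", "verification_outcome": "verified",
    "ml_tf_risk_assessment": "low", "notes": "onboarded via web form",  # surplus, dropped
}
SAMPLE_LEGACY_COPIES = [
    LegacyCopy("gdrive:/Onboarding/2016/passport_0042.jpg", date(2016, 3, 1),
               relationship_end=date(2017, 5, 10), final_transaction=date(2017, 4, 30)),
    LegacyCopy("zendesk:ticket/8812/attachment/licence.png", date(2021, 8, 15)),
    LegacyCopy("s3://kyc-archive/2023/licence_1199.pdf", date(2023, 2, 2),
               relationship_end=date(2025, 1, 31), final_transaction=date(2025, 6, 30)),
    LegacyCopy("gmail:msg/7f3a/attachment/passport.pdf", date(2026, 4, 2)),
]

if __name__ == "__main__":
    print(minimise_onboarding_payload(SAMPLE_ONBOARDING))
    for loc, (action, expiry) in triage_legacy_copies(
            SAMPLE_LEGACY_COPIES, date(2026, 3, 31), date(2026, 4, 1)).items():
        print(f"{action:6} {loc}  expiry={expiry}")
```

The triage output is the deletion schedule the second component asks for: copies whose retention period has already run out are deleted now, open relationships are left alone with no clock running, and the rest carry a concrete expiry date that a scheduler can act on. Rejecting image fields at the record boundary (rather than silently dropping them) is deliberate: the upload itself is the over-collection event, so it should fail loudly where the first component says it must be stopped.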
What AML Compliance Software Should Handle — and How Strac Covers It
Most AML compliance software in Australia focuses on transaction monitoring, sanctions screening, and suspicious matter reporting. These are the financial crime detection functions. But the 2026 reforms have created a second compliance layer that transaction monitoring tools don't address: the data security and minimisation obligations around identity documents themselves.
The right AML compliance software for the current environment needs to handle both sides:
| Function | Traditional AML software | What's now also needed |
| --- | --- | --- |
| Transaction monitoring | Yes | — |
| Sanctions/PEP screening | Yes | — |
| Suspicious matter reporting | Yes | — |
| Identity document discovery | No | Required |
| Legacy ID data remediation | No | Required |
| Real-time over-collection prevention | No | Required |
| Audit trail for data deletion | No | Required |
This is where a data security platform fills the gap that AML-specific tools leave open.
Strac's platform maps directly onto all three compliance requirements.
Discover where identity documents are stored
Strac connects to your SaaS and cloud environment — Google Workspace, Microsoft 365, Slack, Salesforce, S3, SharePoint, OneDrive, and 50+ more — and scans for sensitive data including identity documents, passport numbers, driver's licence numbers, and other regulated PII.
Critically, Strac uses ML and OCR to detect identity data inside images and scanned documents — not just plain text fields. A passport scan stored as a JPEG in Google Drive is not invisible to Strac. This matters because most legacy identity document copies are images, not structured data.
The result is a data map that shows exactly where AML-regulated identity data sits across your environment — which systems, which users have access, and how long it has been there.
Remediate excess retention
Once discovery is complete, Strac's bulk remediation capabilities allow security and compliance teams to delete, redact, or quarantine files that contain identity document copies no longer permitted under the new rules.
Remediation workflows include audit trails — so when OAIC or AUSTRAC asks what you did to address legacy over-retention, you have documentation of every action taken.
Prevent new over-collection
Strac's real-time DLP policies can detect when a passport scan or driver's licence image is being uploaded to a SaaS application, shared via email, or saved to cloud storage — and block or alert before retention occurs.
For Tranche 2 entities building AML programs for the first time, this provides a control layer that enforces the data minimisation principle automatically, without relying on staff to remember a policy document.
What are the fines for non-compliance?
In Australia's new regulatory landscape, "we've always stored IDs this way" is no longer a valid defence. The enforcement frameworks for AUSTRAC and the OAIC have been significantly strengthened to ensure businesses take data minimisation seriously.
Failing to transition from storing full ID copies to recording only "necessary details" exposes your firm to three tiers of risk:
1. Massive Civil Penalties: For serious or repeated interferences with privacy, corporations can face fines of up to $50 million, three times the benefit gained from the breach, or 30% of adjusted turnover during the breach period.
2. Per-Record Liability: Under the AML/CTF Act, AUSTRAC can apply for civil penalty orders reaching 100,000 penalty units (currently $33 million) for corporations per breach. Because these fines can be applied per contravention, a single database containing thousands of prohibited passport scans represents a catastrophic financial risk.
3. Criminal Charges & Personal Liability: For directors and compliance officers, the stakes are even higher. Reckless failure to comply with certain AML/CTF record-keeping or reporting obligations can lead to criminal prosecution and up to two years of imprisonment.
How Strac Redacts and Deletes Identity Documents Across SaaS and Cloud
The data minimisation problem is not just about stopping new collection. Every business that has been onboarding customers for years has identity document copies scattered across systems — often in places no one is actively monitoring.
Strac connects to your entire SaaS and cloud stack and surfaces exactly where identity documents are stored. Once found, Strac can redact sensitive fields, delete the files entirely, or remove external access — in bulk, with a full audit trail. Here is how it works across the surfaces where identity documents most commonly end up.
Strac detects and deletes/redacts sensitive documents and messages across all SaaS, Cloud and Endpoints
Data Minimisation in Customer Support — Zendesk, Intercom, Salesforce
Customer support is one of the most common places identity documents accumulate. Customers submit onboarding queries with their driver's licence or passport attached. Agents process the ticket, the document gets stored in the ticket thread, and it sits there indefinitely.
Strac scans every Zendesk, Intercom, and Salesforce record — including image attachments — and detects driver's licence numbers, passport numbers, SSNs, and other regulated PII using ML and OCR. When found, Strac can redact the values inline or delete the attachment, without agent intervention.
The screenshot below shows a real Zendesk ticket where a customer shared their driver's licence and social security card as attachments alongside their licence number and SSN in the message body. Strac detected all of it.
Strac redaction in Zendesk and other customer support
Data Minimisation in Slack — Real-Time Redaction of Identity Documents
Slack is a high-risk surface for identity document exposure. Employees routinely paste customer details into channels during onboarding or support escalations. Files get shared in DMs. Screenshots of ID documents get uploaded without a second thought.
Strac monitors Slack in real time. When a driver's licence image, passport scan, or identity number is shared in any channel or DM, Strac detects and redacts it before it can be forwarded or accessed by unauthorised users. Historical Slack messages are also scanned retrospectively.
Strac detecting and redacting a driver's licence shared in Slack
Data Minimisation in Email — Office 365 and Gmail
Email is where the highest volume of identity document copies accumulates over time. Onboarding emails, KYC submission threads, and verification request replies — all contain passport and licence attachments that were stored without any retention schedule.
Strac integrates with Office 365 and Gmail to scan both new and historical email — including attachments — for identity documents and regulated PII. Files containing passport scans, driver's licence images, or identity numbers can be automatically redacted or deleted. Policies can be set to alert compliance teams, quarantine flagged messages, or remove external access.
Beyond Email and Messaging — Cloud Storage and CRMs
Identity documents also end up in:
- cloud storage buckets and folders (S3, Google Drive, SharePoint, OneDrive)
- CRM records and attachments (Salesforce and similar systems)
Strac covers all of these with the same ML + OCR detection engine. The same policy that flags a passport scan in a Zendesk ticket also flags it in an S3 bucket or a Google Drive folder — no separate configuration required.
Key Dates Summary
| Date | What changes | Who |
| --- | --- | --- |
| 31 March 2026 | New AML/CTF rules effective; no new full ID document copies | Tranche 1 entities (existing reporting entities: banks, fintechs, casinos) |
| 1 July 2026 | New designated services enforceable; Tranche 2 entities must comply | Lawyers, accountants, real estate, precious metals, VASPs |
| Ongoing | 7-year retention clock on pre-reform ID copies | All entities |
| Ongoing | Delete at relationship end or 7 years, whichever first | All entities |
Frequently Asked Questions
Does Australian AML/CTF compliance require data minimisation?
The term "data minimisation" does not appear verbatim in the AML/CTF Act, but the principle is enforced through two overlapping frameworks. First, the OAIC's updated guidance states entities should "collect only what you need" and may "only collect personal information that is reasonably necessary to comply with AML/CTF obligations." Second, the Australian Privacy Principles under the Privacy Act (APP 3 on collection, APP 11 on retention) impose minimisation obligations independently. In practice, the combination means you must not retain more identity data than the Act requires — and the Act does not require full document copies.
Can I keep the passport scan I already have on file?
Yes, under the transition rule. Identification documents collected before the compliance date (31 March 2026 for Tranche 1, 1 July 2026 for Tranche 2) may be retained as required records for seven years after the customer relationship ends or the final transaction occurs, whichever is later. After that retention period expires, deletion is required. You cannot collect new full document copies after the applicable compliance date.
What exactly must I retain for AML/CTF customer due diligence records?
The OAIC guidance specifies: full name, date of birth, residential address, document type, document number, document expiry date, the verification method used, and the outcome of verification and ML/TF risk assessment. These records must be retained for seven years and must be in English or readily convertible to English.
What are the AML KYC requirements in Australia under the new rules?
The AML KYC requirements — customer identification and verification — remain the same in substance: you must verify that a customer is who they say they are, using reliable and independent sources. What changed is the data retention obligation attached to that process. You must still perform KYC. You must now record only the specific data points from that process (name, DOB, address, document type/number/expiry, verification method, outcome) — not the underlying document. The KYC process itself is unchanged; what you are permitted to keep afterwards is now strictly defined.
Does this apply to digital identity verification services?
Yes, but using a third-party digital identity service or the government's Document Verification Service (DVS) is actually an easier path to compliance — these services return a verification outcome rather than a document copy, which aligns with what you are now required to retain anyway.
What are the penalties for non-compliance?
Breaches of the Privacy Act's Australian Privacy Principles carry civil penalties up to AUD $50 million (or three times the benefit obtained, or 30% of adjusted turnover) for serious or repeated breaches. For AML/CTF-specific breaches, AUSTRAC can issue infringement notices, accept enforceable undertakings, or pursue civil penalties. Notifiable data breaches involving identity documents also trigger mandatory notification obligations to the OAIC and affected individuals.
We're a law firm newly in scope for Tranche 2. Where do we start?
Start with discovery: map where customer identity data currently lives across your systems — email, document management, cloud storage, CRM. Then assess what is within the seven-year transition window and what is not. Build a deletion schedule for what falls outside the window, and update your onboarding process to record only the permitted data points going forward. Finally, implement controls (technical or procedural) that prevent new over-collection. If you have no existing AML program, AUSTRAC's tranche two guidance and transitional rules are the starting point for the broader program.
How do I find identity document scans stored across cloud and SaaS?
Manual search is not viable at scale — a typical business has identity documents scattered across email attachments, cloud folders, CRM records, and file shares accumulated over years. A DSPM or DLP tool that uses OCR to detect document images (not just text patterns) is the practical approach. Strac connects to your existing SaaS and cloud environment and surfaces exactly where identity data is stored, including inside image files and scanned documents.