
AML/CTF Reforms 2026: Real Estate Agents, Accountants and Lawyers Now Need a Privacy Policy

From 1 July 2026, AML/CTF Tranche 2 reforms bring 100,000+ small businesses under the Privacy Act for the first time — including real estate agents, accountants, lawyers, and conveyancers.

The Short Answer

If you're a real estate agent, accountant, lawyer, conveyancer, or dealer in precious metals — and you currently rely on the Privacy Act small business exemption — that changes on 1 July 2026.

AML/CTF Tranche 2 reforms bring more than 100,000 small businesses under the Privacy Act 1988 for the first time, regardless of their annual turnover. When you become a reporting entity under the AML/CTF Act, the small business exemption no longer applies to the personal information you handle for those purposes.

You need a compliant privacy policy before 1 July 2026.




What is AML/CTF Tranche 2?

Australia's Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Act has applied to financial institutions — banks, casinos, remittance services — since 2006. Tranche 2 extends these obligations to a new set of businesses for the first time.

From 1 July 2026, certain professional service providers become reporting entities under the AML/CTF Act. This means they must:

  • Register with AUSTRAC
  • Implement an AML/CTF compliance program
  • Conduct customer due diligence (know your customer)
  • Report suspicious matters and threshold transactions
  • Comply with the Privacy Act 1988 for information handled under these obligations

The last point is what most affected businesses don't realise — and it has immediate implications for privacy compliance.


Which Businesses Are Affected?

AML/CTF Tranche 2 applies to designated non-financial businesses and professions (DNFBPs) that provide specific services. The categories are:

Real Estate Agents

Agents involved in buying or selling real property on behalf of clients. This is one of the largest affected groups — Australia has approximately 45,000 licensed real estate agents.

Lawyers and Law Firms

Legal practitioners providing services related to:

  • Buying or selling real property
  • Managing client money
  • Creating, operating, or managing legal arrangements (trusts, companies)
  • Acting in financial transactions on behalf of clients

Not all legal work triggers the obligations — it's specific to the types of transactions listed above.

Accountants

Accountants providing services related to:

  • Creating, operating, or managing legal arrangements
  • Buying or selling business entities
  • Managing client money or securities
  • Real property transactions

Again — not all accounting work is captured, but most practices providing business advisory services will be affected.

Conveyancers

All conveyancers handling property transactions — already closely aligned with real estate, but separately captured.

Trust and Company Service Providers

Businesses that form companies, provide registered office addresses, act as directors or secretaries, or manage trusts on behalf of clients.

Dealers in Precious Metals and Stones

Jewellers, bullion dealers, and similar businesses involved in high-value transactions.


Why the Small Business Exemption No Longer Protects You

Under the Privacy Act 1988, the small business exemption currently means businesses with annual turnover under $3 million are generally exempt from the Act's requirements.

This exemption has always had carve-outs — health service providers, for example, are covered regardless of turnover. AML/CTF Tranche 2 creates another significant carve-out.

When you become a reporting entity under the AML/CTF Act, the Privacy Act applies to the personal information you handle in connection with your designated services — regardless of your annual turnover.

In practice, for most affected businesses, the personal information collected for AML/CTF purposes (customer identity documents, transaction records, source of funds information) overlaps significantly with the personal information you collect in the ordinary course of your business. The safest and most practical approach is to treat your entire business as Privacy Act-covered from 1 July 2026.


What You Need to Have in Place

1. A Compliant Privacy Policy

Your privacy policy must cover all 13 Australian Privacy Principles (APPs). This is not a US-style disclaimer — it's a specific document addressing:

  • What personal information you collect and why (APP 3, APP 5)
  • How you use and disclose it (APP 6)
  • Sensitive information handling — identification documents fall into this category (APP 3)
  • Security measures (APP 11)
  • How clients can access and correct their information (APPs 12, 13)
  • Overseas disclosure — if you use overseas software or services (APP 8)

Your policy must also include the Notifiable Data Breaches (NDB) scheme — the requirement that 100% of Australian company privacy policies we analysed miss, even at major enterprises.

2. Notifiable Data Breaches Scheme Procedures

The NDB scheme requires you to notify the OAIC and affected individuals if you experience a data breach likely to cause serious harm. For professional services firms handling identity documents, financial records, and transaction data, a breach would almost certainly trigger this obligation.

You need:

  • A process for identifying potential breaches
  • A 30-day assessment window
  • Notification procedures for the OAIC and affected clients
  • A privacy policy that explains the NDB scheme

3. Data Security Measures

APP 11 requires reasonable technical and organisational security measures. Since December 2024 this explicitly includes both:

Technical: Encryption, access controls, secure file storage, strong passwords, multi-factor authentication

Organisational: Staff training, documented policies, vendor security assessment, incident response plan

For professional services firms handling sensitive client identity documents and financial records, "reasonable steps" is a meaningful obligation.

4. Collection Notices

APP 5 requires you to tell clients what information you're collecting and why at the time of collection. For most professional service firms, this means updating your client engagement process — onboarding forms, engagement letters, or intake procedures — to include a brief privacy notice.

5. Access and Correction Process

Clients have the right to access the personal information you hold about them and request corrections. You need a documented process for handling these requests within 30 days.


The Deadline: 1 July 2026

Unlike the broader Tranche 2 privacy reforms (which remove the small business exemption and don't yet have a confirmed date), the AML/CTF Tranche 2 deadline is fixed: 1 July 2026.

That's approximately 2 months away.

If you're a real estate agent, accountant, lawyer, or conveyancer who has been relying on the small business exemption, you need to act now. The timeline:

Now — June 2026:

  • Get a compliant privacy policy in place
  • Review your client onboarding process for collection notices
  • Implement basic security measures if not already in place
  • Document your breach response process

By 1 July 2026:

  • Register with AUSTRAC (separate AML/CTF obligation)
  • Privacy policy live on your website
  • Staff briefed on privacy obligations
  • Breach response process documented

How This Differs from the Broader Privacy Reforms

There are currently two separate pathways bringing small businesses under the Privacy Act:

|  | AML/CTF Tranche 2 | Broader Tranche 2 Privacy Reforms |
| --- | --- | --- |
| Deadline | 1 July 2026 — confirmed | Expected 2026-2027 — not yet legislated |
| Who's affected | ~100,000 DNFBPs (real estate, legal, accounting, conveyancing) | ~2.3 million businesses under $3M turnover |
| Trigger | Becoming a reporting entity under AML/CTF Act | Removal of small business exemption |
| Certainty | Definite — legislation passed | Expected but not yet passed |

If you're in one of the affected professional categories, the AML/CTF deadline is the more immediate concern. The broader exemption removal will follow — but the 1 July 2026 date is the one to act on now.


Frequently Asked Questions

I'm a small real estate agency with 3 staff. Does this really apply to me?

Yes. The AML/CTF Act applies to all real estate agents providing designated services — there's no turnover threshold or size exemption. From 1 July 2026, you're a reporting entity and the Privacy Act applies to you.

I'm a sole trader accountant. Am I affected?

It depends on the services you provide. If you provide services involving managing client money, creating or managing trusts or companies, or advising on business acquisitions, you're likely captured. Check the AUSTRAC guidance for the full list of designated services.

Does my existing privacy policy cover the new requirements?

Almost certainly not if it was generated by a US-based tool or downloaded from a template site. Most policies miss the NDB scheme entirely and don't cover all 13 Australian Privacy Principles. Check whether yours explicitly mentions: the Privacy Act 1988, all 13 APPs, and the Notifiable Data Breaches scheme.

What happens if I don't comply by 1 July 2026?

AUSTRAC handles the AML/CTF compliance side. For Privacy Act non-compliance, the OAIC can issue infringement notices up to $66,000 per contravention without going to court, and conduct formal investigations. The OAIC launched its inaugural privacy compliance sweep in January 2026, reviewing approximately 60 entities across six sectors — professional services are a clear target.

I already comply with the Privacy Act because we're over $3M turnover. Do I need to do anything?

Review your existing privacy policy to ensure it's current and covers the specific types of personal information you handle for AML/CTF purposes — particularly identity documents and sensitive financial information. If it was generated more than 12 months ago, it may not reflect the December 2024 reforms.


Summary

AML/CTF Tranche 2 brings a confirmed, hard deadline for Privacy Act compliance to more than 100,000 Australian small businesses — real estate agents, accountants, lawyers, conveyancers, and others. From 1 July 2026, the small business exemption no longer applies to these businesses for the personal information they handle in connection with their designated services.

The practical steps are straightforward:

  1. Get a compliant privacy policy covering all 13 APPs and the NDB scheme
  2. Add collection notices to your client intake process
  3. Document basic security measures and breach response procedures

With approximately 2 months to the deadline, now is the time to act.


Last updated: April 27, 2026

This guide provides general information about AML/CTF Tranche 2 reforms and their Privacy Act implications. It is not legal advice. For specific advice about your AML/CTF obligations, contact AUSTRAC at austrac.gov.au or 1300 021 037. For privacy law questions, consult a qualified privacy lawyer or the OAIC on 1300 363 992.
