OAIC guidance update: What it means for identity document retention in AML compliance

On 27 February 2026, the Office of the Australian Information Commissioner (OAIC) released new privacy guidance for reporting entities under the Anti-Money Laundering and Counter-Terrorism Financing Act. The guidance was updated in April 2026 to reflect the 31 March 2026 commencement date for Tranche 1 reporting entities.
The headline message is clear:
“Businesses should not store copies of identification documents collected for AML/CTF purposes.”

For many organisations, this represents a meaningful shift in how customer due diligence (CDD) is operationalised, particularly where full passport or driver licence scans have historically been retained in onboarding files.

This guidance does not change the AML/CTF Act itself. It clarifies how privacy obligations apply when carrying out AML/CTF compliance activities, and it has immediate practical implications.


What has changed?

The OAIC guidance focuses on how reporting entities should apply the Australian Privacy Principles (APPs) when collecting and retaining personal information for AML/CTF compliance. Below are the key takeaways.

1. Stop retaining full identity document copies

The OAIC states that organisations should not retain copies of identification documents collected for AML identity verification purposes, including:

  • Passports
  • Driver licences
  • Other government-issued photo ID documents

Identification documents contain highly sensitive information: document numbers, photographs, signatures, and other identifiers. Retaining full copies increases exposure in the event of a data breach, raises identity theft risk, and holds sensitive personal information beyond what is necessary for compliance.

2. Record the verification, not the document

The OAIC's position is that AML/CTF obligations require you to retain evidence that verification occurred, not the document itself. This means moving from document storage to structured verification records.

Before:
A customer provides a passport. A full scan is stored in the client file and retained for seven years after the end of the business relationship.

Now:
You record:

  • Identity details: legal name, date of birth, passport number, issuing country, expiry date
  • Method of verification (for example, electronic verification provider or face-to-face sighting, including date and staff member where sighted in person)
  • Outcome of verification: whether the passport passed verification

This approach demonstrates compliance without retaining unnecessary sensitive information.

3. Data minimisation applies to AML

The guidance reinforces that reporting entities must:

  • Collect only personal information reasonably necessary for AML/CTF purposes
  • Avoid collecting or retaining information "just in case"
  • Regularly review whether the stored information remains required

This applies across initial CDD, enhanced due diligence, ongoing monitoring, and source of funds and wealth enquiries. The privacy lens now sits squarely over AML operations.


What about AUSTRAC?

A natural question is: what happens if AUSTRAC requests documentation?

The key is understanding the distinction between demonstrating that identification procedures were carried out and retaining full copies of identity documents.

AUSTRAC's record-keeping requirements focus on being able to show:

  • What identification procedure was applied
  • What information was relied upon
  • When verification was completed

The OAIC guidance does not suggest ignoring AML obligations. It clarifies that retaining full document images is not required to satisfy them. Where an organisation believes retaining a document is necessary in a specific higher-risk scenario, that decision should be risk-based, documented, and justifiable under both AML and privacy frameworks. For most simplified and standard CDD scenarios, structured records will be sufficient.


When must you comply?

The OAIC guidance is interpretative rather than legislative. There is no delayed commencement date. If your organisation is already subject to the Privacy Act, these expectations apply now.

Two dates are relevant for AML/CTF reporting entities specifically:

  • 31 March 2026: The date from which Tranche 1 reporting entities (including financial institutions, remittance providers, and digital currency exchanges) are no longer required to retain copies of identity documents for AML/CTF record-keeping purposes.
  • 1 July 2026: The date from which Tranche 2 reporting entities (including lawyers, accountants, conveyancers, and real estate professionals) come under the AML/CTF Act and are subject to the same document retention approach from the outset.

For Tranche 2 entities, this means building compliant practices from day one rather than having to unwind existing document storage.


Operational impact depends on how your firm currently stores documents

The guidance applies to all reporting entities subject to the Privacy Act. The practical impact differs.

Smaller reporting entities

Smaller firms often store ID documents in shared drives or email folders, retain full scans as a default safeguard, and operate without formalised data retention schedules.

The OAIC’s expectations for small reporting entities are not the same as those for large businesses. The guidance requires reviewing onboarding checklists, removing automatic document storage practices, and updating internal policies and privacy notices. It will also reduce data breach exposure by limiting sensitive data holdings.

Larger reporting entities

Larger organisations typically use AML technology platforms, maintain structured document repositories, and operate formal retention and destruction schedules.

The focus here is reviewing system configurations that store document images, assessing whether document retention is embedded in workflows, conducting privacy impact assessments where appropriate, and ensuring AML record-keeping and privacy retention policies are aligned. The challenge is less about awareness and more about design.


What should you review internally?

For most organisations, this will involve refining processes rather than overhauling them entirely. First AML already captures and stores the structured verification records the OAIC requires. For every identity check, the platform retains the legal name, date of birth, residential address, document number, document type, expiry date, verification method, and the outcome of the check, including the ML/TF risk assessment result. These records are kept for the full 7-year statutory period under the AML/CTF Act.

From 1 July 2026, document image deletion is enabled by default for Australian customers. This applies to images collected on or after 31 March 2026. Images collected before that date are retained for the statutory period, as permitted under the AML/CTF Act and the OAIC's transitional position.

If your firm stores document images outside of First AML (in email, shared drives, or a document management system), those fall outside the platform's deletion controls and need to be reviewed separately.
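As an added illustration (not First AML's code and not part of the original post), the following Python shows the structured record from "Record the verification, not the document" alongside the image-retention cut-off described above: the record keeps only the listed fields, and the image decision applies the 31 March 2026 date and the seven-year period. The capture dict shape, field names and sample values are assumptions.

```python
"""Data-minimised AML verification record (illustrative; assumed field names)."""
from dataclasses import dataclass, fields
from datetime import date
from typing import Optional

IMAGE_RETENTION_CUTOFF = date(2026, 3, 31)  # images collected on/after this date are not retained
RECORD_RETENTION_YEARS = 7                  # statutory period after the relationship ends


@dataclass(frozen=True)
class VerificationRecord:
    """Only the fields the guidance lists; no image, photo or signature is ever stored."""
    legal_name: str
    date_of_birth: date
    document_type: str
    document_number: str
    issuing_country: str
    expiry_date: date
    method: str                  # "electronic" or "face-to-face"
    verified_on: date
    verified_by: Optional[str]   # staff member, required for face-to-face sighting
    passed: bool


def record_verification(capture: dict, method: str, verified_on: date,
                        passed: bool, verified_by: Optional[str] = None) -> VerificationRecord:
    """Reduce a raw capture (assumed shape; may carry image bytes and other extras)
    to the structured record. Keys not in the record are dropped, never copied."""
    if method == "face-to-face" and not verified_by:
        raise ValueError("face-to-face sighting must record the staff member")
    wanted = {f.name for f in fields(VerificationRecord)} - {"method", "verified_on", "verified_by", "passed"}
    kept = {k: v for k, v in capture.items() if k in wanted}
    return VerificationRecord(**kept, method=method, verified_on=verified_on,
                              verified_by=verified_by, passed=passed)


def retention_end(relationship_ended: date) -> date:
    """Seven years after the end of the business relationship (handles 29 February)."""
    target_year = relationship_ended.year + RECORD_RETENTION_YEARS
    try:
        return relationship_ended.replace(year=target_year)
    except ValueError:  # 29 Feb ending in a non-leap year
        return relationship_ended.replace(year=target_year, day=28)


def retain_image(collected_on: date, relationship_ended: Optional[date], today: date) -> bool:
    """Transitional rule: images collected before the cut-off may be kept for the statutory
    period; anything collected on or after the cut-off is not retained at all."""
    if collected_on >= IMAGE_RETENTION_CUTOFF:
        return False
    if relationship_ended is None:
        return True  # relationship ongoing; the seven-year clock has not started
    return today <= retention_end(relationship_ended)
```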

At a minimum, review the following:

  1. Check your data retention settings to confirm they reflect your firm's policy.
  2. Confirm whether document images are stored outside the First AML platform and update those practices to align with the OAIC guidance.
  3. Review your client-facing privacy notices to confirm they accurately describe what is retained and for how long.


About First AML

First AML approaches this from the perspective of both a technology provider and compliance professionals. Before releasing First AML's all-in-one AML workflow platform, we processed over 2,000,000 AML cases ourselves. Understanding the acute problem firms face today as they try to scale their own AML is in our DNA.

That's why First AML now powers thousands of compliance experts around the globe to reduce the time and cost burden of complex and international entity KYC. First AML stands out as a leading solution for organisations with complex or international onboarding needs. It provides streamlined collaboration and ensures uniformity in all AML practices.
