AML compliance requires identity verification — here's what the Privacy Act says you can actually store
Real estate agents must verify client identities under AUSTRAC Tranche 2. The OAIC's AML/CTF privacy guidance (updated April 2026) is clear: you do not need to keep photocopies or scans of identity documents.
From 1 July 2026, every real estate agency that brokers property sales must verify client identities before providing a designated service.
Most principals understand that part.
What fewer have thought through: the Office of the Australian Information Commissioner (OAIC) published privacy guidance specifically for AML/CTF entities in February 2026, updated in April — and what it says about storing identity documents is more specific than most agencies expect.
Important: This article explains the intersection of AUSTRAC Tranche 2 obligations and OAIC privacy guidance under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 and the Privacy Act 1988. It is general information only — not legal or compliance advice. Your agency's specific circumstances may require advice from a qualified professional. AML Simple is a compliance workflow tool, not a law firm.
What AML compliance requires you to collect
Before providing a designated service, you must complete initial Customer Due Diligence (CDD) on your client.
For an individual, that means collecting:
- Full legal name (as it appears on the ID document)
- Date of birth
- Residential address (not a PO Box)
- Whether they're acting on behalf of someone else
You then verify that information against an acceptable identity document — an Australian driver's licence, passport, or foreign passport are common examples. The full list of acceptable documents is in AUSTRAC's Customer Due Diligence guidance.
This is where most agencies stop thinking about the process.
You've sighted the licence. You've confirmed the name matches. What do you keep?
What the OAIC guidance addresses
The OAIC published its AML/CTF privacy guidance on 27 February 2026, updated 13 April 2026.
Its position is unambiguous: "The AML/CTF Act does not require you to keep scanned copies or photocopies of identity documents themselves for record keeping purposes."
This applies to Tranche 2 entities — including real estate agencies — from 1 July 2026.
What the guidance says to retain instead are the details recorded from the document. Specifically:
- Name
- Date of birth
- Residential address
- Document expiry date
- Passport or licence number
This information, combined with noting the document type and the issuing authority, is what constitutes a compliant CDD record.
The full scan or photocopy that many agencies instinctively save — because that's what they've always done in a paper-based sales process — is not required and creates a Privacy Act exposure.
Why this is relevant to agencies building their process now
Most real estate agencies are setting up their CDD process for the first time.
That's an advantage.
Agencies that already have identity document practices (some use them for property management, some as a general ID-check habit) need to actively review whether those practices align with the data minimisation principle the OAIC describes.
The OAIC acknowledges that changing existing systems takes time and effort. For agencies working through a transition, the standard is "reasonable steps" — which includes documenting what you intend to change and by when.
For agencies starting fresh from 1 July 2026, this is simpler: build the process to capture document details, not document images, from day one.
What a compliant CDD record looks like
A complete identity verification record for an individual client includes:
- Full legal name
- Date of birth
- Residential address
- Document type (e.g. Australian passport)
- Issuing authority (e.g. the Australian Passport Office)
- Document number
- Expiry date
- Date the verification was conducted
- Who conducted it
All records must be retained for 7 years under the AML/CTF Act 2006.
None of it requires the original document image.
Note: this article covers individual-client CDD. Entity clients — companies, trusts, partnerships — have additional requirements, including beneficial ownership identification. The AUSTRAC CDD guidance has sector-specific detail on those.
Three things worth checking before July 1
- Review your planned CDD workflow. If you're intending to photograph or scan identity documents as part of verification, the OAIC guidance suggests that practice goes further than required. Recording the document details is sufficient.
- Check existing record-keeping practices. If your property management or sales process already captures ID document images for other purposes, consider whether those records need to be reviewed in light of the Privacy Act's data minimisation principle. That's a question worth putting to a qualified compliance professional.
- Document your approach in your AML/CTF program. Your program should describe what you collect during CDD, how you verify it, and how long you retain it. Making sure that description reflects your actual process is part of a well-functioning program.
AML Simple's CDD workflow records document details — not document scans — so if you're using the platform, your verification records are built to match the OAIC's data minimisation guidance from the first client check.
The process takes around 2 minutes per client, and the record is stored automatically and is retrievable for the 7-year retention period.
Sources:
- OAIC, Privacy guidance for reporting entities under the Anti-Money Laundering and Counter-Terrorism Financing Act (published 27 February 2026, updated 13 April 2026): oaic.gov.au
- AUSTRAC, Customer Due Diligence — Reform guidance: austrac.gov.au
- Anti-Money Laundering and Counter-Terrorism Financing Act 2006: legislation.gov.au
General information only. Consult a qualified AML/CTF compliance professional for advice specific to your agency.