You have 0 free articles left this month.
Compliance

Damned if you do, defenceless if you don't: The new AML/CTF dilemma

5 min read
Share this article on:

The 2026 AML/CTF changes suggest destroying client ID copies is the right move for privacy, but it might leave brokers completely exposed in a fraud audit, warns QED Group director Greg Ashe. In this opinion piece, he unpacks the new ID dilemma brokers need clarity on.

The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cwth) went through a couple of changes this year, which broker businesses need to be aware of.

While the AML/CTF rules have been expanded to more professionals (real estate professionals, dealers in precious metals and stones, and professional service providers such as lawyers, conveyancers, accountants, and trust and company service providers were brought into the Privacy Act on 1 July 2026 under Tranche 2 reforms), changes for current reporting entities (i.e. Tranche 1) - including brokers - took effect from 31 March 2026.

It may affect the types and volume of personal information that is handled for AML/CTF purposes, depending on the customer risk.

 
 

Retention of identification copies

Perhaps misguidedly, perhaps overstepping their boundaries, perhaps neither, the Office of the Australian Information Commissioner (OAIC) has released specific guidance on the management of identification documents – and their guidance is that you must not keep copies!

According to the OAIC, as of 31 March 2026, Tranche 1 businesses should not retain copies of full ID documents for AML/CTF record-keeping purposes.

Here’s how it breaks down:

The AML/CTF Act specifically no longer requires actual copies of identification images to be retained by any parties.

The Privacy Act forbids you from holding personal information on record that you no longer have a need for.

The dilemma

Written above are the facts. However, that’s where the facts end and the interpretation begins (and bear in mind that “regulatory guidance” does not, in itself, hold the force of law. It’s just what it says – a guide based on the regulator’s considered opinion).

This change represents a bit of effort on behalf of brokers. We believe it also increases brokers’ vulnerability to the “fraud witch hunts” that we have seen in our industry recently.

Taking that at face value, how are brokers supposed to prove, in an audit or similar inquiry, that they did, in fact, sight the client ID and that they (the broker) are not complicit in customer fraud (especially at a time when the industry is undergoing all sorts of accusations)?

Certainly, at least one major aggregator has gone public with its interpretation of the OAIC’s interpretation of the AML/CTF and Privacy Acts. The aggregator is stating, as a cold, hard fact, that you have no reason to hold copies of ID and therefore you must destroy all copies of ID collected after 31 March 2026.

They’re missing a couple of things.

Firstly, they’re missing the key add-on that the OAIC was keen to emphasise – even if you don’t keep the ID, you must still keep the details of the ID.

Yes, of course, this likely means extra work for brokers, as you can’t just keep an image of the ID, you will have to transpose all the details of the ID documents into your loan file.

However, is the OAIC really drawing a solid line through the retention of ID documents? There are purposes for retention other than pure, regulatory ones. Their guidance clearly states:

There may be another AML/CTF purpose for holding copies of ID documents or other legislative obligations to retain them outside of the AML/CTF Act.

One of these purposes may be to demonstrate that you did, in fact, comply with your contractual obligations to your lenders.

One of these purposes may be to demonstrate to the police that you did, in fact, observe a form of genuine identification to confirm the identity of the consumer that you assisted with credit, that you didn’t just write some numbers down and “say” you saw the ID.

Indeed, what happens if you mis-record some of those document details?

Will these “records” protect you from prosecution if you are accused of aiding a criminal plot to defraud banks and launder money?

So here is another pathway. “Legislation” is not the only, legitimate reason for holding personal information – including copies of ID documents.

Just because the AML/CTF Act doesn’t require you to retain these documents doesn’t mean you no longer have a legitimate purpose for retention. The Australian Privacy Principles are not this restrictive. They intend to cover all records for all legitimate reasons.

The industry may shout us down; the good, collective legal minds of this country may publish a more qualified opinion of this situation than CompliFast’s; or the whole industry may simply adopt this as the norm and we just have to go along with it.

However, in the meantime, if I were a broker, I would be thinking very carefully about what to say if my aggregator/lenders/cops turn up at my office, seizing files with no ID in them.

Disclaimer: CompliFast provides informed, plain‑English interpretations of legislative and regulatory requirements. Our role is to help you understand what the law means in practice and to give you a clear, confident view of how to meet your obligations.

Whilst we aim to be a source of clarity and comfort, our commentary is not legal advice, nor can it be relied upon as such. It represents our professional compliance opinion. For legal advice specific to your circumstances, please consult a qualified legal practitioner.

Want to see more stories from trusted news sources?
Make The Adviser a preferred news source on Google.
Click here to add The Adviser as a preferred news source.

greg ashe qed group ta t hhcc