AML/CTF Tranche 2 Privacy Compliance Kit

For Lawyers, Accountants, Real Estate Agents & Conveyancers

You know your clients. You've always kept records, protected sensitive information, and run a professional practice. But from 1 July 2026, two things change at once: AML/CTF obligations require you to conduct formal customer due diligence for the first time, and the Privacy Act now applies to how you handle that information.

The AML/CTF regime brings rigorous identity verification, beneficial ownership checks, ongoing monitoring, and reporting obligations that most lawyers, accountants, real estate agents, and conveyancers have never had to deal with. And because you're now collecting and storing personal information for CDD purposes, the small business exemption in the Privacy Act disappears — regardless of your turnover.

This kit gives you the 8 privacy compliance documents you need to handle that new reality. They're specifically tailored for Tranche 2 entities — covering the unique intersection of AML/CTF obligations and privacy law that generic templates don't address.

Compliance shouldn't be a transformation project. Start with documentation. You're stepping into a new regulatory environment, but you don't need to build everything from scratch. These documents give you the right legal language, the right structure, and the AML/CTF-specific nuances (like tipping-off carve-outs and ID document minimisation) that matter from day one. Get the foundation in place, then build from there.

What's Included

1. Privacy Policy
Public-facing policy covering all 13 APPs, tailored for Tranche 2 entities. Includes AML/CTF-specific collection, use, and disclosure clauses, overseas disclosure options, and complaint handling. Ready to publish on your website.
2. Client Collection Notice — AML/CTF CDD
APP 5 compliant notice for client onboarding. Covers what you collect for customer due diligence, why, who you share it with, and consequences of not providing information. Provide as a handout, in your engagement letter, or by email.
3. Employee Collection Notice
Privacy notice for staff and contractors. Include in your employment contract pack or onboarding materials.
4. Data Breach Response Plan
Step-by-step procedure: contain, assess, notify, review. Includes the Notifiable Data Breaches scheme requirements AND critical tipping-off warnings for breaches involving SMR-related information. Red warning boxes flag the criminal offence provisions.
5. Individual Rights Request Procedure
Internal procedure for handling APP 12 (access) and APP 13 (correction) requests. Includes SMR carve-out guidance — what to do when a client requests access to a file that contains Suspicious Matter Report information.
6. Data Retention & Destruction Schedule
Retention periods for AML/CTF records (7 years), client files, employee records, financial records, and more. Aligned to the new OAIC guidance on not retaining copies of full ID documents. Includes destruction methods and annual review process.
7. Third Party & Outsourcing Privacy Schedule
Contractual privacy clauses for your service provider agreements. Covers data handling obligations, breach notification, overseas processing, audit rights, and an AI/ML data use restriction clause.
8. Privacy Impact Assessment Template
Simple PIA template for new projects, systems, or service changes. Pre-populated risk matrix covering the most common privacy risks. Fill in, assess, approve.
9. Privacy Management Plan
Your internal governance document — the plan that sits behind your public privacy policy. Documents how you manage personal information, your governance structure, roles and responsibilities, personal information holdings register, and how AML/CTF obligations interact with privacy requirements. Includes tipping-off guidance and ID document minimisation requirements. This is what the OAIC expects under APP 1.2.
10. Compliance Monitoring Guide
Tells you what to check, when, and how to record the results. Seven quarterly checks (sample client files for notices, check user access, test breach plan accessibility, spot-check staff awareness) and ten annual reviews. Includes a monitoring log with pre-filled example entries. The log is your evidence that you're not just compliant on paper — you're actively monitoring. Includes AML/CTF-specific checks for ID document retention and CDD notice issuance.

Excel Companion Files

These spreadsheets ship alongside the Word documents. They turn static reference documents into operational tools you can use day-to-day.

Compliance Monitoring Log (Excel)
Spreadsheet version of the monitoring log with dropdown validation (Q1–Q4, Annual), pre-filled examples, and a quarterly checklist tab with Working/Partially Working/Not Working dropdowns.
Third Party Provider Register (Excel)
Track all service providers that handle personal information. Provider name, service, data handled, location, contract status (dropdown), risk rating, review dates. Pre-filled with common examples.

How It Works

  • Download — 10 Word documents + 2 Excel trackers, delivered instantly
  • Customise — find-and-replace [Organisation Name], add your logo, set the effective date
  • Read the guidance — blue implementation notes explain every section and help you adapt
  • Publish — remove the guidance notes, approve internally, and you're compliant

Who This Is For

  • Law firms and sole practitioners providing designated legal services
  • Accounting practices and tax agents
  • Real estate agencies
  • Conveyancing practices
  • Trust and company service providers
  • Dealers in precious metals and stones

Designed for practices with up to ~15 staff. If your practice has a small team, operates from one or two locations, and provides standard designated services, these documents will get you compliant. The implementation guidance scales to mid-sized practices. If you have complex operations — multiple offices across states, high-volume CDD, significant outsourcing, or international transfers — these are still a strong foundation, but consider tailored advice for the specifics. This kit covers your privacy obligations only — you still need a separate AML/CTF program as required by AUSTRAC.

$497 AUD + GST