By Flagship AML
As Australia prepares for the expansion of its AML/CTF regime under Tranche 2 reforms, a persistent misconception continues to shape how many firms approach compliance. At the same time, evolving privacy expectations are challenging long-standing practices around how client information is collected and stored.
Many professional firms continue to treat AML compliance as a series of client “checks”, typically identity verification and screening, often accompanied by the routine collection and retention of identification documents. While these steps may appear prudent, they reflect a narrow and increasingly outdated view of what the legislative framework requires.
AML/CTF laws do not ask whether a firm has simply “checked” a client or accumulated documents. They require firms to assess risk, apply judgment, and demonstrate how and why a decision to proceed was made. Identity verification is one input into that process, not the outcome, and holding copies of identification documents is not, in itself, evidence of compliance.
Treating compliance as a checklist risks creating a false sense of security. A firm may verify identity and complete screening, yet still fail to identify or appropriately manage the underlying money laundering or terrorism financing risk.
At its core, AML/CTF compliance is a framework of judgment.
Firms must identify who their clients are, who owns or controls them, the nature and purpose of the engagement, and whether these factors give rise to risk. These are not mechanical steps. They require context, analysis and professional assessment.
Two clients may present identical identification documents yet pose very different risk profiles. The distinction lies not in the documents themselves, but in the surrounding circumstances.
The legislation requires reporting entities to verify identity using reliable and independent documentation or information. However, it does not prescribe that this must be done electronically. What matters is whether the method adopted is appropriate to the level of risk and enables the reporting entity to be reasonably satisfied as to the customer’s identity.
This is reinforced by record-keeping obligations, which require firms to retain not only the information collected, but also evidence of the analysis and decision-making undertaken. In practice, this means firms must be able to reconstruct their reasoning, sometimes years after the event.
Tools that focus solely on document collection, verification and screening may improve efficiency, but they do not necessarily address the broader requirement to assess and document risk. A checklist can confirm that steps were completed, but it cannot explain why a particular client was accepted or how identified risks were mitigated.
Recent guidance from the Office of the Australian Information Commissioner (OAIC), issued alongside the AML/CTF reforms, reinforces an important shift in approach: firms should not retain copies of full identification documents as part of their AML/CTF record-keeping. From 31 March 2026 (and 1 July 2026 for Tranche 2 entities), the position is clear: keeping scanned passports, driver’s licences or similar documents is not required under the AML/CTF regime and is generally inconsistent with privacy obligations.
Instead, the focus is on data minimisation. Firms are expected to collect and retain only the information reasonably necessary to demonstrate compliance, such as name, date of birth, address, document type, and the outcome of verification and risk assessment, not the document itself. Holding full ID documents is now expressly recognised as a significant privacy risk, increasing exposure in the event of a data breach without adding meaningful compliance value. In practical terms, this marks a clear distinction: the law requires you to verify identity and record your reasoning, not to warehouse sensitive documents.
Flagship AML has been designed with this principle in mind. The platform does not collect or store identification documents. Instead, it records the key verification details and, critically, the reasoning behind the firm’s risk assessment and decision to proceed. This approach aligns with both AML/CTF obligations and modern privacy expectations, reducing data exposure while strengthening the firm’s ability to demonstrate compliance.
A more complete approach to AML/CTF compliance recognises that it is not simply a process, but a series of decisions. It supports structured risk assessment, appropriate escalation for higher-risk matters, and clear documentation of the reasoning behind those decisions.
As Tranche 2 brings more professional services into scope, firms have an opportunity to rethink their approach.
Compliance is not defined by the documents collected, but by the quality of the judgment applied and the ability to demonstrate it.
© 2026 Flagship AML. All rights reserved. This article is for general informational purposes only and does not constitute legal advice.