AML/CTF compliance doesn't just mean AUSTRAC is watching — it means the Privacy Act applies to you now too.
Most agents know something is changing on 1 July 2026. What many don't realise is that the AML/CTF obligations don't come alone. They bring the Privacy Act with them — and for the vast majority of Queensland agencies, that's a law that has never applied to them before. &asterisk;
That changes everything about how you handle client identity documents. The photos on your camera roll. The photocopies in your files. The way you've been collecting and storing ID for years. Under the Privacy Act, almost none of it is acceptable — and from 1 July, that matters.
Book a demoThe Privacy Act now applies to every reporting entity — including small businesses under $3 million turnover. For most agencies, this is brand new.
When agents think about AML/CTF compliance, they think about AUSTRAC — enrolling, building a program, verifying clients. What gets far less attention is the other obligation that arrives at exactly the same time: the Privacy Act now applies to your agency, most likely for the first time.*
And that changes the conversation entirely. Because it's not just about who you verify — it's about what you do with the information you collect when you verify them. The Privacy Act is clear: you must not retain personal information beyond what is necessary, and you must store it securely. That has direct and immediate consequences for the way most Queensland agents currently handle client ID.
Think about how your agency verifies identity today. A photo on a phone. A photocopy slipped into a file. A document number scribbled on an appointment form. These practices felt completely unremarkable — because for most agencies, they weren't regulated. From 1 July, they are.
* Most Queensland real estate agencies fall under the $3 million annual turnover threshold that previously exempted small businesses from the Privacy Act. AUSTRAC reporting entities are not eligible for this exemption. Source: OAIC, Privacy guidance for AML/CTF reporting entities (February 2026).
The Office of the Australian Information Commissioner (OAIC) is clear:
"All reporting entities that are required to comply with the AML/CTF Act are also required to comply with the Privacy Act when handling personal information for AML/CTF obligations."
— OAIC, Privacy guidance for AML/CTF reporting entities (February 2026)
This includes small businesses — regardless of turnover. For most real estate agencies, that's a new obligation that didn't exist before. That means the way your agency collects, stores and retains client identity information is now regulated — and some very common current practices are likely to fall foul of the law.
Across the industry, many agents currently verify identity by taking a photo of a client's licence or passport on their smartphone, or keeping a photocopy on the client's file. It's quick, it's familiar — and both regulators are now clear that it is the wrong approach.
AUSTRAC's reform guidance states plainly: "You aren't required to keep scanned copies or photocopies of identity documents themselves, such as driver's licences."
The OAIC goes further: "You should not keep copies of full identification documents (such as driver's licences or passports) for AML/CTF record keeping purposes."
— OAIC, Privacy guidance for AML/CTF reporting entities (February 2026)
This isn't a grey area. Both regulators have said, in plain terms, that keeping a photo or photocopy of a client's ID is not required — and under the Privacy Act, retaining personal information beyond what is necessary is not permitted.
"Collecting and retaining personal information you do not need may create cyber security risks, for your business, and to the people whose information you hold."
— OAIC, Privacy guidance for AML/CTF reporting entities (February 2026)
A file — or a smartphone photo — containing a client's full name, date of birth, document number, expiry date and residential address is, in practice, almost as valuable to an identity thief as the document itself. Data breaches in real estate are not hypothetical. Agencies hold some of the most sensitive personal and financial information of any small business sector — and from 1 July 2026, they will be holding more of it than ever before. A smartphone containing unencrypted photos of dozens of clients' passports and driver's licences is a significant liability.
Livesign's digital identity verification platform is designed to meet your verification of identity obligations while keeping your clients' information — and your business — protected.
Your new privacy obligations don't have to create new risks for your clients. Livesign helps you meet them — compliantly, and without the liability that comes with a camera roll full of your clients' passports.
