From today, 1 July 2026, Australia’s anti-money-laundering rules extend to a long list of “tranche 2” businesses — real estate agents, accountants, conveyancers, lawyers and a few others — as confirmed by business.gov.au and overseen by AUSTRAC. If you provide a “designated service”, you now have to enrol with AUSTRAC (enrolment has been open since 31 March and closes 29 July), verify your customers’ identity, watch for and report suspicious activity, and keep the records for seven years.
Central West NSW runs on exactly these firms. Orange, Bathurst and Dubbo are full of independent accounting practices, busy conveyancers and a property market that’s kept agents flat out — and many have never had AML obligations before, so this is a standing start. The part that catches people out isn’t the form-filling. It’s the data. Collecting and holding ID for seven years means you’re now sitting on a pile of passports, licences and financial details that didn’t use to live in your systems.
In smaller regional practices, that sensitive ID tends to end up in the worst possible places — sitting in an email inbox, dropped into a shared drive the whole office can open, or scanned and left in a photocopier’s memory. Under these rules that’s a problem twice over: you have to keep it securely for seven years, then dispose of it properly. And if it leaks, a data breach involving that much identity information is very likely reportable to the OAIC under the Privacy Act.
So before you wrestle with the AML paperwork, sort out where client ID is going to live: an access-controlled, encrypted store with a retention clock on it — not an inbox. If you’re not sure your current setup is up to it, ask your IT provider, or we’re happy to take a look at your data security as part of managed IT.
