AML/CTF Tranche 2 Privacy Compliance Kit
For Lawyers, Accountants, Real Estate Agents, Conveyancers, Jewellers & Trust Service Providers
You know your clients. You've always kept records, protected sensitive information, and run a professional practice. But from 1 July 2026, two things change at once: AML/CTF obligations require you to conduct formal customer due diligence for the first time, and the Privacy Act now applies to how you handle that information.
The AML/CTF regime brings rigorous identity verification, beneficial ownership checks, ongoing monitoring, and reporting obligations that most lawyers, accountants, real estate agents, conveyancers, jewellers, and trust service providers have never had to deal with. And because you're now collecting and storing personal information for CDD purposes, the small business exemption in the Privacy Act disappears — regardless of your turnover.
This kit gives you the 15 privacy and information security documents you need to handle that new reality. They're specifically tailored for Tranche 2 entities — covering the unique intersection of AML/CTF obligations and privacy law that generic templates don't address.
Compliance shouldn't be a transformation project. Start with documentation. You're stepping into a new regulatory environment, but you don't need to build everything from scratch. These documents give you the right legal language, the right structure, and the AML/CTF-specific nuances (like tipping-off carve-outs and ID document minimisation) that matter from day one. Get the foundation in place, then build from there.
Aligned with the OAIC's Privacy Essentials Checklist for AML/CTF reporting entities. In April 2026, the OAIC published dedicated privacy guidance for reporting entities under the AML/CTF Act, including a 14-point Privacy Essentials Checklist. This kit provides documents addressing every item — from privacy policies and collection notices through to ID document destruction, breach response, and staff training. The OAIC tells you what you need. This kit gives you the documents.
What's Included
1. Privacy Policy
Public-facing policy covering all 13 APPs, tailored for Tranche 2 entities. Includes AML/CTF-specific collection, use, and disclosure clauses, overseas disclosure options, and complaint handling. Ready to publish on your website.
2. Client Collection Notice — AML/CTF CDD
APP 5 compliant notice for client onboarding. Covers what you collect for customer due diligence, why, who you share it with, and consequences of not providing information. Provide as a handout, in your engagement letter, or by email.
3. Employee Collection Notice
Privacy notice for staff and contractors. Include in your employment contract pack or onboarding materials.
4. Data Breach Response Plan
Step-by-step procedure: contain, assess, notify, review. Includes the Notifiable Data Breaches scheme requirements AND critical tipping-off warnings for breaches involving SMR-related information. Red warning boxes flag the criminal offence provisions.
5. Individual Rights Request Procedure
Internal procedure for handling APP 12 (access) and APP 13 (correction) requests. Includes SMR carve-out guidance — what to do when a client requests access to a file that contains Suspicious Matter Report information.
6. Data Retention & Destruction Schedule
Retention periods for AML/CTF records (7 years), client files, employee records, financial records, and more. Aligned to the new OAIC guidance on not retaining copies of full ID documents. Includes destruction methods and annual review process.
7. Third Party & Outsourcing Privacy Schedule
Contractual privacy clauses for your service provider agreements. Covers data handling obligations, breach notification, overseas processing, audit rights, and an AI/ML data use restriction clause.
8. Privacy Impact Assessment Template
Simple PIA template for new projects, systems, or service changes. Pre-populated risk matrix covering the most common privacy risks. Fill in, assess, approve.
9. Privacy Management Plan
Your internal governance document — the plan that sits behind your public privacy policy. Documents how you manage personal information, your governance structure, roles and responsibilities, personal information holdings register, and how AML/CTF obligations interact with privacy requirements. Includes tipping-off guidance and ID document minimisation requirements. This is what the OAIC expects under APP 1.2.
10. Compliance Monitoring Guide
Tells you what to check, when, and how to record the results. Seven quarterly checks (sample client files for notices, check user access, test breach plan accessibility, spot-check staff awareness) and ten annual reviews. Includes a monitoring log with pre-filled example entries. The log is your evidence that you're not just compliant on paper — you're actively monitoring. Includes AML/CTF-specific checks for ID document retention and CDD notice issuance.
Information Security (APP 11)
11. Information Security Policy
Core security policy covering access controls, encryption, physical security, incident response, acceptable use, and staff obligations. Proportionate to small practice operations — not an enterprise framework, but enough to demonstrate reasonable steps under APP 11.
12. Access Control & Password Policy
Who gets access to what, how passwords are managed, MFA requirements, and procedures for onboarding/offboarding. Particularly important given CDD records and client files.
13. Acceptable Use of IT Policy
Rules for using business IT systems — email, internet, cloud tools, personal devices. Covers what staff can and can't do with firm systems and client data.
14. Remote Working & BYOD Policy
Controls for working from home and using personal devices. Covers secure access, data handling outside the office, physical security of paper files, and reporting obligations.
15. Data Classification Guide
Four-level classification scheme (Public, Internal, Confidential, Restricted) with handling rules. CDD records sit at Confidential or Restricted — this guide tells staff exactly how to handle each level.
Excel Companion Files
These spreadsheets ship alongside the Word documents. They turn static reference documents into operational tools.
Compliance Monitoring Log (Excel)
Spreadsheet version of the monitoring log with dropdown validation (Q1–Q4, Annual), pre-filled examples, and a quarterly checklist tab.
Data Retention Schedule (Excel)
Operational tracker with "Next Destruction Due" dates and status dropdowns. Includes AML/CTF 7-year retention periods pre-populated.
Compliance Framework Tracker (Excel)
All 15 documents mapped to APP coverage with status dropdowns (In Place, Draft, Needed) and a dashboard showing your % complete.
Third Party Provider Register (Excel)
Track all service providers handling personal information. Contract status and risk rating dropdowns. Pre-filled with common examples.
Data Breach Incident Workbook (Excel)
Breach register with SMR involvement tracking, incident assessment worksheet (duplicate per incident: containment log, serious harm test, tipping-off check, corrective actions), and notification log. Your operational companion to the Data Breach Response Plan.
How It Works
- Download — 15 Word documents + 5 Excel files, delivered instantly
- Customise — find-and-replace [Organisation Name], add your logo, set the effective date
- Read the guidance — blue implementation notes explain every section and help you adapt
- Publish — remove the guidance notes, approve internally, and you're compliant
Who This Is For
- Law firms and sole practitioners providing designated legal services
- Accounting practices and tax agents
- Real estate agencies
- Conveyancing practices
- Trust and company service providers
- Dealers in precious metals and stones (jewellers, gold dealers, gemstone dealers)
Designed for practices with up to ~15 staff. If your practice has a small team, operates from one or two locations, and provides standard designated services, these documents will get you compliant. The implementation guidance scales to mid-sized practices. If you have complex operations — multiple offices across states, high-volume CDD, significant outsourcing, or international transfers — these are still a strong foundation, but consider tailored advice for the specifics. This kit covers your privacy obligations only — you still need a separate AML/CTF program as required by AUSTRAC.