The July 1 Obligation: What AML/CTF Tranche 2 Actually Means for Your Data Infrastructure


On 1 July 2026, Australia’s Anti-Money Laundering and Counter-Terrorism Financing regime expands more significantly than at any point since the original Act was introduced in 2006. Legal practices, accounting firms, real estate professionals, conveyancers, trust and company service providers, and dealers in precious metals and stones will become reporting entities for the first time, bringing tens of thousands of organisations under AUSTRAC’s supervisory remit (AUSTRAC, 2026).

Most of those organisations have spent the past months focused on the legal compliance question: do we need an AML/CTF programme, and what does it need to contain? Fewer have asked the infrastructure question that follows directly from it: where is the data we are now required to collect, retain, and protect actually going to live — and what does that environment need to look like?

That is the gap this article addresses.

What Tranche 2 actually requires

The core obligations imposed on newly regulated entities are not abstract. Each creates a concrete data liability.

Initial customer due diligence requires newly regulated organisations to collect and verify customer identity information before providing designated services. That means creating records of who the customer is, what documents were used to verify their identity, and the steps taken to satisfy the verification requirement.

Ongoing customer due diligence requires that organisations monitor customer relationships and update their records over time. Compliance is not a one-time event — it is an ongoing operational process that generates a growing body of sensitive personal data.

Suspicious matter reporting requires organisations to maintain secure, auditable reporting mechanisms for transactions or interactions that give rise to suspicion of money laundering or terrorism financing. The integrity and chain of custody of those records matters.

Record keeping ties these obligations together. Under the AML/CTF Act, organisations must retain customer identification and transaction records for a minimum of seven years (AUSTRAC, 2026). Seven years is a long time. It is a long time for data to accumulate, for storage configurations to change, for staff to turn over, and for threat actors to develop more sophisticated methods of targeting exactly this category of sensitive personal information.

This article provides technology and infrastructure guidance only. Organisations should confirm their specific obligations and the application of these requirements to their circumstances with qualified legal counsel.

The data liability you are now carrying

The practical effect of Tranche 2 is that tens of thousands of organisations — many of them professional services firms that have never previously operated as regulated entities — will begin holding, managing, and retaining significant volumes of sensitive personal information under a statutory obligation.

That personal information is regulated on two fronts simultaneously. It falls under the Privacy Act 1988 and the obligations it imposes on how personal information is collected, stored, used, and secured. And it falls under the AML/CTF Act, which imposes a separate set of obligations around record integrity, retention duration, and regulator accessibility.

Australia’s data breach environment provides important context for understanding why the infrastructure question matters. The OAIC received 1,113 data breach notifications in 2024 — the highest annual total since mandatory reporting began in 2018, representing a 25% increase from the previous year (OAIC, 2024). Malicious or criminal attacks accounted for 59% of those notifications, with cyber security incidents the dominant source (OAIC, 2025). The average cost of a data breach in Australia reached a record AUD $4.26 million in 2024 (IBM, 2024).

Customer identity records — the category of data that AML/CTF compliance generates — are among the most targeted by criminal actors. The 2023 Latitude Financial breach is instructive for newly regulated entities specifically because of what was taken: 7.9 million driver licence numbers, along with passport and Medicare numbers, stolen because attackers gained access through a third-party vendor’s employee credentials. Driver licences are one of the primary identity verification documents organisations will use to satisfy AML/CTF customer due diligence requirements. Latitude was not unprepared in any simple sense. The failure was that its environment — including its third-party dependencies — had not been designed to carry a regulatory data burden of that category and scale.

For newly regulated entities, the risk is compounded by unfamiliarity. Organisations that have not previously operated as reporting entities may not yet have the security maturity to recognise what their AML/CTF data environment actually requires.

What your infrastructure needs to do

A compliant data environment for AML/CTF records is not simply a matter of having storage capacity. The obligations under the Act imply specific technical capabilities that many professional services environments do not currently have in place.

Encryption at rest and in transit is foundational. Customer identity records and transaction data should be encrypted whenever they are stored and whenever they move — between systems, between locations, and between the organisation and any third parties involved in processing.

Access controls and audit logging are required in practice, and implicitly by the record-integrity obligations of the Act. Who can access AML/CTF records, under what circumstances, and with what authorisation should be definable, enforceable, and auditable. Audit logs should be tamper-evident and retained alongside the records they relate to.

Network segmentation matters where AML/CTF data is stored alongside other operational data. Regulated personal information should not share the same network boundary as systems that face the public internet without appropriate controls in between.

Retention and deletion management is a distinct capability from storage. The seven-year minimum creates an obligation to retain. The Privacy Act creates an obligation to destroy personal information when it is no longer required for the purpose for which it was collected. Managing both obligations simultaneously requires a data lifecycle framework, not simply a storage policy.

Data residency is addressed in the next section, but it is worth noting here: the environment in which AML/CTF records are stored should be capable of demonstrating to AUSTRAC that records are accessible, complete, and unaltered upon request. That requires more than backup infrastructure. It requires records management.
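Two of the capabilities above, tamper-evident audit logging and lifecycle management against the seven-year minimum, are concrete enough to show in code. The following is an added illustration written for this article; it is not Orro's code or part of any product described here. It builds a hash-chained access log whose verification fails if any earlier entry is altered, reordered or deleted, and a retention check that flags records past the seven-year minimum for destruction review. Every record id, user name and date is a constructed sample value, and the choice of which date starts the retention clock is left to the caller because that is a legal question the article does not settle.

```python
"""Tamper-evident access log and retention check for AML/CTF customer records.

Added illustration, not code from the article or from Orro. Every record id,
user name and date below is a constructed sample value.
"""
from __future__ import annotations

import hashlib
import json
from datetime import date

RETENTION_YEARS = 7          # minimum retention period stated in the article
GENESIS = "0" * 64           # placeholder "previous hash" for the first entry


def _digest(body: dict) -> str:
    """SHA-256 over a canonical JSON encoding so field order cannot affect it."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only log where each entry commits to the hash of the one before.

    Altering, reordering or deleting an earlier entry changes its digest and
    therefore breaks the 'prev' link of every later entry, which verify()
    detects. This gives tamper evidence, not tamper resistance: the latest
    hash still has to be anchored somewhere the log writer cannot rewrite
    (for example, copied to a separate write-once store).
    """

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, actor: str, action: str, record_id: str, ts: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "ts": ts,                 # ISO-8601 timestamp supplied by the caller
            "actor": actor,
            "action": action,         # e.g. "cdd_verify", "view", "export"
            "record_id": record_id,
            "prev": prev,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> tuple[bool, int | None]:
        """Recompute the chain from genesis. Returns (ok, first_bad_seq)."""
        prev = GENESIS
        for i, stored in enumerate(self.entries):
            body = dict(stored)
            claimed = body.pop("hash")
            if body["seq"] != i or body["prev"] != prev or _digest(body) != claimed:
                return False, i
            prev = claimed
        return True, None


def add_years(d: date, n: int) -> date:
    """Calendar-year arithmetic that survives a 29 February start date."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


def retention_status(retention_start: date, today: date) -> str:
    """Classify a record under the two obligations the article describes.

    'retain' while inside the seven-year minimum; 'review_for_destruction'
    once it has passed, because the Privacy Act expects personal information
    no longer needed to be destroyed rather than kept indefinitely. Which
    date starts the clock is an assumption supplied by the caller.
    """
    retain_until = add_years(retention_start, RETENTION_YEARS)
    return "retain" if today < retain_until else "review_for_destruction"


if __name__ == "__main__":
    log = AuditLog()
    log.append("analyst.a", "cdd_verify", "CUST-0001", "2026-07-01T09:00:00Z")
    log.append("analyst.b", "view", "CUST-0001", "2026-07-02T10:15:00Z")
    print("chain intact:", log.verify())            # (True, None)
    log.entries[0]["actor"] = "someone.else"         # simulated after-the-fact edit
    print("after edit:", log.verify())               # (False, 0)
    print(retention_status(date(2026, 7, 1), date(2030, 1, 1)))  # retain
    print(retention_status(date(2026, 7, 1), date(2033, 7, 1)))  # review_for_destruction
```

The chain only proves that the log has not changed since its latest hash was recorded, so that hash needs to be written somewhere the systems that generate the log cannot modify. Run the verification on a schedule and on any regulator request, and treat a failure as an incident rather than a data-quality issue.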

Orro’s Trust and Security framework provides a reference point for understanding how these infrastructure requirements map to managed security and cloud services — see orro.group/about/trust-security/.

Data sovereignty: the question most organisations haven’t asked

AUSTRAC’s record-keeping guidance makes clear that records must be created, retained, and accessible in a form that allows regulators to retrieve them. AUSTRAC’s record-keeping requirements specify that organisations must be able to quickly access and, if needed, translate records into English (AUSTRAC, 2026).

That has practical implications for where data is stored. Organisations that rely on cloud infrastructure hosted in foreign jurisdictions — particularly US-headquartered hyperscalers whose default configurations do not guarantee Australian data residency — may find that data which should be accessible to an Australian regulator is, in practice, subject to foreign legal jurisdiction, foreign data retention laws, and foreign access regimes.

This is not a hypothetical concern. Legal and privacy professionals are well aware of the tensions that can arise when Australian records are subject to US data requests, European data protection law, or the shifting regulatory posture of any foreign jurisdiction. For organisations that had no regulatory obligations before 1 July, it may not have been a concern worth resolving. After 1 July, it is.

Australian-domiciled, Australian-managed infrastructure removes that uncertainty. It does not eliminate all compliance complexity — organisations still need the right controls, the right processes, and the right governance in place — but it removes a category of uncertainty that should not exist in a regulatory data environment.

For newly regulated entities reviewing their cloud infrastructure and managed services arrangements, data residency is a question to raise now, before obligations commence.

The window for preparation is narrow. Organisations newly subject to Tranche 2 that have not yet assessed their data infrastructure against what the obligations require are operating in a gap that will close on 1 July — and that will be visible to AUSTRAC if and when it looks.

The compliance question and the infrastructure question are not separate decisions. Organisations that answer one without the other have answered neither.

If your organisation is newly subject to AML/CTF obligations, understanding the current state of your data infrastructure is an essential first step. Orro’s Security Maturity Assessment provides an independent view of your environment against the controls that regulated data requires.


Further Reading & Sources

This article provides technology and infrastructure guidance only and does not constitute legal advice. Organisations should seek qualified legal counsel to confirm their specific obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 and associated regulations.
