Australia’s Tranche 2 reforms are tightening AML obligations and raising the stakes around how firms collect, share, and protect identity data.
From 31 March 2026, newly regulated businesses can start enrolling with AUSTRAC, and from 1 July 2026 certain designated services provided by lawyers, accountants, conveyancers, real estate professionals, trust and company service providers, and dealers in precious stones and metals will fall under the AML/CTF regime.
Customer due diligence (CDD) can involve collecting identity details, checking who is acting on a customer’s behalf, identifying beneficial owners, understanding the nature and purpose of a transaction, and in some cases examining source of funds or source of wealth.
More regulated firms mean more sensitive information moving through everyday operational workflows.
For those that still rely on ordinary email attachments to move onboarding packs and identity documents around, the compliance question is becoming broader.
Firms now need to ask whether their controls match the sensitivity of the data, the risk of misdirection, and their privacy obligations.
AUSTRAC has said the reforms will expand the number of businesses it regulates from around 19,000 to close to 100,000 nationwide.
That does not mean every newly regulated firm will collect the same information in every matter, but it does mean many more organisations will need repeatable processes for gathering and verifying customer information before providing designated services.
Customer Due Diligence Will Reach Beyond Basic ID Checks
Under AUSTRAC’s reforms, newly regulated entities providing designated services will need to apply customer due diligence measures from 1 July 2026.
Initial CDD guidance makes clear that businesses may need to establish the identity of the customer, anyone acting on the customer’s behalf, anyone on whose behalf the service is being received, and, where the customer is not an individual, any beneficial owners.
For individuals, AUSTRAC points to documents such as current passports and driving licences, or combinations of non-photographic documents and secondary evidence.
For trusts, the evidence can include a trust deed, a will, or letters of administration, as well as information about trustees, appointors, guardians, protectors, and beneficiaries where relevant.
That means more regulated firms will handle data that can be highly useful to fraudsters if it is exposed, forwarded, or left sitting in the wrong mailbox.
More Information Does Not Mean Unlimited Collection
The privacy side of this is just as important as the AML/CTF side.
In its guidance, the OAIC says AML/CTF obligations do not override the basic rule that the collection of personal information must still be reasonably necessary.
"The AML/CTF obligations do not provide you with a ‘blank cheque’ to collect any personal information."
That is an important distinction for firms designing new onboarding journeys.
Tranche 2 does not create a licence to collect everything, from everyone, at the earliest possible moment.
It requires businesses to understand when a designated service is actually in scope, what information is necessary for the due diligence task in front of them, and how to stop excess data gathering from becoming routine.
Why Ordinary Attachment Workflows Create Pressure
Email remains convenient, familiar, and fast.
But when the material being exchanged includes passports, driving licence details, trust documents, financial records, or beneficial ownership information, convenience stops being the only consideration.
Email Errors Are Still a Real Breach Scenario
The OAIC’s breach guidance explicitly uses an email sent to the wrong person as an example of a human-error breach.
It also notes that breaches involving personal information can lead to harms including financial fraud, identity theft, emotional harm, and reputational damage.
Across the OAIC’s recent notifiable data breach reporting, personal information sent to the wrong recipient by email accounted for 38% of human-error breaches in January to June 2024 and 42% in July to December 2024.
Where The Data Comes From
Wrong-recipient email remains the largest human-error breach category in the OAIC’s latest notifiable data breach reporting - a practical warning for firms about to increase identity data in inboxes.
For any business about to increase the volume of identity data passing through inboxes, shared mailboxes, and manual follow-up chains, that should be a warning sign.
Mailbox Security Alone Is Not the Same as Controlled Delivery
Standard email can be protected in transit between mail servers.
ASD’s email guidance points organisations to controls such as opportunistic TLS, MTA-STS, SPF, DKIM, DMARC, and content filtering - the same mail-transport and sender-authentication controls explained in our TLS email encryption guide.
Those controls are important for spoofing resistance and mail hygiene. However, they do not, on their own, solve every workflow problem around sensitive attachments.
An attachment can still be sent to the wrong address, forwarded internally without the right controls, downloaded to unmanaged devices, or opened by someone who has access to the mailbox but was not the intended human recipient.
A secure email layer can help by adding recipient checks, controlled access, expiry options, and clearer evidence of delivery or access around the message itself.
If your process depends on a staff member attaching a passport scan to a normal email and hoping the right person receives, stores, and deletes it correctly, you are placing a lot of trust in habit.
"TLS and DMARC help with mail hygiene, but they do not tell you who opened a passport scan, whether access was checked, or what happened after the message left your outbox. That gap is where workflow controls around sensitive attachments matter."
Those workflow gaps become harder to ignore when teams start circulating full identity packs by attachment as Tranche 2 onboarding ramps up.
The Overlooked Risk: Keeping More Than You Need
One of the more useful points in the new guidance is retention: what you should stop keeping once verification is complete.
Full ID Copies Are Not the Default Record-Keeping Answer
AUSTRAC’s record-keeping guidance says entities are not required to make copies of identification documents for customer due diligence.
Instead, they must keep records of what they did to identify the customer and what information the customer provided.
The OAIC goes further: from 1 July 2026, Tranche 2 reporting entities should not keep copies of full identification documents such as passports or driving licences for AML/CTF record-keeping purposes unless another obligation applies.
That is highly relevant to email workflows.
If teams are routinely circulating full scans of identity documents as attachments, then saving them in mailboxes, forwarding them to colleagues, or leaving them in case folders long after verification is complete, they may be creating a larger privacy and cybersecurity exposure than the regime actually requires.
AUSTRAC also says customer due diligence records must be kept for seven years after an occasional transaction is complete or a business relationship ends, and sensitive records should be stored securely with access limited to authorised staff, consistent with APP 11 security obligations.
Need A Safer Way To Send Sensitive Email?
Mailock keeps email familiar while adding protected access, recipient checks, secure replies, message tracking, and sender controls.
Keep evidence of compliance, not a growing archive of unnecessary identity documents.
What Better Practice Looks Like Before July 2026
For firms now reviewing their readiness, the sensible starting point is to split the workflow: which parts can remain in ordinary email, and which parts need stronger controls because they involve high-risk identity material.
Checks Before July 2026
When is CDD triggered for each designated service in your practice?
Which identity documents need controlled delivery rather than ordinary attachments?
What records must you keep, and what should you delete after verification is complete?
These checks are most useful when teams map them to real client journeys rather than treating them as a one-off policy update.
Review the Trigger Points for CDD
Map the services in your practice that are designated services, and work out the point at which you reasonably conclude the engagement may involve one.
This shapes when you ask for identity information, and helps stop staff collecting documents far too early out of habit or caution.
Separate Low-Risk Messages From High-Risk Documents
Appointment confirmations, routine updates, and generic requests are one thing.
Passports, trust documents, verification evidence, and financial records are another.
Routine notices may remain suitable for standard email, but higher-risk identity documents often justify a more controlled delivery method.
Where identity material has to move digitally, use a method that adds safeguards around access, authentication, expiry, secure replies, and auditability, rather than treating every file the same.
Reduce the Amount of Data Moving Through Mailboxes
Reduce the data surface before you try to secure it.
Where possible, capture structured information into onboarding systems, and record only the data needed to demonstrate compliance.
If full document images are not required for your AML/CTF record-keeping purpose, make sure they are not becoming the default format simply because it feels easier operationally.
Train for the Breaches That Actually Happen
Staff need practical controls for common failure points: wrong-recipient emails, autocomplete mistakes, failure to use BCC, spoofed sender domains, weak verification of who is requesting the document, and inconsistent deletion after a matter closes.
That kind of operational discipline connects AML processes, privacy, and cybersecurity in a way many businesses have historically treated as separate workstreams.
The Strategic Point
Australia’s Tranche 2 reforms expand AML obligations, and for many newly regulated firms they also reshape how sensitive documents are collected, shared, and retained.
The organisations that respond well will update their policies for identity checks and rethink how sensitive documents move, who can access them, how long they are retained, and what security sits around them.
That is where Mailock, or a similarly controlled digital delivery method, starts to matter - as a practical way to add recipient checks, tighter access controls, expiry options, secure replies, message tracking, and audit trails around sensitive identity documents.
FAQs
Why Does Tranche 2 Increase Data-Handling Pressure?
More entities may need to collect, check, store, and send identity and due diligence information as part of AML processes.
Why Are Ordinary Attachment Workflows Risky?
Attachments can be misaddressed, forwarded, stored for too long, or accessed without strong recipient checks.
What Should Firms Review Before July 2026?
Review what information is collected, how long it is kept, who can access it, and how sensitive documents are sent.
Sam Kendall works on digital marketing at Beyond Encryption, helping build B2B marketing activity around research, first principles, and sustainable growth. He writes about marketing effectiveness, positioning, customer communications, and digital culture, with longer-form work published at ATNL.