Australia’s Tranche 2 reforms are tightening AML obligations and raising the stakes around how firms collect, share, and protect identity data.
From 31 March 2026, newly regulated businesses can start enrolling with AUSTRAC, and from 1 July 2026 certain designated services provided by lawyers, accountants, conveyancers, real estate professionals, trust and company service providers, and dealers in precious stones and metals will fall under the AML/CTF regime.
Customer due diligence (CDD) can involve collecting identity details, checking who is acting on a customer’s behalf, identifying beneficial owners, understanding the nature and purpose of a transaction, and in some cases examining source of funds or source of wealth.
More regulated firms mean more sensitive information moving through everyday operational workflows.
For those that still rely on ordinary email attachments to move onboarding packs and identity documents around, the compliance question is broader than whether the information is sensitive.
It is whether your controls match the sensitivity of the data, the risk of misdirection, and your privacy obligations.
Why Tranche 2 Changes the Data-Handling Picture
AUSTRAC has said the reforms will expand the number of businesses it regulates from around 19,000 to close to 100,000 nationwide.
That does not mean every newly regulated firm will collect the same information in every matter, but it does mean many more organisations will need repeatable processes for gathering and verifying customer information before providing designated services.
Customer Due Diligence Will Reach Beyond Basic ID Checks
Under AUSTRAC’s reforms, newly regulated entities providing designated services will need to apply customer due diligence measures from 1 July 2026.
Initial CDD guidance makes clear that businesses may need to establish the identity of the customer, anyone acting on the customer’s behalf, anyone on whose behalf the service is being received, and, where the customer is not an individual, any beneficial owners.
For individuals, AUSTRAC points to documents such as current passports and driving licences, or combinations of non-photographic documents and secondary evidence.
For trusts, the evidence can include a trust deed, a will, or letters of administration, as well as information about trustees, appointors, guardians, protectors, and beneficiaries where relevant.
That means more regulated firms will handle data that can be highly useful to fraudsters if it is exposed, forwarded, or left sitting in the wrong mailbox.
More Information Does Not Mean Unlimited Collection
The privacy side of this is just as important as the AML/CTF side.
In its guidance for reporting entities, the OAIC says AML/CTF obligations do not override the basic rule that collection of personal information must still be reasonably necessary.
"The AML/CTF obligations do not provide you with a ‘blank cheque’ to collect any personal information."
That is an important distinction for firms designing new onboarding journeys.
Tranche 2 does not create a licence to collect everything, from everyone, at the earliest possible moment.
It requires businesses to understand when a designated service is actually in scope, what information is necessary for the due diligence task in front of them, and how to stop excess data gathering from becoming routine.
Why Ordinary Attachment Workflows Create Pressure
Email remains convenient, familiar, and fast.
But when the material being exchanged includes passports, driving licence details, trust documents, financial records, or beneficial ownership information, convenience stops being the only consideration.
Email Errors Are Still a Real Breach Scenario
The OAIC’s breach guidance explicitly uses an email sent to the wrong person as an example of a human-error breach.
It also notes that breaches involving personal information can lead to harms including financial fraud, identity theft, emotional harm, and reputational damage.
Across the OAIC’s recent notifiable data breach reporting, personal information sent to the wrong recipient by email accounted for 38% of human-error breaches in January to June 2024 and 42% in July to December 2024.
For any business about to increase the volume of identity data passing through inboxes, shared mailboxes, and manual follow-up chains, that should be a warning sign.
Mailbox Security Alone Is Not the Same as Controlled Delivery
Standard email can be protected in transit between mail servers.
ASD’s email guidance points organisations to controls such as opportunistic TLS, MTA-STS, SPF, DKIM, DMARC, and content filtering.
Those controls matter: SPF, DKIM and DMARC make it harder for others to spoof your domain, and TLS with MTA-STS protects messages between mail servers. But they address where a message came from and how it travelled, not whether it went to the right person or what happens to the attachment after delivery.
An attachment can still be sent to the wrong address, forwarded internally without the right controls, downloaded to unmanaged devices, or opened by someone who has access to the mailbox but was not the intended human recipient.
A secure email layer can help by adding recipient checks, controlled access, expiry options, and clearer evidence of delivery or access around the message itself.
If your process depends on a staff member attaching a passport scan to a normal email and hoping the right person receives, stores, and deletes it correctly, you are placing a lot of trust in habit.
The Overlooked Risk: Keeping More Than You Need
One of the more useful points in the new guidance is not about sending data at all - it is about what you should stop keeping.
Full ID Copies Are Not the Default Record-Keeping Answer
AUSTRAC’s record-keeping guidance says entities are not required to make copies of identification documents for customer due diligence.
Instead, they must keep records of what they did to identify the customer and what information the customer provided.
The OAIC goes further: from 1 July 2026, Tranche 2 reporting entities should not keep copies of full identification documents such as passports or driving licences for AML/CTF record-keeping purposes unless another obligation applies.
That is highly relevant to email workflows.
If teams are routinely circulating full scans of identity documents as attachments, then saving them in mailboxes, forwarding them to colleagues, or leaving them in case folders long after verification is complete, they may be creating a larger privacy and cybersecurity exposure than the regime actually requires.
AUSTRAC also says customer due diligence records must be kept for seven years after an occasional transaction is complete or a business relationship ends, and sensitive records should be stored securely with access limited to authorised staff.
So - keep evidence of compliance, not a growing archive of unnecessary identity documents.
What Better Practice Looks Like Before July 2026
For firms now reviewing their readiness, the sensible question is not whether email should disappear.
It is which parts of the workflow can remain in ordinary email, and which parts need stronger controls because they involve high-risk identity material.
Review the Trigger Points for CDD
Map the services in your practice that are designated services, and work out the point at which you reasonably conclude the engagement may involve one.
This shapes when you ask for identity information, and helps stop staff collecting documents far too early out of habit or caution.
Separate Low-Risk Messages From High-Risk Documents
Appointment confirmations, routine updates, and generic requests are one thing.
Passports, trust documents, verification evidence, and financial records are another.
Routine notices may remain suitable for standard email, but higher-risk identity documents often justify a more controlled delivery method.
Where identity material has to move digitally, use a method that adds safeguards around access, authentication, expiry, secure replies, and auditability, rather than treating every file the same.
Reduce the Amount of Data Moving Through Mailboxes
Reduce the data surface before you try to secure it.
Where possible, capture structured information into onboarding systems, and record only the data needed to demonstrate compliance.
If full document images are not required for your AML/CTF record-keeping purpose, make sure they are not becoming the default format simply because it feels easier operationally.
Train for the Breaches That Actually Happen
Staff need practical controls for common failure points: wrong-recipient emails, autocomplete mistakes, failure to use BCC, spoofed sender domains, weak verification of who is requesting the document, and inconsistent deletion after a matter closes.
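The failure points above (wrong recipient, autocomplete typo, missing BCC, sending identity material to someone not on the matter) are the kind of thing a pre-send check can catch mechanically rather than by habit. The following is an added illustration written for this article, not code from Beyond Encryption or any product it sells. The firm domain, the per-matter contact allowlist, the matter number and the filename patterns are all assumed, and the drafts at the bottom are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed firm domain; any other domain counts as external. (Hypothetical.)
INTERNAL_DOMAIN = "firm.example"

# Constructed per-matter allowlist: who may receive identity material on a matter.
# In practice this would be pulled from the practice management system.
MATTER_CONTACTS = {
    "M-2026-0417": {"client@harbourtrust.example", "jane.lee@hlconvey.example"},
}

# Heuristic filename patterns for CDD material (passports, licences, trust deeds,
# verification packs). Assumed for the example; tune to your own naming conventions.
SENSITIVE_NAME = re.compile(
    r"passport|licen[cs]e|driver|trust[ _-]?deed|verif|kyc|cdd|id[ _-]?scan", re.I
)


@dataclass
class Draft:
    matter: str
    to: List[str]
    cc: List[str] = field(default_factory=list)
    bcc: List[str] = field(default_factory=list)
    attachments: List[str] = field(default_factory=list)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str, known: set) -> str:
    """Return the approved domain this one resembles (distance 1 or 2), else ''."""
    for k in known:
        if domain != k and edit_distance(domain, k) <= 2:
            return k
    return ""


def check_draft(d: Draft) -> Tuple[str, List[Tuple[str, str]]]:
    """Return ('SEND' | 'WARN' | 'BLOCK', findings). Only sensitive drafts get the full check."""
    findings: List[Tuple[str, str]] = []
    sensitive = [a for a in d.attachments if SENSITIVE_NAME.search(a)]
    if not sensitive:
        return "SEND", findings  # routine mail: ordinary email is fine

    allowed = {a.lower() for a in MATTER_CONTACTS.get(d.matter, set())}
    known_domains = {domain_of(a) for a in allowed}
    for addr in d.to + d.cc + d.bcc:
        if domain_of(addr) == INTERNAL_DOMAIN or addr.lower() in allowed:
            continue
        near = lookalike(domain_of(addr), known_domains)
        if near:
            findings.append(("BLOCK", f"{addr}: domain resembles approved domain {near} (typo or lookalike?)"))
        else:
            findings.append(("BLOCK", f"{addr}: not an approved contact on matter {d.matter}"))

    # Several external parties visible in To/CC leaks who else is on the matter.
    visible_external = [a for a in d.to + d.cc if domain_of(a) != INTERNAL_DOMAIN]
    if len(visible_external) > 1:
        findings.append(("WARN", "several external recipients visible in To/CC; use BCC or send separately"))

    findings.append(("WARN", f"identity material attached ({', '.join(sensitive)}); prefer a controlled delivery channel"))
    verdict = "BLOCK" if any(level == "BLOCK" for level, _ in findings) else "WARN"
    return verdict, findings


if __name__ == "__main__":
    # Constructed drafts: the correct client address, then the same address with one extra letter.
    for draft in (
        Draft("M-2026-0417", ["client@harbourtrust.example"], attachments=["Passport_scan.pdf"]),
        Draft("M-2026-0417", ["client@harbourtrusts.example"], attachments=["Passport_scan.pdf"]),
    ):
        print(check_draft(draft))
```

The first draft clears with a warning (identity material is attached, so a controlled channel is preferred); the second is blocked because `harbourtrusts.example` is one character away from the approved domain, which is exactly what an autocomplete or typing slip looks like. Routine mail with no sensitive attachment passes untouched, so the check only adds friction where the article argues friction is warranted.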
That kind of operational discipline connects AML processes, privacy, and cybersecurity in a way many businesses have historically treated as separate workstreams.
The Strategic Point
Australia’s Tranche 2 reforms are often described as AML changes, and they are, but for many newly regulated firms, they are also a communications and data-handling change.
The organisations that respond well will not only update their policies for identity checks but also rethink how sensitive documents move, who can access them, how long they are retained, and what security sits around them.
That is where secure email, or a similarly controlled digital delivery method, starts to matter - not as a branding choice, but as a practical way to add recipient checks, tighter access controls, expiry options, secure replies, and better evidence around the delivery of sensitive identity documents.
FAQs
What Are Australia’s Tranche 2 AML Reforms?
They are reforms that expand Australia’s AML/CTF regime to additional high-risk designated services, including certain services provided by lawyers, accountants, real estate professionals, conveyancers, trust and company service providers, and dealers in precious stones and metals.
Will Tranche 2 Firms Need To Keep Passport Or Driving Licence Scans?
Not for AML/CTF record-keeping as a default. AUSTRAC says firms are not required to copy identification documents for customer due diligence, and the OAIC says Tranche 2 entities should not keep full ID copies for AML/CTF record-keeping purposes from 1 July 2026 unless another legal obligation applies.
Is Ordinary Email Automatically Non-Compliant?
No. The issue is whether the overall process uses reasonable and proportionate safeguards for the sensitivity of the information being handled. For high-risk identity data, ordinary attachments may not give enough control on their own.
What Should Firms Review Before 1 July 2026?
They should review when CDD is triggered, what data is genuinely necessary, how identity documents are shared, who can access them, how long they are retained, and how the business will respond if information is sent to the wrong person.
Sam Kendall is a marketing strategist with over a decade of experience working on how organisations communicate with people through digital channels. At Beyond Encryption, he leads digital marketing, collaborating closely with product and sales on secure, trustworthy customer communications. His work is grounded in research, buying behaviour, and practical experience, with a focus on clarity, consistency, and long-term effectiveness rather than short-term tactics.