In February 2026, the Office of the Australian Information Commissioner (OAIC) published some helpful guidance on the steps that reporting entities should take to ensure that they are complying with the requirements of the Privacy Act 1988 when dealing with personal information collected for the purposes of completing customer due diligence. Most notably, the OAIC recommended that reporting entities not keep copies of identification documents (e.g. scanned copies and photocopies of driver's licences and passports), but that reporting entities instead keep records of the types of identification documents relied upon and the information contained in those identification documents (e.g. name, date of birth and residential address).
Significantly, the OAIC’s recommendation appeared to overlook the fact that a reporting entity relying on KYC information collected and verified by another reporting entity (for example, a product provider relying on KYC information collected and verified by a financial adviser):
must:
if a written reliance agreement is in place – ensure that the written reliance agreement enables it to obtain copies of the identification documents used by the other reporting entity to verify the KYC information immediately or as soon as practicable upon request; or
if not – have reasonable grounds to believe that it can obtain copies of the identification documents used by the other reporting entity to verify the KYC information immediately or as soon as practicable upon request; and
therefore, will likely require the other reporting entity to keep copies of identification documents (at least until it has received them itself).
This oversight put financial advisers in a difficult position whereby they were simultaneously required by product providers to keep copies of identification documents and advised by the OAIC to not keep copies of identification documents.
New guidance
In April 2026, the OAIC updated its guidance. Most notably, the OAIC:
removed the following statement from page 16:
“From 31 March 2026 (or 1 July 2026 for ‘Tranche 2’ reporting entities), you should not keep copies of full identification documents for AML/CTF record keeping purposes (such as driver’s licenses or passports). The AML/CTF Act does not require you to keep scanned copies or photocopies of identity documents themselves.”
clarified the following statement on page 3:
“The AML/CTF Act does not require you to keep scanned copies or photocopies of identity documents themselves for record keeping purposes.”
added the following statement to page 3:
“There may be another AML/CTF purpose for holding copies of ID documents or other legislative obligations to retain them outside of the AML/CTF Act.”
Current interpretation
In light of these changes, the OAIC’s current position appears to be that reporting entities:
may make copies of full identification documents where doing so is reasonably necessary for their functions and activities; but
should take reasonable steps to destroy or de-identify those copies once they are no longer needed.
On the basis that:
dealings with product providers form an important (and often essential) part of a financial adviser’s business; and
dealings with product providers may (as identified above) require a financial adviser to keep copies of identification documents;
we consider that – where a financial adviser is required by a product provider to keep a copy of an identification document – doing so in accordance with this requirement is reasonably necessary for the financial adviser’s functions and activities.
For this reason, we take the view that:
Where a financial adviser is required by a product provider to keep a copy of an identification document – doing so in accordance with this requirement will not breach the financial adviser’s privacy obligations (provided the adviser considers that it is reasonably necessary to keep a copy for its business purposes). The financial adviser should however take reasonable steps to destroy or de-identify the copy once it is no longer needed.
Where a financial adviser is not required by a product provider to keep a copy of an identification document – they should not keep a copy of the identification document and should instead keep a record of the type of identification document relied upon and the information contained in that identification document (e.g. name, date of birth and residential address).
This view is based on the current law and published guidance and is subject to change as the law is amended and further guidance is released. Further, a financial adviser’s specific circumstances need to be taken into account in assessing this.
Existing copies of identification documents
The OAIC’s guidance is specific to the new AML/CTF regime. Financial advisers are therefore not required to immediately destroy or de-identify all copies of identification documents made prior to 31 March 2026. Financial advisers may continue to retain these copies for the duration of the relevant period in accordance with their record-keeping obligations.
If you have any questions in relation to the above, please contact Cowell Clarke’s AML/CTF team at Compliance@CowellClarke.com.au.
We’d like to thank Ivanna Tan, Law Clerk, for her contribution to this insight.
This publication has been prepared for general guidance on matters of interest only and does not constitute professional legal advice. You should not act upon the information contained in this publication without obtaining specific professional legal advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication and, to the extent permitted by law, Cowell Clarke does not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.