Beyond compliance: what AML reforms reveal about information governance

From 1 July 2026, Australia’s expanded Anti-Money Laundering and Counter-Terrorism Financing regime will extend to a broader range of professions, including lawyers, accountants, real estate agents and other designated non-financial businesses and professions.

For many organisations, the immediate response will be to focus on the new rules: what needs to change, who is responsible and what evidence must be produced. That is understandable. But the reforms also raise a broader and very practical business question: if you were asked to prove compliance tomorrow, could you quickly find and trust the information you need?

This is where AML reform becomes more than a regulatory issue. It becomes an operational one.

Globally, businesses are already feeling the pressure. More than three-quarters of organisations say compliance complexity is negatively affecting their business, with rising costs, increasing resource demands and greater operational risk. For business leaders already managing tight margins, lean teams and competing priorities, another layer of compliance can feel like yet another burden.

But it can also be a useful trigger to fix a problem many organisations already know they have: information that is hard to find, inconsistently managed or spread across too many systems.

The real compliance challenge is control

Iron Mountain research shows a strong data foundation is a top strategic priority for many Australian businesses. Yet globally, organisations continue to struggle with the basics of information management. Almost six in ten executives cite data availability and quality as a major barrier to reporting, while only one in five say they have fully validated their data.

For an executive team, this is not just a technology issue. It affects how quickly a business can respond to a regulator, satisfy an auditor, answer a customer query, manage risk or make a confident decision.

In many organisations, information sits across physical records, legacy systems, shared drives, email inboxes, cloud platforms and business applications. Different teams may have different ways of storing, naming and retaining records. Ownership can be unclear. Duplication is common. Retention rules may be applied inconsistently.

Most of the time, these issues sit quietly in the background. But when scrutiny arrives, they quickly become visible.

Experience in markets such as the UK and New Zealand shows the risk of treating compliance as an administrative exercise. Organisations have not only had to understand new AML requirements; they have also had to demonstrate that records are complete, decisions are documented and risk assessments are supported by reliable data.

For Australian businesses, the lesson is simple: compliance depends on information you can trust.

Why audit readiness is a business priority

Being audit-ready is not about preparing for one review or responding to one regulatory request. It is about having a consistent, defensible way to manage business information every day.

That starts with knowing what information exists, where it is stored, who owns it, who can access it, how long it should be kept and when it should be securely destroyed. These may sound like back-office details, but they have very real business consequences.

When information is well managed, teams can respond faster. Compliance costs are easier to contain. Risk is easier to monitor. Decisions are based on better evidence. Customers and partners can have greater confidence in how information is handled.

When information is poorly managed, the opposite is true. Poor records management has been linked to 60 per cent of data breaches, highlighting the connection between governance and business risk.

Fragmentation remains one of the biggest barriers. Disconnected systems and inconsistent processes create blind spots that make it harder to enforce policy or show accountability. As regulatory expectations rise, only 43 per cent of organisations have formal governance frameworks in place, while 80 per cent report inconsistent practices across environments.

The issue is rarely that businesses do not have enough data. Most have more than they can comfortably manage. The issue is whether they have control over it.

Turning reform into a practical advantage

For organisations preparing for expanded AML/CTF obligations, the message is clear: strong information governance is essential to effective compliance.

But this should not sit with one person or one team. Legal, compliance, finance, operations, IT, records management and executive leadership all have a role to play. Policies matter, but so do everyday behaviours: how teams save documents, classify records, manage access, dispose of outdated information and respond when evidence is needed.

The expansion of AML/CTF regulation is a pivotal moment for Australian businesses. Regulators will not only be interested in whether policies exist. They will want to know whether organisations can demonstrate control through accurate, accessible and well-governed information.

For business leaders, that makes information governance more than a compliance task. Done well, it can reduce risk, improve efficiency and create greater confidence in the way the organisation operates.

Safe, compliant business starts with information you can trust.

Garry Valenzisi is Vice President & General Manager at Iron Mountain ANZ.

 

Business Solution