Privacy Act Tranche 2 changes how fraud works today
Vericode · 18 February 2026
Most fraud is not a clever caller. It is a list. A list of names, numbers, account hints, addresses, roles, recovery details and old facts that somebody leaked, sold, scraped, lost, or kept for too long. The caller is the visible part. The list is where the work starts.
That is why Tranche 2 of the Privacy Act reforms matters to fraud.
The Attorney-General has confirmed the government is progressing the second tranche of privacy reforms this year. Most coverage will treat that as a privacy story, which is fair. Privacy law is about individual rights, organisational obligations and the boundaries around collection, use and disclosure.
But in the scam economy, privacy reform is also fraud reform. That is our framing, not the government’s slogan. It matters because most social engineering needs a supply of true facts. The more unnecessary data an organisation holds, the more material exists for the next pretext when something goes wrong.
The fraud chain is not complicated. Leak. List. Pretext. Call. Transfer. Most visible controls sit in the back half. Banks watch payments. Platforms remove ads. Telcos block traffic. Customers are warned. Staff are trained. All of that work is necessary, but it starts after the facts have already escaped.
Data minimisation bites earlier.
If a business does not collect a detail, it cannot leak it. If it deletes information it no longer needs, that information cannot turn up in a script two years later. If it stops treating every customer interaction as a reason to keep another copy of identity material, the future fraud market has less to assemble.
That is not a neat or immediate fix. Privacy reform does not make tomorrow’s scam call vanish. It changes the slope over time. It asks whether the fact needed to impersonate a person should have been sitting in so many places in the first place.
The recent fraud signals make the point. Identity-support services are seeing thousands of myGov-linked account misuse cases. Fraud-intelligence sharing is surfacing large volumes of attempted fraud before it lands. Voice-cloning losses and romance-scam campaigns keep showing how much damage can be done once enough personal context is available.
The lists are working.
That phrase should be uncomfortable. It means fraudsters do not need perfect information. They need enough. A phone number, a name and a recent interaction can be enough to keep a person on the line. A partial account detail can be enough to make a fake bank call feel credible. A branch name, manager name, invoice number, travel detail, or family clue can turn a cold approach into a warm one.
The privacy conversation often starts with fairness to the individual. It should. But for fraud teams, the starting point is attack surface. Every retained field is a future credential in somebody else’s mouth.
That is the part of Tranche 2 worth watching. Not as a silver bullet, and not as a reason to stop building controls at the payment, platform, telco, or contact-centre layer. Those controls still matter. The point is that the cheapest place to remove a fraud input is before the input exists.
Less data does not mean no service. It means fewer stale facts sitting around waiting to be repurposed. It means fewer old forms, duplicated identity checks and unnecessary retention habits feeding the next caller’s script.
Privacy reforms are fraud reforms when they shorten the chain at its source.
The cheapest fraud control is the one that prevents the list from existing.