What APRA's 2026 deadlines mean for your TFN records, and how to prepare
This post breaks down what APRA's 2026 deadlines require, the three most common compliance gaps we see across financial services institutions, and what a robust, audit-ready TFN records process looks like in practice.
Australia's financial services sector is facing a compliance deadline that many organisations are underprepared for. APRA's 2026 requirements around Tax File Number (TFN) records management are not new, but the scrutiny behind them is intensifying. And for organisations that have relied on ad hoc processes to locate, retain, and destroy TFNs, the window to act is closing fast.
The APRA TFN compliance landscape in 2026
APRA's focus on TFN compliance sits at the intersection of three of its most critical standards: CPS 230 (Operational Resilience), CPS 234 (Information Security), and CPG 235 (Managing Data Risk). Together, these frameworks require APRA-regulated entities — banks, superannuation funds, and insurers — to demonstrate that they can:
- Locate TFNs across all systems and formats, on demand
- Retain TFNs only for as long as they are required to perform a specific function
- Destroy TFNs defensibly and with a full audit trail when retention periods expire
The key word APRA uses is "mechanically". It is not sufficient to demonstrate that your team can find TFNs when asked. APRA expects a process-driven, operationally resilient mechanism that functions continuously — regardless of whether the lights are on or off.
Key 2026 dates
Commencement of a new retirement reporting framework, developed with Treasury, to monitor member outcomes
The January 2026 deadlines have now passed, but compliance is not a one-time exercise. APRA's ongoing supervisory expectations mean that organisations still working toward these requirements need to act quickly — and those already compliant need to ensure their processes remain demonstrably robust.
Top 3 TFN compliance gaps in Financial Services
Across our work with tier-one banks, superannuation funds, and insurers, we consistently see the same three failure points. None of them are surprising. All of them are avoidable.
Gap 1: No visibility across the full data estate
The most common problem is deceptively simple: organisations do not know where their TFNs are.
TFNs don't live in one system. They appear in onboarding documents, member correspondence, scanned forms, Excel files, email attachments, SharePoint sites, and line-of-business applications — structured and unstructured, across dozens of platforms. Most organisations have a rough idea of where TFNs should be. Very few have a verified, real-time view of where TFNs are.
APRA is not looking for a best-guess answer. It expects demonstrable, auditable visibility — and an inability to provide that is itself a compliance exposure.
What good looks like: A single, continuously updated view across all connected systems showing exactly where TFNs are present, in what volume, and in what format — including images, PDFs, and scanned documents processed through OCR.
Gap 2: Retention that depends on people, not process
The second gap is governance that exists on paper but not in practice. Many organisations have a records retention policy that covers TFNs. Far fewer have a mechanism that enforces it automatically.
Under APRA's guidance, TFNs should only be retained for the length of time they are needed to perform their designated function — for example, verifying a member during onboarding. Once that function is complete, the TFN should be flagged for review and, where appropriate, defensibly destroyed.
When this process relies on end users to tag, move, or flag content, it will fail at scale. People forget. Systems change. Staff turn over. APRA knows this — which is why it requires entities to demonstrate operational resilience, not just policy documentation.
What good looks like: Automated classification that detects the presence of a TFN at the point of creation or modification, applies the appropriate retention category, calculates the destruction date based on a triggering event (such as application date), and routes the document through an auditable disposal workflow — without any action required from the end user.
Gap 3: No audit-ready evidence of compliance
The third gap is the one that creates the most acute regulatory exposure: organisations that are doing the right things but cannot demonstrate they are doing the right things.
APRA does not just want to see a compliant process. It wants to see evidence that the process is working — trend data, risk scoring, disposal records, and the ability to produce a comprehensive report at short notice. In the event of a breach, an audit, or an APRA review, the organisations that suffer the most are those that cannot answer the question: what data did we have, where was it, and what did we do with it?
What good looks like: Out-of-the-box reporting that shows your current TFN risk profile across all systems, trends in sensitive data volume over time, a full audit trail for every disposal event, and the ability to generate an evidence package for APRA on demand — not over several weeks.
What a compliant TFN records process looks like in practice
A robust, APRA-aligned TFN compliance process has four components working together:
1. Connected discovery
Connectors into every platform that may contain TFNs — SharePoint, OneDrive, Teams, Exchange Online, file shares, CRM systems, structured databases, and more. Content is ingested retrospectively (so existing records are covered) and continuously (so new content is captured at the point of creation or modification).
2. Automated detection and classification
AI-powered signals that identify the presence of TFNs in text-based and image-based content (including JPEGs and TIFFs via OCR), with algorithmic validation to minimise false positives. Detection is paired with automatic classification — no end-user action required.
3. Policy-driven retention and defensible disposal
A rules engine that applies retention schedules based on configurable triggers — such as application date, member status, or document type — and routes eligible content through an auditable disposal workflow with approvers, timestamps, and retained stubs for post-destruction auditability.
4. Real-time reporting and risk visibility
Dashboards that surface your organisation's current TFN risk posture, broken down by platform, content type, and risk score. Reports that can be exported and presented directly to APRA, demonstrating not just current compliance but the trajectory of improvement over time.
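The algorithmic validation mentioned under component 2 can be illustrated with the publicly documented TFN check-digit rule. This is an added example, not RecordPoint's code: it assumes the 9-digit weighted mod-11 checksum is the validation applied, and the function names, sample text and file name are constructed for illustration.

```python
import re

# Publicly documented check-digit weights for 9-digit TFNs.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)

# Nine ASCII digits, optionally grouped 3-3-3 with spaces or hyphens, and not
# embedded in a longer digit run (which would be a phone or account number).
CANDIDATE = re.compile(r"(?<![0-9-])[0-9]{3}[ -]?[0-9]{3}[ -]?[0-9]{3}(?![0-9-])")


def tfn_checksum_ok(digits: str) -> bool:
    """True if the weighted digit sum is divisible by 11."""
    if not re.fullmatch(r"[0-9]{9}", digits):
        return False
    if digits == "000000000":  # passes the arithmetic, but is only filler
        return False
    return sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


def find_tfns(text: str, source: str) -> list[dict]:
    """Return checksum-valid hits; the value is masked so reports hold no TFN."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if tfn_checksum_ok(digits):
            hits.append({"source": source, "offset": m.start(),
                         "masked": "*" * 6 + digits[-3:]})
    return hits


# Constructed sample text (not real member data).
SAMPLE = (
    "Member onboarding form. TFN: 123 456 782. "        # checksum-valid test value
    "Contact phone 0412 345 678. "                       # 10 digits: not a candidate
    "Reference no 123456789 on invoice. "                # 9 digits: fails checksum
    "Scanned copy lists tax file number 876-543-210."    # checksum-valid test value
)

if __name__ == "__main__":
    for hit in find_tfns(SAMPLE, "constructed-sample.txt"):
        print(hit)
```

A random nine-digit number passes this checksum roughly one time in eleven, so the check reduces false positives but does not eliminate them; nearby keywords and document type still need to feed the classification.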
The cost of waiting
The financial and reputational cost of being on the wrong side of an APRA review is well documented. Breach notices, undertakings, fines, and the management time consumed by remediation under regulatory scrutiny are all significantly more expensive than the investment required to get compliant proactively.
There is also an emerging AI dimension to this. As financial services organisations accelerate AI adoption, the data estate that AI systems access becomes a direct compliance risk. Ungoverned TFN records that feed into an AI model — or that are accessible to an AI agent without appropriate controls — represent a new and rapidly escalating exposure that APRA and the Privacy Act reforms are both moving toward.
The organisations that govern their data now are not just protecting themselves from a 2026 audit. They are building the foundation for safe, scalable AI adoption in 2026 and beyond.
Ready to see where your TFNs are right now?
RecordPoint's platform manages close to 4 billion records across 150+ regulated organisations, including Westpac, NAB, APRA, and ASIC. In 2025, our customers defensibly disposed of 159 million records, generating an estimated $795 million in storage savings.
We've built a practical checklist to help compliance and records management teams assess their current TFN posture against APRA's requirements — and identify the gaps before APRA does.

