Anti-Money Laundering and Counter-Terrorism Financing

To provide clarity to accountants, lawyers, conveyancers and other Tranche 2 entities, AUSTRAC has published guidance on what is expected of regulated entities as the reforms approach, and what regulated entities can expect from AUSTRAC in return. Our article Countdown to AML/CTF reforms: AUSTRAC outlines what's required provides a breakdown of AUSTRAC's guidance.

In short, before 1 July 2026, new reporting entities will be expected to:

• enrol as a reporting entity (the online enrolment system will be accessible from 31 March 2026)
• implement an AML/CTF program
• appoint an AML/CTF compliance officer
• train staff on their AML/CTF program and processes
• be ready to ask clients questions and report suspicious activity. 

Tranche 2 entities should prepare for a significant review and update to their customer onboarding processes, risk management systems, and compliance procedures. In less than 12 months, these entities will need to:

• conduct know your client (KYC) checks
• monitor client transactions for suspicious activity
• conduct internal training on AML/CTF obligations
• monitor their compliance with their AML policies to report to AUSTRAC on a yearly basis. 

A reporting entity must conduct a ML/TF risk assessment having regard to the nature, scale and complexity of its operations when determining its exposure to ML/TF risks and incorporate relevant risks communicated to it or otherwise published by AUSTRAC.

At a minimum, reporting entities are required to assess risks associated with:

• the kinds of customers they service
• the designated services they offer
• the channels through which those services are delivered, and
• the jurisdictions with which they engage.

ML/TF risk assessments must be regularly reviewed and updated to ensure they remain current. 

Importantly, reporting entities must not commence to provide a designated service to a customer if it does not have an up-to-date ML/TF risk assessment.

Generally, the key elements of an AML/CTF program are:

• an ML/TF risk assessment
• an appropriate governance framework, including reporting lines and group compliance
• properly instituted internal AML/CTF policies and procedures
• established reporting protocols
• review and record keeping systems and processes, and
• effective customer identification procedures. 

Before providing a designated service to a customer, the general rule is that you must identify: 

• the customer
• any person on whose behalf the customer is receiving the designated services
• the identity of any person acting on behalf of the customer
• if the customer is not an individual – any beneficial owners of the customer, and
• whether any of the above people are politically exposed persons. 

You must also monitor your customers in relation to the provision of the designated services to appropriately identify and manage the risks of ML/TF/PF that you may reasonably face in providing the designated services. Specific requirements apply if you provide the designated services through a permanent establishment in Australia.

AUSTRAC acknowledges the challenges newly regulated entities face in preparation for the reforms and has committed to facilitating the implementation of AML/CTF programs by providing ample guidance, education, and materials.

However, it is critical to note that non-compliance by newly regulated entities will be closely monitored by AUSTRAC from 1 July 2026 and will face intense scrutiny should ignorant or malicious non-compliance be encountered. 

To help navigate your compliance journey we encourage you to explore our latest articles or reach out to our team to learn more: 

Proposed AML/CTF Rules: the red and green flags

New Draft Rules shake up AML/CTF regime

Countdown to AML/CTF reforms: AUSTRAC outlines what's required

Upcoming AML/CTF compliance for the accounting profession

Upcoming Tranche 2 AML/CTF Reforms: key KYC obligations

In response to evolving financial crime risks and international standards, the Australian Government through AUSTRAC has introduced significant reforms to the AML/CTF regime for existing reporting entities. These changes, effective from 31 March 2026, reflect a shift toward a more risk-based and outcomes-focused approach, aligning Australia’s framework more closely with global best practices. 

Existing reporting entities are required to amend existing or prepare new compliance programs to conform with the incoming changes. Below we summarise some of the key matters existing reporting entities should consider and address in amending their AML/CTF compliance programs to maintain compliance with the AML/CTF regime.

One of the more substantial features is the changes to AML/CTF program structures for reporting entities. Programs were previously separated into two parts, Part A and Part B, which AUSTRAC noted was onerous and created practical difficulties for reporting entities. Under the new regime, the program is to firstly set out the ML/TF risk assessment, followed by the entity’s policies and procedures.

Perhaps the biggest change is replacing the concept of designated business groups with ‘reporting groups’. There are two types of reporting groups:

• Business group: this means the largest conglomeration of entities within a corporate group where there is a parent company that controls all other entities within the group. For these entities, they form business groups and providing services within a business group is exempt from providing designated services and does not have AML/CTF implications. However, for a business group to form a reporting group, all entities need to agree in writing.
• Elective reporting group: these groups occur when a reporting entity, an entity that discharges obligations on behalf of the reporting entity, or a member of a business group elect to form a group where the entities agree in writing to form the reporting group and form a ‘lead entity’.

The benefit of forming a reporting group is that entities can discharge obligations on behalf of another, which is a much cleaner and more efficient process for all stakeholders, including AUSTRAC.

The reforms introduce significant changes to know your customer (KYC) obligations by replacing the previous ‘applicable customer identification procedures’ with a more flexible, outcomes-based customer due diligence (CDD) framework. Under the amendments, where the ML/TF for the customer is low, reporting entities must conduct initial and ongoing CDD on the customer, but in certain instances are not required to verify the information. 

Where the ML/TF risk is higher, enhanced due diligence is required, including obtaining further information, and verifying it. The reforms emphasise risk-based verification using reliable and independent data and the obligation to understand the nature and purpose of customer relationships. 

Organisations already subject to the AML/CTF Act must:

• maintain existing AML/CTF controls
• develop and document implementation plans to meet the reformed obligations
• show ongoing progress against those plans
• make tactical improvements to systems and processes in the short term
• review and strengthen AML/CTF frameworks to ensure they are fit for purpose.

Relying on the ‘status quo’, or superficial compliance – particularly if your current AML/CTF policies are ineffective – will not be tolerated. AUSTRAC expects businesses to comply with current obligations while also reviewing and enhancing their existing AML/CTF policies and procedures to determine their effectiveness in preparation for the incoming reforms.

To help navigate your compliance journey we encourage you to explore our latest articles or reach out to our team to learn more:

Proposed AML/CTF Rules: the red and green flags

New draft AML/CTF rules: what fund managers need to know

Countdown to AML/CTF reforms: AUSTRAC outlines what's required

AUSTRAC fires warning shot at AML/CTF reporting entities

AML/CTF compliance due March 2026: practical guidance