AUSTRAC releases Core Guidance ahead of AML/CTF reforms
The Australian Transaction Reports and Analysis Centre (AUSTRAC) recently published its eagerly awaited Core Guidance ahead of the fast-approaching reforms to Australia’s anti-money laundering and counter-terrorism financing (AML/CTF) regime. This essential resource clarifies how AUSTRAC will interpret the amended AML/CTF Act, the new rules and what it expects reporting entities to do to meet their obligations.
You can read more about the key aspects of the rules in our recent article, Final AML/CTF Rules unveiled – key implications for reporting entities.
AUSTRAC has used specific language throughout the Core Guidance to indicate whether something is an obligation under the AML/CTF laws, an expectation from AUSTRAC, or a suggestion based on good practice:
- ‘you must’ indicates that AUSTRAC considers it to be an obligation under the AML/CTF laws, or an action considered necessary to comply with the laws; 
- ‘we expect’ indicates that AUSTRAC considers an action to be likely necessary to comply with the AML/CTF laws, but that compliance may be demonstrated in some other way. AUSTRAC warns businesses to think carefully before departing from AUSTRAC’s expectations as expressed in the Core Guidance; 
- ‘you may’ or ‘you could’ are AUSTRAC’s suggestions based on good practice, and businesses can choose to follow these suggestions or take a different approach.
The Core Guidance includes AUSTRAC’s comments about some of the key topics, including:
- forming a ‘reporting group’;
- developing and maintaining an AML/CTF program;
- conducting customer due diligence (ie know your client (KYC) checks);
- providing training and conducting due diligence checks on personnel; and
- outsourcing compliance with the AML/CTF laws.
Reporting groups
From 31 March 2026, designated business groups (DBGs) will be replaced by reporting groups, by which AUSTRAC intends to offer a more adaptable and centralised approach to AML/CTF compliance. The Core Guidance sets out two ways to form a reporting group:
- A business group can form a reporting group if all members of the business group agree on a lead entity.
 AUSTRAC is clear that all members of the business group must form part of the reporting group. A business group cannot form a reporting group with only some of its members. Further, if some members can’t agree on who the lead entity should be, the reporting group won’t form.
 
- An ‘elective’ reporting group can form if two or more reporting entities, or a member of a business group, elects to form a reporting group.
 Similar to a reporting group formed around a business group, if a member of a business group joins an ‘elective’ reporting group, all other members of that business group must also join the reporting group.
Key takeaways
AUSTRAC is clear that the key to determining if you are in a business group is the principle of control. A business group can only form if one entity controls every other member of the group. Reading between the lines of the Core Guidance, AUSTRAC’s interpretation of the ‘business group’ definition is that it captures control relationships that already exist within corporate groups (both large and small). In this assessment of ‘control’, AUSTRAC implies that a business group will capture the largest possible number of entities within a corporate group, so long as there is a control structure for all those entities. In other words, AUSTRAC adopts a restrictive interpretation of ‘business group’. So long as an entity is in a control structure, that entity will form part of the business group and must be part of any reporting group formed.
Next steps
If your business is currently part of a designated business group, by 31 March 2026 you should prepare to assess your control structure and determine whether to replace the DBG with a compliant reporting group.
If so, you must consider how your AML/CTF policies should be tailored to apply to the new reporting group.
AML/CTF program
Tranche 2 of the AML/CTF reforms replaces the existing Parts A and B of an AML/CTF program with an AML/CTF program that consists of a ML/TF risk assessment and AML/CTF policies.
AUSTRAC’s reform guidance outlines a five-step approach to developing, maintaining and assessing an AML/CTF program:
- Establish a governance framework
  - The AML/CTF governance structure includes three key roles: the governing body (responsible for overall oversight), senior management (who approve and direct the AML/CTF program) and the compliance officer (who manages day-to-day compliance).
  - Smaller organisations may consolidate the above into one or two positions.
- Identify and assess ML/TF risks
  - The risk assessment must identify and evaluate the ML/TF risks associated with both current and planned designated services.
  - Consideration must be given to service types, customers, delivery channels and countries involved.
  - Relevant risk information provided by regulators should be included to ensure a robust assessment.
- Mitigate and manage your risks - AML/CTF policies
  - Proportionate to your business’s size and complexity, AML/CTF policies must effectively manage the risks identified above.
  - All AML/CTF policies should be regularly reviewed and approved by senior management.
- Review and update the program regularly
  - At least every three years, the AML/CTF program (including risk assessments and policies) should be reviewed and updated.
  - Updates must be documented promptly and approved by senior management.
- Conduct an independent evaluation
  - At least every three years, the AML/CTF program must be independently reviewed by suitably knowledgeable and unbiased evaluators.
  - If any adverse findings are reported, the risk assessment and policies must be updated promptly.
Next steps
AUSTRAC’s commentary is aligned with the requirements in the new Act and Rules, which set out the substantial changes Tranche 2 will introduce for both new and existing reporting entities in relation to their AML/CTF policies.
We recommend all reporting entities adopt new AML/CTF policies to align with the new AML/CTF laws and with AUSTRAC’s guidance.
Customer due diligence
The Core Guidance on KYC checks covers a number of key areas in the lifecycle of a customer relationship, for example:
- assigning a risk rating to the customer prior to onboarding the customer;
- when onboarding the customer, conducting initial KYC checks, relying on other parties to conduct KYC checks or conducting enhanced due diligence checks; and
- ongoing customer due diligence checks.
It also covers key areas such as identifying politically exposed persons, when to collect and verify source of wealth and source of fund information and how to transition existing customers from the current regime to the Tranche 2 regime.
An overview of the KYC process is illustrated in the diagram below by AUSTRAC.

Source: austrac.gov.au
Key takeaways
- AUSTRAC expects entities to assign all customers a risk rating as part of conducting initial and ongoing customer due diligence.
- The mechanisms in place for reporting entities to rely upon KYC checks conducted by another reporting entity largely remain unchanged as part of the Tranche 2 reforms.
- Compared to the current AML/CTF laws, under Tranche 2 of the reforms there are additional circumstances in which you will need to collect and verify the source of funds and source of wealth information from customers. AUSTRAC has set out extensive guidance as to how to collect and verify such information.
Personnel training and due diligence checks
The new AML/CTF Act and Rules contain requirements for personnel training and due diligence checks conducted on a reporting entity’s personnel, tailored to individual roles and responsibilities. The Core Guidance provides greater detail as to AUSTRAC’s expectations on personnel roles that require greater levels of training and due diligence.
For example, any person who:
- has access to and can submit suspicious matter reports and threshold transaction reports;
- handles high value transactions and physical currency (cash);
- approves or escalates high-risk customers;
- has the authority to amend customer risk profiles or related audit trails;
- manages and authorises outsourcing or contracting arrangements;
- has access to highly sensitive business or customer information;
may be in a role AUSTRAC considers ‘high-risk’. AUSTRAC’s expectation is that personnel within such roles should be subject to increased employee due diligence checks and receive additional AML/CTF training compared to personnel in lower risk roles.
For example, in relation to personnel training, AUSTRAC sets out good practice guidance that:
- AML/CTF compliance officers and senior management could receive training every 6-12 months; while
- all other personnel not in an AML/CTF relevant role may receive training at onboarding only.
AUSTRAC is also clear that in conducting personnel due diligence, a reporting entity must assess:
- the skills, knowledge and expertise relevant to the person’s AML/CTF responsibilities (and can do so by validating technical skills or qualifications, or conducting interviews); and
- the integrity of the person (and can do so by conducting police checks, bankruptcy checks or conducting screening such as adverse media checks).
Key takeaways
Reporting entities should consider the ML/TF risk exposure of all roles within a business. The requirement to conduct personnel training and due diligence should be tailored to this risk exposure. To the extent businesses have historically applied blanket training and due diligence requirements, tailoring these requirements based on the roles and responsibilities of individuals within the business could represent a cost-saving within the business while complying with the Core Guidance for the Tranche 2 reforms.
Outsourcing compliance with the AML/CTF laws
It is expected that outsourcing of compliance with the AML/CTF laws will continue to increase as businesses face added compliance costs associated with AML/CTF, particularly in light of the Tranche 2 reforms.
AUSTRAC makes it clear that a reporting entity outsourcing its AML/CTF functions remains responsible for complying with the AML/CTF laws and will generally remain liable for breaches of the AML/CTF obligations and for penalties that arise from a breach.
AUSTRAC sets out six principles for managing any additional ML/TF risks that might arise from outsourcing compliance with the AML/CTF laws, and to ensure appropriate oversight of third-party service providers:
- identify the risks that may arise through outsourcing; 
- conduct due diligence and train outsourced service providers; 
- understand legal restrictions on sharing information with outsourced service providers; 
- consider using a written agreement for outsourcing; 
- monitor and review outsourcing arrangements; 
- document procedures for managing outsourcing arrangements in your AML/CTF program. 
Key takeaways
With the increase in the population of reporting entities introduced by the Tranche 2 reforms, we are observing increasing emphasis from AUSTRAC that reporting entities must take responsibility for compliance with the AML/CTF laws. AUSTRAC warns against adopting template documents without reviewing how the documents may apply to the business and warns against appointing third party service providers without sufficient supervision and management of risk.
What's next?
The 31 March 2026 deadline for existing reporting entities is fast approaching. We encourage all existing reporting entities to review their current AML/CTF programs and procedures and seek guidance about strengthening compliance. Taking steps now will help safeguard your business.
Reach out to our specialist team for tailored advice and assistance with AML/CTF compliance, including assessing your reporting group structure or developing an AML/CTF program.
This article was written with the assistance of Karun Dhaliwal, Law Graduate.