New AML/CTF rules released: what you need to know

Insights | 29 Jan 2025

Key takeaways

  • AUSTRAC has published draft rules for public feedback following the passage of the Anti-Money Laundering and Counter-Terrorism Financing Amendment Bill 2024. The deadline for submissions on the draft rules is 14 February 2025.
  • The draft rules involve a substantial revision of the existing Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007, aligning the AML/CTF rules with the new laws. It is therefore important for reporting entities to assess how the new obligations would impact their businesses, and whether new measures should be adopted to ensure compliance with all applicable AML/CTF requirements.

Introduction

On 29 November 2024, the Commonwealth Parliament passed the Anti-Money Laundering and Counter-Terrorism Financing Amendment Bill 2024 (Amendment Bill), amending the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act). The new laws will take effect on 31 March 2026 for existing reporting entities and on 1 July 2026 for Tranche II reporting entities. This article refers to the AML/CTF Act, as amended by the Amendment Bill, as the ‘Amended AML/CTF Act’.

As part of implementing these reforms and establishing a new AML/CTF rules framework, on 11 December 2024, AUSTRAC released for public consultation the first round of exposure draft rules (Exposure Draft Rules). The Exposure Draft Rules give detailed information regarding specific requirements under the Amended AML/CTF Act and entail a major repeal, revision and simplification of the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (Current Rules).

Given we have previously explored the significant reforms the Amendment Bill involves and, separately, their implications for the virtual assets sector, this article focuses on the key new rules contained in the Exposure Draft Rules and highlights what you need to know from the Exposure Draft Rules consultation paper. Where relevant, however, the obligations under the Amended AML/CTF Act are also considered.

Overview of the Exposure Draft Rules

The Amended AML/CTF Act is designed to create an enhanced outcomes-based compliance system that makes clear the outcomes to be met, affords flexibility to achieve those outcomes and ensures obligations of regulated entities are scaled according to their nature, size and complexity.[1] To that end, the Exposure Draft Rules will bolster the Amended AML/CTF Act by:

  • removing most of the unnecessary prescriptive requirements in the Current Rules;
  • setting out detail on core AML/CTF concepts in the Amended AML/CTF Act, including an initial proposal on who must be the lead entity of a reporting group, the travel rule and new definitions for politically exposed persons (PEPs);
  • introducing additional requirements to meet specific obligations, especially for AML/CTF programs, customer due diligence (CDD) and transfer of value; and
  • rewriting existing measures that are not substantively changed in the Amendment Bill, such as AML/CTF compliance reports requirements.

AML/CTF programs

The below table summarises the key obligations under the Amended AML/CTF Act and the Exposure Draft Rules in respect of AML/CTF programs.

Subject matter | Amended AML/CTF Act: what is involved? | Exposure Draft Rules: what is involved?
ML/TF risk assessments
  • Sets out triggers for when a reporting entity must review and update its ML/TF risk assessment, and allows the AML/CTF rules to provide further detail on other kinds of circumstances that trigger reviews of ML/TF risk assessments.[2]
  • Set out an additional trigger for review and update of a reporting entity’s ML/TF risk assessment, which will activate when there are adverse findings in an independent evaluation report in relation to the ML/TF risk assessment.[3]
  • Specify that the review must be undertaken ‘as soon as practicable’ after the governing body of the reporting entity receives the evaluation report containing adverse findings.[4]
AML/CTF policies
  • Requires a reporting entity to develop and maintain AML/CTF policies that achieve two outcomes:
    • manage and mitigate the ML/TF risks that the reporting entity may reasonably face in providing its designated services;[5] and 
    • internal compliance management to ensure the reporting entity complies with the AML/CTF Act, Rules, regulations and, by extension, the reporting entity’s own AML/CTF program.[6] 
  • Includes a number of specific AML/CTF policies that are required within these two overarching categories. For example:
    • CDD is a fundamental ML/TF risk management and mitigation policy;[7] and
    • undertaking due diligence on personnel who carry out AML/CTF functions and providing them with appropriate training are important compliance management policies.[8]
  • Contain a number of proposed rules made under the AUSTRAC CEO’s power to make rules.[9] Details of the specific rules are addressed below.
  • Contain the ‘default’ AML/CTF rules that will apply to reporting entities, but these may be subject to change post-consultation.
Additional AML/CTF policies for compliance training
  • Require reporting entities to develop the following additional AML/CTF policies that are focused on compliance management, on top of those mentioned in the Amended AML/CTF Act:
    • safeguards to prevent tipping off, ie the unlawful disclosure of suspicious matter reports and other sensitive information related to financial intelligence and law enforcement investigations;[10] 
    • ensuring the reporting entity’s ‘governing body’ (eg its board) receives information to fulfil its strategic oversight and other responsibilities;[11]
    • requiring the AML/CTF compliance officer to report regularly, and at least annually, to the governing body about the reporting entity’s compliance and the effectiveness of its policies in appropriately mitigating and managing the reporting entity’s ML/TF risk;[12]
    • ensuring that information reported by the reporting entity under various reporting obligations (eg suspicious matter reporting) is complete, accurate and free from unauthorised change;[13] and
    • ensuring that reporting entities determine as soon as practicable whether they have formed a suspicion on reasonable grounds that would necessitate making a suspicious matter report.[14]
Specific requirements for compliance management AML/CTF policies
  • Elaborate on the following compliance management AML/CTF policies mentioned in the Amended AML/CTF Act, providing greater detail about what must be done to achieve compliance:
    • due diligence policies must be applied to personnel with AML/CTF functions before they are employed or engaged and must remain ongoing throughout their employment or engagement – these policies extend to contractors and other individuals engaged in AML/CTF related functions;[15] and
    • training policies for personnel with AML/CTF functions must provide both initial and ongoing training throughout a person’s engagement or employment, and such training must be appropriate to the person and their responsibilities.[16]
  • A reporting entity may elect to leverage existing protocols regarding a person’s integrity for the purpose of fulfilling personnel due diligence requirements under the AML/CTF regime. If existing protocols are adequate to cover a reporting entity’s obligations, they will still be required to adequately document these protocols in their AML/CTF policies and supplement them in cases where personnel are not subject to them.
Specific requirements for AML/CTF policies on independent evaluations
  • Include AML/CTF policy requirements on the conduct of independent evaluations of a reporting entity’s AML/CTF programs, and steps a reporting entity must include in its AML/CTF policies to respond to these evaluations:[17]
    • the policies must provide for the evaluation of steps taken to undertake and update ML/TF risk assessments, the design of AML/CTF policies, and the reporting entity’s compliance with its AML/CTF obligations;
    • the policies must provide for the independent evaluation to produce a written report that is provided to the governing body and relevant senior managers with AML/CTF responsibilities;
    • the policies must set out how the reporting entity will respond to independent evaluation reports; and
    • the policies must deal with reviewing and updating a reporting entity’s AML/CTF policies in response to adverse findings as part of an independent evaluation (this requirement mirrors the ML/TF risk assessment review trigger outlined above).
Additional AML/CTF policies for value transfer services
  • Some additional AML/CTF policies focused on mitigating and managing ML/TF risk will be required for those reporting entities that provide value transfer services.[18] Other reporting entities will not be required to develop and maintain these AML/CTF policies.
  • These value transfer service-focused AML/CTF policies will document how relevant reporting entities will fulfil their travel rule obligations under Part 5 of the Amended AML/CTF Act, which concerns value transfer transparency:
    • for ordering and beneficiary institutions involved in virtual asset transfers – counterparty due diligence to understand the other institution (if any) involved in the transfer, and to undertake associated risk management and mitigation;
    • for intermediary institutions and beneficiary institutions involved in transfers of money, property or virtual assets – what reasonable steps the institution will take to monitor for the completeness of travel rule information received and what steps to mitigate and manage ML/TF risk the institution will take where it receives incomplete information; and
    • for the beneficiary institution – what reasonable steps the institution will take to monitor for the accuracy of the information received about its customer, the payee, and what steps to mitigate and manage ML/TF risk the institution will take where it receives inaccurate information.

Reporting groups

The below table summarises the main obligations under the Amended AML/CTF Act and the Exposure Draft Rules as regards reporting groups.

Subject matter | Amended AML/CTF Act: what is involved? | Exposure Draft Rules: what is involved?
Reporting groups
  • Replaces the existing concept of designated business groups with the new defined concept of ‘reporting group’, which will be automatically formed if at least one person in the group provides a designated service and the conditions (if any) in the AML/CTF rules are met.[19] Therefore, a reporting group will typically exist where there is a structure in which a business providing designated services is controlled by another entity. This helps ensure that ML/TF risks are managed at the group level, and facilitates more efficient implementation of AML/CTF program obligations among group members.
  • Includes non-reporting entities in the concept of ‘reporting group’, given they often discharge AML/CTF obligations on behalf of reporting entities.
  • Requires the ‘lead entity’ of a ‘reporting group’, whether formed by election or by operation of law, to develop and maintain an AML/CTF program that identifies, assesses, mitigates and manages ML/TF risk and ensures AML/CTF compliance across the group. Members of the reporting group are given flexibility to satisfy each other’s AML/CTF obligations subject to conditions in the AML/CTF Rules.
  • Prescribe a business will be the ‘lead entity’ for a reporting group formed by operation of law if it:
    • is a resident of Australia;
    • provides a designated service; or 
    • is registered under Division 2 of Part 5B.2 of the Corporations Act 2001 (Cth), 
    • and it controls all other businesses in the group that provide a designated service.[20] 
  • Ensure unqualified or inappropriate people in reporting groups are not tasked with discharging AML/CTF obligations by providing that a member of a reporting group who is not a reporting entity but plays a role in fulfilling the obligations of reporting entities can only discharge an obligation of a member who is a reporting entity if they have:
    • undertaken due diligence in relation to persons performing the relevant functions in a manner equivalent to the reporting entity's AML/CTF policies; and
    • provided training to those persons that is equivalent to the training required by the AML/CTF policies of the reporting entity.[21]

Customer due diligence

The below table sets out the key obligations under the Amended AML/CTF Act and the Exposure Draft Rules in relation to CDD.

Subject matter | Amended AML/CTF Act: what is involved? | Exposure Draft Rules: what is involved?
General
  • Replaces the concept of ‘Applicable Customer Identification Procedures’ with the initial CDD obligation, and continues the concept of ongoing CDD.
  • Part 2 sets out: 
    • the outcomes that initial CDD and ongoing CDD must achieve;
    • requirements for delayed CDD (eg verifying information about the customer after commencing to provide a service); and 
    • reliance provisions. 
  • Part 5 outlines general requirements for initial and ongoing CDD, including:
    • requirements for standard initial CDD for particular kinds of customers where services are provided through an Australian permanent establishment;[22]
    • circumstances where delayed verification is permissible;[23]
    • circumstances where alternative verification is permissible;[24] and
    • specific enhanced CDD requirements for foreign PEPs, high-risk domestic and international organisation PEPs,[25] and designated services provided as part of nested services relationships,[26] consistent with international standards.
  • Rules relating to standard initial CDD generally set out specific requirements for establishing aspects of a customer’s identity and due diligence for related persons such as beneficial owners.[27] These rules are supplementary to section 28 of the Amended AML/CTF Act and should be read together with that section.
CDD when providing services to individuals
  • Collection and verification of information about the customer should be completed in accordance with section 28 in the Amended AML/CTF Act, ie both collection and verification of information should be appropriate to ML/TF risk to achieve the outcome of ‘establishing on reasonable grounds’ the various matters required under subsection 28(2).
  • There are no proposed generally applicable rules related to individual customers receiving designated services in a personal capacity. However, the Exposure Draft Rules require some specific ‘know your customer’ (KYC) information (eg the individual’s date and place of birth) to be collected and verified where:
    • the customer is an individual;
    • the designated service they receive or propose to receive is in Australia; and 
    • the designated service is an account-based or transfer of value designated service.[28]
CDD when providing services to non-individual customers and customers that are sole traders (eg businesses, bodies corporate, trusts etc.)
  • Set out specific requirements that elaborate on the requirements in section 28 of the Amended AML/CTF Act:
    • information that must be collected and verified about customers that are businesses – including the customer’s trading name, relevant identity numbers issued by a government body, address of the customer’s registered office, address of the customer’s principal place of operations.[29] Information on the nature of the customer’s business is to be collected, but is not required to be verified.[30]
    • requirements in relation to beneficial owners of customers, persons on whose behalf the customer is receiving the designated service, persons acting on behalf of the customer (such as agents) and other specified persons associated with the customer.[31]
Delayed verification – circumstances in which it is permitted
  • Set out circumstances in which initial CDD verification may be delayed until after a reporting entity commences to provide a designated service, including:
    • Where a financial institution opens an account and only accepts deposits – this continues existing delayed verification rules, but removes the mandated deadline for completing verification.[32] No time frame for completing verification is specified, meaning that it must be done ‘as soon as reasonably practicable’ under section 29 of the Amended AML/CTF Act.
    • Where the service is the acquisition or disposal of a security, derivative or foreign exchange contract on a declared financial market that must be performed rapidly due to financial market conditions – this continues existing delayed verification rules.[33]
    • Where a reporting entity has established all of the matters in section 28 of the Amended AML/CTF Act about the customer, except in relation to whether the customer or associated person is a PEP or subject to targeted financial sanctions – this will allow PEP and sanctions screening to be delayed where the conditions in the new section 29 are met, including that the delay is essential to avoid interrupting the ordinary course of business and appropriate risk mitigations are implemented. In these circumstances, PEP and sanctions checks must be carried out as soon as reasonably practicable.[34]
    • Where the service is to be provided at or through a permanent establishment of the reporting entity in a foreign country and the law of that country gives effect to the FATF Recommendations which permits delayed verification – the reporting entity will be eligible for delayed verification when certain requirements are met.[35] This is to reduce the possibility of a conflict of laws where a reporting entity or reporting group is regulated by several jurisdictions’ AML/CTF regimes.
Simplified CDD requirements
  • Allows simplified CDD measures to be applied where the ML/TF risk of the customer is low and the reporting entity complies with specified requirements in the AML/CTF Rules.[36]
  • Require only that for a reporting entity to apply simplified CDD measures, it must have in place AML/CTF policies that deal with the application of those measures. 
Mandated enhanced CDD requirements 
  • Mandate that certain enhanced CDD measures must be carried out in limited circumstances:
    • For all foreign PEPs and for high-risk domestic and international organisation PEPs, source of wealth and source of funds must be established.[37] These enhanced CDD requirements should be read together with the AML/CTF program governance requirements which require policies to ensure senior management approval is obtained for services provided to such PEPs.
    • For nested services relationships, a range of matters relating to the AML/CTF policies and compliance history of the customer are specified,[38] given that the reporting entity will in effect be relying on its overseas customer to effectively mitigate ML/TF risks when providing nested services. 
  • Enhanced CDD measures are to be applied to a customer who seeks designated services that have no apparent economic or legal purpose, if the proposed provision of designated services would involve:
    • unusually complex or large transactions; or
    • an unusual pattern of transactions.[39]
Deemed compliance – initial CDD 
  • Applicable customer identification procedure previously carried out: a reporting entity is taken to have complied with each of the matters in subsection 28(2) of the Amended AML/CTF Act if the reporting entity has, before 31 March 2026, carried out relevant applicable customer identification procedures in respect of that customer.[40] As such, reporting entities regulated before the commencement of the Amended AML/CTF Act need not collect or verify additional KYC information for existing customers just because of the reforms. This will only apply to reporting entities regulated under the current AML/CTF Act.
  • ‘Passporting’ from foreign entities: a reporting entity is taken to have complied with each of the matters in subsection 28(2) of the Amended AML/CTF Act if the reporting entity or another member of its reporting group has applied foreign CDD measures which give effect to FATF recommendations relating to customer due diligence and record keeping, where certain requirements are met.[41] This serves to reduce the burden of carrying over CDD applied to customers between different AML/CTF regimes.
Deemed compliance – ongoing CDD
  • Obligations to monitor for unusual transactions and customer behaviours that may give rise to a suspicious matter reporting obligation have been moved into section 30 of the Amended AML/CTF Act.
  • A reporting entity is taken to have complied with the requirement in subsection 30(2)(a) of the Amended AML/CTF Act if it monitors for unusual transactions and behaviours that may give rise to a suspicious reporting obligation because of the operation of section 41 of the Amended AML/CTF Act (subject to exceptions).[42]
  • Section 39 focuses transaction monitoring efforts on crime types that drive money laundering, terrorism financing and proliferation financing, rather than the current ‘all crimes’ approach to monitoring. This shift means transaction monitoring will be more closely aligned with global standards recommended by the FATF. 

Travel rule

The below table sets out the key obligations under the Amended AML/CTF Act and the Exposure Draft Rules in connection with transfer of value.

Amended AML/CTF Act: what is involved? | Exposure Draft Rules: what is involved?
  • Under the travel rule, information about the parties to a transaction must travel with the transfer of value. This provides payment transparency and aids preventative measures. 
  • Part 5 of the Amended AML/CTF Act simplifies the concepts relating to transfers of value and international value transfer services, and introduces the updated travel rule obligations for financial institutions and new travel rule obligations for remitters and virtual asset service providers. 
  • Parts 1 and 7 of the Exposure Draft Rules outline the relevant definitions and obligations associated with the new provisions in the Amended AML/CTF Act. The new definitions (notably ‘ordering institution’ and ‘beneficiary institution’) are intended to cover:
    • traditional transfers to or from financial institutions, either through bank accounts or over the counter;
    • certain remitter models where the remitter deposits money into the customer’s bank account, but the bank otherwise has no active role in the value transfer;
    • certain financial technology and payment service provider transfer services; and
    • alternative remittance, hawala and other offsetting arrangements.
  • The above criteria should be read together with the designated service in which:
    • the ordering institution accepts the instruction from the payer (and thereby begins a value transfer chain); and
    • the beneficiary institution makes the transferred value available to the payee (and thereby ends the value transfer chain).
  • Part 7 of the Exposure Draft Rules also specifies risk mitigation measures for the travel rule that are applicable to beneficiary and intermediary institutions.
    • Beneficiary institutions must:
      • take reasonable steps to monitor for missing payer and payee information in a transfer of value;
      • verify the entity of a payee in a transfer of value to ensure the accuracy of information;
      • monitor if payee information is inaccurate; and
      • determine what to do where the information is incomplete or inaccurate.
    • Intermediary institutions are only required to:
      • take reasonable steps to monitor for missing payer information;
      • determine what to do in the case such information is incomplete; and
      • ensure that the required payer and payee information is retained with the transfer of value.
  • The Exposure Draft Rules also outline the information collection, verification and transmission obligations for the ordering, beneficiary, and intermediary institutions involved in transfers of value generally, as well as special provision for certain types of transfers.

Other changes worth noting

The Exposure Draft Rules set out a number of provisions to bring the following obligations in line with the Amended AML/CTF Act:

  • Section 19 of the Exposure Draft Rules requires that the AML/CTF policies of a reporting entity must ensure that senior managers give approval or are informed before commencing to provide a designated service in certain circumstances. These measures are additional to the requirement to perform enhanced CDD under the circumstances mentioned in section 32 of the Amended AML/CTF Act.
  • Division 4 of Part 8 of the Exposure Draft Rules specifies the reporting period and lodgement period for compliance reports, which replace Chapter 11 of the Current Rules. 
  • Division 5 of Part 8 of the Exposure Draft Rules specifies how reporting obligations of registered remittance affiliates may be discharged.
  • Division 6 of Part 8 of the Exposure Draft Rules retains and relocates the existing cross border movement requirements in Chapter 24 of the Current Rules. 

Next steps

AUSTRAC is working closely with industry in developing the new AML/CTF rules regime and invites submissions on the Exposure Draft Rules. Submissions must be made by 14 February 2025 and will enable AUSTRAC to determine whether measures in the Exposure Draft Rules require modifications or whether additional rules are needed. 

The second exposure draft of the AML/CTF rules is expected to be published for consultation in early 2025, and will include topics addressed in the Exposure Draft Rules (with any necessary updates) and subject matters yet to be covered.

If you require assistance with making a submission or would like to discuss the proposed reforms, please contact John Bassilios.
