Quick AML/CTF Compliance Overview for Australian Businesses
Australia’s AML/CTF framework has undergone major reforms through the AML/CTF Amendment Act 2024 and AML/CTF Rules 2025, strengthening regulatory expectations and enforcement.
AUSTRAC remains the regulator, applying a risk-based approach that focuses on real outcomes rather than box-ticking compliance.
Businesses must implement a documented AML/CTF Program, including governance controls and operational procedures.
Key obligations include customer due diligence (CDD), enhanced due diligence for high-risk customers, transaction monitoring, and timely suspicious matter reporting (SMRs).
Common compliance gaps include the use of generic AML templates, weak beneficial ownership checks, inadequate transaction-monitoring calibration, and insufficient staff training.
AUSTRAC has demonstrated strong enforcement action, with significant financial penalties and reputational consequences for non-compliance.
A practical, proportionate AML/CTF program helps businesses manage risk, meet regulatory expectations, and avoid costly remediation.
Australia’s anti-money laundering and counter-terrorism financing regime has undergone transformative reforms in 2024-2026, reshaping compliance expectations for thousands of businesses. Whether you’re a financial institution navigating updated obligations or a professional service provider preparing for new regulatory requirements, understanding Australia’s AML/CTF framework is now essential for business viability and protection.
What Is AML and CFT Compliance?
AML and CFT compliance represents a business’s legal and operational commitment to preventing criminal exploitation of financial systems. At its core, this framework exists to stop criminals from disguising illegally obtained funds and to cut off funding streams to terrorist organisations.
Anti-Money Laundering (AML) focuses on detecting and preventing criminals from transforming proceeds of crime into apparently legitimate funds. Money laundering typically involves three stages: placing illicit cash into the financial system, layering it through complex transactions to obscure its origin, and integrating it back into the economy as seemingly clean money.
Counter-Terrorism Financing (CTF) targets the movement of funds that support terrorist activities. Unlike money laundering, terrorism financing doesn’t always involve illegal source funds, but the destination and purpose make these transactions criminal.
In practice, these frameworks work together. Consider a real estate agent approached by a buyer wanting to purchase a $2 million property with multiple cash payments just under $10,000. This could indicate structuring to avoid reporting thresholds, a classic money laundering red flag. Under Australia’s regime, that agent would need to conduct enhanced checks, verify the source of funds, and potentially file a suspicious matter report with AUSTRAC.
AML and CFT Compliance in Australia – Legal Framework Explained
Australia’s AML/CTF regulatory structure centres on the Australian Transaction Reports and Analysis Centre (AUSTRAC), which operates as both the nation’s financial intelligence unit and the primary regulator for compliance matters.
The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 establishes the legal foundation, recently amended through the AML/CTF Amendment Act 2024 to modernise obligations and expand regulatory reach. These amendments, which took effect through 2025 and into 2026, represent the most significant changes to Australia’s financial crime framework in nearly two decades.
The amended Act works alongside the Anti-Money Laundering and Counter-Terrorism Financing Rules 2025, tabled in Parliament in August 2025. These Rules provide supplementary detail on how businesses must implement their obligations, from customer identification procedures to reporting requirements and risk management frameworks.
Australia’s approach emphasises outcomes over prescriptive checklists. The regime is explicitly risk-based, meaning your compliance measures must be proportionate to the money laundering and terrorism financing risks your business actually faces. This flexibility allows tailoring to your business model, but it also means generic, template-driven approaches consistently fail AUSTRAC scrutiny.
The framework aligns Australia with international standards set by the Financial Action Task Force (FATF), the global financial crime watchdog. Recent reforms specifically address gaps identified in previous FATF evaluations, particularly the long-standing exclusion of certain professional services from regulation.
Who Must Comply With AML and CFT Requirements in Australia?
If you provide designated services with a geographical link to Australia, you’re a reporting entity with AML/CTF obligations. The definition of designated services has expanded significantly through recent reforms.
Current reporting entities include:
- Financial institutions such as banks, building societies, and credit unions
- Payment service providers and remittance businesses
- Digital currency exchange providers and related virtual asset services
- Superannuation fund managers and trustees
- Gaming and gambling operators, including casinos and online platforms
- Dealers in precious metals, stones, and bullion
- Financial planners and advisers arranging designated services
New reporting entities from 1 July 2026 (Tranche 2) include:
- Real estate agents, buyer’s agents, and property developers
- Lawyers and conveyancers providing certain services
- Accountants offering specified professional services
- Trust and company service providers
- Dealers in precious stones, metals, and products accepting cash or virtual assets of $10,000 or more
The geographical link requirement means you must either provide designated services at or through a permanent establishment in Australia, or be an Australian resident (or subsidiary of one) providing services through a foreign permanent establishment.
If you’re unsure whether your services are designated services, the answer often lies in the specific activities you perform rather than your professional label. We often see businesses misclassify themselves by focusing on their industry rather than the specific services triggering obligations. An accountant preparing tax returns doesn’t automatically become a reporting entity, but the same accountant facilitating a business acquisition involving trust structures likely does. AUSTRAC provides an online tool to check your status, though independent legal advice remains prudent for borderline cases.
Core AML and CFT Compliance Obligations for Australian Businesses
Your obligations as a reporting entity extend across multiple interconnected requirements, each designed to create layers of defence against financial crime.
1. AML/CTF Program (Part A & Part B)
Before providing any designated service, you must have a documented AML/CTF program demonstrating how you identify, assess, manage, and mitigate money laundering and terrorism financing risks. This isn’t a compliance document you create once and forget. Your program must be living, breathing, and actively used.
Part A addresses institutional-level requirements: governance structures, risk assessments, compliance officer appointments, independent reviews, employee due diligence, and training programs. Your board and senior management must approve Part A and maintain active oversight.
Part B covers operational procedures for customer identification, ongoing monitoring, transaction analysis, and reporting. These procedures must be specific enough that staff can follow them consistently, yet flexible enough to adapt to different risk scenarios.
2. Customer Due Diligence (CDD & ECDD)
Customer due diligence sits at the heart of effective compliance. You must complete initial CDD before providing designated services, establishing on reasonable grounds who your customer is, understanding their risk profile, and collecting sufficient know-your-customer information.
The intensity of your due diligence must match the risk. Standard CDD applies to typical, lower-risk customers. Enhanced CDD becomes mandatory when risks elevate: politically exposed persons, customers from high-risk jurisdictions, complex beneficial ownership structures, or situations where your risk assessment identifies heightened concerns.
Simplified CDD may apply to objectively low-risk situations, though the circumstances permitting simplified measures are tightly defined under the reformed regime.
3. Transaction Monitoring
Ongoing monitoring of customer transactions and behaviour is non-negotiable. Your systems must detect unusual patterns, changes in customer risk profiles, and activity inconsistent with what you’d reasonably expect based on the customer’s stated purpose and profile.
Effective transaction monitoring isn’t about setting arbitrary thresholds and generating thousands of alerts. It’s about understanding your customers well enough to recognise genuine anomalies. A $50,000 transaction might be perfectly normal for a property developer but highly suspicious for a student with no apparent income source.
4. Suspicious Matter Reports (SMRs)
When you form a suspicion on reasonable grounds that a person or transaction relates to money laundering, terrorism financing, tax evasion, or other serious crimes, you must submit a suspicious matter report to AUSTRAC. This obligation applies even if you can’t identify the specific crime or prove anything definitively.
Reasonable grounds means a reasonable person in your position, with access to the same information and circumstances, would form the same suspicion. The threshold is lower than proof but higher than mere speculation.
Timing matters critically. Suspicions related to terrorism financing must be reported within 24 hours. Other suspicions require reporting within three business days. These deadlines begin when the appropriate person in your organisation forms the suspicion, not when it’s convenient to report.
5. Ongoing Compliance & Reviews
Your AML/CTF program requires regular independent review by someone with appropriate expertise who isn’t involved in day-to-day compliance operations. Reviews must assess whether your program remains effective and appropriate to your current risk profile.
Beyond formal reviews, continuous improvement should be embedded in your compliance culture. When AUSTRAC releases risk intelligence, industry guidance, or enforcement outcomes, you should evaluate whether adjustments to your program are warranted.
Customer Due Diligence Under Australia’s AML and CFT Regime
The reformed CDD framework emphasises proportionate, risk-based measures while establishing clear minimum standards and mandatory enhanced measures for higher-risk scenarios.
1. Standard Customer Due Diligence
Standard CDD establishes the baseline expectations for customer identification and verification. You must collect and verify information about your customer’s identity using reliable, independent data sources. For individuals, this typically includes full name, date of birth, and residential address. For entities, you’ll need registration details, beneficial ownership information, and details about the entity’s structure and control.
Verification must occur before providing the designated service, with limited exceptions where completing CDD beforehand would interrupt the normal conduct of business and the risk is appropriately managed.
2. Simplified Customer Due Diligence
Simplified CDD applies when the risk is objectively low based on the customer, product, delivery channel, or jurisdiction. AUSTRAC guidance clarifies when simplified measures are appropriate, but you retain discretion in determining the extent of simplification.
Simplified measures might include less frequent reverification of customer information, accepting more limited documentation, or streamlining the information collected about low-risk products. However, even simplified CDD must enable you to identify suspicious activity and meet your reporting obligations.
3. Enhanced Customer Due Diligence
Enhanced CDD becomes mandatory in specific circumstances under the reformed regime. You must apply enhanced measures when the customer’s money laundering or terrorism financing risk is high, when you submit a suspicious matter report and continue providing services, or when specific triggers occur.
Mandatory ECDD triggers include customers who are or have beneficial owners who are foreign politically exposed persons, customers present in or formed in high-risk jurisdictions identified by FATF, and situations involving nested service relationships.
Enhanced measures must be appropriate to the specific risks identified. This might involve obtaining additional information about the customer’s source of wealth and source of funds, conducting more frequent monitoring and reviews, requiring senior management approval for the relationship, or implementing additional controls on transaction types or values.
4. Common Mistakes Businesses Make
We consistently see several patterns in CDD failures. Businesses frequently fail to adequately verify beneficial ownership for complex corporate structures, accepting nominee arrangements without understanding who ultimately controls and benefits from the entity. Many organisations conduct initial customer identification but neglect ongoing due diligence, missing significant changes in customer risk profiles.
Another common error involves treating PEP screening as a one-time checkbox exercise rather than an ongoing obligation. Customer circumstances change, and someone who wasn’t a PEP when onboarded might become one through appointment to public office.
Perhaps most critically, businesses often collect information without actually using it for risk assessment. CDD isn’t about accumulating documents in a file; it’s about understanding your customer well enough to recognise when something doesn’t make sense.
Transaction Monitoring and Suspicious Matter Reporting (SMRs)
Transaction monitoring and suspicious matter reporting work as interconnected systems. Monitoring detects potential concerns, investigation determines whether reasonable grounds for suspicion exist, and reporting alerts AUSTRAC to enable intelligence analysis and potential law enforcement action.
What Triggers an SMR Beyond Thresholds
Suspicion isn’t determined by dollar thresholds alone. While transactions structured to avoid reporting limits clearly warrant attention, many suspicious matters involve perfectly legal transaction amounts but suspicious patterns, contexts, or behaviours.
Red flags warranting enhanced scrutiny include customers providing inconsistent or implausible information about transaction purposes, reluctance to provide standard identification documents, unusual requests for privacy or circumventing normal procedures, transaction patterns inconsistent with stated business or personal circumstances, and rapid movement of funds through accounts with no apparent business purpose.
The reformed regime emphasises that your transaction monitoring must be capable of detecting patterns over time, not just individual transactions. Layering schemes often involve multiple smaller transactions that appear innocent in isolation but reveal suspicious patterns when viewed collectively.
Timing Expectations and Quality Standards
Speed matters in suspicious matter reporting, but quality matters equally. AUSTRAC consistently emphasises that high-quality, detailed SMRs provide the best foundation for intelligence analysis and operational action by law enforcement partners.
Your SMR should clearly articulate who is involved, what suspicious activity occurred, where and when it happened, why you’re suspicious, and how the suspicious activity manifested. Include results from your enhanced due diligence investigation, explaining what additional checks you conducted and what those revealed.
Avoid internal jargon, acronyms, or shorthand that make your SMR difficult for AUSTRAC and partner agencies to interpret. The person reading your report shouldn’t need specialised knowledge of your systems to understand what you’re reporting.
How AUSTRAC Uses Reports
AUSTRAC analyses SMRs alongside threshold transaction reports, international funds transfer instructions, and other intelligence to build comprehensive pictures of potential criminal activity. This intelligence feeds directly to law enforcement agencies including the Australian Federal Police, state police forces, and national security agencies.
Your individual SMR might be the piece that connects disparate intelligence strands, enabling authorities to identify networks, trace fund flows, or disrupt criminal enterprises. The better your SMR quality, the more actionable the intelligence becomes.
AUSTRAC also uses aggregate SMR data to identify emerging risks, develop typologies of criminal behaviour, and inform guidance to reporting entities about threats requiring heightened attention. Your reporting obligations don’t end with submission. AUSTRAC may request additional information or clarification, and timely, complete responses to these requests form part of your compliance obligations.
Penalties for AML and CFT Non-Compliance in Australia
The consequences of non-compliance extend far beyond regulatory penalties, though those alone can be catastrophic.
Civil Penalties and Court Actions
Civil penalties for AML/CTF contraventions can reach up to $31.3 million for corporations and $6.26 million for individuals per contravention. When violations are systematic across multiple transactions or customers, theoretical exposure can exceed billions of dollars.
Recent enforcement history demonstrates AUSTRAC’s willingness to pursue maximum penalties for serious breaches. Westpac’s $1.3 billion penalty in 2020 remains the largest civil penalty in Australian corporate history. Crown Resorts paid $450 million in 2023 for fundamental AML/CTF program failures. SkyCity Adelaide faced a $67 million penalty in 2024 for serious compliance breakdowns.
These cases share common threads: inadequate risk assessments, ineffective transaction monitoring systems, poor governance and board oversight, and failure to conduct meaningful enhanced due diligence on high-risk customers. The penalties reflect both the seriousness of breaches and AUSTRAC’s intent to send deterrent messages across the regulated community.
Enforceable Undertakings and Remedial Directions
Civil penalty proceedings represent AUSTRAC’s most severe enforcement tool, but the regulator has a graduated toolkit. Enforceable undertakings allow entities to commit to specific remedial actions, external reviews, and compliance improvements in lieu of court proceedings.
These undertakings become public, creating reputational consequences even without financial penalties. Non-compliance with an undertaking’s terms can result in court enforcement, potentially escalating to civil penalty proceedings.
Remedial directions represent formal written instructions to take specific compliance actions. AUSTRAC might direct you to submit overdue reports, implement specific controls, or engage external auditors to review your program. Failure to comply with a remedial direction itself constitutes a contravention subject to penalties.
For less serious breaches, AUSTRAC issues infringement notices with fixed penalties ranging from several thousand to tens of thousands of dollars per violation. While smaller than civil penalties, multiple infringement notices signal regulatory concern and often presage more serious enforcement if compliance doesn’t improve.
Reputational Damage and Operational Impact
The financial penalties, substantial as they are, often pale against the broader business impact of non-compliance. Enforcement actions become public, creating media coverage and reputational damage that affects customer confidence, investor perceptions, and commercial relationships.
Banks and other financial institutions may terminate relationships with entities seen as compliance risks. The threat of de-banking, where your business loses access to banking services, represents an existential risk particularly for fintechs, remitters, and other businesses requiring banking partnerships to operate.
Regulatory enforcement commonly triggers parallel consequences. Your financial services licenses may face conditions, suspensions, or cancellation. Directors and senior managers may face personal liability and professional consequences. Insurance costs increase or coverage becomes unavailable.
Common AML and CFT Compliance Challenges for Australian Businesses
Understanding theoretical obligations differs from implementing effective compliance in operational reality. Most businesses encounter predictable challenges regardless of size or sector.
Inadequate Risk Assessments
The single most common compliance failure involves superficial risk assessments that don’t genuinely inform compliance measures. Many organisations approach risk assessment as a compliance document to satisfy AUSTRAC rather than a strategic tool for understanding where their vulnerabilities actually lie.
Effective risk assessment requires honest evaluation of your customer base, delivery channels, products and services, and geographical exposure. This means acknowledging uncomfortable realities: certain customer segments, service types, or transaction patterns do present elevated risks requiring stronger controls.
Over-Reliance on Templates
Industry templates and consultant-provided compliance documents create dangerous illusions of compliance. AUSTRAC explicitly expects your AML/CTF program to reflect your actual business model, services, risk profile, and operational reality.
A template might provide a starting framework, but if your policies and procedures read like generic boilerplate disconnected from how your business actually operates, that disconnect will become evident during any regulatory examination. Staff won’t follow procedures that don’t match operational reality, and your controls will fail when tested.
Poor Transaction Monitoring Systems
Transaction monitoring represents one of the most resource-intensive compliance obligations, and it’s where many programs fail. Setting monitoring rules without understanding your customer baseline behaviour generates massive false-positive alert volumes that overwhelm compliance teams.
The opposite problem, setting thresholds too high to avoid alert fatigue, means genuine suspicious activity slips through undetected. Effective monitoring requires ongoing tuning based on your customer population, regular reviews of rule effectiveness, and willingness to investigate thoroughly when alerts trigger.
Lack of Staff Training
Your compliance program exists on paper, but staff execute it in practice. Inadequate training means front-line personnel fail to recognise red flags, don’t understand when to escalate concerns, and inadvertently tip off customers during due diligence inquiries.
Training can’t be an annual checkbox exercise. Effective programs involve regular refreshers, specific scenario-based training for different roles, and updates whenever obligations change, new typologies emerge, or enforcement actions reveal compliance pitfalls.
Acknowledging Operational Realities
These challenges aren’t hypothetical. Small and medium businesses particularly struggle with the cost and complexity of compliance. You might lack dedicated compliance personnel, face budget constraints on technology solutions, or find that detailed compliance procedures slow your business to uncompetitive speeds.
These realities don’t excuse non-compliance, but they do require pragmatic solutions. Your program must be proportionate to your actual risk profile. AUSTRAC’s risk-based approach means a small remittance business with limited products and customer types shouldn’t need the same infrastructure as a major bank. The challenge lies in achieving appropriate compliance without over-engineering or under-investing.
How to Build a Strong AML and CFT Compliance Program in Australia
Creating effective compliance requires systematic development, stakeholder engagement, and commitment to ongoing improvement.
Step 1: Conduct a Genuine Risk Assessment
Begin by honestly evaluating your business’s exposure to money laundering and terrorism financing risks. Assess your customer types, the services you provide, how you deliver those services, and where you operate. Document not just the risks but also your reasoning about why certain areas present higher or lower concern.
Your risk assessment should inform everything that follows. Higher-risk areas require stronger controls, more frequent monitoring, and greater management attention.
Step 2: Design Your AML/CTF Program
With your risk assessment complete, develop policies, procedures, systems, and controls tailored to managing those specific risks. Your program should address governance structures, compliance officer roles and responsibilities, customer due diligence procedures calibrated to different risk levels, transaction monitoring approach and rules, suspicious matter reporting processes, record-keeping requirements, and staff training frameworks.
Ensure your program receives appropriate board and senior management approval. Compliance can’t be delegated entirely to compliance officers; executive leadership must own the framework and provide necessary resources.
Step 3: Implement Systems and Controls
Translation from policy to practice requires systems that enable compliance efficiently. This might involve customer onboarding systems that capture required information and conduct verification checks, transaction monitoring platforms that identify unusual patterns and generate alerts for investigation, case management systems for investigating potential suspicious matters, reporting interfaces for submitting reports to AUSTRAC, and record-keeping systems that maintain required documentation for appropriate retention periods.
Technology solutions should facilitate compliance rather than creating additional burdens. The right systems reduce manual work, improve consistency, and create audit trails demonstrating your compliance efforts.
Step 4: Train Your Personnel
Ensure everyone in your organisation understands their role in your AML/CTF program. Front-line staff need to recognise red flags and understand escalation processes. Middle management requires skills to investigate potential suspicious matters and make reporting decisions. Executive leadership must understand their oversight obligations and the risks the business faces from compliance failures.
Training should be role-specific, scenario-based where possible, and regularly updated to reflect changes in obligations, emerging risks, and lessons from enforcement actions.
Step 5: Monitor, Review, and Improve
Compliance isn’t static. Arrange independent reviews of your program at appropriate intervals. Monitor the effectiveness of your controls through metrics like alert investigation times, SMR quality feedback from AUSTRAC, and findings from audits or reviews.
When reviews identify deficiencies, implement improvements promptly and document your responses. AUSTRAC evaluates not just whether problems exist but how you respond when issues are identified.
Tailoring to Your Business Model
Your compliance approach should reflect your actual business. A digital currency exchange faces different risks than a superannuation fund, which differs from a real estate agency or accounting practice. Generic approaches consistently fail because they don’t address the specific ways criminals might exploit your particular services.
Consider how your customer acquisition works, what red flags would look like in your context, how your operational workflows can incorporate compliance checks without creating unsustainable bottlenecks, and what level of investment is proportionate to your risk profile and business scale.
Why Expert AML and CFT Advisory Matters in Australia
The complexity of Australia’s AML/CTF regime, particularly following the recent reforms, creates significant advantages for businesses that engage experienced advisory support.
Why Generic Policies Fail AUSTRAC Scrutiny
AUSTRAC consistently identifies template-based compliance programs as a key failing in enforcement actions. The regulator expects your program to demonstrate genuine understanding of your business, your risks, and how your controls actually operate.
Generic policies fail because they don’t reflect operational reality, making them unworkable for staff to follow consistently. They don’t address the specific risks your business faces or the particular ways criminals might target your services. When AUSTRAC examines your program, the disconnect between generic documentation and actual practice becomes immediately apparent.
Local Regulatory Understanding
Australia’s AML/CTF regime has unique features that distinguish it from other jurisdictions. The designated services model, the specific structure of reporting obligations, AUSTRAC’s regulatory approach and expectations, and the nuances of how courts interpret obligations all require local expertise.
Advisors with deep experience in Australian AML/CTF compliance understand not just what the law requires but how AUSTRAC interprets obligations, what enforcement patterns reveal about regulatory priorities, how to engage with AUSTRAC effectively when issues arise, and what practical approaches work for different business models and sizes.
Operational Fit and Strategic Integration
Effective advisory support goes beyond compliance documentation to help you integrate AML/CTF obligations into your operational workflows. This means designing customer onboarding processes that capture required information without creating excessive friction, developing risk assessment methodologies that reflect your actual business model, implementing monitoring approaches calibrated to your transaction types and volumes, and building escalation and reporting procedures that work with your organisational structure.
The goal isn’t just avoiding penalties but creating compliance systems that protect your business while remaining operationally sustainable. Expert advisors help you find that balance rather than implementing theoretical best practices that don’t work in your practical context.
AML and CFT Compliance in Australia – Key Takeaways
Australia’s AML/CTF regime has undergone transformative change through 2024-2026 reforms, expanding obligations to thousands of new reporting entities while modernising requirements for existing ones. Compliance is mandatory, risk-based, and subject to significant penalties for failure, but it’s also an opportunity to protect your business from criminal exploitation.
Your obligations centre on developing and maintaining an AML/CTF program tailored to your actual risks, conducting appropriate customer due diligence calibrated to risk levels, monitoring transactions and customer behaviour for suspicious patterns, reporting suspicious matters to AUSTRAC within required timeframes, and maintaining robust governance, training, and review processes.
The consequences of non-compliance extend beyond regulatory penalties to encompass reputational damage, operational disruption, and potential loss of banking relationships or professional licenses. However, compliance done well protects your business, your customers, and the integrity of Australia’s financial system while aligning with international standards.
Proactive compliance preparation remains essential, particularly for newly regulated entities approaching their July 2026 obligations. The time to build your program, train your staff, and implement necessary systems is now, not after obligations commence.
"Precious metals and stones concentrate high value in small, easily transferable forms, making the sector inherently attractive to money laundering. Tranche 2 reflects AUSTRAC’s view that dealers now sit on the front line of financial crime prevention."
FAQs: AML and CFT Compliance in Australia
1. What is AML and CFT compliance in Australia?
AML and CFT compliance refers to the legal obligations that certain businesses must meet to prevent money laundering and terrorism financing. If you provide designated services such as financial, remittance, digital currency, gaming, or certain professional services, you must have systems to identify customers, monitor transactions, assess risks, and report suspicious activity to AUSTRAC. These obligations help protect Australia’s financial system from criminal exploitation.
2. Who regulates AML and CFT compliance in Australia?
The Australian Transaction Reports and Analysis Centre (AUSTRAC) regulates AML and CFT compliance in Australia. AUSTRAC operates as both the nation’s financial intelligence unit and the primary regulator, supervising reporting entities’ compliance with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 and associated Rules. AUSTRAC has extensive enforcement powers including issuing infringement notices, seeking civil penalties through courts, and accepting enforceable undertakings.
3. Which businesses must follow AML and CFT compliance requirements?
Businesses providing designated services must comply with AML/CTF requirements. Current reporting entities include financial institutions, payment providers, digital currency exchanges, gaming operators, and bullion dealers. From 1 July 2026, new obligations apply to real estate professionals, lawyers and conveyancers, accountants, trust and company service providers, and dealers accepting cash or virtual assets above $10,000. Not all businesses in these sectors are covered; obligations depend on providing specific designated services defined in the Act.
4. What happens if a business fails AML and CFT compliance in Australia?
Non-compliance can result in civil penalties up to $31.3 million per contravention for corporations, with multiple contraventions potentially creating exposure exceeding hundreds of millions of dollars. AUSTRAC can also issue infringement notices, remedial directions, and accept enforceable undertakings. Recent enforcement actions include Westpac’s $1.3 billion penalty, Crown Resorts’ $450 million fine, and SkyCity Adelaide’s $67 million penalty. Beyond financial penalties, non-compliance creates reputational damage, potential loss of licenses or banking relationships, and operational disruption. Criminal penalties may apply for serious violations.
5. How often should AML and CFT programs be reviewed?
AML/CTF programs must undergo regular independent review by someone with appropriate expertise who isn’t involved in day-to-day compliance operations. Review frequency should reflect your business size, complexity, and risk profile, though annual reviews represent a common baseline for many entities. Beyond formal independent reviews, you should continuously monitor your program’s effectiveness and update it when your business changes significantly, new risks emerge, AUSTRAC releases relevant guidance, or enforcement actions reveal compliance gaps requiring attention.