AML compliance in Australia: a complete guide for regulated businesses

AML compliance in Australia is changing. For years, the AML/CTF regime mainly applied to banks, remittance providers, digital currency exchanges, gambling businesses, lenders and other financial-sector reporting entities. That is no longer the whole story.

From 1 July 2026, certain services provided by lawyers, accountants, conveyancers, real estate professionals, dealers in precious metals and stones, and trust and company service providers come under AUSTRAC regulation. AUSTRAC says the number of regulated businesses will grow from around 19,000 to close to 100,000 nationwide.

AML compliance is not just having a policy. It means understanding risk, checking customers, monitoring activity, reporting suspicious matters, keeping records, training staff and proving that the programme works. This guide explains the Australian AML/CTF framework, who must comply, what a compliant programme includes, and how technology can reduce manual workload.

What is AML compliance?

AML compliance means the systems, controls, policies and records a business uses to prevent, detect and report money laundering risk. In Australia, AML is usually discussed together with CTF, which means counter-terrorism financing.

AML/CTF compliance is governed by the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, the AML/CTF Rules and AUSTRAC guidance. AUSTRAC is both Australia’s AML/CTF regulator and financial intelligence unit.

In practice, AML compliance requires a reporting entity to understand how its services could be misused, identify and verify customers, assess customer and transaction risk, monitor for unusual activity, submit required reports, keep records and review its controls over time.

A small firm does not need a bank-sized compliance department. It does need a clear way to prove who the customer is, what service is being provided, what risk exists, what checks were done and what evidence supports the decision.

Who needs to comply with Australian AML/CTF law?

A business must comply with Australian AML/CTF law if it is a reporting entity providing designated services with the required Australian connection.

Existing reporting entities include many businesses in financial services, banking, lending, remittance, gambling, bullion, digital currency exchange and related sectors. These businesses already have AML/CTF obligations and must update their programmes for the reformed regime.

Tranche 2 expands the regime. From 1 July 2026, AML/CTF obligations apply to certain designated services typically provided by:

The dates are important. AUSTRAC guidance says currently regulated businesses must update programmes for the new requirements from 31 March 2026. New virtual asset-related designated services and intermediary transfer message services also start from 31 March 2026. For legal, accounting, real estate, precious metals and stones, and professional services, the start date is 1 July 2026.

Newly regulated businesses providing new designated services from 1 July 2026 generally must enrol with AUSTRAC by 29 July 2026.

Not every business in a sector is automatically in scope for every activity. Reporting entity status follows designated services. A law firm may be in scope for one matter type and outside scope for another. For more on scope, see AUSTRAC designated services and reporting entity status.

Tranche 2 timeline

| Date | What changes |
| --- | --- |
| 31 March 2026 | Current reporting entities must update AML/CTF programmes for the reformed requirements. New virtual asset-related services and intermediary transfer message services also start. |
| 1 July 2026 | Certain legal, accounting, conveyancing, real estate, precious metals and stones, and trust and company services come into scope. |
| 29 July 2026 | Typical enrolment deadline for businesses newly providing designated services from 1 July 2026. |
| 1 July 2026 to 30 June 2027 | Next annual compliance reporting period under AUSTRAC’s updated guidance. |
| 1 July to 30 September each year | Annual compliance report submission window for the previous financial year. |

What does AML compliance require?

AML compliance has several moving parts. The exact design depends on business size, complexity and risk profile, but the core obligations are consistent.

1. A documented AML/CTF programme

A reporting entity must develop, maintain and comply with an AML/CTF programme tailored to its business. Under AUSTRAC’s reform guidance, the programme must be documented and approved by a senior manager before the business starts providing a designated service.

The programme should explain how the business identifies, mitigates and manages ML/TF risk. It should cover governance, risk assessment, customer due diligence, ongoing monitoring, reporting, staff training, independent evaluation, record keeping and review.

Older terminology often referred to Part A and Part B. Under the reformed guidance, AUSTRAC now frames the programme around governance, risk assessment and AML/CTF policies. The practical point remains: the programme must be written, risk-based and used.

A policy that sits in a folder is not an AML programme. It is a document.

2. Governance and compliance officer

AUSTRAC guidance requires reporting entities to appoint an AML/CTF compliance officer. That person communicates with AUSTRAC and oversees day-to-day compliance with AML/CTF obligations.

The compliance officer must have enough authority, independence, resources and access to expertise to perform the role. They must also report to the governing body at least once every 12 months. In a small firm, this may be a principal or senior manager. Responsibility still needs to be clear.

3. Customer due diligence

Customer due diligence, or CDD, is the process of identifying the customer, verifying relevant information, understanding customer risk and determining whether the business can provide the designated service.

AUSTRAC says initial CDD must be completed before the business starts providing a customer with a designated service. If the business cannot establish the required matters on reasonable grounds, it must not start providing the service.

CDD includes individual KYC and entity KYB. KYC focuses on identifying individuals. KYB focuses on businesses, trusts, partnerships, companies, beneficial ownership, control and related persons. For Tranche 2 firms, KYB is often the harder part.

4. Enhanced due diligence and monitoring

Enhanced customer due diligence applies when risk is higher. AUSTRAC guidance requires enhanced CDD in cases such as unusual, complex or large transactions, unusual transaction patterns, or situations with no apparent economic or legal purpose.

EDD may include extra information, source of funds checks, source of wealth checks, senior approval, tighter monitoring or refusal to proceed. The business should be able to show why EDD was triggered, what extra work was done and why the final decision was reasonable.

AML compliance does not stop after onboarding. Reporting entities must monitor customers to identify, assess, manage and mitigate ML/TF risk while providing designated services. That includes unusual transactions and behaviours, customer risk changes and KYC updates where appropriate.

For firms newly captured by Tranche 2, this is the part most likely to be underestimated. Client onboarding may happen once. Client risk changes over time.

5. Reporting to AUSTRAC

Reporting entities may need to submit different reports to AUSTRAC, depending on the service and circumstances.

Common reports include:

Suspicious matter reporting is not limited to confirmed wrongdoing. It is triggered by reasonable grounds for suspicion. Staff need to know what to escalate, and the business needs a process for deciding whether a report is required.

6. Record keeping

Record keeping is the evidence base for AML compliance.

AUSTRAC guidance says reporting entities must make and keep records that show how they complied with CDD obligations, including what customer information was collected, what verification steps were taken, and what analysis or decision-making explains the level of CDD applied.

The record should show the path, not just the outcome: reviewer, evidence, screening result, exception rationale and later changes. If the answer lives across five inboxes, a shared drive and someone’s memory, the system is too fragile.

7. Annual reporting, review and independent evaluation

AUSTRAC requires reporting entities to submit annual compliance reports. Under updated guidance, the reporting period is moving to financial years. The next reporting period will be 1 July 2026 to 30 June 2027, with submission within three months after the reporting period ends.

A reporting entity must also review and update its AML/CTF programme as risks change. AUSTRAC guidance says the entire risk assessment and all AML/CTF policies must be reviewed at least once every three years.

Independent evaluations are also required. They assess the ML/TF risk assessment, the design of AML/CTF policies and whether the programme is operating effectively. Frequency depends on business size, complexity and risk.

Common AML compliance failures

AUSTRAC enforcement history shows recurring patterns. The names are large, but the lessons apply to smaller firms.

Weak customer due diligence

In 2022, AUSTRAC accepted an enforceable undertaking from NAB to address shortcomings in areas including customer identification procedures, ongoing customer due diligence and adoption and maintenance of a compliant AML/CTF programme. AUSTRAC finalised the undertaking in 2025 after NAB satisfied its obligations, while noting that compliance is not a one-off task.

Poor risk assessment and oversight

Crown Melbourne and Crown Perth were ordered by the Federal Court to pay a $450 million penalty in 2023. AUSTRAC said Crown admitted its AML/CTF programmes were not based on appropriate risk assessments, did not have appropriate systems and controls, and were not subject to appropriate board and senior management oversight.

Systemic control failures

AUSTRAC’s case against Commonwealth Bank involved serious and systemic non-compliance. The enforcement record says CBA was ordered by the Federal Court to pay a $700 million penalty in 2018. AUSTRAC’s original case included allegations connected to intelligent deposit machines and failures to assess ML/TF risk before rollout.

These cases are useful because the failure patterns are familiar:

Current civil penalty exposure is serious. AUSTRAC says Federal Court civil penalties can reach 100,000 penalty units for a body corporate and 20,000 penalty units for other persons. At the current $330 penalty unit, that is up to $33 million and $6.6 million respectively, depending on the contravention and court outcome.

How to build an AML compliance programme step by step

1. Confirm designated services and reporting entity status

Map services against the AML/CTF Act and AUSTRAC guidance. Do not assume the whole firm is either in or out. Scope may depend on service type, customer type and Australian connection.

2. Appoint an AML/CTF compliance officer

Decide who owns day-to-day compliance and AUSTRAC communication. Make sure the person has authority, time and access to senior management.

3. Conduct an ML/TF risk assessment

Identify how the business could be misused for money laundering, terrorism financing or proliferation financing. Consider customers, services, jurisdictions, delivery channels, transactions, intermediaries and entity structures.

4. Draft the AML/CTF programme

Document governance, risk assessment, policies and procedures. The programme should be approved by a senior manager before designated services are provided.

5. Design CDD, KYC and KYB workflows

Translate policy into customer workflows. Define what information is collected, what evidence is required, how identity is verified, how beneficial ownership is assessed, when EDD applies and who approves exceptions.

6. Set up monitoring, escalation and reporting

Define what unusual activity looks like for the business. Build escalation routes for suspicious matters, high-risk customers, unresolved screening results and unusual transactions.

7. Train staff

Train staff on the firm’s actual services and risk scenarios, not only generic AML theory. Front-line staff need to know what to ask, what to record and when to escalate.

8. Enrol with AUSTRAC

Newly regulated businesses must enrol within the required timeframe. For many Tranche 2 businesses providing new designated services from 1 July 2026, the practical deadline is 29 July 2026.

9. Build records, review and improve

Create records that show compliance activity as it happens. Management should be able to see volumes, high-risk cases, overdue reviews, unresolved issues, training status and exceptions.

Review the risk assessment and policies as the business changes, and at least every three years. Conduct independent evaluation at a frequency appropriate to business size, complexity and risk.

Veraxa gives regulated businesses a no-code AML/CTF programme builder, onboarding workflows and audit-ready records in one place.

How technology can automate AML compliance

Manual AML compliance does not scale well. It tends to work until case volume rises, staff change, or the business encounters a complex customer.

Technology can help by turning policy into guided workflow.

Useful AML compliance automation should cover:

The goal is not to remove human judgement. The goal is to make sure the right human sees the right case with the right evidence at the right time.

This is where compliance management systems and onboarding software meet. AML obligations begin at intake, continue through the customer relationship and should be visible in management reporting.

How Veraxa helps Australian businesses meet AML/CTF obligations

Veraxa is built for regulated onboarding and compliance workflows. It helps Australian businesses turn AML/CTF policy into operational process without building custom internal software.

The platform supports:

This matters for Tranche 2 firms because some clients will be simple and others will involve trusts, companies, overseas parties, beneficial owners, source of funds questions and partner-level approvals. A static form cannot handle that variation well. A no-code workflow system can.

Veraxa is not a substitute for legal advice, senior accountability or a properly designed AML/CTF programme. It is the operating layer that helps staff apply the programme consistently.

Frequently asked questions

What is AML compliance in Australia?

AML compliance in Australia means complying with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, AML/CTF Rules and AUSTRAC guidance. It includes risk assessment, customer due diligence, ongoing monitoring, reporting, staff training, record keeping, review and governance.

Who regulates AML compliance in Australia?

AUSTRAC regulates AML/CTF compliance in Australia. It is also Australia’s financial intelligence unit. Reporting entities enrol with AUSTRAC, submit required reports and may be subject to AUSTRAC supervision or enforcement.

What are the penalties for non-compliance with the AML/CTF Act?

AUSTRAC can take enforcement action, seek civil penalty orders, accept enforceable undertakings, issue infringement notices and issue remedial directions. Civil penalties can reach 100,000 penalty units for a body corporate and 20,000 penalty units for other persons, subject to the Act and court outcome.

Do small businesses need to comply with AML laws?

Small businesses need to comply if they provide designated services and meet the requirements to be a reporting entity. Size alone does not decide AML/CTF status. A small accounting, legal, conveyancing or real estate business may be in scope if it provides regulated services from 1 July 2026.

What is the difference between AML and CTF?

AML means anti-money laundering. It focuses on preventing criminals from disguising the origins of illicit funds. CTF means counter-terrorism financing. It focuses on preventing funds from being used to support terrorism. In Australia, both are covered together under the AML/CTF framework.

How often must an AML/CTF programme be reviewed?

AUSTRAC guidance says a reporting entity must review its entire ML/TF risk assessment and all AML/CTF policies at least once every three years. Reviews may be needed more often when risks, services, customers, systems or business operations change. Independent evaluation frequency depends on business size, complexity and risk.

Is AML compliance software mandatory?

No specific software product is mandatory. The obligation is to comply with the AML/CTF Act, Rules and related requirements. In practice, software helps businesses apply policies consistently, keep records, manage approvals and monitor ongoing obligations.

Conclusion

AML compliance is becoming a normal operating requirement for a much wider group of Australian businesses.

For newly regulated firms, the real challenge is not reading the law once. It is turning obligations into repeatable work: onboarding, risk assessment, KYC, KYB, monitoring, escalation, reporting, training and records.

A good AML compliance programme needs policy, judgement and governance. It also needs workflow. Veraxa helps Australian regulated businesses build that workflow without custom software development.
