AML Compliance Australia – Complete Guide (2026)

⚡ Direct Answer:  AML (Anti-Money Laundering) compliance in Australia refers to the legal obligations imposed on businesses classified as “reporting entities” under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act). These businesses must develop AML/CTF programs, conduct customer due diligence, submit reports to AUSTRAC, and maintain proper records. Failure to comply can result in significant civil penalties and regulatory action.

What is AML Compliance in Australia?

AML compliance is the system of laws, regulations, policies, and procedures designed to detect and prevent financial crime — specifically money laundering (ML) and terrorism financing (TF). In Australia, the primary legislation is the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (the Act), supported by the AML/CTF Rules.

The Act is administered and enforced by AUSTRAC — Australia’s financial intelligence unit and AML/CTF regulator. AUSTRAC oversees thousands of businesses across the financial, gambling, and digital currency sectors, ensuring they have appropriate controls to detect and deter financial crime.

At its core, AML compliance requires businesses to:

  • Identify and verify the identity of their customers
  • Understand the nature of the business relationship and the purpose of transactions
  • Conduct ongoing monitoring of customer activity
  • Report suspicious matters, threshold transactions, and international fund transfers to AUSTRAC
  • Develop and maintain a written AML/CTF program tailored to the nature, size, and complexity of the business
  • Conduct periodic independent evaluations of the program
  • Keep records for a minimum of 7 years

Who Needs AML Compliance in Australia?

AML/CTF obligations apply to businesses that provide “designated services” under the Act and have a geographical link to Australia. These businesses are known as reporting entities. Size is not a factor — a one-person operation can be a reporting entity just as a major bank can be.

Businesses currently captured under the AML/CTF regime include:

  • Banks, credit unions, building societies and other authorised deposit-taking institutions
  • Mortgage and finance brokers
  • Insurance providers and intermediaries
  • Superannuation funds and trustees
  • Securities dealers and investment advisers
  • Remittance and money transfer businesses
  • Digital currency (cryptocurrency) exchanges
  • Gambling service providers (casinos, wagering, gaming)
  • Bullion dealers
  • Pawnbrokers

👉 Understand which businesses rea reporting entities: What is a Reporting Entity under AUSTRAC?

AML Reforms: Tranche 2 (2026)

Australia’s AML/CTF regime is expanding significantly under the Tranche 2 reforms. From 1 July 2026, new designated services will be introduced, and certain professional service providers — the so-called “gatekeeper professions” — will become regulated for the first time.

Newly regulated businesses are required to apply to enrol with AUSTRAC by 29 July 2026. This includes:

  • Accountants and accounting service providers
  • Lawyers and conveyancers
  • Real estate agents (residential and commercial)
  • Trust and company service providers
  • Precious metals and stones dealers
  • Virtual asset service providers (new categories)

If your business is in one of these sectors, you should begin preparing your AML/CTF program now. The reforms represent the most significant expansion of the Australian AML/CTF regime since the Act was first introduced.

The Role of AUSTRAC

AUSTRAC (the Australian Transaction Reports and Analysis Centre) is Australia’s financial intelligence unit and AML/CTF regulator. Established under the Financial Transaction Reports Act 1988, AUSTRAC has broad supervisory and enforcement powers.

AUSTRAC’s key responsibilities include:

  • Registering and enrolling reporting entities
  • Receiving and analysing financial intelligence reports (SMRs, TTRs, IFTIs)
  • Monitoring compliance through risk-based supervision
  • Issuing guidance and regulatory expectations
  • Taking enforcement action against non-compliant entities
  • Sharing intelligence with law enforcement agencies

Key AML/CTF Obligations for Reporting Entities

1. AML/CTF Program

Every reporting entity must develop and maintain a written AML/CTF program before commencing designated services. The program must be approved by a senior manager and must be tailored to the nature, size, and complexity of your business. AUSTRAC expects the program to include risk-based policies, procedures, systems, and controls that collectively manage and mitigate your identified ML/TF risks.

Your AML/CTF program must include:

  • A completed ML/TF risk assessment
  • Customer due diligence (CDD) procedures for all customer types
  • Ongoing monitoring processes
  • Employee due diligence and training requirements
  • Record-keeping policies
  • Reporting procedures (SMR, TTR, IFTI)
  • A framework for independent review and evaluation

👉 Read more How to build an AML Program

2. ML/TF Risk Assessment

You must conduct a risk assessment to identify and assess your business’s money laundering, terrorism financing, and proliferation financing risks. The risk assessment is the foundation of your AML/CTF program — it determines where controls should be focused and how intensive due diligence needs to be.

AUSTRAC requires you to consider risks arising from:

  • The types of designated services you provide (including new or emerging technologies)
  • Your customer types and risk profiles
  • Your delivery channels
  • The countries or jurisdictions you deal with
  • Any new or planned services, customers, or geographies that may increase risk

👉 Read more How to conduct an AML CTF Risk Assessment

3. Customer Due Diligence (CDD)

Before providing designated services, you must conduct initial CDD on your customers to understand their ML/TF risk and identify the relevant individuals. You must then conduct ongoing CDD to monitor customers and manage their evolving risk profile. CDD includes identity verification, understanding the nature and purpose of the relationship, and detecting politically exposed persons (PEPs) or sanctioned individuals.

👉 Read more Customer Due Diligence Australia and What is KYC (Know Your Customer) in Australia?

4. Reporting Obligations

Reporting entities must submit the following reports to AUSTRAC:

  • Suspicious Matter Reports (SMRs): when you suspect a transaction or activity may be linked to criminal activity or terrorism financing. Must be submitted within 24 hours if related to terrorism financing, or within 3 business days for other suspicions.
  • Threshold Transaction Reports (TTRs): for cash transactions of AUD $10,000 or more. Must be submitted within 10 business days of the transaction.
  • International Funds Transfer Instructions (IFTIs): for electronic transfers of funds into or out of Australia.
  • Cross-Border Movement Reports (CBMRs): when moving cash or monetary instruments of $10,000 or more across the Australian border.

👉 Read more Suspicious Matter Reports Explained, Threshold Transactions Reports Explained

5. Record Keeping

Reporting entities must keep records relating to designated services, CDD, transactions, and their AML/CTF program. Most records must be retained for at least 7 years. Records must be stored in a way that allows them to be retrieved and provided to AUSTRAC on request.

Penalties for AML/CTF Non-Compliance

Non-compliance with AML/CTF obligations can result in serious consequences. AUSTRAC has increasingly exercised its enforcement powers, and Australian courts have imposed some of the largest corporate penalties in the country’s history for AML/CTF breaches.

Penalties and enforcement actions include:

  • Significant civil penalty orders (with penalties running into billions of dollars for major institutions)
  • Infringement notices for less serious contraventions
  • Enforceable undertakings requiring remediation
  • Compliance directions to fix specific deficiencies
  • Appointment of external compliance auditors
  • Cancellation of registration (for remittance and virtual asset providers)
  • Reputational damage and public reporting of enforcement actions

👉 Read more What Happens If You Don’t Comply with AUSTRAC? and AML Penalties in Australia Explained

How to Comply: A Step-by-Step Roadmap

Step 1: Determine whether you are a reporting entity by checking whether your business provides designated services with a geographical link to Australia..

Step 2: Enrol with AUSTRAC — you must apply within 28 days of commencing designated services. Remittance and virtual asset providers must also register.

Step 3: Conduct your ML/TF risk assessment, covering customer types, services, delivery channels, and geographic exposure.

Step 4: Develop and document your AML/CTF program, including policies, procedures, and controls tailored to your risk assessment.

Step 5: Implement customer due diligence processes — initial CDD for new customers and ongoing CDD for existing relationships.

Step 6: Train staff on AML/CTF obligations and your internal procedures.

Step 7: Establish reporting and record-keeping systems.

Step 8: Schedule an independent review of your program to evaluate its effectiveness.

    👉 Read more AUSTRAC Registration – Step-by-Step Guide and AML Compliance Checklist for Australian Businesses

    Frequently Asked Questions

    Is AML compliance mandatory in Australia?

    Yes, for reporting entities. If your business provides designated services with a geographical link to Australia, you are legally required to comply with AML/CTF obligations under the Act. There is no exemption based on business size.

    What is a “designated service”?

    Designated services are specific financial, gambling, and other services listed in Table 1 and Table 2 of Part 1 of the AML/CTF Act. Examples include accepting deposits, providing loans, exchanging foreign currency, digital currency exchange, and gambling services. From 1 July 2026, new services — including those provided by accountants, lawyers, and real estate agents — are being added.

    How long do I have to register with AUSTRAC?

    You must apply to enrol within 28 days of commencing a designated service. Newly regulated businesses under the 2026 reforms must apply by 29 July 2026.

    What is the difference between AML and KYC?

    KYC (Know Your Customer) is a component of AML compliance. It refers specifically to the process of verifying a customer’s identity and understanding their activities. AML compliance is the broader framework — encompassing not just KYC but also risk assessments, transaction monitoring, reporting, and program management.

    Do small businesses need AML compliance?

    If a small business provides designated services, yes. The Act does not provide any exemption based on business size. However, AUSTRAC acknowledges that smaller, less complex businesses may have proportionally simpler AML/CTF programs compared to large financial institutions.

    📣 Need help with AML/CTF compliance? 

    👉 Contact The AML Consultant for expert advice on building your AML/CTF program.

    👉 Check if your business is a reporting entity: Do I need AML?

    👉 Download our AML compliance checklist: AML Compliance Checklist for Australian Businesses

    🧬 About the Author

    Indika Gunawardana
    AML/CTF Specialist

    Experienced in AML/CTF compliance, regulatory frameworks, and advisory services, with a focus on helping businesses navigate Australia’s evolving compliance landscape.

    Powered by
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    Powered by