Direct Answer: The most common AML/CTF compliance mistakes in Australia include failing to enrol with AUSTRAC, using generic AML programs not tailored to the business, inadequate customer due diligence, late or missing reports to AUSTRAC, poor record keeping, and not conducting independent program reviews. AUSTRAC’s supervisory work consistently highlights these failures as the basis for enforcement action.
Why Businesses Get AML Compliance Wrong
AML/CTF compliance is often misunderstood as a tick-box exercise. Businesses acquire a template AML program, complete a basic customer identification process, and assume they are compliant. AUSTRAC’s enforcement experience tells a very different story. The most common failures are not deliberate wrongdoing — they are the result of misunderstanding what the law actually requires, inadequate resources, or simply not treating compliance as a priority.
The consequences of getting it wrong can be severe — from civil penalties to business disruption and reputational damage. Understanding the most common mistakes is the first step to avoiding them.
Mistake 1: Not Knowing You Are a Reporting Entity
Many businesses operate without realising that their services trigger reporting entity status under the AML/CTF Act. This is particularly common in:
- Fintech and technology businesses that facilitate payments or currency exchange
- Businesses that provide services that include an ancillary designated service (e.g., a travel agent that also sells foreign currency)
- Newly regulated professions that will be captured from 1 July 2026
Operating as a reporting entity without having enrolled is a breach of the Act from day one. Businesses that discover they have been operating without enrolment should seek legal advice and consider voluntary disclosure to AUSTRAC.
Mistake 2: A Generic, Off-the-Shelf AML Program
AUSTRAC’s guidance is unambiguous: your AML/CTF program must be tailored to the nature, size, and complexity of your business. A generic template downloaded from the internet — or adapted wholesale from another business — does not meet this requirement.
An inadequate program typically:
- Uses generic risk categories rather than assessing the actual customers and services of the business
- Contains procedures that cannot practically be implemented by the business
- Has not been updated to reflect changes in the business’s services, customers, or risk profile
- Was never approved by a senior manager with genuine understanding of its contents
- Has no evidence of actual implementation — procedures that exist on paper only
Mistake 3: Inadequate Customer Due Diligence
CDD failures are among the most frequently identified compliance deficiencies. Common CDD mistakes include:
- Accepting expired identity documents or documents that are clearly insufficient
- Not identifying and verifying beneficial owners of companies and trusts
- Applying simplified due diligence without having assessed whether the conditions are actually met
- Failing to update customer information when it becomes out of date
- Not screening customers against PEP databases or targeted financial sanctions lists
- Conducting initial CDD but then failing to perform ongoing monitoring of the relationship
Mistake 4: Missing or Late Reports to AUSTRAC
Failure to submit timely and accurate reports is one of the most serious compliance failures, and one of the most visible to AUSTRAC. Common reporting failures include:
- Not having a clear internal process for identifying suspicious activity and escalating it for SMR consideration
- Delaying SMR submission because staff are uncertain whether the threshold for suspicion is met
- Missing TTR obligations for cash transactions at or above $10,000
- Not tracking reporting deadlines — particularly the 24-hour terrorism financing SMR deadline
- Submitting reports that are incomplete or contain errors
Mistake 5: Poor Record Keeping
AUSTRAC can request records at any time during a compliance assessment or investigation. Businesses that cannot produce their records on request face serious problems. Common record-keeping failures include:
- Not retaining records for the full 7-year minimum retention period
- Records scattered across different systems with no centralised management
- CDD records that do not document the verification process — only the outcome
- Transaction records that are insufficient to fully reconstruct the transaction
- No process for securely destroying records after the retention period
Mistake 6: Treating Staff Training as a One-Off Exercise
AML/CTF training is often conducted once at the beginning of employment and never revisited. This approach fails for several reasons:
- The AML/CTF laws and AUSTRAC guidance change over time — particularly with the 2026 reforms
- Staff turnover means new employees may not receive adequate training
- Customer-facing staff who have not recently refreshed their training may miss red flags
- Training that is not documented cannot be evidenced to AUSTRAC during a compliance assessment
Mistake 7: Not Conducting Independent Program Reviews
The AML/CTF Act requires reporting entities to periodically conduct independent evaluations of their AML/CTF program. Many businesses skip this requirement or conduct a superficial internal review that does not meet the independence requirement. An independent review should:
- Be conducted by someone who was not involved in developing or implementing the program
- Assess the effectiveness of the program — not just confirm that it exists on paper
- Identify deficiencies and recommend improvements
- Be documented in writing with findings and recommendations
How to Avoid These Mistakes
- Confirm your reporting entity status and enrol with AUSTRAC before commencing designated services.
- Invest in a properly tailored AML/CTF program — seek professional help if needed.
- Implement meaningful CDD procedures that your staff can actually follow.
- Establish clear internal reporting processes so that suspicious matters are escalated promptly.
- Conduct regular training and keep training records.
- Schedule an independent review of your program before AUSTRAC does it for you.
- Keep thorough, organised records from day one.
Frequently Asked Questions
What is the most common reason AUSTRAC takes enforcement action?
AUSTRAC’s enforcement actions frequently involve systemic failures — not isolated incidents. The most common drivers are inadequate AML/CTF programs (particularly programs that are generic or not implemented in practice), failure to submit SMRs, and poor CDD processes.
Can self-reporting compliance failures to AUSTRAC help?
Yes. AUSTRAC’s published guidance indicates that self-reporting is a mitigating factor in enforcement decisions. Businesses that proactively identify issues, report them to AUSTRAC, and take genuine remediation steps are treated more favourably than those whose failures are discovered through AUSTRAC-initiated compliance assessments.
How does AUSTRAC find out about compliance failures?
AUSTRAC uses a risk-based supervisory approach. It analyses data from reporting entities’ submissions, conducts targeted assessments of sectors it considers higher risk, and investigates tips and referrals. Businesses that submit poor-quality reports, show unusual reporting patterns, or have unexplained gaps in reporting attract supervisory attention.