
AML Compliance Requirements in Australia: How to Comply


Australian businesses that provide designated services must comply with anti-money laundering and counter-terrorism financing (AML/CTF) laws administered by AUSTRAC. Missing your obligations can lead to civil penalties of up to $31.3 million per breach. Yet many businesses struggle to understand what compliance actually requires—especially with reforms reshaping the regime by 31 March 2026. The shift from checkbox compliance to risk-based programs means you need practical clarity on what to implement and how.

Compliance boils down to four clear steps: confirm you’re a reporting entity and enrol, design a risk-based AML/CTF program, implement customer due diligence (CDD) and reporting systems, then train staff and maintain your program. Each step builds on the previous one to create a robust framework that meets AUSTRAC’s expectations.

This guide walks you through exactly what AML/CTF compliance requires in Australia. You’ll learn who must comply, how to build your program from scratch, what CDD and reporting obligations you must meet, and how to keep everything current. By the end, you’ll have a practical roadmap to implement compliant processes in your business.

What AML/CTF compliance requires in Australia

The AML/CTF Act establishes four core obligations that define what compliance means for your business. These requirements apply from the moment you provide a designated service listed under Section 6 of the Act. You must register with AUSTRAC, build a risk-based program, conduct customer due diligence, and report specific transactions and suspicious matters. The regime focuses on preventing criminals from using legitimate businesses to launder money or finance terrorism.

The four mandatory obligations

Your AML compliance requirements center on these specific duties that AUSTRAC enforces:

1. Enrolment and registration
You must register your business with AUSTRAC within 28 days of providing your first designated service. Some entities, including remittance providers and digital currency exchanges, must renew registration every three years.

2. AML/CTF program
You need a written program that identifies, assesses, and mitigates money laundering and terrorism financing risks in your business. This program must include your risk assessment, policies, procedures, systems, and controls. The 2024 reforms require an outcomes-focused approach rather than a checkbox exercise.

3. Customer identification and verification
You must conduct customer due diligence (CDD) before providing designated services. This includes verifying customer identities, understanding the nature and purpose of relationships, and conducting ongoing monitoring based on your risk assessment.

4. Reporting and record keeping
You must submit threshold transaction reports (TTRs), suspicious matter reports (SMRs), and international funds transfer instructions (IFTIs) to AUSTRAC. All records must be kept for seven years and made available on request.

Compliance is not a one-time project. Your program must evolve as your business grows and risks change.

How the 2024 reforms change compliance

The reforms that commence on 31 March 2026 remove the previous Part A and Part B structure from AML/CTF programs. You now need a single, unified program that demonstrates how you identify and mitigate risks proportionate to your business size and complexity. AUSTRAC expects you to show your board or senior management oversees the program, while your AML/CTF compliance officer manages daily implementation.

Step 1. Confirm you are a reporting entity and enrol

Your first task is determining whether your business falls under AUSTRAC’s jurisdiction. You become a reporting entity the moment you provide any of the designated services listed in Section 6 of the AML/CTF Act. This includes activities like accepting deposits, providing loans, exchanging currency, facilitating remittances, or dealing in digital currency. Professional services such as accounting, legal advice, and real estate transactions will join this list when Tranche 2 reforms commence on 31 March 2026.

Check if you provide designated services

Review Section 6 of the AML/CTF Act against your actual business activities. If you accept payments, transfer funds internationally, or provide financial products, you likely meet the definition. Account providers, money transfer businesses, financial advisers, and bullion dealers all fall within the current regime. Accountants and lawyers providing services covered under the reforms must prepare for compliance by the March 2026 deadline.

Once you provide a designated service, you have 28 days to enrol with AUSTRAC.

Complete your AUSTRAC enrolment

Log into AUSTRAC Online and select the appropriate entity category for your business. You need your Australian Business Number (ABN), business structure details, and information about your services. The registration process requires you to nominate an AML/CTF compliance officer who will act as AUSTRAC’s primary contact. Submit all required documentation and wait for AUSTRAC to verify your details before you receive confirmation.

Remittance providers and digital currency exchanges must note their three-year renewal requirement. Set a calendar reminder for 90 days before your registration expires to avoid operating without valid registration. Some reporting entities must also pay an annual industry contribution levy based on their transaction volumes and business type.

Step 2. Design your risk-based AML/CTF program

Your AML/CTF program forms the foundation of your compliance approach. This written document must demonstrate how you identify, mitigate, and manage the money laundering and terrorism financing risks your business faces. The 2024 reforms require an outcomes-focused program tailored to your business size, complexity, and risk profile rather than a generic template. You need to show AUSTRAC that your program works in practice, not just on paper.

Conduct your ML/TF risk assessment

Your risk assessment drives every other component of your program. You must identify and evaluate the money laundering, terrorism financing, and proliferation financing risks you may reasonably face when providing designated services. This assessment considers four mandatory risk factors: your customer types, the designated services you provide, your delivery methods, and the jurisdictions you operate in or deal with. Start by mapping each product or service you offer against these factors.

Document your methodology clearly so AUSTRAC understands your reasoning. Rate each risk area as low, medium, or high based on factors like transaction volumes, customer profiles, and geographic exposure. A basic risk matrix helps structure this analysis:

| Risk Category | Risk Factors | Risk Rating | Mitigation Measures |
| --- | --- | --- | --- |
| Customer Type | Politically exposed persons, high-net-worth clients | High | Enhanced due diligence, senior approval |
| Service Type | International transfers, large cash transactions | Medium | Transaction monitoring, reporting thresholds |
| Delivery Method | Remote onboarding, digital channels | Medium | Multi-factor authentication, document verification |
| Jurisdiction | High-risk countries per AUSTRAC guidance | High | Restricted transactions, enhanced screening |

Your risk assessment must be reviewed and updated when you introduce new products, enter new markets, or AUSTRAC publishes new risk intelligence.

Build your AML policies and procedures

Your AML compliance requirements extend beyond the risk assessment to documented policies that address identified risks. Write clear procedures covering customer due diligence, ongoing monitoring, suspicious matter identification, and reporting workflows. Each procedure must explain who does what, when, and how. Include decision trees or flowcharts that staff can follow when they encounter specific scenarios.

Structure your policies around your actual business processes. If you onboard clients through a CRM, document how identity verification integrates with that system. Specify approval thresholds, escalation paths, and record-keeping requirements for each procedure. Your documentation should enable a new staff member to understand and execute their compliance duties without additional guidance.

Assign clear governance roles

Your board or senior management must oversee the program and ensure it effectively identifies and mitigates risks. Document their specific responsibilities, including approving program updates, reviewing risk assessments, and receiving compliance reports. Appoint an AML/CTF compliance officer at management level who manages daily implementation and coordinates program activities. This person reports program performance and issues to senior management.

Define what oversight means in practice for your business. Smaller firms might combine roles, with a sole director acting as both governing body and compliance officer. Larger organizations need clear separation between strategic oversight and operational management. Document meeting frequencies, reporting formats, and escalation triggers that activate board involvement in compliance matters.

Step 3. Put CDD, reporting and records in place

Your AML compliance requirements demand operational systems that execute your program daily. You need customer due diligence procedures, reporting workflows, and record-keeping infrastructure that work within your existing business processes. These systems transform your documented policies into actions that staff can complete reliably. Integration with your current technology stack determines whether compliance becomes seamless or creates friction that leads to errors.

Implement customer due diligence procedures

You must verify each customer’s identity before providing a designated service. Collect and verify their full name, date of birth, and residential address using acceptable identification documents. For individuals, this means government-issued photo ID plus a secondary document. Companies require verification of their Australian Company Number (ACN) or ABN, plus identification of beneficial owners controlling more than 25% of the entity.

Design your CDD process to integrate with how you already onboard customers. If you use a CRM system, build identity verification directly into your contact creation workflow. Automation reduces manual data entry and ensures you capture required information consistently. Your process should flag high-risk customers who need enhanced due diligence, including additional documentation or senior management approval before proceeding.

Document what you collect, when you collect it, and how you verify it. Create checklists that staff follow for different customer types:

| Customer Type | Required Documents | Verification Method | Risk Assessment |
| --- | --- | --- | --- |
| Individual | Photo ID + address proof | Document verification service | Standard CDD |
| Company | ASIC extract, beneficial owner details | Business registry check | Enhanced if high-risk jurisdiction |
| Trust | Trust deed, trustee identification | Legal document review | Enhanced CDD required |

Your CDD procedures must match the risks identified in your assessment, applying stricter measures to higher-risk relationships.

Set up your reporting workflows

You must submit threshold transaction reports (TTRs) to AUSTRAC within 10 business days for any cash transactions of $10,000 or more. International funds transfer instructions (IFTIs) require reporting within 10 business days of the instruction. Suspicious matter reports (SMRs) must be filed as soon as you form a suspicion about a transaction or customer activity, with no prescribed timeframe.

Build reporting triggers into your transaction processing systems. Configure alerts when transactions meet TTR thresholds or exhibit patterns requiring SMR consideration. Designate who reviews alerts, who approves reports, and who submits them through AUSTRAC Online. Your workflow should prevent reporting delays while maintaining confidentiality to avoid tipping off customers under investigation.

Establish record-keeping systems

You must retain all customer identification records, transaction records, and AML/CTF program documents for seven years from the date you complete a transaction or end a customer relationship. Store records in a format that AUSTRAC can access and review on request. Your systems need to retrieve specific records quickly when authorities request information.

Implement secure storage that protects personally identifiable information while allowing authorised staff access for compliance purposes. Document your retention schedule, destruction procedures for expired records, and backup processes. Regular audits confirm your systems actually retain what they should and dispose of records appropriately after the retention period expires.

Step 4. Train staff, test and keep up to date

Your AML compliance requirements extend beyond documentation to ensuring staff understand and follow your program. You need regular training, independent testing, and continuous monitoring of regulatory changes to maintain effective compliance. A program that sits on a shelf serves no purpose when staff don’t know their obligations or your systems fail to catch risks. Build ongoing compliance into your business operations through structured activities that identify weaknesses before AUSTRAC does.

Create your training program

You must train all staff whose work involves designated services or AML/CTF obligations. Deliver training when staff join your business and annually thereafter, with additional sessions when you update policies or AUSTRAC issues new guidance. Cover how to identify suspicious behaviour, complete customer due diligence correctly, and escalate concerns to your compliance officer.

Tailor training content to specific roles rather than generic presentations. Front-line staff need practical scenarios they encounter daily, while managers require deeper understanding of risk indicators and reporting obligations. Document who attended each session, what content you covered, and test comprehension through quizzes or practical exercises. Keep training records for seven years as evidence of your program.

Training effectiveness shows in how staff handle compliance tasks, not just attendance records.

Conduct independent reviews

You must test your program’s effectiveness through independent audits at least every two years. Appoint an external auditor or internal staff member who doesn’t manage daily compliance operations. Your reviewer examines whether procedures match documented policies, staff follow requirements, and controls actually mitigate identified risks. They test transaction samples, interview staff, and assess system outputs.

Document all audit findings and create action plans that address identified gaps. Track remediation progress and report results to your board or senior management. AUSTRAC expects you to demonstrate continuous improvement through this testing cycle.

Monitor regulatory changes

Subscribe to AUSTRAC updates and industry communications that announce regulatory changes. Review your program whenever AUSTRAC publishes new risk assessments, updates Rules, or releases guidance materials. The regime evolves constantly as new threats emerge and enforcement approaches shift. Set quarterly reviews to confirm your program remains current with obligations and industry standards.

Final thoughts

Your AML compliance requirements in Australia demand a structured approach that balances regulatory obligations with practical implementation. You now understand the four core steps that transform compliance from an abstract legal requirement into a functioning business process: confirming your reporting entity status and enrolling, designing a risk-based program, implementing CDD and reporting systems, and maintaining everything through training and testing. Each step builds on the previous one to create a defensible compliance framework that AUSTRAC expects.

The challenge lies in integrating these requirements into your existing business systems without creating manual bottlenecks or duplicate data entry. Your staff need compliance tools that work within the platforms they already use daily, not separate systems that add complexity and increase error rates. StackGo’s identity verification integrations let you conduct compliant customer due diligence directly in your CRM, eliminating the need to adopt new software or manage multiple tabs while maintaining the privacy and security standards AUSTRAC requires.
