Australia’s anti-money laundering framework is undergoing its most significant transformation in over a decade. For accounting firms and other professional services businesses, understanding the AUSTRAC AML/CTF rules isn’t optional: it’s becoming a legal requirement that will fundamentally change how you onboard and verify clients.
The reforms taking effect through 2025 and 2026 extend AML/CTF obligations to a much broader range of "reporting entities," including accountants, lawyers, and real estate professionals. This means thousands of businesses that previously operated outside AUSTRAC’s regulatory scope must now implement compliant identity verification processes, customer due diligence programs, and ongoing monitoring systems.
At StackGo, we help regulated businesses integrate identity verification and KYC compliance directly into their existing software stack, whether that’s HubSpot, Salesforce, or another CRM. As these new obligations come into force, having the right infrastructure in place will determine whether compliance becomes a competitive advantage or an operational burden.
This article breaks down the current AUSTRAC AML/CTF framework, explains what’s changing with the 2026 reforms, and outlines the practical steps your business needs to take. We’ll cover the legislative requirements, transitional timelines, and what compliance actually looks like in practice.
What the AUSTRAC AML/CTF Rules cover
The AUSTRAC AML/CTF rules establish Australia’s legal framework for combating money laundering and terrorism financing across the financial system. These rules, made under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, prescribe specific obligations that reporting entities must follow when providing designated services. The framework covers everything from customer identification requirements to transaction monitoring, reporting suspicious activity, and maintaining compliance programs.
Core legislative framework
Your obligations under the AUSTRAC framework stem from two primary sources: the AML/CTF Act 2006 and the AML/CTF Rules. The Act establishes the broad legislative requirements, while the Rules provide the detailed, prescriptive obligations you must implement in your business operations. AUSTRAC updates these Rules periodically to address emerging risks, with the most significant changes coming into effect during 2025 and 2026.
The Rules specify exactly how you must verify customer identities, what documentation you need to collect, and the timeframes within which you must complete verification. They also define the types of businesses and services that fall under the regulatory regime, establishing clear boundaries around who is considered a reporting entity.
The scope of regulated activities
The framework applies to businesses providing designated services, which historically included banks, remittance providers, casinos, and bullion dealers. These entities must conduct customer due diligence, monitor transactions, and report to AUSTRAC when they identify suspicious activity or threshold transactions above specified amounts.
Under the expanded reforms, professional services including accounting, legal services, and real estate transactions now fall within the regulatory perimeter, significantly broadening the range of businesses that must comply.
Designated services now encompass activities where money laundering risks exist, such as client account operations, property settlements, and business advisory services involving significant funds. The expansion recognises that criminals increasingly use professional intermediaries to legitimise illicit proceeds, making these sectors critical to Australia’s financial crime defences.
Key compliance requirements
You must implement several interconnected obligations under the Rules. Customer identification requires you to verify the identity of individuals and beneficial owners of entities before providing designated services. This means collecting specific identity documents, verifying their authenticity, and maintaining records for seven years after the business relationship ends.

Transaction monitoring obligations require you to have systems that detect suspicious activity and unusual transaction patterns. When you identify reportable matters, you must submit suspicious matter reports (SMRs) to AUSTRAC within specified timeframes. Your business must also maintain an AML/CTF program that assesses your money laundering and terrorism financing risks, implements appropriate controls, and ensures ongoing compliance through regular audits and staff training.
Current obligations for reporting entities
If your business is already captured under the existing AUSTRAC AML/CTF rules, you’re subject to a comprehensive set of obligations that govern how you identify customers, monitor transactions, and report suspicious activity. These requirements apply to traditional reporting entities including financial institutions, remittance providers, casinos, and bullion dealers. Understanding these current obligations provides the baseline for what newly regulated entities will need to implement when the 2026 reforms commence.
Customer identification and verification
You must verify the identity of every customer before providing a designated service. This means collecting and checking specific identity documents that meet AUSTRAC’s verification standards, including government-issued photo identification for individuals and company registration details for entities. Your verification process must occur within a reasonable timeframe, typically before you provide the service, though some limited exceptions exist for low-risk situations.
The Rules require you to identify beneficial owners when dealing with corporate entities, trusts, or partnerships. You need to establish who ultimately owns or controls the entity, typically identifying individuals who hold 25% or more ownership interest. This prevents criminals from hiding behind complex corporate structures to launder money or finance terrorism.
Your business must maintain all identification records for seven years after the customer relationship ends, ensuring AUSTRAC can access historical verification data during investigations.
Ongoing monitoring and reporting
Your obligations don’t end after initial customer verification. You must implement ongoing due diligence to monitor customer transactions and activities throughout the business relationship. This includes detecting unusual patterns, conducting enhanced due diligence for high-risk customers, and updating customer information when circumstances change or risks increase.
When you identify suspicious activity that may involve money laundering or terrorism financing, you must submit a suspicious matter report to AUSTRAC. You also need to report threshold transactions above specified amounts, typically $10,000 or equivalent for most transaction types, and maintain an AML/CTF program that documents your risk assessment and compliance approach.
What changes in the 2025 Rules and 2026 start
The AML/CTF Rules 2025 represent the most significant expansion of Australia’s financial crime framework since its inception. These new AUSTRAC AML/CTF rules, which commenced on 31 March 2026, extend reporting entity obligations to accountants, lawyers, real estate professionals, and other trust and company service providers. Your business now falls under regulatory oversight if you provide services involving client accounts, property settlements, or business structuring advice that previously operated outside AUSTRAC’s scope.
Expansion to professional services
Accounting firms must now comply when they prepare or lodge tax returns involving client money, establish or manage client trust accounts, or provide business structuring advice. Legal practices face obligations when conducting property settlements, managing trust accounts, or forming companies and trusts on behalf of clients. Real estate agents and conveyancers come under the framework when they handle funds in settlement transactions or act as intermediaries in property transfers.
These expanded obligations recognise that criminals increasingly exploit professional intermediaries to legitimise illicit funds, making your sector critical to Australia’s anti-money laundering defences.
Enhanced verification requirements
The 2025 Rules introduce stronger identity verification standards that go beyond the previous framework. You must now collect biometric-capable identity documents where possible, verify beneficial ownership chains more thoroughly, and implement ongoing monitoring systems that detect suspicious patterns across your client base. Enhanced due diligence requirements apply when dealing with high-risk customers, including politically exposed persons or clients from jurisdictions with weak anti-money laundering controls. Your business needs systems that can flag unusual transaction patterns, verify complex ownership structures, and maintain comprehensive audit trails for all verification activities you conduct.
Transitional arrangements through 2029
AUSTRAC recognises that implementing comprehensive AML/CTF compliance takes time, particularly for businesses that have never operated under these obligations before. The transitional arrangements provide a phased approach through to March 2029, giving your business structured timeframes to build systems, train staff, and implement required controls without facing immediate enforcement action for technical breaches during the implementation period.
The phased implementation timeline
Your business entered the first phase when the AUSTRAC AML/CTF rules commenced on 31 March 2026. During this initial period through 2027, AUSTRAC expects you to prioritise establishing your customer identification processes, implementing basic risk assessment frameworks, and setting up internal reporting procedures. You must begin collecting and verifying customer identities according to the Rules, even if your full compliance program isn’t yet complete.

The second phase runs through 2028, when you must have operational transaction monitoring systems, completed staff training programs, and documented policies that cover all aspects of your obligations. AUSTRAC will increase its supervision activities during this period, conducting reviews to ensure you’re making genuine progress toward full compliance.
The transitional period doesn’t exempt you from obligations; it provides regulatory tolerance while you build compliant systems and processes.
Compliance milestones for new reporting entities
By March 2027, you must complete customer due diligence for all existing clients who receive designated services, implement a risk-based approach to verification, and establish your initial AML/CTF program. Your program doesn’t need to be perfect, but it must demonstrate a genuine commitment to identifying and managing money laundering risks within your business operations.
Full compliance becomes mandatory by March 2029. AUSTRAC will enforce all obligations from this point forward, including penalties for non-compliance, so your systems must be operational and effective well before this deadline.
How to prepare your business for compliance
Preparing for the AUSTRAC AML/CTF rules requires a structured approach that addresses your identification processes, risk management frameworks, and internal controls. Your first step involves conducting a comprehensive audit of your current client onboarding procedures to identify gaps between your existing practices and the regulatory requirements. This assessment reveals which systems need upgrading, what training your team requires, and where you can leverage existing infrastructure to minimise compliance costs.
Conduct a comprehensive risk assessment
You must document the money laundering and terrorism financing risks your business faces based on your client types, service offerings, and geographic exposure. Your risk assessment identifies which customers require enhanced due diligence, what transaction patterns signal suspicious activity, and how often you need to review client information. This framework guides every compliance decision you make, from verification standards to monitoring thresholds.
Your risk assessment isn’t a one-time exercise; you must review and update it whenever your business operations change or new threats emerge.
Establish compliant verification procedures
Your verification procedures need to capture the right identity documents, confirm their authenticity, and maintain audit trails for every customer interaction. Consider integrating identity verification technology directly into your CRM or practice management software, eliminating manual data entry and reducing verification errors. StackGo’s IdentityCheck reads contact information from your existing system, verifies identities against global databases, and writes outcomes back automatically, ensuring your compliance data lives where you already work rather than requiring separate platforms or manual processes.
Build ongoing monitoring capabilities
Transaction monitoring requires systems that flag unusual patterns, detect high-risk activities, and generate suspicious matter reports when necessary. Your monitoring approach must align with your risk assessment, applying stricter oversight to higher-risk clients while maintaining efficient processes for standard relationships.

Next steps
The AUSTRAC AML/CTF rules now apply to your business if you provide accounting, legal, or real estate services involving client funds or business structuring advice. Your compliance deadline depends on when you need full operational systems in place, with March 2029 marking the end of transitional tolerance from AUSTRAC. You need compliant identity verification processes, documented risk assessments, and ongoing monitoring capabilities before this final deadline.
Start implementing your compliance framework now rather than waiting until enforcement begins. Your first priorities include conducting a risk assessment of your current client base, establishing verification procedures that capture the right identity documents, and integrating these processes into your existing software systems. StackGo’s IdentityCheck solution handles AUSTRAC Tranche 2 compliance directly inside your CRM, eliminating separate platforms and manual data entry. Your verification outcomes write back automatically, creating audit trails without disrupting your existing workflows.







