New anti-money laundering and counter-terrorism financing laws

Australia has been undergoing a significant transformation in responding to the growing and increasingly sophisticated forms of financial crime.

On 31 August 2025, Australia’s anti-money laundering and counter-terrorism financing (AML/CTF) laws regulator and financial intelligence unit the Australian Transaction Reports and Analysis Centre (AUSTRAC) tabled the Anti-Money Laundering and Counter-Terrorism Financing Rules 2025 (Cth) (Rules) in Parliament. The Rules follow amendments to Australia’s AML/CTF Act (Act), which were passed by Parliament in November 2024.

The amended Act and Rules provide a framework for both existing reporting entities and new entities under ‘Tranche 2’. The purpose of these changes is to enhance transparency, improve compliance, and align Australia’s AML/CTF regime with international standards.

The AML/CTF Act already regulates the provisions of certain types of services known as ‘designated services’. It has applied to financial services, gambling services and bullion services for nearly two decades. It has required ‘reporting entities’ to enrol with AUSTRAC (Australia’s financial intelligence unit and AML/CTF regulator), establish and comply with an AML/CTF Program, and report certain matters to the regulator (including cash transactions above a threshold of $10,000), international funds transfers instructions, suspicious matters, and annual compliance reports. Historically it has been supported by a prescriptive set of AML/CTF Rules covering a wide range of matters including ‘know your customer’ checks.

The cost of managing the risk and complying with the regime can be significant; as can be the customer impact.

Reporting entities to date are entities that provide any designated services listed under section 6 of the AML/CTF Act (because it has been identified as posing a risk for money laundering and terrorism financing). These entities generally provide financial, gambling, bullion or digital currency exchange services.

New Regulated Services

From 1 July 2026, AML/CTF obligations will apply to certain services known as tranche 2 entities, including:

• real estate professionals – such as real estate agents, buyer’s agents and property developers
• dealers in precious stones, metals and products
• lawyers
• conveyancers
• accountants
• trust and company service providers.

More virtual asset-related services and intermediary transfer message services will also come under AML/CTF regulation from 31 March 2026.

Key obligations

The key obligations for regulated businesses are to:

1. Enrol and register with AUSTRAC.
2. Develop and maintain an AML/CTF program tailored to your business.
3. Get your staff ready to implement your obligations.
4. Conduct initial and ongoing customer due diligence (CDD).
5. Report certain transactions and suspicious activities.
6. Make and keep records.

The relevant laws also provide clear protections for information that may be subject to legal professional privilege.

Understanding your obligations under the AML/CTF Act is essential to protect your business.

What Do I Have to Do?

(a) Enrol and register with AUSTRAC

If you provide a designated service with a geographical link to Australia you must enrol.

If you’re a remittance service provider or virtual asset service provider, you need to enrol and apply for registration.

Enrolment involves providing basic information about your business, such as its:

• structure
• services
• key personnel
• contact details.

You must also update your details when they change.

Criminal penalties apply for non-compliance.

(b) Develop and maintain an AML/CTF program

Your program must contain both of the following:

• A risk assessment: you must identify and assess your money laundering, terrorism financing and proliferation financing risks (we refer to these as ML/TF risks).
• AML/CTF policies: you must develop and maintain appropriate policies, procedures, systems and controls to manage and mitigate your ML/TF risks and comply with your obligations.

Your program must be documented and approved by a senior manager of your business. It must be kept up to date, including to reflect significant changes to your business and relevant ML/TF risk products we release. It must also be independently evaluated at least once every 3 years.

Reporting group

If you want to share the costs of compliance with other businesses and fit within the framework established by the Act and Rules, you may be able to do so within a reporting group. Entities in a reporting group share some or all risk management and compliance arrangements. This includes those set out in a group AML/CTF program established by a lead entity of the group.

(c) Prepare Staff

Preparing your staff is critical to help you meet your AML/CTF obligations. This includes making sure of all of the following:

• they’re fit to perform their roles
• they understand their obligations
• your business has strong governance and oversight in place.

Your AML/CTF program must be subject to appropriate governance arrangements.

Your AML/CTF governance structure must clearly identify 3 roles:

• Governing body: has primary responsibility for your governance and executive decisions, empowers the AML/CTF compliance officer and oversees compliance at the highest level.
• Senior manager or managers: approves key AML/CTF compliance decisions.
• AML/CTF compliance officer: manages day-to-day AML/CTF compliance and makes sure policies and procedures are implemented.

These roles are usually held by different people, but in smaller businesses, one person may conduct multiple governance responsibilities.

Conduct personnel due diligence and provide AML/CTF training

Personnel due diligence and training ensure the people performing AML/CTF functions in your business have the right skills, knowledge and integrity to meet your obligations and manage risk.

AUSTRAC expects businesses to:

• conduct personnel due diligence: assess the skills, knowledge, expertise and integrity of personnel you employ or engage to conduct AML/CTF functions; and
• provide AML/CTF training: make sure personnel understand your AML/CTF obligations and know how to follow your policies, procedures and systems. This is so they can identify, manage and mitigate ML/TF risks.

Conduct customer due diligence

Customer due diligence (CDD) helps you understand who your customers are and the AML/CTF risks they may bring to your business.

CDD is separated into initial CDD and ongoing CDD.

The level of information you collect and verify to complete CDD will depend on the AML/CTF risk profile of the customer.

You must apply enhanced CDD in high-risk scenarios. You may be able to apply simplified CDD in low-risk scenarios.

Initial customer due diligence

Initial CDD involves establishing certain matters about a customer on reasonable grounds before you start providing them with a designated service. This makes sure you identify relevant AML/CTF risks from the beginning of your relationship with the customer based on information reasonably available to you.

You must establish the identity of your customer, their representatives, any person on whose behalf they’re receiving a service and any beneficial owner of the customer.

You must also establish if any of these persons are any of the following:

• designated for targeted financial sanctions – which prevents you from dealing with their assets or making assets available to them
• a politically exposed person (PEP) – a person who holds a prominent public position in a government body or international organisation (for example, a government minister) or is a family member or close associate of such a person.

Ongoing customer due diligence

Ongoing CDD involves monitoring and managing AML/CTF risks throughout the customer relationship. This includes all the following:

• monitoring transactions and behaviours for suspicious activity
• updating the customer’s ML/TF risk profile in response to various triggers
• reviewing, updating and reverifying information as needed.

Pre-commencement customers

You won’t need to do initial or ongoing CDD on a pre-commencement customer until any of the following occurs:

• you’re required to file a suspicious matter report in relation to the customer
• there’s a significant change in the nature and purpose of the business relationship with a customer which results in the customer’s ML/TF risk being assessed as medium or high.

This is intended to reduce the regulatory burden of regulating your existing customers, while making sure they’re subject to appropriate CDD measures when their risk profile changes.

Report certain transactions and suspicious activity

The types of reports you may need to submit to AUSTRAC are all of the following:

• suspicious matter reports (SMR): if you suspect a person isn’t who they claim to be, or you have information relevant to criminal activity
• threshold transaction reports (TTR): for any transaction involving physical currency (cash) of $10,000 or more
• international funds transfer reports for instructions to transfer funds into or out of Australia
• cross-border movement reports: if you move physical currency (cash) and other monetary instruments of $10,000 or more into or out of Australia
• compliance reports: an annual report about how you met your obligations the previous calendar year.

Make and keep records

You must make and maintain accurate and complete records for at least 7 years.

These records provide evidence of your due diligence, risk management practices and compliance with AML/CTF obligations. Your records include documents related to your:

• AML/CTF program
• CDD
• transaction records
• staff training sessions
• audit results.

Next steps

The emphasis on identifying and mitigating AML/CTF risk in the new law means that compliance requires both legal and risk management considerations. Evolving technologies, and reliance arrangements with third party providers will play an increased role in how reporting entities meet their new compliance requirements.

The next steps for businesses subject to the upcoming changes to the regime include to:

1. determine whether they, or their customers, fall within the newly regulated kinds of Tranche Two Entities;
2. ensure they, or their customers, enrol with AUSTRAC as reporting entities before 1 July 2026;
3. conduct, or ensure their customers conduct, an AML/CTF risk assessment to identify risks they may reasonably face;
4. develop or update AML/CTF policies to address identified risks, or ensure customers have appropriate measures in place if applicable;
5. confirm that their governing bodies, or those of their customers, are overseeing AML/CTF program implementation;
6. appoint a compliance officer with sufficient authority, or verify that customers have made an appropriate appointment;
7. carry out initial, ongoing and enhanced customer due diligence, or confirm that customers are meeting these requirements where applicable;
8. report relevant transactions and suspicious matters to AUSTRAC, or confirm that customers are doing so if appropriate;
9. maintain records in accordance with AML/CTF obligations, or ensure customers are fulfilling this requirement where relevant.

The information provided in this article is for general informational purposes only. Bowen Buchbinder Vilensky (BBV Legal) accepts no responsibility for any actions taken based on this information, and users do so at their own risk.

For further information contact Leslie Buchbinder at BBV Legal on 93259644 or by email at enquiries@bbvlegal.com.au.