
Complete Guide to AML/CTF Compliance in Australia

Australia's anti-money laundering and counter-terrorism financing regime is governed by the AML/CTF Act 2006 and enforced by AUSTRAC. This guide covers everything a reporting entity needs to know — from registration through to the six core compliance obligations.

Last updated: March 2026 | 25 min read | Australian law

Contents

  1. What is AML/CTF compliance?
  2. The AML/CTF Act 2006 — key obligations
  3. Who is a reporting entity?
  4. The six core compliance obligations
  5. Penalties for non-compliance
  6. How IntelliCompli helps
  7. Frequently asked questions

What is AML/CTF compliance?

Anti-money laundering and counter-terrorism financing (AML/CTF) compliance refers to the legal obligations placed on certain businesses to detect, prevent, and report financial crimes including money laundering, terrorism financing, and related offences.

Money laundering is the process of disguising the proceeds of crime to make them appear legitimate. It typically occurs in three stages: placement (introducing criminal proceeds into the financial system), layering (obscuring the trail through complex transactions), and integration (reintroducing funds as apparently legitimate wealth).

Terrorism financing involves providing financial support for terrorist activities or organisations. Unlike money laundering, the funds involved may be from entirely legitimate sources — the criminal element is the intended use, not the origin.

Australia's AML/CTF framework aligns with the international standards set by the Financial Action Task Force (FATF), the global standard-setter for AML/CTF. Australia is a founding member of FATF and is subject to periodic mutual evaluations that assess the effectiveness of its AML/CTF regime.

Key legislation

  • AML/CTF Act 2006 — the primary legislation governing AML/CTF obligations
  • AML/CTF Rules 2007 — detailed requirements made under the Act
  • Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 — introduces Tranche 2 obligations from 2026
  • Proceeds of Crime Act 2002 — governs confiscation of criminal assets

The AML/CTF Act 2006 — key obligations

The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) is the cornerstone of Australia's AML/CTF regime. It places obligations on reporting entities to implement risk-based programs, identify and verify customers, monitor transactions, report suspicious matters, and keep records.

The Act is administered by AUSTRAC, which also functions as Australia's financial intelligence unit (FIU). AUSTRAC collects, analyses, and disseminates financial intelligence to law enforcement agencies including the Australian Federal Police (AFP), the Australian Criminal Intelligence Commission (ACIC), and state and territory police.

The Act was significantly amended by the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024, which expands the regime to cover professional services (Tranche 2) and modernises the compliance framework. These reforms come into effect progressively from March 2026, with full compliance required by 1 July 2026.

Part 2 — Customer ID

Requires reporting entities to identify and verify customers before providing designated services, including enhanced verification for high-risk customers.

Part 3 — Reporting

Requires filing of Threshold Transaction Reports (TTRs), Suspicious Matter Reports (SMRs), and International Funds Transfer Instructions (IFTIs) with AUSTRAC.

Part 7 — Programs

Requires all reporting entities to establish and maintain a written AML/CTF program with risk assessments, policies, staff training, and an independent review function.

Part 10 — Records

Requires retention of transaction records, KYC records, and reports for a minimum of 7 years from the date the record was made or the business relationship ended.

Who is a “reporting entity”?

A reporting entity is any business or individual that provides one or more “designated services” listed in Table 1 or Table 2 of section 6 of the AML/CTF Act. Designated services cover a wide range of financial, gambling, and digital currency activities.

If your business provides a designated service, you must register with AUSTRAC, establish an AML/CTF program, and meet all compliance obligations — regardless of the size of your business or the volume of transactions you process.

Current Tranche 1 reporting entities include:

  • Banks and authorised deposit-taking institutions
  • Remittance dealers and money transfer operators
  • Digital currency exchanges
  • Securities dealers and stock brokers
  • Mortgage originators and lenders
  • Gaming and gambling operators
  • Life insurance companies
  • Financial planners providing designated services
  • Bullion dealers
  • Stored value card providers

Tranche 2 expansion — from 1 July 2026

The 2024 amendments add professional services as reporting entities for the first time, including:

  • Law firms, solicitors, and barristers (for designated legal services)
  • Accounting firms, tax agents, and bookkeepers
  • Real estate agents and property professionals
  • Trust and company service providers
  • Dealers in precious metals and stones

The six core compliance obligations

Every reporting entity must meet the following six obligations under the AML/CTF Act. Failure to meet any of these obligations can result in civil and criminal penalties.

1. Customer Identification

Verify the identity of customers before providing a designated service. This includes collecting and verifying name, date of birth, and address for individuals, and ABN/ACN, registered name, and beneficial ownership for businesses.

2. Ongoing Due Diligence

Continuously monitor customer transactions and behaviour against their risk profile. Update customer information when it changes, re-screen against sanctions and PEP lists, and re-assess risk when circumstances change.

3. Transaction Monitoring

Monitor transactions for indicators of money laundering, terrorism financing, or other suspicious activity. Apply rule-based and behavioural monitoring to detect structuring, unusual cash activity, and high-risk patterns.

4. Suspicious Matter Reporting

Lodge a Suspicious Matter Report (SMR) with AUSTRAC when you suspect a customer or transaction is related to money laundering, terrorism financing, tax evasion, or other serious crimes. SMRs are due within 24 hours for terrorism-related suspicions, or within 3 business days for other matters.

5. AML/CTF Programs

Maintain a written AML/CTF program that documents your risk assessment, policies, procedures, and controls. The program must have Part A (general) and Part B (customer identification). It must be reviewed regularly and kept up to date.

6. Record Keeping

Retain KYC records, transaction records, and reports for at least 7 years. Records must be stored in a way that allows them to be retrieved quickly in response to an AUSTRAC request or law enforcement inquiry.

The AML/CTF program requirement

Your AML/CTF program is the central compliance document. Under the AML/CTF Act, it must contain two parts:

Part A — General

Risk assessment, governance, policies, staff training program, employee due diligence, oversight of independent review, and AML/CTF compliance officer appointment.

Part B — Customer Identification

Customer identification and verification procedures, including standard, simplified, and enhanced due diligence, beneficial ownership identification, and politically exposed persons (PEPs).

Penalties for non-compliance

AUSTRAC has broad enforcement powers and has demonstrated its willingness to impose substantial penalties on non-compliant entities, including Australia's largest financial institutions.

Civil penalties

Up to $22.2 million per contravention for bodies corporate, and up to $4.44 million for individuals. Each breach of the AML/CTF Act is a separate contravention, so penalties can accumulate rapidly for systemic failures.

Criminal penalties

For serious or deliberate AML/CTF failures, criminal penalties can include fines of up to $44.4 million for companies and imprisonment of up to 10 years for individuals. Tipping off a customer about an SMR is a criminal offence.

Other enforcement actions

AUSTRAC can issue infringement notices, apply for injunctions, accept enforceable undertakings, require independent audits, or seek court-ordered compliance programs. AUSTRAC can also disclose non-compliance publicly, which carries significant reputational risk.

Notable AUSTRAC penalties

  • Westpac (2020): 23 million contraventions of the AML/CTF Act. Penalty: $1.3 billion
  • Commonwealth Bank (2018): 53,506 contraventions relating to intelligent deposit machines. Penalty: $700 million
  • Crown Melbourne (2024): Failure to maintain AML/CTF programs at Melbourne casino. Penalty: $450 million

Frequently asked questions

Who must comply with the AML/CTF Act in Australia?

Any business that provides a 'designated service' listed in Table 1 or Table 2 of the AML/CTF Act 2006 is a reporting entity and must comply. This includes financial institutions, remittance dealers, digital currency exchanges, and gaming operators. From 1 July 2026, Tranche 2 reforms expand this to include lawyers, accountants, real estate agents, and trust and company service providers.

What happens if you don't comply with AML/CTF requirements?

AUSTRAC can issue civil penalties of up to $22.2 million per contravention for companies, and criminal penalties for serious or systemic failures. AUSTRAC can also apply for injunctions, enforceable undertakings, or seek court-ordered remediation programs. The largest penalty in Australian history — $1.3 billion — was imposed on Westpac in 2020.

How long does it take to build an AML/CTF program?

A compliant AML/CTF program can typically be built in 2–6 weeks depending on business complexity. It requires a risk assessment, documented policies and procedures, staff training, and a designated AML/CTF compliance officer. IntelliCompli's Program Builder reduces this to days with industry-specific templates and guided workflows.

Do small businesses need an AML/CTF program?

Yes. There is no small-business exemption under the AML/CTF Act. Any business providing a designated service must maintain an AML/CTF program, register with AUSTRAC, and meet all six core obligations regardless of size. However, the complexity of the program can be proportionate to the risk profile of your business.

What is AUSTRAC and what does it do?

AUSTRAC (Australian Transaction Reports and Analysis Centre) is Australia's financial intelligence unit and AML/CTF regulator. It receives and analyses financial data from reporting entities, shares intelligence with law enforcement, and enforces compliance with the AML/CTF Act 2006.

Disclaimer: This content is provided for general informational purposes only and does not constitute legal, financial, or professional compliance advice. While we endeavour to keep this information accurate and up to date, legislation and regulatory guidance change frequently. You should seek independent legal or compliance advice specific to your circumstances before acting on any information in this guide.

Build your AML/CTF program today

IntelliCompli makes it straightforward to meet all six core AML/CTF obligations. Program Builder, automated reporting, KYC, transaction monitoring, and 7-year record keeping — all in one platform.