Your AML/CTF Obligations. Know What's Required

July 1, 2026. That's when your AML/CTF obligations start. Not gradually. Not with a grace period. July 1.

If you're a lawyer, accountant, or real estate agent providing designated services, you need to know what compliance looks like. Because AUSTRAC isn't publishing vague guidelines. They're setting clear, enforceable obligations.

Here's what you must do.

1. Enrol with AUSTRAC

Deadline: Within 28 days of providing your first designated service

Before you provide any designated service after July 1, 2026, you must enrol with AUSTRAC. Enrolment opens March 31, 2026.

What you need to provide:

• Business details (ABN, ACN, business name)
• Contact information
• Details of designated services you provide
• AML/CTF compliance officer details

Enrolment is through AUSTRAC Online. Once approved, you're a reporting entity. That triggers all other obligations.

Penalty for not enrolling: Operating without enrolment is a breach. Civil penalties apply.

2. Develop and Implement an AML/CTF Program

Deadline: Before providing designated services

Your AML/CTF program is a written document showing how you identify, assess, manage, and mitigate ML/TF risks. It's not a template you download. It must be specific to your business.

Part A: Risk Management and Systems

Your program must include:

1. ML/TF Risk Assessment
Identify and assess risks across four dimensions:

• Customers: Who are your clients? Are they high-risk (PEPs, foreign buyers, complex structures)?
• Services: Which designated services do you provide? Which are highest risk?
• Delivery channels: Face-to-face? Online? Through agents?
• Geographic locations: Do you deal with high-risk jurisdictions?

2. Governance Arrangements

• Board/senior management approval of your AML/CTF program
• Ongoing oversight of compliance
• AML/CTF compliance officer appointed (Australian resident, management level, "fit and proper")

3. Employee Due Diligence

• Processes to assess if employees pose ML/TF risks
• Background checks for high-risk roles

4. AML/CTF Training Program

• Train all staff performing AML/CTF functions
• Ensure they understand obligations, risks, and red flags
• Ongoing training when program changes or new risks emerge

5. Systems and Controls for Reporting

• How you identify suspicious matters
• Processes for filing SMRs
• Transaction monitoring procedures

6. Independent Review

• Your AML/CTF program must be independently reviewed every 3 years
• Results provided to senior management/board

Part B: Customer Identification and Verification

Your program must specify:

• How you identify and verify customers
• How you identify beneficial owners
• How you screen for PEPs and sanctions
• What documents you accept as proof of identity
• How you assess customer ML/TF risk

Approval required: Your AML/CTF program must be approved by senior management before implementation.

Keep it current: Review and update your program when business changes, new risks emerge, or AUSTRAC issues guidance.

3. Conduct Customer Due Diligence (CDD)

Timing: Before providing designated services

Customer due diligence is your primary defense against money laundering. You must conduct CDD before providing designated services.

Initial CDD Requirements:

1. Verify Customer Identity

• Full name
• Date of birth
• Residential address

Acceptable documents: Australian passport, driver's license, government-issued photo ID.

For companies: ASIC company extract, business registration.

2. Identify Beneficial Owners

If your customer is a company, trust, or complex structure, you must identify the individuals who ultimately own or control it.

Beneficial owner: Individual who owns 25%+ or exercises control.

This is critical. Shell companies hide beneficial owners. Your job is to find them.

3. Screen for Politically Exposed Persons (PEPs)

• Is your customer a PEP? (Government official, senior judge, military general, etc.)
• Is a beneficial owner a PEP?
• Are family members or close associates PEPs?

PEPs require Enhanced Due Diligence (ECDD).

4. Screen Against Sanctions Lists

• DFAT Consolidated List (Australia)
• UN Security Council sanctions
• International sanctions (US, EU, UK)

If customer is sanctioned, you cannot proceed. Report immediately.

5. Assess ML/TF Risk

Based on CDD findings, assess customer risk: Low, Medium, or High.

High risk triggers Enhanced Due Diligence.

Ongoing CDD Requirements:

CDD doesn't stop at onboarding. You must continuously monitor:

• Transactions: Are they consistent with customer profile?
• Customer information: Has it changed? Update KYC records.
• Risk: Has customer's ML/TF risk increased?

Enhanced Due Diligence (ECDD):

When required:

• Customer is a foreign PEP (mandatory)
• High ML/TF risk customer
• High-risk jurisdiction involvement
• Complex ownership structures
• Suspicious activity detected

ECDD measures:

• Source of funds and wealth verification
• Senior management approval before onboarding
• Enhanced ongoing monitoring
• More frequent reviews

4. Monitor Transactions

Ongoing obligation

You must monitor customer transactions throughout the relationship to detect suspicious activity.

What to monitor for:

• Unusual transaction patterns
• Transactions inconsistent with customer profile
• Structuring (multiple transactions designed to avoid thresholds)
• Layering (complex transactions to obscure source)
• High-risk jurisdictions
• Cash-heavy activity (when customer isn't normally cash-based)

Transaction monitoring doesn't mean reviewing every transaction manually. You need systems that flag unusual activity for review.

5. Report to AUSTRAC

Timelines vary by report type

Suspicious Matter Reports (SMRs)

When: When you have reasonable grounds to suspect money laundering or terrorism financing

Deadline:

• 24 hours for terrorism financing suspicions
• 3 business days for other ML/TF suspicions

Important: You cannot "tip off" the customer that you've filed an SMR. That's a criminal offence.

Threshold Transaction Reports (TTRs)

When: Transactions involving physical currency of $10,000 or more

Deadline: 10 business days

Note: TTRs generally apply to financial institutions. Most Tranche 2 entities won't be filing TTRs unless they're handling large cash amounts.

Annual Compliance Reports

When: Annually, describing how you met AML/CTF obligations during the previous year

Deadline: Within 4 months after the end of your reporting period

6. Keep Records

Duration: 7 years minimum

You must maintain records of:

Customer identification records:

• ID documents collected
• Verification steps taken
• Beneficial ownership information
• PEP screening results

Transaction records:

• Details of designated services provided
• Transaction amounts, dates, parties involved
• Source of funds documentation

Risk assessment records:

• Customer risk assessments
• Business-wide ML/TF risk assessment
• Decisions about CDD or ECDD application

Reporting records:

• SMRs filed
• TTRs filed
• Annual compliance reports

Training records:

• Who was trained
• When training occurred
• What was covered

Why 7 years? AUSTRAC audits can go back 7 years. Law enforcement investigations need historical records. Failure to keep records is a separate breach from failing to comply with the underlying obligation.

Storage: Electronic or paper. Must be retrievable and provided to AUSTRAC within reasonable timeframes if requested.

7. Appoint an AML/CTF Compliance Officer

Required before commencing designated services

You must appoint an AML/CTF compliance officer at management level. They're responsible for:

• Implementing and maintaining your AML/CTF program
• Monitoring compliance
• Reporting to senior management/board
• Liaising with AUSTRAC
• Filing SMRs and other reports

Requirements:

• Australian resident
• Management level (not junior staff)
• "Fit and proper" (no criminal history relevant to ML/TF)
• Competent, skilled, knowledgeable

For small businesses, the principal or managing partner often takes this role.

8. Train Your Staff

Ongoing obligation

All employees performing AML/CTF functions must be trained. That includes:

• Anyone conducting CDD
• Transaction monitoring staff
• Compliance officers
• Customer-facing employees

Training must cover:

• Your AML/CTF obligations
• Your policies and procedures
• How to identify ML/TF risks and red flags
• How to escalate suspicious activity
• Tipping-off prohibitions

Frequency: Initial training before performing AML functions. Ongoing training annually or when program changes.

9. Respond to AUSTRAC Requests

Timeframes specified in requests

AUSTRAC can request information from you at any time. Common requests:

• Customer identification records
• Transaction details
• AML/CTF program documentation
• Explanation of compliance practices

You must respond within the specified timeframe. Failure to respond is a breach.

AUSTRAC audits: AUSTRAC can audit your compliance. They'll review your AML/CTF program, customer records, transaction monitoring, SMRs, and training. If they find deficiencies, they'll issue compliance notices requiring remediation. Serious breaches? Civil penalties.

Penalties for Non-Compliance

AUSTRAC has enforcement powers. Penalties include:

Civil penalties:

• Corporations: Up to $22.2 million per breach
• Individuals: Up to $4.44 million per breach

Each breach is separate. Fail to conduct CDD on 100 customers? That's 100 breaches. Miss 50 SMRs? That's 50 breaches. Penalties compound.

Criminal penalties:

• Serious breaches (e.g., tipping off, deliberately avoiding compliance): Criminal prosecution possible

Reputational damage:

• AUSTRAC publishes enforcement actions
• Media coverage of penalties
• Loss of client trust

Real examples:

• Commonwealth Bank: $700 million penalty
• Westpac: $1.3 billion penalty

These were banks with compliance infrastructure. Tranche 2 entities starting from scratch? AUSTRAC will expect compliance from day one. No excuses.

Summary: Your Obligations Checklist

Before July 1, 2026:

• Develop AML/CTF program (risk assessment, policies, procedures)
• Appoint compliance officer
• Train staff
• Implement CDD systems (KYC, PEP screening, beneficial ownership)
• Set up transaction monitoring
• Establish record-keeping systems

By March 31, 2026:

• Be ready to enrol with AUSTRAC when enrolment opens

From July 1, 2026:

• Enrol with AUSTRAC (within 28 days of first designated service)
• Conduct CDD before providing designated services
• Monitor transactions continuously
• File SMRs within required timeframes
• Keep records for 7 years
• Respond to AUSTRAC requests

Ongoing:

• Update AML/CTF program as risks change
• Train staff annually
• Independent review every 3 years
• File annual compliance reports

The Bottom Line

Tranche 2 obligations are comprehensive. They're not a light-touch regulatory addition. AUSTRAC expects full compliance from day one.

July 1, 2026 isn't negotiable. If you're providing designated services after that date without complying, you're breaching the AML/CTF Act. And AUSTRAC has shown (through massive bank penalties) that they enforce.

Start preparing now. Understand your obligations. Build your program. Train your staff. Because on July 1, there's no grace period. Only compliance or breaches.