By Justin Amos, Co-Founder & CEO, iDeed Pty Ltd
This article provides a general overview of AML/CTF compliance in Australia. It does not constitute legal advice. For guidance specific to your business, refer to AUSTRAC’s official guidance at austrac.gov.au.
What is AML/CTF compliance?
Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) compliance refers to the set of laws, regulations, and procedures designed to prevent criminals from disguising illegally obtained funds as legitimate income.
In Australia, the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) is the primary legislation governing these obligations. The regulator responsible for enforcement is AUSTRAC - the Australian Transaction Reports and Analysis Centre.
The regime exists because Australia’s financial system, like any developed economy, is a target for money laundering. AUSTRAC estimates that $2 billion per year flows through Australian businesses as proceeds of crime.
Who needs to comply?
Under Australian law, Reporting Entities must comply with AML/CTF obligations. These are businesses that provide “designated services” as defined in the Act.
Currently regulated (Tranche 1)
| Sector | Examples |
|---|---|
| Financial institutions | Banks, credit unions, building societies |
| Gambling services | Casinos, online wagering, lottery providers |
| Bullion dealers | Dealers in precious metals |
| Remittance providers | Money transfer services |
| Digital currency exchanges | Cryptocurrency platforms |
Newly regulated from 1 July 2026 (Tranche 2)
| Sector | Examples |
|---|---|
| Accountants & tax agents | Firms providing designated financial services |
| Lawyers & conveyancers | Firms involved in property, trusts, company formation |
| Real estate agents | Agents brokering property sales |
| Trust & company service providers | Formation agents, nominee services |
| Precious metals & stones dealers | Dealers above threshold amounts |
Not sure if your firm is captured? Use our compliance cost calculator to check your obligations.
The six core obligations
Every Reporting Entity must meet six core obligations under the AML/CTF Act:
1. Enrol with AUSTRAC
Before providing any designated service, you must enrol with AUSTRAC. This registers your business as a Reporting Entity and gives AUSTRAC visibility of your operations.
2. Establish an AML/CTF programme
You must develop and maintain a written AML/CTF programme appropriate to the nature, size and complexity of your business. The programme has two parts:
- Part A - Customer identification, ongoing due diligence, reporting obligations, record-keeping
- Part B - Employee due diligence, including background checks on staff in AML/CTF roles
3. Conduct Customer Due Diligence (CDD)
Before providing a designated service, you must:
- Collect and verify customer identity documents
- Identify beneficial owners of non-individual clients
- Screen against sanctions and PEP (Politically Exposed Persons) lists
- Assess the money laundering and terrorism financing risk of the relationship
- Conduct ongoing monitoring throughout the relationship
4. Report to AUSTRAC
You must submit reports to AUSTRAC in specific circumstances:
- Suspicious Matter Reports (SMRs) - when you suspect a transaction relates to money laundering or terrorism financing (within 24 hours for terrorism, 3 business days otherwise)
- Threshold Transaction Reports (TTRs) - cash transactions of $10,000 or more (within 10 business days)
- International Funds Transfer Instructions (IFTIs) - international transfers (within 10 business days)
5. Keep records
All records related to customer identification, transactions, and compliance decisions must be retained for at least 7 years after the relationship ends.
6. Appoint a compliance officer
A nominated AML/CTF compliance officer must be appointed - a natural person within the firm who is responsible for the programme.
What does Customer Due Diligence actually involve?
CDD is where most of the operational work sits. It’s not just a one-time identity check - it’s an ongoing process.
Initial CDD (at onboarding)
For individual clients:
- Collect full name, date of birth, residential address
- Verify identity using reliable documents (passport, driver’s licence)
- Screen against sanctions and PEP lists
- Assess ML/TF risk
For non-individual clients (companies, trusts):
- Identify the entity (ABN/ACN, registration details)
- Identify beneficial owners - natural persons who own 25%+ or exercise control
- Verify the identity of each beneficial owner
- Obtain trust deeds for trust structures
- Screen all relevant parties against sanctions and PEP lists
Ongoing CDD
- Periodic reviews - re-verify client information at intervals based on risk rating
- Transaction monitoring - watch for unusual patterns
- Trigger events - refresh CDD when circumstances change materially
- Ongoing screening - continuous sanctions and PEP monitoring
The real workload is in complex structures. A discretionary trust with a corporate trustee can require 5-10 individual verifications before you’ve completed CDD on a single client.
Risk-based approach
AUSTRAC expects a risk-based approach - not a one-size-fits-all checklist. This means:
- Higher-risk clients (PEPs, complex structures, high-risk jurisdictions) require enhanced due diligence
- Lower-risk clients (individuals, domestic, simple structures) can receive simplified measures
- Your programme must document how you assess and manage risk
The risk factors AUSTRAC expects you to consider:
| Factor | Higher risk | Lower risk |
|---|---|---|
| Client type | Complex trusts, foreign entities | Domestic individuals |
| Geography | High-risk jurisdictions (FATF grey/black list) | Australia, NZ, UK |
| Service type | Managing client money, company formation | Advisory only |
| Delivery channel | Non-face-to-face, introduced business | Direct, in-person |
| Transaction patterns | Large, unusual, cash-intensive | Regular, predictable |
Penalties for non-compliance
AUSTRAC has significant enforcement powers. The penalties are not theoretical - AUSTRAC has issued major enforcement actions in recent years.
| Penalty type | Maximum |
|---|---|
| Civil penalty (corporation) | $22.2 million per contravention |
| Civil penalty (individual) | $4.44 million per contravention |
| Criminal penalty | Imprisonment (serious offences) |
| Enforceable undertakings | Court-ordered compliance programmes |
| Remedial directions | Mandatory corrective actions |
| Infringement notices | Fixed penalties for specific breaches |
AUSTRAC CEO Brendan Thomas: “This year marks a regulatory shift, from regulation that primarily checks for compliance to one focused on substantive risks and harms.”
How technology helps
Manual compliance processes don’t scale. For firms with more than a handful of clients, technology is essential:
- Automated identity verification - reduces manual processing from hours to minutes
- Risk scoring algorithms - consistent, documented risk assessments
- Sanctions & PEP screening - real-time, ongoing monitoring against updated lists
- Beneficial ownership mapping - structured research for complex entities
- Record keeping - seven-year retention with instant retrieval
- Reporting - automated generation of SMRs and TTRs
Getting started
If you’re approaching AML/CTF compliance for the first time:
- Determine if you’re captured - check whether your services are “designated services” under the Act
- Enrol with AUSTRAC - register as a Reporting Entity
- Appoint a compliance officer - nominate a responsible person within your firm
- Build your programme - document your risk assessment, CDD procedures, and policies
- Implement CDD processes - set up how you’ll verify clients and monitor relationships
- Train your staff - ensure everyone understands their obligations
- Test and review - regularly evaluate your programme’s effectiveness
Ready to get started? Visit ideedworks.com.au to learn how ARCaml can handle the heavy lifting of your AML/CTF compliance.
Justin Amos is Co-Founder and CEO of iDeed Pty Ltd, operators of ARCaml - an AML/CTF compliance platform built for Australian designated service providers. ideedworks.com.au