
Australia Financial Crime & AML Compliance: Regulators, Laws, and What Foreign Banks Need to Know

Primary AML law: AML/CTF Act 2006
Data protection: Privacy Act 1988
Also: APRA, ASIC

Who regulates financial crime in Australia?

AUSTRAC (Australian Transaction Reports and Analysis Centre) is Australia's AML/CTF regulator and financial intelligence unit. It sits within the Home Affairs portfolio. AUSTRAC registers reporting entities, sets compliance obligations, collects financial intelligence, and refers matters to law enforcement for prosecution. Its website at austrac.gov.au is the primary reference for enrollment, reporting timelines, and rule updates.

APRA (Australian Prudential Regulation Authority) supervises banks, credit unions, building societies, insurance companies, and superannuation funds on prudential grounds. It doesn't administer the AML/CTF Act directly, but APRA's prudential standards expect supervised institutions to maintain governance and risk frameworks consistent with AML/CTF obligations. APRA and AUSTRAC coordinate through a formal information-sharing arrangement covering prudentially regulated entities.

ASIC (Australian Securities and Investments Commission) regulates financial markets and financial services licensees. Where a firm holds an Australian Financial Services Licence and is also a reporting entity under the AML/CTF Act, ASIC and AUSTRAC obligations overlap. ASIC can pursue conduct that constitutes financial crime where it also relates to market integrity or investor harm.

Criminal enforcement sits with the Australian Federal Police and the Australian Criminal Intelligence Commission. AUSTRAC passes intelligence and suspected serious offences to these agencies for prosecution under the Criminal Code Act 1995.

Sanctions are administered separately. The Australian Sanctions Office within DFAT administers the Autonomous Sanctions Act 2011 alongside UN Security Council measures. Reporting entities must screen against the Australian Sanctions Register, maintained on the DFAT website.

Australia's 4th round FATF Mutual Evaluation, published in 2015, rated the country largely compliant but flagged gaps in beneficial ownership transparency and the absence of AML obligations for professional services providers. AUSTRAC's supervisory approach reflects the FATF Recommendation 1 risk-based methodology, expecting firms to calibrate controls proportionately to the risks they face rather than applying uniform procedures across all customers.


What are the key AML and fraud laws in Australia?

The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) is the principal statute. It defines "reporting entity" to include banks, credit unions, remittance dealers, digital currency exchanges, and bullion dealers, and sets out their core obligations: enroll with AUSTRAC, maintain a risk-based AML/CTF program, verify customer identity through thorough KYC procedures, conduct ongoing customer due diligence, file Suspicious Matter Reports (SMRs) and Threshold Transaction Reports (TTRs), and report all international funds transfer instructions over AU$1,000. The Act is available at legislation.gov.au. The AML/CTF Rules Instrument 2007 supplements it with prescriptive requirements for customer identification procedures across specific product types.

In 2024, Australia passed the AML/CTF Amendment Act 2024, extending AML/CTF obligations to lawyers, accountants, real estate agents, and trust and company service providers. These are the long-discussed "tranche 2" entities, previously excluded from the framework. Obligations phase in from 2026. Australia had been one of the few FATF members yet to extend professional-sector AML requirements. Singapore implemented comparable obligations for legal and accounting professionals years ago, so foreign banks accustomed to those frameworks will find the Australian transition familiar in structure if not in timing.

Money laundering offences sit in Division 400 of the Criminal Code Act 1995. The most serious offences carry a maximum of 25 years' imprisonment. Fraud against the Commonwealth is covered in the same statute.

The Privacy Act 1988 governs how personal data collected during customer due diligence must be handled. Its 13 Australian Privacy Principles impose obligations on data quality, security, and cross-border transfers. AML/CTF record-keeping requirements (seven years) and the Privacy Act's data minimisation principles need to be reconciled explicitly in program documentation. The Office of the Australian Information Commissioner (OAIC) administers the Act and can investigate complaints about mishandled personal data.

Australia's overall AML/CTF effectiveness is benchmarked against the FATF Mutual Evaluation framework, and AUSTRAC's supervisory priorities track directly against the findings and follow-up assessments from that process.


What controls do Australian regulators expect?

AUSTRAC expects a risk-based AML/CTF program structured in two parts. Part A covers the institution's overarching framework: governance, risk assessment, enrollment with AUSTRAC, employee due diligence and training, and independent audit. Part B covers customer identification and verification procedures for each specific product and service. This isn't optional structuring. The AML/CTF Rules mandate it, and AUSTRAC reviews both parts during compliance assessments.

Customer due diligence obligations require identity verification at account opening for individuals and entities, with enhanced due diligence for higher-risk customers. That includes politically exposed persons, non-face-to-face relationships, and customers from high-risk jurisdictions. Ongoing CDD means continuously monitoring the customer relationship and updating records when risk indicators change. AUSTRAC publishes detailed guidance on customer identification programs and expects those programs to be reviewed on a regular cycle.

Transaction monitoring is a core pillar. Australia operates two mandatory reporting tracks: SMRs must be filed within 24 hours of forming a suspicion (or three business days for terrorism financing suspicion), and TTRs must be filed within 10 business days for cash transactions of AU$10,000 or more. All international funds transfer instructions over AU$1,000, both incoming and outgoing, must be reported electronically to AUSTRAC. The IFTI obligation is broader than most comparable jurisdictions, and the incoming reporting requirement catches foreign compliance teams off guard.

Sanctions screening against the Australian Sanctions Register and the UN consolidated list is mandatory. Procedures must include asset-freezing and dual reporting to DFAT and AUSTRAC on matches. PEP screening is required as part of enhanced due diligence, consistent with FATF Recommendation 12 on politically exposed persons and their family members and close associates.

Record-keeping requirements mandate that customer identification records and transaction records be retained for seven years from the end of the customer relationship or from the date of the transaction. Audit logs supporting monitoring decisions must be available to AUSTRAC on request.


What is unique about compliance in Australia?

Several features of Australia's framework consistently trip up foreign banks entering the market.

AUSTRAC enrollment is a prerequisite, not a formality. All reporting entities must actively enroll with AUSTRAC before conducting their first relevant service. Operating without enrollment is itself a standalone breach, separate from any program failures. Many foreign banks assume enrollment flows automatically from their APRA banking authority. It doesn't.

IFTI reporting is broader than most systems. Australia requires reporting entities to file with AUSTRAC for every international funds transfer instruction over AU$1,000, both incoming and outgoing. Most foreign compliance teams are accustomed to reporting only outgoing cross-border transfers. The inbound IFTI obligation catches institutions out on their first AUSTRAC review.

Terminology differs from international norms. Australia uses Suspicious Matter Reports (SMRs), not Suspicious Activity Reports (SARs) or Suspicious Transaction Reports (STRs). Cash-based reporting uses Threshold Transaction Reports (TTRs), not Currency Transaction Reports (CTRs). Getting this right in program documentation matters: AUSTRAC reviewers notice when documentation references the wrong report type.

The Pacific remittance corridor creates scrutiny. Australia is a major remittance corridor to Pacific Island nations. AUSTRAC has actively discouraged blanket de-risking of Pacific remittance providers, citing financial inclusion concerns. Banks that exit Pacific remittance relationships without documented, proportionate risk justification may face direct questions from AUSTRAC about the methodology behind that decision.

Digital currency exchanges have been regulated since 2018. AUSTRAC brought digital currency exchanges into scope under amendments to the AML/CTF Act that took effect in April 2018. Any platform exchanging fiat for digital currency must enroll with AUSTRAC and comply with the full program, monitoring, and reporting obligations. The international framework underpinning this is FATF Recommendation 15 on new technologies and virtual assets, and Australia moved ahead of most comparable jurisdictions in implementing it.

Beneficial ownership disclosure is tightening. Australia has committed to a public register of ultimate beneficial owners (UBOs) for companies, with legislative groundwork laid in 2023. Compliance teams should build UBO collection and verification into CDD workflows now rather than retrofitting later. One other detail worth noting: the tipping-off prohibition under s.123 of the AML/CTF Act prohibits institutions from disclosing to a customer that an SMR has been filed about them or their transactions.


Recent enforcement actions in Australia

Australia has produced some of the world's largest AML civil penalties. AUSTRAC has shown consistently that it will pursue systemic failures at major institutions.

The defining case is Westpac's 2020 settlement. AUSTRAC commenced civil penalty proceedings in 2019, alleging more than 23 million contraventions of the AML/CTF Act. The failures included not submitting over 19.5 million international funds transfer instructions to AUSTRAC, inadequate due diligence on correspondent banking relationships, and a failure to monitor transactions that were later linked to child exploitation networks operating in the Philippines and Southeast Asia. Westpac agreed to an AU$1.3 billion civil penalty, approved by the Federal Court in September 2020. At the time, it was the largest civil penalty in Australian corporate history. AUSTRAC published the settlement details on its media releases page.

Before Westpac, the Commonwealth Bank of Australia (CBA) settled with AUSTRAC in 2018 for AU$700 million. CBA's failures centred on its intelligent deposit machines, which accepted large cash deposits. The bank failed to file Threshold Transaction Reports for 53,506 transactions totalling more than AU$625 million, and a configuration error disabled automated monitoring for a 15-month period before it was detected. The Federal Court approved that settlement in June 2018.

Tabcorp, Australia's largest wagering operator, paid AU$45 million in 2017 for AML/CTF program failures, confirming AUSTRAC would act outside the banking sector.

AUSTRAC publishes an annual Compliance Outlook identifying the sectors it considers highest risk. It has stated publicly that self-reporting, genuine cooperation, and demonstrated remediation receive credit in penalty negotiations.


What foreign banks operating in Australia need to know

Foreign banks entering Australia face the same AML/CTF obligations as domestic institutions. Several practical considerations are worth getting right from the start.

Bank licence first, AUSTRAC enrollment immediately after. Foreign bank branches must obtain a banking authority from APRA before taking deposits from the public. AUSTRAC enrollment is a separate, mandatory step that must happen before your first relevant transaction. Don't assume one follows the other automatically.

Appoint a locally based AML/CTF compliance officer. AUSTRAC's guidance expects reporting entities to have a designated compliance officer with board-level access and genuine authority over the AML/CTF program. For a foreign branch, this should be a person based in Australia who understands the local regulatory environment. A group MLRO based in London or Singapore doesn't satisfy this requirement in practice.

SMR filing timelines run from the moment suspicion forms, not from escalation completion. You have 24 hours to file once your institution forms a suspicion. That clock doesn't pause while the case escalates through a group-level approval chain in another time zone. Your local escalation procedures must be calibrated to meet the Australian deadline, not the group's standard workflow.

Correspondent banking obligations are specific. If your Australian branch maintains correspondent banking relationships, enhanced due diligence on each respondent is required, consistent with FATF Recommendation 13 on correspondent banking. AUSTRAC's guidance in this area was substantially updated after the Westpac enforcement action and is more prescriptive than most foreign compliance teams expect when they arrive.

Data flows to head office require Privacy Act compliance. Customer identification data collected in Australia is subject to the Privacy Act 1988. Transferring it to group systems overseas requires compliance with Australian Privacy Principle 8, including confirming the overseas recipient handles data to a comparable standard. Build this into your data architecture from day one, not as an afterthought.

Document your AML/CTF program in English. AUSTRAC operates in English. Your Part A and Part B program documents must be in English and available to AUSTRAC on request, even if your group-level framework is maintained in another language.


How FluxForce supports Australia compliance

FluxForce maps directly to AUSTRAC's core control expectations: real-time transaction monitoring against behavioural and rule-based thresholds, automated SMR drafting with full evidence trails attached to every decision, sanctions and PEP screening against the Australian Sanctions Register and global watchlists, and audit-ready records retained for the required seven-year period. Every decision comes with a full explanation, so your compliance officer can stand behind each report filed with AUSTRAC. Configurable autonomy settings let you calibrate detection thresholds to your institution's risk profile without rebuilding your program from scratch. Book a demo to see how it works in practice.

FluxForce AI agents monitor transactions against Australia's AML obligations in real time, screen against sanctions and PEP lists, and generate audit-ready reports for AUSTRAC examinations.
