AML/CTF Act: What It Requires and Who It Applies To
The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) requires Australian reporting entities, including banks, fintechs, and designated non-financial businesses and professions, to maintain AML/CTF programs, identify and verify customers, report suspicious matters and threshold cash transactions to AUSTRAC, and retain records for seven years. AUSTRAC administers and enforces the Act, which came into effect progressively from 2006 to 2008.
What is the AML/CTF Act?
The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 is Australia's primary statute for preventing money laundering and terrorism financing. AUSTRAC (Australian Transaction Reports and Analysis Centre) administers and enforces it. The legislation replaced the Financial Transaction Reports Act 1988 and came into effect progressively between 2006 and 2008.
Parliament introduced it largely in response to the Financial Action Task Force's 2005 mutual evaluation of Australia, which found significant gaps in the existing regime: no risk-based Customer Due Diligence (CDD) framework, no mandatory AML programs for most reporting entities, and limited obligations for designated non-financial businesses and professions (DNFBPs). The evaluation outcome pushed Australia to overhaul its approach from the ground up.
The Act takes a risk-based structure. Reporting entities must assess their specific money laundering and terrorism financing (ML/TF) risks and design controls proportionate to those risks, rather than follow a single prescriptive rulebook. AUSTRAC publishes sector-specific guidance, risk assessments, and typology reports to help entities calibrate their programs. This risk-based orientation reflects FATF Recommendation 1, which Australia implemented as the conceptual backbone of the Act.
Two major legislative updates have shaped the current framework. The Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2017 tightened customer due diligence obligations and introduced group-wide AML/CTF program requirements. The Tranche 2 reforms, passed in 2024, extended the Act to lawyers, accountants, real estate agents, and other high-risk professions that had operated outside its scope for nearly two decades, closing a gap that FATF had flagged in its 2015 mutual evaluation of Australia.
Who does the AML/CTF Act apply to?
The Act covers "reporting entities," defined as businesses that provide "designated services" listed in section 6 of the Act. The category is broader than many compliance teams assume.
Financial services providers:
- Authorised deposit-taking institutions: banks, credit unions, and building societies
- Non-bank lenders and mortgage brokers providing credit products
- Foreign exchange dealers and currency exchange businesses
- Payment service providers and electronic funds transfer operators
- Insurers issuing life insurance and investment-linked products
- Securities dealers, financial advisers, and futures brokers
- Stored-value card issuers and digital wallet providers
Digital asset service providers:
- Digital currency exchange (DCE) providers, regulated by AUSTRAC under the AML/CTF Rules since April 2018
- Any business facilitating exchange of cryptocurrency for fiat or other digital assets
Designated non-financial businesses and professions (DNFBPs), from 2026:
- Legal practitioners handling client money for property transactions, business acquisitions, or company formation
- Accountants providing services in those categories
- Real estate agents in residential and commercial property transactions
- Trust and company service providers
- Dealers in precious metals and precious stones above threshold transaction values
The Act applies to entities operating in Australia or providing designated services to customers in Australia. There is no minimum business size for most categories. A fintech with five employees providing payment services must comply just as a major bank does, though the risk-proportionate approach allows for lighter program structures where risk is genuinely lower.
What does the AML/CTF Act require?
The Act's obligations fall into seven main categories, each with specific timelines and thresholds.
AML/CTF Program: Every reporting entity must have a written AML/CTF program. Part A covers overall risk management, board-level governance, independent review requirements, and staff training. Part B covers Know Your Customer (KYC) and customer due diligence procedures. The program must be reviewed at least every three years, or when there is a material change to the business or its risk environment.
Customer identification and verification: Reporting entities must identify and verify customers before providing designated services. For individuals, this means verifying name, date of birth, and residential address against a reliable and independent source. For companies, identification extends to the entity itself and its beneficial owners. CDD must be completed before the first designated service is provided, with limited exceptions for low-risk products.
Enhanced due diligence: Higher-risk customers, including politically exposed persons (PEPs), customers from high-risk jurisdictions, and those with complex ownership structures, require Enhanced Due Diligence (EDD). EDD must include senior management approval for new PEP relationships and more frequent ongoing monitoring.
Suspicious Matter Reporting (SMR): If a reporting entity suspects a customer or transaction is connected to money laundering, terrorism financing, or proceeds of crime, it must file an SMR with AUSTRAC. There is no monetary threshold. For terrorism financing suspicions, the deadline is 24 hours from the point of suspicion. For other suspicious matters, it is three business days.
Threshold Transaction Reports (TTR): Cash transactions of AUD 10,000 or more must be reported to AUSTRAC within 10 business days of the transaction.
International Funds Transfer Instructions (IFTIs): Every instruction to transfer money into or out of Australia must be reported to AUSTRAC on the day of transmission or receipt. This obligation generated the bulk of the contraventions in the 2020 Westpac enforcement action.
Record keeping: All transaction records, customer identification documents, and AML/CTF program materials must be retained for seven years from the date of the transaction or the end of the customer relationship, whichever is later. This aligns with FATF Recommendation 11 on record retention standards.
What evidence do regulators expect?
AUSTRAC examinations have become increasingly forensic. Examiners don't just ask for policies. They test whether controls actually work.
What AUSTRAC examiners look for:
Current AML/CTF Program: A board-approved program with a dated independent review completed within the last three years. Examiners check whether the risk assessment reflects the entity's actual product mix and customer base, not a version from years ago.
Customer risk ratings: Evidence that each customer has been assigned a risk rating based on documented criteria, applied consistently. A spreadsheet where every customer is rated "medium" is a red flag.
KYC file completeness: Identification and verification records for all current and recent customers. AUSTRAC samples files. Gaps in verification for high-risk customers draw immediate attention.
Transaction monitoring evidence: Alert records, disposition notes, and the documented rationale for closing alerts without escalation. Examiners look at alert-to-SMR conversion rates. A conversion rate near zero, without explanation, is treated as a control failure.
SMR quality and timeliness: AUSTRAC expects SMRs to contain sufficient detail for intelligence use. Vague reports, reports filed weeks after the suspicion arose, and entities that almost never file SMRs are consistent findings in examinations.
Staff training records: Completion logs with dates, content covered, and which staff completed each module. Frontline staff need training specific to their role, not just a generic annual compliance video.
Board and senior management oversight: Board minutes showing AML/CTF was discussed, annual compliance reports to the board, and evidence that material program deficiencies were escalated and addressed.
Third-party reliance documentation: If the entity relies on a third party for customer identification, AUSTRAC expects a written agreement and documented due diligence on that third party's compliance standards.
Common failure modes
The pattern across AUSTRAC enforcement actions is consistent. The same failures appear case after case.
Inadequate transaction monitoring: The largest single failure category. Many institutions run monitoring rules so broadly tuned that analysts can't manage alert volumes, or so narrowly set that genuine suspicious activity goes undetected. AUSTRAC's 2020 action against Westpac cited 23 million failures to report IFTIs and monitoring gaps that allowed payments linked to child exploitation to go unreported for years.
Stale risk assessments: Entities write a risk assessment in year one and don't update it. When the product mix changes, when a new high-risk jurisdiction is added, or when the regulatory environment shifts, the risk assessment should change too. Examiners frequently find programs that describe businesses that no longer exist.
Weak beneficial ownership identification: The Act requires identifying the Ultimate Beneficial Owner (UBO) of corporate customers. Many entities stop at the first layer of ownership without tracing through to natural persons holding 25% or more. This failure was explicitly cited in AUSTRAC's 2018 action against Commonwealth Bank of Australia.
Late or missing SMRs: Reporting entities sometimes investigate a customer for weeks before filing, by which time the three-business-day window has long passed. Some entities rely entirely on transaction monitoring and rarely or never file SMRs independently.
Correspondent banking due diligence gaps: For banks with correspondent relationships, AUSTRAC expects documented due diligence on respondent banks consistent with FATF Recommendation 13. Failure to assess ML/TF risk of respondent banks is a recurring finding.
No independent review: The Act requires an independent review of the AML/CTF program. Entities that use internal audit teams reporting to the same management responsible for the program don't satisfy this requirement. AUSTRAC is explicit on this point.
Penalties for non-compliance
AUSTRAC's civil penalty powers are among the most severe of any financial regulator globally.
The civil penalty for a single contravention of a reporting obligation reaches AUD 22.2 million for a body corporate, indexed annually. For course-of-conduct breaches, penalties multiply. The AML/CTF Act also provides for criminal liability: up to 10 years' imprisonment for individuals who recklessly contravene obligations, and substantial fines for corporate criminal offences.
Two cases illustrate how AUSTRAC uses these powers.
Commonwealth Bank of Australia (2018): AUSTRAC filed civil penalty proceedings for approximately 53,700 contraventions. CBA failed to report over 53,000 threshold transactions through its Intelligent Deposit Machines due to a coding error. The bank also failed to monitor and report suspicious transactions linked to known drug syndicates. CBA agreed to pay AUD 700 million, then the largest civil penalty in Australian corporate history. AUSTRAC press release, June 2018.
Westpac Banking Corporation (2020): AUSTRAC alleged 23 million breaches of AML/CTF obligations, including 19.5 million failures to report IFTIs and monitoring failures that allowed payments connected to child exploitation to proceed undetected. Westpac agreed to pay AUD 1.3 billion, the largest corporate penalty in Australian history at the time. AUSTRAC press release, September 2020.
Beyond financial penalties, AUSTRAC can issue remedial directions requiring entities to appoint external compliance auditors at their own cost, restrict an entity's ability to provide designated services, and refer matters to the Australian Federal Police for criminal investigation.
Related regulations and frameworks
The AML/CTF Act sits within a broader international and domestic framework.
At the international level, the Act implements Australia's obligations under the FATF 40 Recommendations. Australia underwent a FATF mutual evaluation in 2015, which rated the country "largely compliant" overall but identified ongoing weaknesses in DNFBP coverage. The 2024 Tranche 2 reforms are the direct legislative response. FATF's next Australian evaluation is expected in 2025 to 2026.
The Act operates alongside other domestic legislation. The Proceeds of Crime Act 2002 provides the enforcement mechanism for seizing and forfeiting assets linked to criminal conduct. The Criminal Code Act 1995 defines the money laundering and terrorism financing offences that AUSTRAC's reporting framework is designed to detect. The Privacy Act 1988 runs alongside AML/CTF obligations: reporting entities must collect personal information as part of customer identification while managing their obligations as data controllers.
For digital asset businesses, AUSTRAC's 2019 AML/CTF Rules on digital currency exchanges are the operative compliance instrument. Australia is one of the earlier adopters of formal cryptocurrency AML regulation globally.
Comparable national frameworks include UK MLR 2017, administered by the FCA and HM Revenue & Customs, and MAS Notice 626 in Singapore. All implement the same FATF standards with significant national variation in thresholds, covered entities, and enforcement approach. The AUSTRAC framework is broadly similar in structure to these regimes, though its penalty scale and willingness to litigate against major banks set it apart in practice.
How FluxForce supports AML/CTF Act compliance
FluxForce AI agents automate the obligations most frequently cited in AUSTRAC enforcement actions: continuous transaction monitoring, suspicious matter triage and reporting, customer due diligence at onboarding, and ongoing risk re-scoring as customer behavior changes. Every decision is accompanied by a full evidence trail, satisfying AUSTRAC's expectation for documented disposition rationale. Configurable autonomy settings let compliance teams set thresholds and review workflows to match their risk appetite.