On 1 July 2026, amendments to the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) took effect.
The purpose of the amendments is to:
- expand the services and businesses which are covered by the AML/CTF Act;
- change the requirements for conducting client due diligence;
- change the requirements for tipping off and disclosing to the regulator, the Australian Transaction Reports and Analysis Centre (AUSTRAC);
- update key concepts, such as services in relation to virtual assets; and
- expand AUSTRAC’s powers.
The changes to the AML/CTF Act place greater obligations on businesses which provide certain services, defined as ‘designated services’ under the AML/CTF Act. These businesses are known as ‘reporting entities’. The amendments to the AML/CTF Act will make a substantial change to the processes and systems of many reporting entities. In this article we explain who or what is a reporting entity, the obligations of a reporting entity and if you are not a reporting entity, how you may interact with the AML/CTF Act.
What is money laundering and terrorism financing
‘Money laundering’ is the process of hiding, disguising or legitimising the origins and ownership of money or property used in or derived from crime. ‘Financial terrorism’ is the process that terrorist organisations use to finance or support terrorist activities or organisations. These crimes contribute to:
- drug trafficking;
- human exploitation;
- tax evasion;
- government-funded program fraud;
- scams;
- cybercrime; and
- large-scale financial fraud.
Australia’s amended AML/CTF Act is based on international standards and is designed to address and prevent these crimes by ensuring Australia’s legal, financial and asset systems are not exploited for unlawful purposes.
What services are included in the AML/CTF Act
Prior to 1 July 2026, the AML/CTF Act applied to the following businesses:
- financial services, such as banks;
- bullion dealers;
- gambling businesses;
- remittance providers; and
- virtual assets providers.
The AML/CTF Act has now been extended to:
- legal professionals;
- accountants;
- conveyancers;
- real estate professionals; and
- dealers in precious metals, stones and products.
If your business is one of the above, you may be a reporting entity under the AML/CTF Act. If a business fails to comply with the AML/CTF Act they risk penalties of up to $6.6 million for individuals and $33 million for companies.
What are the obligations on reporting entities?
A reporting entity has a number of obligations under the AML/CTF Act. The key obligations are:
- Enrol with AUSTRAC — Reporting entities which provided designated services before 1 July must enrol with AUSTRAC by 29 July 2026. Reporting entities which provide designated services after 1 July 2026 must enrol with AUSTRAC within 28 days of providing their first designated service. Enrolment is completed through the AUSTRAC website.
- Develop and maintain a risk assessment — Reporting entities must identify the money-laundering and financial terrorism risks they face when providing designated services to customers. These risks need to be specific to their profession or business. The risk assessment must be reviewed if there are changes in the business, or money-laundering or financial terrorism risks, or at a minimum, annually.
- Develop and maintain a policy — Based on this risk assessment, the reporting entity must develop a policy to guide the reporting entity or how it manages its risks and complies with its AML/CTF obligations. The policy includes:
- roles, responsibilities and methods for appointing AML/CTF personnel;
- how to train your AML/CTF personnel;
- how client due diligence is conducted;
- how the reporting entity will manage its relationship with clients and AUSTRAC; and
- how the reporting entity will conduct reviews of the policy and risk assessment, including independent evaluations.
- Conducting customer due diligence — Reporting entities must complete client due diligence on clients who request designated services. Generally, the client due diligence must occur before the designated service is provided to the client. The client due diligence will include:
- verification of identities;
- risk assessment on the client requesting the designated service; and
- request any additional or updated information required to ensure the client due diligence is compliant with the AML/CTF Act.
- Reporting to AUSTRAC — Reporting entities must report to AUSTRAC:
- suspicious matters where a reporting entity has a suspicion based on a client’s actions when the reporting entity is providing a designated service;
- cash transactions of AUD $10,000 or more;
- all instructions from clients for the transfer of value sent into or out of Australia;
- cross border movements of monetary instruments; and
- annual compliance reports detailing compliance with the AML/CTF Act across the year.
- Record keeping — Reporting entities must retain records for 7 years including documentation of compliance with the AML/CTF Act, client due diligence conducted and documentation on any reports to AUSTRAC.
Amending other documents
If you are a reporting entity under the AML/CTF Act, you may will also need to update other documents in your business, such as your:
- Privacy Policy;
- Collection Notice; and
- terms and conditions.
These documents should be updated, where appropriate, to reflect your obligations under the AML/CTF Act. For example, your Privacy Policy may need to be updated to include the additional personal or sensitive information you may now need to collect in order to verify a client’s identity. The updates to documents should be tailored to your business and obligations under the AML/CTF Act.
Providing identify verification information
If you are not a reporting entity, but are engaging with a reporting entity such as a bank, legal professionals or accountants, you may be required to provide information in order for them to verify your identity. This information may include:
- your full name;
- address;
- government-issued photo identification, such as a drivers licence or passport;
- biometric details, such as a face scan;
- for a company, a constitution or information about nominee directors; and
- for a trust, a copy of the trust deed and any amendments.
All reporting entities are required to complete identity verification when providing certain services. If you do not provide the required information to the reporting entity, they may not be able to provide the services you are requesting. If you have any questions about the information you are asked for, you should contact the reporting entity which is requesting the information.
Contact us
If you are a reporting entity or believe your business must comply with the AML/CTF Act, you should undertake your AML/CTF risk assessment and have your AML/CTF policy prepared. We recommend your privacy and trading documents be reviewed to ensure compliance with your obligations under the AML/CTF Act.
For more information on the AML/CTF Act or to review your compliance and obligations, please contact a member of our Corporate & Commercial group.
| Disclaimer: This publication contains comments of a general nature only and is provided as an information service. It is not intended to be relied upon, nor is it a substitute for specific professional advice. No responsibility can be accepted by Rigby Cooke Lawyers or the authors for loss occasioned to any person doing anything as a result of any material in this publication.
Liability limited by a scheme approved under Professional Standards Legislation. © 2026 Rigby Cooke Lawyers |
