Tailoring a fit-for-purpose AML programme, updating customer due diligence systems, and ensuring ongoing monitoring processes are just some of steps Australian businesses need to take to comply with new AML obligations.
Key takeaways
- A new AML/CTF law takes effect in Australia in March 2026, requiring a documented risk assessment, ongoing customer due diligence, and enhanced checks for high-risk clients.
- By July 2026, the regime expands to businesses outside of the financial sectors, including law firms.
- Businesses can prepare by establishing up an AML programme, reviewing third-party relationships, updating CDD processes and reporting systems.
Shutterstock.com/PeopleImages
From 31 March 2026, Australia’s overhauled anti-money laundering and counter-terrorism financing (AML/CTF) regime will apply to existing reporting entities, with newly captured businesses to comply by 1 July 2026.
The new AML regime is taking shape as the Australian Transaction Reports and Analysis Centre (AUSTRAC) tabled the final AML/CTF rules in parliament on 29 August 2025. Key rules are formalising, including more detailed customer due diligence (CDD) requirements, expanded delayed verification provisions, and limited relief from travel rule obligations for offshore businesses.
The rules build on the AML/CTF Amendment Act 2024, which received royal assent on 10 December 2024. The Act significantly increasing the number of companies in scope of regime, extending obligations beyond non-financial sectors to include law firms, accounting businesses, as well as trust and company service providers. This expansion will increase the number of reporting entities from 17,000 to roughly 90,000.
AUSTRAC will finalise the core guidance by October 2025 and sector-specific guidance by December 2025.
What are the key obligations under the new AML regime?
Conduct initial CDD
Under the new AML/CTF framework, reporting entities must complete initial CDD at the start of a customer relationship, before providing any services, with limited exceptions for delayed verification. This more flexible and risk-driven system replaces prescriptive requirements.
“AUSTRAC has broadened the circumstances in which all reporting entities can conduct ‘delayed verification’ on customers as part of their customer due diligence processes,” says John Bassilios, Melbourne-based partner at Hall & Wilcox.
“Initial CDD has been reorganised by customer type with minimum ‘know your customer’ collection standards established for some of the matters reporting entities must establish in relation to their customers,” he adds.
The initial CDD should identify the customer’s money laundering and terrorism financing risks and tailor verification steps accordingly. Core steps include verifying beneficial owners, understanding ownership structures, and assessing the purpose of the relationships.
Carry out a mandatory risk assessment
From next year, conducting a documented ML/TF risk assessment is mandatory. Businesses must not only perform this assessment but also define specific trigger events – such as launching a new product or entering a new market – that will prompt a reassessment and update of that risk profile.
As part of the risk assessment, regulators expect companies to examine quantitative factors, such as transactional data and patterns, including suspicious historical activity and alert volumes.
Enhanced CDD for high-risk scenarios
The new AML regime streamlines CDD processes by allowing simplified process for low-risk customers. Meanwhile, businesses must conduct enhanced CDD for high-risk clients , such as foreign potentially exposed persons or customers from high-risk jurisdictions, or when detecting suspicious activity. Enhanced measures include collecting additional information, obtaining senior management approval for high-risk business relationships, and increasing the frequency of monitoring
How can businesses prepare?
Check if your business falls under the expanded AML obligations
The first step for Australian businesses is to determine whether they qualify as a reporting entity. Under the new law, any activity connected to a transaction could fall under “designated service”. This focuses on the nature of services provided, such as advising on the purchase or sale of real estate or setting up an entity, rather than the size or frequency of transactions.
Expanded reporting entities include:
- law firms and legal service providers;
- professional services, including accountants, trust and company service providers;
- real estate businesses, including real estate agents, buyer’s agents, and property developers; and
- dealers of precious stones, metals, and products.
Set up an appropriate AML programme
Companies that fall under the expanded regime should then design a fit-for-purpose AML programme.
According to Jessica Tsiakis, a partner in Holding Redlich’s Melbourne office, reporting entities “need to develop an AML/CTF compliance programme that includes clear policies, procedures and systems for managing those risks, customer due diligence, reporting obligations, and appoint an AML/CTF compliance officer to oversee the program’s operation.”
Sole traders or small businesses may seek advice from third-party advisers on AML/CTF compliance, but they remain ultimately responsible for ensuring their own compliance.
Reassess third-party providers for AML compliance
For reporting entities that rely on third parties to conduct know-your-customer checks, they should ensure the providers qualify as reporting entities or meet international standards, such as those established by the Financial Action Task Force.
These arrangements with third parties must be tailored to the business’ specific money laundering and terrorist financing risks. Regular reviews and timely updates of these third party relationships help ensure the AML programme is effective and compliant.
Re-examine CDD processes
Companies should tailor their CDD processes for ongoing monitoring, including continuous activity checks, updating risk profiles, and conducting additional checks when suspicious activity arises.
Trudi Procter partner and Shemira Jeevaratnam senior associate at Baker McKenzie recommend companies review their current CDD against the new rules to map the updates that need to be operationalised.
This includes for those businesses with foreign operations who have previously relied on exemptions from customer due diligence who might be able to avail themselves of the new passporting rules relating to foreign operations, the duo tell Lexology PRO.
Update reporting systems and controls
Companies should ensure their monitoring systems align with updated reporting obligations. For example, suspicious matter reports must include more detailed personal, transactional and contextual data, including virtual asset activity.
“Updates to the requirements regarding reporting on suspicious matters, threshold transaction reports and international funds transaction instructions are part of the new AML/CTF rules and reporting entities should ensure that their systems and processes are designed to monitor and report on the new requirements for when the new rules commence,” adds Lycia Hayes, Sydney-based lawyer at Gilbert + Tobin.