The 2026 AML/CTF Reform: A Guide to Countering Money Laundering & Terrorism Financing

Introduction

Australia’s anti-money laundering and counter-terrorism financing (AML/CTF) regime is undergoing its most significant reform since the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) was introduced. The changes are designed to close systemic gaps exploited by organised crime and align the Australian framework with global standards from the Financial Action Task Force (FATF).

The reform marks a fundamental shift from a prescriptive, rules-based model to an outcomes-focused, risk-driven approach. This means Australian Transaction Reports and Analysis Centre (AUSTRAC) will now assess the effectiveness of a reporting entity’s systems in detecting and disrupting money laundering and terrorism financing. This article explains these structural changes for existing reporting entities and the newly regulated sectors, including professional services, real estate professionals, and dealers in precious metals.

Interactive Tool: Check Your Readiness for the 2026 AML & CTF Reforms

Key Changes to the AML & CTF Legal Framework

The Amended AML & CTF Act Framework

The core of the reform is the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Cth), which modernises Australia’s regime to focus on flexibility and risk-based compliance. Furthermore, this amendment to the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) shifts the focus from a prescriptive, compliance-based model to an outcomes-oriented approach. As a result, the amended Act replaces rigid requirements with a framework that allows businesses to tailor their AML/CTF efforts to their actual risk profile.

The key objectives of the legislation are to:

• Expand the regime to cover high-risk designated services provided by lawyers, accountants, and real estate professionals;
• Modernise the regulation of virtual asset services; and
• Simplify and clarify the rules to support businesses in preventing financial crime more effectively.

Operationalising Reform with the 2025 AML & CTF Rules

The Anti-Money Laundering and Counter-Terrorism Financing Rules 2025 (Cth), which were tabled in Parliament on 29 August 2025, translate the principles of the amended Act into daily operational requirements for reporting entities. Ultimately, these Rules provide the practical and technical details necessary for businesses to comply with their new obligations. In addition, the Rules implement new standards for critical compliance functions.

They set out the detailed requirements for:

• Customer due diligence (CDD): defining the processes for identifying and verifying customers and assessing their AML/CTF risk;
• Reporting obligations: specifying the information required for suspicious matter reports (SMRs) and other transaction reports submitted to AUSTRAC; and
• anti-money laundering and counter-terrorism financing programs: outlining the components of a compliant program, including risk assessment, governance, and internal controls.

Key 2026 Commencement Dates & Milestones

The reforms are being introduced in phases, with distinct timelines for different types of businesses. Therefore, understanding these dates is essential for planning and implementation.

The key milestones for the reform are as follows:

• 31 March 2026: New obligations under the amended regime commenced for all existing reporting entities. This date marked the start of the transition to the new risk-based framework for businesses already regulated by AUSTRAC.
• 1 July 2026: anti-money laundering and counter-terrorism financing obligations will begin for newly regulated “Tranche 2” entities. This includes lawyers, accountants, real estate professionals, and other professional services that provide designated services.
• Transitional Periods to 2029: The Anti-Money Laundering and Counter-Terrorism Financing Transitional Rules 2026 (Cth) provide extended deadlines for certain complex obligations. For example, existing reporting entities have until 31 March 2029 to fully transition from their previous customer identification procedures to the new initial CDD framework, provided they have transitional policies in place.

Key Structural Changes of the AML & CTF Reform

Expansion to Tranche 2 Entities

One of the most significant structural changes is the expansion of the AML/CTF regime to include a range of professions and businesses known as “Tranche 2” entities. This reform brings Australia into closer alignment with international standards set by the FATF.

From 1 July 2026, AML/CTF obligations will apply to specific designated services provided by:

• Lawyers and conveyancers
• Accountants
• Real estate professionals, including agents and property developers
• Trust and company service providers
• Dealers in precious metals and precious stones

This expansion will substantially increase the number of businesses regulated by AUSTRAC. The number of reporting entities is expected to grow from approximately 15,000 to over 100,000, fundamentally altering the regulatory landscape for these professional services.

Inclusion of Virtual Asset & Digital Currency Services

The reforms modernise the regulation of digital currencies by replacing the previous terminology with the broader concept of ‘virtual assets’. This change ensures that the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) can adapt to new technologies, including Australia’s regulations for stablecoins and non-fungible tokens (NFTs).

The framework now captures a wider range of activities provided by virtual asset service providers (VASPs). New designated services include:

• Exchanges between different virtual assets;
• Transfers of virtual assets on behalf of a customer;
• Safekeeping or administration of virtual assets; and
• Providing financial services related to an issuer’s offer or sale of a virtual asset.

A key change for VASPs is the introduction of the “Travel Rule” for value transfers. Under the Anti-Money Laundering and Counter-Terrorism Financing Transitional Rules 2026 (Cth), this obligation will commence on 1 July 2026. It requires VASPs to collect, verify, and pass on information about the sender and recipient when facilitating virtual asset transfers.

Shift to an Outcomes-Based, Risk-Focused Model

The reforms represent a core philosophical shift away from a prescriptive, compliance-based model. The new framework is outcomes-focused and risk-based, meaning AUSTRAC will assess the effectiveness of a business’s systems in practice, rather than just checking for documented procedures.

Under this model, reporting entities are required to adopt measures that are tailored to the actual AML/CTF risks they reasonably face. The emphasis is on whether a business’s AML/CTF program can genuinely identify, mitigate, and manage financial crime risks. Ultimately, this moves compliance from a “tick-box” exercise to a dynamic and continuous process of effective risk management.

Enhanced Customer Due Diligence Framework

The framework for CDD has been modernised to be more flexible and targeted. The previous, more rigid Applicable Customer Identification Procedures (ACIP) are being replaced with a risk-based approach that separates due diligence into two main components:

• Initial customer due diligence: Before providing a designated service, a reporting entity must take steps to identify the customer, any beneficial owners, and anyone acting on the customer’s behalf. This process includes screening these individuals to determine if they are politically exposed persons (PEPs) or subject to targeted financial sanctions.
• Ongoing customer due diligence: Reporting entities must continue to monitor their customers throughout the business relationship. This involves scrutinising transactions and behaviour to manage and mitigate any AML/CTF risks that arise.

While the new ongoing CDD obligations commenced on 31 March 2026, the Anti-Money Laundering and Counter-Terrorism Financing Transitional Rules 2026 (Cth) provide existing reporting entities with a transitional period until 31 March 2029 to move from their ACIP framework to the new initial CDD requirements. However, this is provided they have appropriate transitional policies in place by 1 July 2026.

Modernisation of AML & CTF Programs

The structure of AML/CTF programs has been simplified and modernised. The former requirement to have separate Part A and Part B programs is removed. Instead, businesses must develop a single, unified AML/CTF program organised in a way that suits their specific needs.

The new program requirements under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) include:

• A comprehensive risk assessment that identifies the money laundering, terrorism financing, and proliferation financing risks the business faces.
• Tailored anti-money laundering and counter-terrorism financing policies and controls designed to manage and mitigate those identified risks.
• A clear governance framework that outlines the roles and responsibilities of the governing body, senior management, and a formally appointed AML/CTF compliance officer who can pass the fit and proper test.

Additionally, the concept of Designated Business Groups (DBGs) was replaced with a new “reporting group” structure from 31 March 2026. This change is intended to streamline compliance for related corporate entities.

AUSTRAC’s Key Regulatory Expectations

From Compliance to Effectiveness

The AML/CTF reform marks a significant evolution in AUSTRAC’s supervisory approach, moving from a focus on technical compliance to one of operational effectiveness. The regulator has indicated that its priority is to reduce the harm caused by financial crime.

As a result, assessments will no longer be limited to whether a business has documented policies. Instead, systems and controls will be evaluated on whether they genuinely:

• Identify AML/CTF risks;
• Mitigate these identified vulnerabilities; and
• Manage ongoing exposure to financial crime.

AUSTRAC’s regulatory expectations, published on 3 July 2025, clarify this shift. The agency stated it does not expect “perfection on day one” from reporting entities, but rather expects businesses to show “sustained effort” and progress in implementing effective controls that are proportionate to their specific financial crime risks. Ultimately, this outcomes-based model requires reporting entities to prove their frameworks are working in practice, not just on paper.

Increased Data Reporting & Intelligence Expectations

The reform signals AUSTRAC’s expectation that reporting entities will function as crucial intelligence partners in the fight against financial crime. This is reflected in changes to reporting obligations and the introduction of new information-gathering powers.

Specifically, the Anti-Money Laundering and Counter-Terrorism Financing Rules 2025 (Cth) expand the details required in key filings, including:

• SMRs; and
• Threshold transaction reports (TTRs).

This change indicates a move towards higher-quality data that provides actionable intelligence for law enforcement and national security agencies. Furthermore, the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Cth) introduces new powers for the regulator.

Under Section 49B of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), the AUSTRAC CEO can issue a written notice to a person to produce information or documents. This power is designed to assist with identifying trends, threats, or vulnerabilities associated with serious crimes.

Expansion of the Regulatory Perimeter

The inclusion of Tranche 2 entities is a clear signal that AUSTRAC is focused on closing systemic gaps in Australia’s financial system. The reform extends AML/CTF obligations to professional services and sectors that are recognised globally as being at high risk of exploitation by criminals.

These newly regulated sectors include:

• Lawyers;
• Accountants;
• Real estate professionals; and
• Trust and company service providers.

This expansion aims to prevent criminals from using these professional services to legitimise illicit funds or conceal beneficial ownership. For example, real estate is often an attractive channel for money laundering because property values can be manipulated and complex corporate structures can be used to hide the true owners. By bringing these “gatekeeper” professions into the regulatory framework from 1 July 2026, the reform intends to create a more resilient financial ecosystem.

Impact on the Financial Services Industry: Brokers & Other Players

Banks Lenders & Payment Providers

For existing reporting entities such as banks, lenders, and payment providers—a sector often requiring specialised financial services lawyers for payments—the AML/CTF reform required a significant update to their compliance frameworks. From 31 March 2026, these organisations were required to transition their existing programs to the new unified, risk-based model. This involved implementing the modernised CDD framework, covering both initial and ongoing CDD.

The changes signal increased regulatory scrutiny on the quality of transaction monitoring and reporting. However, the Australian Banking Association, in its submission on the reforms, raised concerns regarding new powers for the AUSTRAC CEO to restrict or prohibit high-risk products. The association argued that such a power should be limited to registrable services like remittance and virtual asset providers, rather than all designated services provided by established and highly regulated entities.

Brokers & Brokerage Firms: Shares, CFDs, FX & Crypto

Brokers and brokerage firms, while already regulated, face enhanced obligations under the new regime which commenced on 31 March 2026, making expert legal advice for brokers and brokerage firms essential. As a result, these firms must adapt to several stricter requirements, including:

• Customer due diligence: adhering to stricter requirements and more rigorous monitoring of client behaviour and transaction patterns;
• Onboarding processes: ensuring they are dynamic and explicitly risk-based, moving away from a static, one-off verification; and
• Product design: integrating AML/CTF considerations into the design and distribution of financial products.

Ultimately, this ensures that financial crime risks are considered from the initial product concept through to its offering to clients.

Crypto Platforms & Virtual Asset Service Providers

The reform has a substantial impact on the crypto sector, expanding the regulatory scope significantly and increasing the need for specialised legal advice for the crypto and digital assets sector. The previous definition of “digital currency exchange” has been replaced with the broader term VASP, capturing a wider range of services.

New designated services for VASPs under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) now include the following:

• Exchanges: between different virtual assets;
• Transfers: of virtual assets for a customer;
• Safekeeping: or administration of virtual assets; and
• Financial services: related to an issuer’s offer or sale of a virtual asset.

A key new obligation is the Travel Rule, which requires VASPs to collect, verify, and pass on information about the sender and recipient during a value transfer. While general obligations for VASPs commenced on 31 March 2026, the Anti-Money Laundering and Counter-Terrorism Financing Transitional Rules 2026 (Cth) defer the commencement of the Travel Rule for virtual asset transfers until 1 July 2026.

Newly Regulated Tranche 2 Professions

The inclusion of “Tranche 2” entities represents the largest expansion of Australia’s AML/CTF regime. From 1 July 2026, a range of professional services will become reporting entities for the first time.

This expansion covers designated services provided by several key professions, as follows:

• Lawyers and conveyancers.
• Accountants.
• Real estate professionals.
• Trust and company service providers.
• Dealers in precious metals and stones.

These professions will be required to implement a full AML/CTF program, conduct CDD, and meet reporting obligations. Furthermore, this change marks a significant uplift in the compliance burden for these sectors.

Smaller & Mid-Sized Financial Services Firms

Smaller and mid-sized financial services firms face the practical challenge of meeting the new outcomes-based expectations without the resources of large compliance teams. However, the shift to a risk-based framework allows these firms to adopt proportionate systems tailored to their specific size, complexity, and risk profile.

To meet these new standards, there is an increased reliance on regulatory technology (RegTech) and outsourced compliance services. These solutions can help smaller firms automate processes like risk assessments and transaction monitoring, making it more feasible to maintain a compliant and effective AML/CTF program.

Key Compliance Risks Under the New Regime

Treating the Reform as a Documentation Exercise

A significant compliance risk under the new AML/CTF framework is treating the reform as a simple documentation update. AUSTRAC has signalled a clear shift from assessing technical compliance to testing operational effectiveness. Therefore, the regulator expects businesses to show “sustained effort” in implementing controls, rather than just creating policies that give the impression of compliance.

Simply updating an AML/CTF program manual without ensuring the changes are embedded in daily operations creates a major vulnerability. A gap between documented procedures and actual business practices will be a key focus for AUSTRAC’s supervisory activities. Ultimately, the regulator’s priority is to see that a reporting entity’s systems can genuinely identify, mitigate, and manage financial crime risks in practice.

Inadequate Risk Assessment Frameworks

A foundational risk for any reporting entity is developing an inadequate AML/CTF risk assessment. Under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), the risk assessment is the cornerstone of the entire AML/CTF program. As a result, all policies, procedures, and controls must be tailored to the specific risks identified in this assessment.

A generic or “off-the-shelf” risk assessment that does not reflect the specific nature, size, and complexity of a business will undermine the effectiveness of the whole compliance framework. The assessment must be a detailed analysis of the risks the business reasonably faces, considering factors including:

• specific customer types;
• the designated services provided;
• how those services are delivered; and
• the jurisdictions the business deals with.

Poor Quality Reporting & Monitoring Systems

Weak transaction monitoring systems and poor-quality reporting are likely to be significant enforcement triggers under the effectiveness-focused regime. In addition, the Anti-Money Laundering and Counter-Terrorism Financing Rules 2025 (Cth) expand the details required in SMRs and TTRs, signalling an expectation for higher-quality intelligence.

Under this regime, specific operational shortcomings can lead to compliance failures, including:

• Poor-quality reporting: submitting defensive or low-value SMRs that lack sufficient detail, which may be viewed as a failure to properly analyse and report risk; and
• Inadequate monitoring: utilising monitoring systems that are not calibrated to the entity’s risk profile, which can lead to failures in detecting suspicious activity.

Furthermore, reporting entities must ensure their systems are capable of identifying unusual patterns and that staff are trained to provide clear, actionable information in reports to AUSTRAC.

Practical Takeaways for Financial Services Businesses

AML & CTF Compliance as a Core Business Function

The AML/CTF reform elevates compliance from a back-office task to a central governance responsibility. Furthermore, the new framework under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) places explicit obligations on a reporting entity’s governing body and senior management to oversee AML/CTF risk.

As a result, this shift requires board-level attention and the integration of financial crime risk management into strategic business decisions. In addition, it is now a statutory requirement for reporting entities to appoint a fit and proper AML/CTF compliance officer who is responsible for implementing the program. Ultimately, this makes compliance a core operational function rather than a regulatory overhead.

Embedding Risk-Based Systems Across Operations

To be effective, risk-based systems and controls must be integrated throughout all business operations. Therefore, adopting an AML/CTF risk model that aligns with AUSTRAC’s outcomes-focused framework is essential for compliance. This means the AML/CTF risk assessment cannot be a standalone document.

Instead, its findings must inform and shape every stage of the customer lifecycle and product design, as follows:

• Customer onboarding and initial due diligence processes;
• Ongoing transaction monitoring rules and alert systems;
• The design and distribution of new financial products or services; and
• Staff training and awareness programs.

The Expanding Regulatory Perimeter

The reforms significantly expand the regulatory perimeter, bringing more businesses and a wider range of designated services into the AML/CTF regime. Specifically, the inclusion of high-risk sectors from 1 July 2026 increases compliance expectations across the entire financial ecosystem, including:

• Real estate professionals;
• Lawyers;
• Accountants; and
• Dealers in precious metals.

Ultimately, this expansion aims to close systemic gaps that criminals have previously exploited. For all reporting entities, this signals a more interconnected and scrutinised environment where financial crime risks are managed across multiple professional sectors.

Why Preparation Must Begin Before Formal Deadlines

Regulators expect businesses to demonstrate early readiness and sustained effort in transitioning to the new framework. Consequently, waiting until the formal commencement dates to prepare, particularly for complex technical changes, is a significant compliance risk. Furthermore, AUSTRAC has stated that for businesses already regulated, it expects them to act now to review and strengthen their existing frameworks.

For example, implementing the “Travel Rule” for virtual asset transfers, which commences on 1 July 2026, requires significant lead time for technical integration and process changes. Therefore, reporting entities should have documented implementation plans that manage their risks while they transition their policies and systems to meet the new obligations.

Conclusion

The 2026 AML/CTF reform marks a significant shift to a broader, deeper, and more enforcement-driven framework for all reporting entities. This transition from AML compliance as a process to a measurable outcome requires businesses to proactively adapt their risk assessment and CDD systems to meet AUSTRAC’s new expectations.

To navigate these complex changes and ensure your business is prepared for the new regime, contact our specialized AML and AFSL lawyers at AFSL House. Our team specialises in helping financial services, crypto, and fintech businesses implement effective AML/CTF frameworks, so reach out today to secure your compliance and build a more resilient business.

Frequently Asked Questions