Australia's financial crime prevention landscape changed dramatically when the federal parliament passed amendments to the Anti-Money Laundering and Counter-Terrorism Financing Act in late 2024. The message was unambiguous: the old way of doing things wasn't enough. By mid-2026, thousands of Australian businesses — many of which had never considered themselves part of the financial compliance world — are finding themselves firmly inside AUSTRAC's regulatory net.
If your organisation is still working out what this means in practice, this guide will walk you through what changed, who it affects, and what you need to do about it right now.
The Biggest AML/CTF Shake-Up in Nearly Two Decades
Australia is entering a transformative period in its response to financial crime. The reforms to the Anti-Money Laundering and Counter-Terrorism Financing Act represent the most significant overhaul of the country's AML regime in almost twenty years — and that's not an exaggeration.
The changes operate in two distinct waves. Existing reporting entities — banks, financial institutions, remittance providers, asset managers, and payment businesses — were required to implement new obligations from 31 March 2026. A second wave, known as Tranche 2, brings entirely new sectors into the framework from 1 July 2026.
According to industry reports, an estimated 80,000 to 90,000 new businesses are entering the AML/CTF regime under Tranche 2. These aren't all large corporations. Many are small law firms, boutique property agencies, accounting partnerships, and independent jewellers — businesses where compliance has traditionally sat at the bottom of the priority list.
The global context matters here too. The Financial Action Task Force (FATF) — the international body that sets AML/CTF standards — has long identified professional services as high-risk channels for money laundering and terrorism financing. Australia's reforms are a direct response to FATF evaluation findings and years of pressure to modernise a regime that had significant structural gaps.
Who Is Now Captured Under Tranche 2?
The expanded "designated services" definition is broad and deliberately so. Real estate agents, property developers, lawyers, accountants, conveyancers, and dealers in precious metals, stones, and high-value goods all fall within scope.
The detail that surprises many is that size is irrelevant. A sole practitioner conveyancer operating from a suburban shopfront carries the same basic obligations as a major commercial law firm — if they provide designated services, they are a Tranche 2 entity. Full stop.
This mirrors international practice across mature AML regimes. In the United Kingdom, the Financial Conduct Authority (FCA) has regulated professional service providers under anti-money laundering rules for years. The European Union's successive AML directives have similarly extended coverage to lawyers, accountants, and real estate professionals across member states. Australia was behind the curve on this, and the 2026 reforms are closing that gap.
The goal, as AUSTRAC has stated clearly, is to eliminate the avenues through which organised crime and professional money laundering networks exploit gaps in the system. The professions being captured have historically been used to layer and integrate criminal proceeds — particularly through property transactions and complex legal structures.
Key Deadlines: What You Cannot Afford to Miss
Deadlines in AML/CTF compliance are not soft targets. Missing them draws regulatory attention immediately.
31 March 2026 — Existing reporting entities' updated AML/CTF program obligations and new ongoing customer due diligence (CDD) requirements took effect. From this date, all existing regulated entities must apply the new ongoing CDD obligations to all customers.
30 May 2026 — Existing reporting entities must have notified AUSTRAC of their AML/CTF compliance officer by this date.
1 July 2026 — Tranche 2 entities must be enrolled and compliant. Enrolment opened from 31 March 2026, and businesses should not wait until the deadline to complete this step.
29 July 2026 — Newly regulated Tranche 2 entities must have notified AUSTRAC of their AML/CTF compliance officer.
30 March 2029 — Existing reporting entities have until this date to fully transition from the old applicable customer identification procedures (ACIP) to the new initial CDD framework. This three-year transitional period does not extend to Tranche 2 businesses.
For virtual asset service providers, travel rule obligations — covering both traditional transfers and virtual asset transactions — apply from 1 July 2026, with no exemption available beyond that date.
Understanding the Two-Part AML/CTF Program
This is where many businesses get stuck. The concept of an AML/CTF program sounds administrative until you're actually building one and realise how much structural thinking it requires.
The program must have two distinct parts.
Part A covers your risk management framework — the processes and controls your business uses to identify, assess, and mitigate money laundering and terrorism financing risks. This isn't a generic statement of intent. It needs to reflect your actual customer base, your transaction types, the geographies you deal with, and the specific vulnerabilities in your services.
Part B covers customer due diligence — how you identify and verify customers, how you identify beneficial owners, and how you handle higher-risk categories like politically exposed persons (PEPs) and customers from high-risk jurisdictions.
A small accounting firm in Perth that predominantly serves local SME clients will have a very different risk profile to a commercial law firm that manages international asset transfers. The programs should look different too. AUSTRAC provides program starter kits as a beginning point, but they are a scaffold — not a finished product.
One practical insight from professionals who have gone through this process: the most common gap isn't in the documentation itself, but in the evidence trail. A program can be well-written but completely unsupported by records of how it's actually being applied day to day. AUSTRAC looks at both. Building in documentation habits from the start saves significant pain during any subsequent review or enforcement engagement.
Governance: Boards Are Now Personally in the Frame
One of the most significant cultural shifts embedded in the reforms is the explicit elevation of board and senior management accountability. This isn't subtle language buried in a regulatory note — it's a clear structural feature of the reformed Act.
Boards are expected to actively oversee AML/CTF programs, not simply receive periodic reports from compliance staff. Senior managers carry personal legal exposure for failures in governance. Civil penalties under the AML/CTF Act can be imposed on individuals, not just corporate entities.
For company directors in Tranche 2 sectors, this reframes the conversation entirely. The question is no longer whether your compliance officer has it covered. The question is whether you, as a director, understand your organisation's obligations well enough to provide meaningful oversight and challenge.
Governance frameworks for AML/CTF have been a standard expectation in mature financial services companies for years. The Basel Committee on Banking Supervision has published guidance on compliance function governance that reflects the same principles now being embedded in Australia's reformed AML/CTF regime. The difference is that these expectations now extend far beyond banks.
The Travel Rule: A Technical but Critical Change
The travel rule is one of the most operationally demanding elements of the 2026 reforms — particularly for businesses managing cross-border transfers or dealing in virtual assets.
In simple terms, the travel rule requires that structured information about both the sender and the recipient travels with a value transfer. Whether the transfer involves traditional funds, cryptocurrency, stablecoins, or non-fungible tokens, the business initiating the transfer must capture and pass on identifying information about both parties.
A new and broader definition of "virtual asset" has been inserted into the AML/CTF Act, replacing the previous "digital currency" terminology. This brings stablecoins and NFTs within scope — closing a definitional gap that had created regulatory uncertainty for some digital asset businesses.
For virtual asset service providers, there is no transition period grace beyond 1 July 2026 for travel rule compliance. Businesses that haven't updated their systems and processes to capture and transmit the required information in a compliant format will be in breach from day one.
Building Your Compliance Readiness: A Practical Sequence
For organisations in the preparation or catch-up phase, a structured approach matters more than speed alone.
Start by confirming your status. Are you a Tranche 2 entity? Which designated services do you provide? AUSTRAC's website at austrac.gov.au/amlctf-reform has sector-specific guidance that answers these questions with more precision than any general summary can.
Then enrol with AUSTRAC if you haven't already. Enrolment is the gateway to all subsequent obligations. Don't wait for the July deadline if you can complete it now.
Appoint your AML/CTF compliance officer. This must be a management-level appointment — not a junior administrator, not a shared responsibility, and not someone who is unaware of the obligations attached to the role. Notify AUSTRAC within your applicable deadline.
Conduct your enterprise-wide risk assessment. This is the foundation of everything else. Be honest. Look at your highest-risk customers, your highest-risk transaction types, and the geographic exposures in your work. Document the assessment thoroughly.
Build your AML/CTF program from that risk assessment, not from a template. AUSTRAC's starter kits are useful scaffolding, and industry associations including the Law Society of NSW have released sector-specific implementation guides. Use them as a starting point, not an endpoint.
Then train your people. A program that nobody has read and nobody understands is not compliance — it's paperwork. Your frontline staff, your client relationship managers, your administration team — they all need to understand what suspicious behaviour looks like, what to do when they see it, and how the reporting process works.
The Australian Compliance Institute offers CPD-accredited AML/CTF training built specifically for Australian legislative requirements, covering customer due diligence, suspicious matter reporting obligations, and how the FATF framework connects to day-to-day business decisions. For organisations needing to upskill staff at scale, structured online training with documented completion records also supports audit readiness.
What Happens If You're Not Ready?
AUSTRAC has been explicit. Its enforcement posture does not soften because the reform is complex or the transition is difficult.
Businesses that cannot demonstrate they are managing their risks during the transition period are expected to have a documented implementation plan showing how they are managing those risks while moving toward full compliance. That plan won't protect a business that isn't genuinely trying — but it demonstrates good faith for those that are.
The consequences of non-compliance are real. Civil penalties can be imposed at both corporate and individual level. Registration can be cancelled or suspended for businesses with unacceptably high or unmanaged risks. Australia has seen landmark corporate penalties for AML/CTF failures in financial services in recent years. The expansion of the regime doesn't dilute that enforcement appetite — if anything, it signals that AUSTRAC intends to hold all regulated sectors to the same standard.
The time to build your compliance framework is before 1 July 2026 — not after the first AUSTRAC engagement arrives.
