AML/CTF Compliance Guide
for Australian reporting entities

Under the AML/CTF Act 2006, a “reporting entity” is any person or body that provides a “designated service” as defined in Table 1 of section 6. This is not limited to banks. The current regime captures a wide range of financial and remittance businesses.

Currently captured reporting entities include:

• Banks, credit unions, and authorised deposit-taking institutions
• Insurance companies and brokers providing life insurance or annuity products
• Superannuation fund trustees
• Finance companies providing consumer credit
• Currency exchange services and remittance dealers
• Digital currency exchange providers (DCEs) — including cryptocurrency exchanges
• Bullion dealers
• Casinos and gambling providers (in certain circumstances)
• Loan brokers and finance intermediaries

If your business provides any of these services, you are almost certainly a reporting entity and must be enrolled with AUSTRAC. Operating as an unregistered reporting entity is a strict liability offence attracting significant civil penalties.

The AML/CTF regime is built on four interconnected obligations. Every reporting entity must address all four.

The AML/CTF program is the foundation that governs how you implement the other three pillars. AUSTRAC can and does request copies of AML/CTF programs during examinations. A program that exists only on paper but is not operationally embedded will not satisfy the regulator.

Australia has been on the FATF grey list watch due to the delayed implementation of Tranche 2. The 2024 amendments finally expand the regime to capture what FATF calls “designated non-financial businesses and professions” (DNFBPs).

Newly captured from July 2026:

• Lawyers and law firms — when handling client money, forming companies, or conducting real estate conveyancing
• Accountants and accounting firms — when providing certain financial or company management services
• Real estate agents — when facilitating the purchase or sale of real property
• Trust and company service providers
• Precious metal and gemstone dealers above prescribed thresholds

If you are in one of these professions, you will need to enrol with AUSTRAC, conduct a business-wide risk assessment, develop a compliant AML/CTF program, and implement CDD procedures before the July 2026 commencement date. The transition period is short and penalties for non-compliance begin from day one.

Reporting entities must retain AML/CTF records for a minimum of 7 years from the date the record was created or the transaction occurred. This applies to:

• Customer identification records and supporting documents
• Transaction records for all designated services provided
• Copies of all SMRs, TTRs, and IFTIs submitted to AUSTRAC
• AML/CTF program and all previous versions
• Records of ongoing due diligence reviews
• Staff AML/CTF training records

Records must be stored in a manner that allows them to be retrieved and provided to AUSTRAC within a reasonable time. Cloud-based storage is permitted provided it meets Australian data residency requirements applicable to your business.

AUSTRAC has broad investigation and enforcement powers. It can compel the production of documents, conduct on-site inspections, issue remedial directions, and refer matters to the AFP or CDPP for criminal prosecution.

Civil penalty amounts (as at 2026):

• Failure to enrol with AUSTRAC: up to 100 penalty units per day
• Failure to have an AML/CTF program: up to $18 million for corporations
• Failure to report an SMR: up to $18 million per contravention
• Failure to file a TTR: up to $18 million per contravention
• Failure to retain records: significant civil penalties

AUSTRAC has demonstrated willingness to pursue large enforcement outcomes. In recent years it has secured the largest corporate penalties in Australian legal history. Compliance is not optional and the regulator is not passive.

Manual AML/CTF compliance is error-prone and creates documentation gaps that expose your business during examinations. Purpose-built software addresses the four pillars systematically:

• Automated CDD workflows with identity verification integrations and risk scoring
• Encrypted document storage meeting the 7-year retention requirement
• SMR workflow management with deadline tracking — AUSTRAC requires reports within 3 business days of forming suspicion
• TTR capture and submission preparation for cash transactions at or above $10,000
• Audit-ready reporting with complete, timestamped transaction and CDD records
• Staff training completion tracking as part of the AML/CTF program