AUSTRAC AML/CTF Compliance: The Complete Guide for Australian Financial Institutions
Australia's Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) regime is entering its most demanding phase. The Tranche 2 reforms bringing lawyers, accountants, and real estate agents into the regime, record civil penalty orders against Crown ($450 million) and Westpac ($1.3 billion), and AUSTRAC's escalating supervision intensity have made AML/CTF the single highest-stakes compliance obligation for most reporting entities in 2025-2026.
Whether you are a bank, credit union, remittance dealer, digital currency exchange, or any other AUSTRAC-regulated entity, this guide covers every core obligation — from structuring your AML/CTF program through to reporting, risk assessment, and what the enforcement record tells you about where AUSTRAC looks first.
What is an AML/CTF Program?
Under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act), every reporting entity must adopt and maintain an AML/CTF program before it provides any designated service. The program is not a document you file with AUSTRAC — it is a living compliance system with two distinct parts.
Part A — Customer and Business Risk Management
Part A is the operational heart of your AML/CTF program. It must document how your business identifies, mitigates, and manages money laundering and terrorism financing risk. Key components include:
- ML/TF risk assessment — a documented assessment of the risk posed by your customers, designated services, delivery channels, and the jurisdictions you operate in or transact with
- Customer identification and verification (CID/V) — procedures for identifying individuals, companies, trusts, and other entities before providing designated services
- Enhanced customer due diligence (ECDD) — heightened procedures for politically exposed persons (PEPs), high-risk customers, and complex or unusual transactions
- Ongoing customer due diligence — monitoring customer relationships and transactions over time to detect changes in risk profile
- Employee due diligence — screening employees with access to AML/CTF functions and providing regular training
- Board and senior management oversight — the board must approve the AML/CTF program and receive regular compliance reports
Part B — Transaction Monitoring Program
Part B requires a documented transaction monitoring program (TMP) that identifies, monitors, and assesses transactions for suspicious activity and reporting obligations. The TMP must:
- Set out the monitoring rules, thresholds, and scenarios your systems apply
- Define how alerts are investigated and escalated
- Specify who is responsible for reviewing and approving suspicious matter reports before submission
- Be reviewed and updated as your business and risk profile change
AUSTRAC's enforcement findings consistently show that weak or outdated TMPs are the primary failure point. Crown's $450 million penalty, for example, stemmed in part from a TMP that was not calibrated to detect the cash-intensive risks present in its casino operations.
Customer Identification (KYC/CDD)
Knowing your customer is both an obligation and a risk management tool. AUSTRAC's AML/CTF Rules prescribe minimum verification requirements by customer type. Getting CID/V wrong — either by not collecting enough information or by relying on inadequate verification sources — is a common source of AUSTRAC findings.
Individual Customers
You must collect: full name, date of birth, and residential address. You must verify at least the name and either the date of birth or address using a reliable and independent source. Acceptable verification sources include:
- Australian driver licence or passport (government-issued photo ID)
- Electronic verification via AUSTRAC-approved databases (e.g., credit bureau or government identity verification services)
- For non-face-to-face customers, a combination of two sources covering name plus one other data point
Company Customers
For Australian companies, you must collect the company name, ACN, and registered address, and verify via ASIC records. You must also identify beneficial owners — individuals who ultimately own or control more than 25% of the company — and apply individual verification to those persons.
Trust Customers
Trusts are one of the highest-risk customer structures under AUSTRAC guidance. You must identify the trust name, settlor, trustee(s), and all beneficial owners with an interest of 25% or more. For discretionary trusts, you must identify the class of potential beneficiaries and the person who controls the trust. Trustees that are companies trigger the full corporate beneficial ownership chain.
Enhanced Customer Due Diligence (ECDD)
ECDD applies to customers and transactions that present heightened ML/TF risk. Your AML/CTF program must specify the circumstances that trigger ECDD and what additional steps you take. Mandatory ECDD triggers include:
- Politically Exposed Persons (PEPs) — domestic and foreign PEPs, their family members, and close associates. AUSTRAC's PEP guidance requires senior management approval before establishing or continuing a PEP relationship.
- Correspondent banking — before entering any correspondent banking relationship you must conduct comprehensive due diligence on the respondent institution
- High-risk jurisdictions — transactions involving FATF-listed countries or your own internally assessed high-risk jurisdictions
- Complex or unusual transactions — transactions with no apparent economic rationale, inconsistent with the customer's expected activity profile, or structured in a way that appears designed to avoid reporting thresholds
Transaction Monitoring and Reporting
AML/CTF reporting obligations are non-negotiable. Missing a mandatory report — even once — can constitute a civil penalty offence. There are three primary report types.
Suspicious Matter Reports (SMRs)
An SMR must be submitted to AUSTRAC as soon as practicable, and in any case within 24 hours of forming a suspicion, where you suspect on reasonable grounds that:
- A customer is not who they claim to be
- A transaction involves proceeds of crime
- A transaction is related to terrorism financing
- A customer is acting on behalf of an undisclosed third party in a way that raises ML/TF concerns
The obligation to report is triggered by suspicion, not certainty. You do not need proof. Failure to submit an SMR when a suspicion has formed — even if the underlying activity turns out to be legitimate — is an offence. AUSTRAC tracks SMR submission rates by reporting entity type and investigates anomalous under-reporting.
Critically, tipping off is prohibited. Once an SMR has been submitted or you have decided to submit one, you must not disclose this to the customer or any affected third party. Tipping off is a criminal offence carrying up to two years imprisonment.
Threshold Transaction Reports (TTRs)
A TTR is required for every cash transaction of AUD $10,000 or more (or foreign currency equivalent). The report must be submitted within 10 business days of the transaction. TTRs are mandatory and automatic — there is no discretion. Structuring transactions to keep them below the $10,000 threshold to avoid TTR obligations is a specific criminal offence under the AML/CTF Act.
International Funds Transfer Instructions (IFTIs)
Every international transfer of funds — both incoming and outgoing — must be reported to AUSTRAC. For transfers sent from Australia, the report is due within 10 business days. For transfers received into Australia, the report is due within 10 business days of receipt. IFTIs include SWIFT transfers, international telegraphic transfers, and transactions through correspondent banking arrangements.
ML/TF Risk Assessment
Your ML/TF risk assessment is the foundation of your entire AML/CTF program. Everything downstream — your CDD procedures, monitoring thresholds, ECDD triggers, reporting escalations — should be calibrated to the risks you identify here. AUSTRAC expects the risk assessment to be proportionate (reflecting your actual business) and dynamic (updated as risks change).
Customer Risk
Assess the ML/TF risk presented by your customer base. High-risk customer factors include: use of cash, complex ownership structures, PEP status, non-resident customers, customers from high-risk jurisdictions, customers operating in high-risk industries (gambling, real estate, precious metals), and customers who are evasive or provide incomplete information.
Product and Service Risk
Some designated services carry inherently higher ML/TF risk than others. Cash acceptance, anonymous prepaid products, digital currency exchange, large-value loan origination, and international wire transfers all carry elevated risk profiles. Your program must reflect these differences in how you monitor and control each service line.
Delivery Channel Risk
Non-face-to-face onboarding, digital-only channels, and third-party introducers (including aggregators and mortgage brokers) introduce additional risk because you cannot directly verify customer identity or observe behaviour. Your program must include additional controls for these channels, including enhanced verification requirements and introducer due diligence.
Geographic Risk
FATF-listed jurisdictions (both "black list" — non-cooperative — and "grey list" — enhanced monitoring) must feature in your risk assessment. Beyond FATF lists, you should assess exposure to jurisdictions identified by your own intelligence or by AUSTRAC guidance as presenting elevated ML/TF risk.
Keeping the Risk Assessment Current
AUSTRAC expects risk assessments to be reviewed regularly — at minimum annually, and whenever there is a material change in your business, customer base, products, or the external threat environment. The Westpac enforcement action highlighted the risk of allowing a static risk assessment to fall years out of date while the business and regulatory landscape evolved.
Recent Enforcement Lessons
The three largest civil penalty orders in Australian corporate history are all AML/CTF matters. Each reveals a different failure pattern, and together they define where AUSTRAC supervision is most intense.
Westpac — $1.3 Billion (2020)
AUSTRAC alleged over 23 million breaches of the AML/CTF Act, including:
- Failure to report 19.5 million IFTIs totalling over $11 billion
- Failure to carry out appropriate due diligence on customers sending money to the Philippines and South-East Asia through Westpac's LitePay platform, some of which was linked to child exploitation
- Failures in correspondent banking due diligence
- A risk assessment and transaction monitoring program that had not kept pace with a product (LitePay) that carried significantly elevated risk
Lesson: New products and channels require a dedicated risk assessment and transaction monitoring build-out before launch. A TMP designed for one product cannot be assumed to cover a new one.
Crown Resorts — $450 Million (2023)
AUSTRAC found Crown had:
- Allowed patrons to use its Melbourne and Perth casinos as conduits for money laundering through high-value cash play, junket operations, and third-party chip purchases
- Failed to maintain an AML/CTF program that was appropriate to the ML/TF risks of casino operations
- Carried out inadequate ongoing due diligence on high-value customers, including patrons with known criminal associations
- Not adequately briefed its board and senior management on ML/TF risks or AML/CTF program deficiencies
Lesson: AML/CTF is a board-level obligation. Senior management cannot delegate awareness of significant program deficiencies. Governance failures amplify penalties.
Star Entertainment — $100 Million (2024)
AUSTRAC's action against Star echoed Crown's: inadequate AML/CTF program for a high-risk casino environment, failure to conduct ECDD on high-value patrons, and insufficient transaction monitoring for cash and chip transactions. Star's penalty reinforced that AUSTRAC will not accept industry-wide underperformance as a mitigating factor.
Lesson: Peer benchmarking is not a defence. Your program must be adequate for your specific risk environment, regardless of what others in your industry are doing.
Common AML/CTF Gaps GoComply Detects
GoComply's scanner analyses your AML/CTF program documents against the AML/CTF Act, AUSTRAC Rules, and FATF methodology. The most common deficiencies we detect are:
- No documented ML/TF risk assessment — or a risk assessment that is undated, not version-controlled, or predates a significant business change (new product, new channel, change in customer mix)
- PEP procedures that are incomplete or threshold-based only — programs that screen for foreign PEPs but lack adequate procedures for domestic PEPs, family members, or close associates; or that treat all PEPs as a binary pass/fail rather than applying proportionate ECDD
- Beneficial ownership identification gaps — trust CDD that does not identify all required parties, or company CDD that identifies only the registered controllers without tracing the ultimate beneficial ownership chain
- Transaction monitoring program not updated for current products — TMPs that reference legacy product names, thresholds set years ago without review, or monitoring rules that do not cover digital channels or new payment types
- No documented SMR decision trail — the program describes the obligation to submit SMRs but does not document the investigation, escalation, and sign-off process; this leaves the entity unable to demonstrate it has a functioning detection and reporting process in an AUSTRAC audit
AML/CTF Program Review Cadence
AUSTRAC's Rules do not set a fixed review frequency, but AUSTRAC guidance and enforcement outcomes make clear what is expected. At minimum:
- Annual review — the full AML/CTF program, including both Part A and Part B, should be reviewed and the board should receive a compliance report
- Triggered review — any material change to your business, product set, customer base, or the external threat landscape should trigger an out-of-cycle review of the affected program sections
- Post-incident review — after any suspicious matter is reported or a significant anomaly is identified through transaction monitoring, review the relevant program sections to assess whether the detection resulted from effective controls or from chance
Tranche 2 Reforms — What Is Coming
The AML/CTF Amendment Act 2024 extends reporting entity obligations to lawyers, accountants, real estate agents, and dealers in precious metals and stones for the first time. These "Tranche 2" entities are expected to begin enrolling with AUSTRAC from 2026. If your organisation is in one of these sectors — or if you provide services to entities in these sectors — you should begin your AML/CTF program build-out now.
Key differences for Tranche 2 entities include simplified program requirements for lower-risk businesses, risk-based CDD rather than prescriptive verification rules, and a longer transition period for implementation. However, the core obligations — maintain a program, identify your customers, monitor transactions, report suspicious matters — apply equally.
Related Regulations
AML/CTF compliance intersects with several other obligations your compliance team must consider:
- Privacy Act 1988 — customer identity data collected for AML/CTF purposes is subject to the Australian Privacy Principles; data minimisation, purpose limitation, and breach notification obligations apply
- APRA CPS 230 — for APRA-regulated entities, AML/CTF program systems (transaction monitoring, customer databases) are likely critical operations requiring tolerance levels and BCP coverage
- ASIC financial services laws — for AFS licensees, AML/CTF obligations run alongside ASIC's client identification requirements for certain product types
- Financial Accountability Regime (FAR) — accountable persons at major banks and insurers must have AML/CTF responsibilities explicitly allocated under their accountability statements
- Corporations Act continuous disclosure — AUSTRAC investigations, enforcement actions, and material AML/CTF program deficiencies may be market-sensitive information for listed entities
This guide is for informational purposes and does not constitute legal advice. AML/CTF obligations vary by entity type, designated service, and risk profile. Consult qualified AML/CTF compliance professionals for advice specific to your business. GoComply covers 37 Australian financial regulations — try the chatbot for instant clause-level answers.