AML/CTF penalties in Australia can reach up to $3.3 million per contravention and AUSTRAC is signalling proactive supervision from day one. Professional services firms have a narrow window to build defensible programs before 1 July 2026. DBA Advisory sets out the penalty framework, the minimum action timeline, and what genuine operationalised compliance looks like.
What non-compliance actually costs your firm
AML/CTF compliance failures in Australia are expensive. AUSTRAC’s civil penalty actions against Westpac ($1.3 billion, 2020) and the Commonwealth Bank ($700 million, 2018) established that non-compliance carries consequences at the highest levels of Australian business. For accounting firms and law practices, the direct penalty figures are smaller than those applied to major banks, but the enforcement framework is identical.
For smaller, newly regulated professional services firms, the scale of penalties is different — but the framework is unambiguous under the reformed Act:
- Civil penalties of up to 10,000 penalty units (~$3.3 million) per contravention for body corporates
- Criminal penalties for serious and deliberate non-compliance
- Enforceable undertakings requiring remediation programs at the entity’s cost, on AUSTRAC’s schedule
- Public naming and reputational consequences in enforcement outcomes
Firms that fail to build a compliant program from day one create a documented compliance deficit that compounds over time. When AUSTRAC identifies this deficit through its supervisory process, the cost of mandated remediation — conducted on AUSTRAC's timeline, at the firm's expense — is almost always greater than the cost of building the program correctly in the first place.
The most common enforcement outcome for non-serious breaches is an enforceable undertaking — a mandatory remediation program conducted on AUSTRAC's timeline, at the firm's cost. For most newly regulated professional services firms, this represents a more significant business disruption than the direct financial penalty.
Building a defensible, operationally embedded AML/CTF program takes longer than most newly regulated firms currently anticipate. The following is the minimum action sequence necessary to meet the 1 July 2026 deadline:
| Timeframe | Action |
| --- | --- |
| Immediately | Map your firm’s service activities against the designated services list — confirm reporting entity status |
| Within 30 days | Conduct an internal ML/TF risk assessment across your client base and service lines |
| Within 60 days | Register with AUSTRAC via AUSTRAC Online |
| Within 90 days | Draft, adopt, and operationalise your AML/CTF program |
| Within 90 days | Complete staff awareness training |
| Before 1 July 2026 | Implement KYC and CDD procedures for all new clients |
| Within 12 months post-commencement | Complete a CDD refresh for your existing high-risk client base |
| Ongoing | Monitor transactions, refresh CDD, and lodge SMRs as required |
A program that exists as a document but is not embedded in how your firm actually onboards clients, monitors transactions, and escalates concerns will not satisfy an AUSTRAC review. The standard is evidence of practice — not evidence of paperwork.
The key word is "operationalised."
What genuine compliance looks like
Genuine AML/CTF compliance in Australia has three markers that distinguish it from documentation compliance:
- It is documented and accessible. Your AML/CTF program is written, version-controlled, and understood by the people responsible for implementing it — not filed and forgotten.
- It is operationalised. KYC procedures happen at every client onboarding. CDD refresh is scheduled and tracked. Suspicious matters are escalated through a defined internal channel, with decisions documented regardless of outcome.
- It leaves a trail. Training logs exist. CDD file notes exist. SMR decisions — made or declined — are documented with reasoning. When AUSTRAC asks, you can show your work.
The firms that treat compliance as a floor — the minimum required to avoid a penalty — will build programs defensible on paper but fragile in practice. The firms that treat it as a standard will build something that actually protects their business, their clients, and the integrity of their professional relationships.
Genuine AML/CTF compliance is not just about avoiding AUSTRAC penalties — it is about whether your firm can honestly say it knows who its clients are, where their money comes from, and what its services are being used for. That is the standard that withstands scrutiny, builds lasting client trust, and represents what the reforms were designed to achieve.
Build it before you need it
Australia’s AML/CTF reforms represent the end of a long period of regulatory exceptionalism for professional services. For two decades, lawyers, accountants, and real estate agents operated without the obligations that equivalent firms in the UK, Europe, Canada, and Singapore have carried for years. That gap was not a mark of sophistication — it was a structural vulnerability.
The 1 July 2026 deadline marks the formal close of that era. These obligations are permanent. The question is not whether your business needs to comply — for most professional services firms, it does. The question is whether your program will be ready, and whether it will hold up when it is tested.
That is the standard that withstands scrutiny — and the standard that protects everything your firm has built.
How DBA Advisory supports
DBA Advisory works with professional services firms, financial businesses, and private enterprises across Australia to build AML/CTF programs that are genuinely defensible — tailored to your firm’s specific risk profile, embedded in your operating procedures, and built to withstand AUSTRAC scrutiny. All engagements are delivered on a fixed-fee basis — so the cost of compliance is certain before the work begins.
Frequently Asked Questions (FAQs)
Under the reformed AML/CTF Act, civil penalties for body corporates reach 10,000 penalty units per contravention — currently approximately $3.3 million per contravention. Criminal penalties apply to serious and deliberate non-compliance. AUSTRAC can also impose enforceable undertakings requiring remediation programs at the entity's cost and on AUSTRAC's timeline. Public naming in enforcement outcomes is an additional consequence. Legal practitioners familiar with AUSTRAC proceedings have noted that mandatory remediation programs typically cause greater business disruption than direct financial penalties.
DBA Advisory's experience with newly regulated entities indicates that building a defensible, operationally embedded AML/CTF program — including AUSTRAC registration, ML/TF risk assessment, program drafting, KYC procedure design, beneficial ownership frameworks, and staff training — typically requires 60 to 90 days of focused work. Firms that begin after 30 April 2026 risk not completing program implementation before the 1 July 2026 commencement date. The risk assessment phase alone — on which the program's risk calibration depends — takes two to four weeks for most professional services firms.
An operationalised AML/CTF program is one that is embedded in how the firm actually works — not one that exists as a document. Operationalisation means: KYC procedures happen at every new client onboarding; CDD refresh is scheduled and tracked for existing clients; suspicious matter escalation follows a defined internal protocol; staff have been trained and can demonstrate awareness; and decisions are documented. AUSTRAC's supervisory reviews look for evidence of practice — transaction records, training logs, CDD file notes, documented SMR decisions — not just the existence of a policy document.
AUSTRAC has not announced any grace period for newly regulated entities, and its published guidance indicates an expectation of compliant, operationalised programs from the commencement date of 1 July 2026. AUSTRAC has made clear it will supervise newly regulated entities proactively — not reactively — from the first day of commencement. Firms should not assume that registration alone, or a program in draft form, will satisfy AUSTRAC's supervisory expectations in the period immediately after 1 July 2026.
A compliance readiness review is a structured assessment of a firm's current position against its AML/CTF obligations — typically covering designated services confirmation, ML/TF risk profile, existing KYC practices, client base risk stratification, and the gap between current state and required program elements. DBA Advisory's Compliance Readiness Review is designed specifically for professional services firms facing Tranche 2 obligations for the first time. It is delivered on a fixed-fee basis and produces a written remediation plan with prioritised actions and timelines. Most firms benefit from completing a readiness review before beginning program drafting, as the risk assessment findings directly shape the program's content.
Disclaimer
© DBA Advisory 2026. This article is intended as general information only and does not constitute legal or compliance advice. Businesses should seek qualified advice specific to their circumstances before acting on any information contained in this article.
Get in touch
Alquin Dagamina
Manager Business Transformation and Technology Services Division
- Alquin.Dagamina@dbaadvisory.com
- 09158918379

