AML/CTF Compliance in Australia

AML/CTF compliance in Australia undergoes its most significant expansion in two decades, extending full obligations to accountants, lawyers, real estate agents, and trust service providers under the AML/CTF Amendment Act 2024.


The compliance gap closes on 1 July 2026

For nearly two decades, the framework had a structural blind spot — banks were regulated, fintechs were regulated, casinos were regulated, but the lawyers who structured the transactions, the accountants who moved the money, and the real estate agents who settled the assets operated, for the most part, outside the perimeter.

That changes on 1 July 2026.

The Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 is the most significant AML/CTF compliance reform in Australia in two decades. It extends the full suite of obligations to professional services firms for the first time — making accountants, lawyers, real estate agents, trust and company service providers, and certain dealers in precious metals designated reporting entities under Australian law.

Compliance is no longer a back-office consideration that applies to someone else’s industry. For thousands of Australian professional services firms, it is now a legal obligation — and the preparation required is far more substantial than most currently appreciate.

This guide covers everything a professional services firm needs to achieve AML/CTF compliance in Australia: who is captured, what the reforms actually changed, what compliance requires in practice, the penalty framework, and the action timeline your firm needs to follow now.

Why Australia's regulatory gap became untenable

Australia did not arrive at these reforms voluntarily. The Financial Action Task Force (FATF) — the Paris-based intergovernmental body that sets global AML/CTF standards — had been documenting and criticising Australia’s blind spot for years.

In its 2015 mutual evaluation of Australia, FATF rated the country non-compliant or partially compliant across multiple technical requirements, specifically citing the absence of AML/CTF compliance obligations for lawyers, accountants, and real estate agents — categories FATF designates as Designated Non-Financial Businesses and Professions (DNFBPs). Australia was placed on enhanced follow-up: a status that carries reputational and practical consequences for a jurisdiction positioning itself as a regional financial hub.

In public statements and parliamentary submissions regarding the Tranche 2 reforms, AUSTRAC has consistently identified professional services as a persistent gap in Australia's financial crime defences — citing the country's particular exposure to money laundering through real property transactions and layered corporate structures as the primary justification for the expansion.

[Statistic callout: estimated proceeds of crime flowing through the Australian economy annually, in $ billions. Source: Attorney-General's Department, 2023 Tranche 2 Consultation]

That figure is not an abstraction. It represents real client funds, real property transactions, and real professional relationships that have, for two decades, operated without the oversight that equivalent jurisdictions in the UK, EU, Canada, and Singapore have long required.

The AML/CTF Amendment Act 2024 was Australia’s formal response. The Tranche 2 obligations extending AML/CTF compliance to professional services commence 1 July 2026. The window to build a compliant program is open now. It will not stay open.

Who is captured — the designated services test

The single most important concept for understanding AML/CTF compliance in Australia is the designated services test. A firm does not become a reporting entity because of what type of business it is — it becomes one because of what services it actually provides.

The following service categories trigger full reporting entity obligations:

  • Accounting and bookkeeping services — where the firm manages client funds, prepares financial statements in connection with transactions, or provides tax advice connected to asset structuring or disposal
  • Legal practitioners — engaged in real property transactions, forming or administering trusts or companies, managing client trust accounts, or acting in business acquisitions and disposals
  • Real estate agents and property developers — for the purchase or sale of residential or commercial property above $10,000, which captures the vast majority of Australian property transactions
  • Trust and company service providers (TCSPs) — firms that form, administer, or provide registered office services for trusts or corporate entities
  • Dealers in precious metals, precious stones, and luxury goods — for transactions above applicable thresholds
  • Certain financial advisers and mortgage brokers — those not already captured under existing AFSL conditions

A firm providing multiple designated services triggers multiple independent obligations. An accounting firm that manages client trust accounts, prepares transactional financial statements, and provides registered office services may be captured across three separate categories simultaneously.


Many firms are assessing their exposure by asking "what type of firm are we?" rather than "what services do we actually provide?" The designated services test is activity-based, not entity-based. A firm that has never considered itself subject to financial regulation may find that several of its core service lines independently trigger reporting entity obligations.

The 9 changes that define the new AML/CTF compliance regime

The reforms do not simply extend existing rules to new sectors. In several important respects, the AML/CTF framework itself has been restructured. Here is what changed — and what it means for every affected firm.

| Area | Before 1 July 2026 | From 1 July 2026 |
|---|---|---|
| Who must comply | Banks, fintechs, remittance providers, casinos, bullion dealers | All of the above PLUS accountants, lawyers, real estate agents, TCSPs, and select financial advisers |
| AML/CTF program | Two-part: Part A (risk management) + Part B (customer identification) | Single integrated, risk-based program — Part A/B structure abolished by the Amendment Act 2024 |
| Customer due diligence | Required at onboarding; limited ongoing triggers | Required at onboarding PLUS mandatory ongoing refresh when risk profile changes |
| Beneficial ownership | Banks and financial institutions only | ALL reporting entities — identify natural persons with 25%+ control of any corporate or trust client |
| PEP obligations | Foreign PEPs only required enhanced CDD | Domestic AND foreign PEPs both require enhanced CDD |
| Tipping-off prohibition | Applied to financial institutions | Applies to ALL reporting entities — including lawyers and accountants |
| AUSTRAC registration | Existing entities only | Mandatory for all Tranche 2 entities before providing designated services |
| Record retention | 7 years (existing entities) | 7 years — same standard, newly applied to ALL reporting entities including professional services |
| Enforcement exposure | Primarily financial institutions | All reporting entities, including newly regulated professional services firms |

1. 10,000 new reporting entities — the largest expansion in 20 years

AUSTRAC estimates the reforms bring approximately 10,000 new reporting entities into the regime — the largest single-cohort addition since the Act passed in 2006. For the legal and accounting professions, this is a change in professional obligations with no modern precedent in Australia.

2. Single integrated program — the Part A / Part B structure is gone

The old two-document structure — Part A for risk management, Part B for customer identification — is abolished by the Amendment Act 2024. Every reporting entity now maintains a single, integrated risk-based AML/CTF program. For newly designated firms, the flexibility this creates is real — but so is the obligation. A risk-based program requires genuine risk assessment capability, not template-filling.

The most common failure mode for newly regulated entities is treating program drafting as the end of the compliance exercise rather than the beginning. AUSTRAC's supervisory approach is focused on evidence of program execution — training logs, CDD file notes, documented escalation decisions — not the existence of a policy document. A program that lives in a folder and is not embedded in daily operating procedure will not withstand a supervisory review.

3. Beneficial ownership — looking through the structure

All reporting entities must now identify any natural person with 25% or more ownership or control of any corporate or trust client — at onboarding, not merely when a transaction is flagged. This means looking through layered company structures, discretionary trust deeds, and nominee arrangements to identify real individuals.


Beneficial ownership identification is not a documentation exercise — it is an understanding exercise. Collecting a certificate of incorporation is not sufficient. Understanding who actually controls the entity is the standard.

4. Domestic PEPs — enhanced CDD now applies

Enhanced customer due diligence was previously mandatory only for foreign Politically Exposed Persons. Domestic PEPs — Australian politicians, senior public servants, senior judiciary members, and their close associates — require the same level of enhanced CDD. For accounting and legal firms with government clients, this has immediate practical implications.

5. Ongoing CDD — from event-based to relationship-based compliance

Customer due diligence is no longer an onboarding event. It is an ongoing obligation tied to the client relationship itself. Risk profiles must be monitored and refreshed when circumstances change — or when defined periods have elapsed (typically one to three years for standard-risk clients). For a firm with hundreds of established client relationships, this is a fundamental operating change.

6. Tipping-off — a criminal offence now applicable to lawyers and accountants

The prohibition on informing a client that a Suspicious Matter Report has been or may be lodged is a criminal offence under the AML/CTF Act. Its extension to lawyers and accountants introduces genuine complexity — particularly the intersection with legal professional privilege.

The Law Council has been actively engaged with the Attorney-General's Department on the tension between the tipping-off prohibition and lawyers' existing duties of confidentiality and legal professional privilege. Firms should not wait for final guidance before establishing internal SMR escalation protocols — the obligation applies regardless of whether privilege guidance has been finalised.

7. Single customer identification procedure — known-client exemptions removed

Multiple old identification pathways are replaced by a single standard: identity collection, verification, and beneficial ownership analysis in one coherent process. Known-client exemptions and informal identification practices no longer satisfy the obligation. Every client relationship must be built on a documented identification and verification record.

8. Seven-year record retention — applies to all reporting entities

All AML/CTF records — customer identification documents, transaction records, CDD file notes, training logs, and SMR decisions — must be retained for a minimum of seven years and must be producible to AUSTRAC at any time. This is not a new obligation for existing reporting entities, but it is a new operational requirement for every Tranche 2 firm.

9. Proactive supervision — AUSTRAC is not waiting

AUSTRAC has signalled clearly that its supervisory model for Tranche 2 entities will be proactive from day one, not reactive. Its published guidance states an expectation of operationalised programs at commencement, not programs in development. AUSTRAC has been building supervisory capacity specifically to apply it to newly regulated firms.

Do not assume a grace period. The regulator's track record of significant enforcement action against major financial institutions makes clear that good intent does not substitute for a compliant, operational program.


6 AML/CTF compliance obligations you must implement

Understanding what changed is the first step. The second is building what is required. Every newly designated reporting entity must implement the following six AML/CTF compliance obligations.

1. Register with AUSTRAC — on or before 30 June 2026

Every new reporting entity must register with AUSTRAC via AUSTRAC Online before providing designated services. Required disclosures include the firm’s ownership structure, key management personnel, and the designated service categories being offered. Operating without registration after 1 July 2026 is a civil penalty offence.

2. Draft and adopt a single integrated AML/CTF program

identification and KYC procedures; beneficial ownership identification; ongoing CDD triggers; staff training requirements; a designated compliance officer; an independent review mechanism; and seven-year record-keeping procedures. This is a single document — not Part A and Part B.

3. Know Your Customer (KYC) and customer due diligence

Collect and verify identity before providing designated services. Standard CDD — full legal name, date of birth, address, and beneficial ownership for all clients — applies to most relationships. Enhanced CDD is mandatory for domestic and foreign PEPs, clients from FATF high-risk jurisdictions, unusual transaction structures, and clients who are reluctant to provide satisfactory identification.

4. Ongoing monitoring and CDD refresh

Monitor client relationships continuously. Refresh CDD when risk profiles change materially, when transactions are inconsistent with known client profiles, when new information emerges, or when program-defined periods have elapsed.

5. Lodge Suspicious Matter Reports when required

Where reasonable grounds exist to suspect money laundering, terrorism financing, tax evasion, or related offences, lodge an SMR with AUSTRAC within 3 business days of forming a suspicion — or 24 hours where the suspicion relates to terrorism financing. Establish internal escalation protocols that comply with the tipping-off prohibition.

6. Retain all records for a minimum of 7 years

Customer identification documents, transaction records, CDD file notes, training logs, and SMR decisions — all must be retained and producible to AUSTRAC at any time.

The penalty framework — what non-compliance actually costs

AUSTRAC has not been shy about enforcement, and the penalties for AML/CTF compliance failures are significant. Its actions against Westpac ($1.3 billion in 2020) and the Commonwealth Bank ($700 million in 2018) established that failures carry consequences at the highest levels of Australian business. For newly regulated professional services firms, the scale is different — the framework is not.

Maximum civil penalty per contravention for body corporates (10,000 penalty units at current rate): approximately $3.3 million.

Beyond direct financial penalties, AUSTRAC’s most commonly deployed tool for non-serious non-compliance is the enforceable undertaking — a mandatory remediation program conducted entirely at the entity’s cost, on AUSTRAC’s timeline and to AUSTRAC’s standard. For most professional services firms, this represents a far greater business disruption than the direct penalty figure.

Firms that fail to implement a compliant program from day one create a documented compliance deficit that compounds over time. When AUSTRAC identifies this deficit — and its supervisory model is designed specifically to do so — the cost of mandated remediation is almost always greater than the cost of building the program correctly in the first place.


The action timeline — what your firm must do and when

Building a defensible, operationally embedded AML/CTF compliance program takes considerably longer than most newly regulated firms currently anticipate. The following is the minimum action sequence required:

| Timeframe | Action Required |
|---|---|
| Immediately | Determine whether your firm’s service activities make it a designated reporting entity |
| Within 30 days | Conduct an ML/TF risk assessment across your client base, service lines, and geographies |
| Within 60 days | Register with AUSTRAC via AUSTRAC Online — before providing designated services |
| Within 90 days | Draft, adopt, and operationalise your single integrated AML/CTF program |
| Within 90 days | Complete AML/CTF awareness training for all relevant staff |
| Before 1 July 2026 | Implement KYC and CDD procedures for all new client onboarding |
| Within 12 months post-commencement | Complete a CDD refresh for your existing high-risk client base |
| Ongoing | Monitor client relationships, refresh CDD, lodge SMRs when required |

The critical standard is operationalisation. A program that exists as a document but is not embedded in how your firm onboards clients, monitors relationships, and escalates concerns will not satisfy an AUSTRAC supervisory review. The standard is evidence of practice — training logs, CDD file notes, documented SMR decisions — not evidence of paperwork.

What this reform is really about

Beneath the AML/CTF compliance requirements lies a deeper question that every affected professional services firm should sit with: who are you actually working for, and do you know enough about them to be certain?

FATF Typologies research consistently identifies lawyers, accountants, and real estate professionals as among the most commonly exploited facilitators of money laundering — not because they are corrupt, but because they are trusted. A lawyer who forms a trust, an accountant who manages the entity’s books, and a real estate agent who settles the property purchase have, in combination, provided the complete infrastructure for a money laundering scheme — without any of them being aware of the whole.

The KYC requirement is not bureaucratic friction. It is the mechanism by which professional services firms are asked to genuinely know their clients — who they are, how they are structured, where their money comes from, and why they are seeking the service. That is not a compliance exercise. It is a professional responsibility.

The AML/CTF expansion to professional services is fundamentally an integrity question, not just a compliance one. Every professional services firm must ask not merely whether it is compliant — but whether it genuinely knows who it is working for, and whether its services could be enabling financial crime that it is not aware of. The KYC obligation is not bureaucratic friction. It is the mechanism by which that question gets answered.

AML/CTF compliance as competitive infrastructure

Australia’s AML/CTF compliance reforms close a gap that the global financial crime community had been documenting for years. For professional services firms, the 1 July 2026 deadline is not a distant event — it is a specific operational deadline with a specific set of requirements that must be built, documented, and embedded into how the firm works.

The firms that emerge strongest will not be those that met the minimum AML/CTF compliance standard at the last moment. They will be those that understood what the reforms represent — a permanent elevation of the compliance standard for Australian professional services — and built their programs accordingly.

Strategy is common. Control is rare. The firms that hard-code compliance into their operational fabric — not as a checklist, but as a genuine institutional standard — will be the ones that clients trust, regulators respect, and competitors cannot replicate.

Build it before you need it. That is the standard that withstands scrutiny.


How DBA Advisory supports

Navigating AML/CTF compliance in Australia for the first time is a significant operational undertaking — particularly for firms that have never operated inside a formal regulatory framework. DBA Advisory works with professional services firms, financial businesses, and private enterprises across Australia to build programs that are genuinely defensible: tailored to the firm’s specific risk profile, embedded in its operating procedures, and built to withstand AUSTRAC scrutiny.

Our AML/CTF compliance practice covers AUSTRAC registration, ML/TF risk assessment, AML/CTF program drafting, KYC and CDD procedure design, beneficial ownership frameworks, staff training, and independent program review — all delivered on a fixed-fee basis, so the cost of compliance is certain before the work begins.

Frequently Asked Questions (FAQs)

AML/CTF compliance in Australia refers to the obligations imposed by the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 — as amended by the AML/CTF Amendment Act 2024 — on businesses that provide designated services. These obligations extend to professional services firms for the first time, making accountants, lawyers, real estate agents, trust and company service providers, and dealers in precious metals designated reporting entities under Australian law. Every designated reporting entity must register with AUSTRAC, maintain a single integrated AML/CTF program, conduct KYC and customer due diligence, report suspicious matters, and retain records for seven years.

The test is not firm type but designated services. Accounting firms managing client funds, preparing financial statements for transactions, or providing tax advice on asset structuring are captured. Legal practitioners handling real property transactions, forming trusts or companies, managing trust accounts, or acting in business acquisitions are captured. Real estate agents handling transactions above $10,000, TCSPs, certain financial advisers and mortgage brokers, and dealers in precious metals are also in scope. A firm providing multiple designated services may trigger multiple independent obligations simultaneously.

Under the old framework, reporting entities maintained two separate documents: Part A (focusing on ML/TF risk management) and Part B (setting out customer identification procedures). The AML/CTF Amendment Act 2024 abolishes this two-part structure. All reporting entities — including new Tranche 2 entities — must maintain a single, integrated, risk-based AML/CTF program that covers all required elements in one document. Any guidance or template referencing a Part A/Part B structure reflects the old law and should not be relied upon.

Beneficial ownership refers to the natural person or persons who ultimately own or control a legal entity — typically any individual with 25% or more ownership or control rights. Under the reformed AML/CTF Act, all reporting entities must identify and verify beneficial owners of their corporate and trust clients at onboarding, not just when a transaction is flagged. AUSTRAC describes this as an understanding exercise rather than a documentation exercise — collecting a certificate of incorporation is not sufficient. The firm must understand who actually controls the entity.

Domestic Politically Exposed Persons (PEPs) are senior figures in Australian public life — including federal and state politicians, senior public servants, members of the senior judiciary, senior military officers, and their immediate family members and close associates. Under the previous framework, enhanced CDD was mandatory only for foreign PEPs. The Tranche 2 reforms extend this requirement to domestic PEPs — a significant change for professional services firms that advise government clients or individuals connected to public office.

The tipping-off prohibition makes it a criminal offence under the AML/CTF Act to inform a client that a Suspicious Matter Report has been or may be lodged. Under the Tranche 2 reforms, this prohibition now applies directly to lawyers and accountants — professions that also carry duties of client confidentiality and, in the case of lawyers, legal professional privilege. Firms must establish internal SMR escalation protocols that allow compliance with the reporting obligation without inadvertent client disclosure.

Civil penalties for body corporates reach 10,000 penalty units per contravention — currently approximately $3.3 million per contravention. Criminal penalties apply to serious and deliberate non-compliance. AUSTRAC's most commonly deployed enforcement tool for non-serious breaches is the enforceable undertaking — a mandatory remediation program conducted at the entity's cost and on AUSTRAC's timeline. For most professional services firms, the disruption of a mandated remediation program is a more significant practical consequence than the direct financial penalty.

Building a defensible, operationally embedded AML/CTF program — covering risk assessment, program drafting, KYC procedure design, beneficial ownership frameworks, and staff training — typically requires 60 to 90 days of focused work. Firms that have not begun by April 2026 risk not completing implementation before the 1 July 2026 commencement date. AUSTRAC has indicated no grace period for newly designated entities. The risk assessment phase alone, on which the program's risk calibration depends, takes two to four weeks for most professional services firms.

An operationalised AML/CTF program is one that is embedded in how the firm actually works — not one that exists only as a document. Operationalisation means KYC procedures are applied at every new client onboarding, CDD refresh is scheduled and tracked for existing clients, suspicious matter escalation follows a defined internal protocol, staff are trained and can demonstrate awareness, and decisions are documented. AUSTRAC supervisory reviews look for evidence of practice — transaction records, training logs, CDD file notes, documented SMR decisions. A policy document alone will not satisfy a supervisory review.

services firms, financial businesses, and private enterprises navigating the Tranche 2 reforms. Our services cover AUSTRAC registration, ML/TF risk assessment, AML/CTF program drafting, KYC and CDD procedure design, beneficial ownership frameworks, staff training, and independent program review. All engagements are delivered on a fixed-fee basis, so firms can plan the cost of AML/CTF compliance with certainty before the work begins. Book a Compliance Readiness Consultation at dbaadvisory.com.

Disclaimer

© DBA Advisory 2026. This article is intended as general information only and does not constitute legal or compliance advice. Businesses should seek qualified advice specific to their circumstances before acting on any information contained in this article.

Alquin Dagamina

Manager Business Transformation and Technology Services Division