AML/CTF Compliance Australia: The Complete Guide (2026)
Australia’s anti-money laundering and counter-terrorism financing regime is entering its most significant period of reform since the original legislation passed in 2006. The AML/CTF Amendment Act 2024 has rewritten the Rules. Tranche 2 obligations take effect on 1 July 2026, bringing lawyers, accountants, real estate agents, and dealers in precious metals and stones under AUSTRAC regulation for the first time. Existing reporting entities already face changed obligations under the reformed Rules that commenced 31 March 2026.
For compliance officers, risk managers, and heads of digital across financial services, lending, and fintech, this is not a future problem. It is an operational one. Programs that were fit for purpose under the old Act need to be reassessed against a new framework that places greater weight on outcomes, risk-based CDD, and documented decision-making.
This guide covers what AML/CTF compliance requires in 2026: the regulatory framework, KYC and customer due diligence, risk rating models, identity verification methods, Tranche 2 changes, fintech-specific requirements, and how to evaluate compliance technology. Whether you’re building a program from scratch or stress-testing an existing one, the aim is to give you a single, current reference point.
What Is AML/CTF Compliance?
AML/CTF compliance refers to the controls, policies, and processes that regulated businesses use to detect, prevent, and report money laundering and terrorism financing. In Australia, these obligations sit under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (the AML/CTF Act) and the AML/CTF Rules 2025, which replaced the previous Rules on 31 March 2026.
Reporting entities (the term the Act uses for regulated businesses) are required to do three things. First, know who their customers are: verify identity before providing a designated service and understand the nature and purpose of the relationship. Second, assess and manage risk: not every customer or transaction carries the same ML/TF profile, and programs need to reflect that. Third, report: suspicious matters, threshold transactions, and international value transfers all carry mandatory reporting obligations to AUSTRAC.
The practical scope of an AML/CTF program includes customer identification and verification (KYC), initial and ongoing customer due diligence, transaction monitoring, sanctions and PEP screening, record keeping, staff training, and board-level governance. Under the reformed Act, non-compliance with any of the reporting entity’s AML/CTF policies now constitutes a civil penalty offence. That is a meaningful shift from the previous regime and raises the stakes for how programs are documented and maintained.
AUSTRAC has demonstrated it will pursue enforcement at scale. Westpac was ordered to pay $1.3 billion in penalties. Crown Resorts was fined $450 million. SkyCity Adelaide paid $67 million. These were not edge cases. They reflected systemic failures in transaction monitoring, risk management, and reporting. The penalties for getting AML/CTF wrong are among the largest in Australian corporate law.
Who Regulates AML/CTF in Australia? (AUSTRAC)
AUSTRAC (the Australian Transaction Reports and Analysis Centre) is Australia’s AML/CTF regulator and financial intelligence unit. It operates under the AML/CTF Act with both a regulatory function (setting expectations, conducting supervisory assessments, taking enforcement action) and an intelligence function (receiving and analysing financial intelligence from mandatory reports).
AUSTRAC’s regulatory posture has evolved considerably. The agency now describes its approach as outcomes-focused: it expects reporting entities to demonstrate that their programs are actually managing ML/TF risk, not just that the policies exist on paper. The regulatory priorities for 2025–26 reinforce this, with a focus on effective risk management, implementation planning, and compliance officer accountability.
For Tranche 2 entities, AUSTRAC has been clear about its expectations. Enrolment opened on 31 March 2026, with a deadline of 29 July 2026. By 1 July 2026, newly regulated entities must have an AML/CTF program in place (either using AUSTRAC’s starter program or their own), an appointed compliance officer, and trained staff ready to identify and report suspicious matters. AUSTRAC has stated it will prioritise enforcement after 1 July 2026 against entities that wilfully ignore the obligation to enrol or are complicit with money laundering activities.
Australia’s framework is broadly aligned with the Financial Action Task Force (FATF) standards, but the operational detail sits in the AML/CTF Act, the AML/CTF Rules 2025, and AUSTRAC’s sector-specific guidance. Businesses operating across borders should note that each jurisdiction maintains its own regulatory body and requirements.
KYC and Customer Due Diligence Requirements
Know Your Customer (KYC) is the foundation of AML/CTF compliance. Before providing a designated service, a reporting entity must verify the customer’s identity and conduct initial customer due diligence (CDD). But KYC is not a single check at onboarding. Under the reformed Act, it’s a continuous obligation that spans the customer lifecycle.
The reformed CDD framework replaces the previous “applicable customer identification procedures” (ACIP) with a more flexible, risk-based model. Existing reporting entities have a three-year transition period (31 March 2026 to 30 March 2029) to move from ACIP to the new initial CDD requirements. Tranche 2 entities must apply the new CDD framework from day one.
For a detailed overview of KYC and AML fundamentals, see FrankieOne’s KYC and AML guide.
Standard Customer Due Diligence
Standard CDD applies to most customers and involves verifying the customer’s identity using reliable and independent sources, understanding the nature and purpose of the business relationship, and assessing the ML/TF risk the customer presents. For individuals, this means confirming name, date of birth, and address against government-issued documents or electronic data sources. For companies, it includes identifying beneficial owners and verifying the entity’s existence and structure.
Enhanced Customer Due Diligence
Enhanced CDD (ECDD) is required where the ML/TF risk is higher than standard. This includes politically exposed persons, customers from higher-risk jurisdictions, complex ownership structures, unusual transaction patterns, or any situation where the reporting entity’s risk assessment indicates elevated risk. ECDD involves deeper investigation: understanding the source of funds and wealth, more frequent monitoring, and senior management sign-off on the relationship.
Under the reformed Act, the ECDD obligation is more explicitly tied to the entity’s own risk assessment. If your program identifies a risk factor as requiring enhanced measures, failing to apply them is a compliance failure, not a judgment call.
Simplified Customer Due Diligence
Simplified CDD can be applied where the ML/TF risk is demonstrably lower. This doesn’t mean skipping verification. It means adjusting the depth and frequency of measures to match the risk. A low-value, low-risk product with limited functionality might warrant simplified measures, provided the entity has documented the risk assessment supporting that decision.
The key word is “documented.” AUSTRAC expects entities to show their working. If you apply simplified CDD, the risk assessment that supports that decision needs to exist on paper, not just as an assumption.
The Shift to Electronic Verification
Electronic identity verification (eIDV) has moved from an alternative method to the expected standard for most reporting entities. Matching customer-provided information against government databases, credit bureaus, and other authoritative data sources provides a level of reliability and auditability that paper-based processes cannot match.
In practice, eIDV means verifying a customer’s identity against the Document Verification Service (DVS), which checks presented documents against issuing agency records, combined with data from credit bureaus and other independent electronic sources. For higher-risk scenarios, layering biometric verification on top of document and database checks creates a stronger confidence chain.
The business case is operational as much as regulatory. Manual, paper-based KYC is slow, error-prone, and difficult to audit. Electronic verification produces a timestamped, auditable record of what was checked, what the result was, and what decision was made. That audit trail matters when AUSTRAC comes asking.
Customer Risk Rating: How It Works
A customer risk rating is a structured assessment of the ML/TF risk that each customer presents to your business. It drives decisions about what level of due diligence to apply, how often to review the relationship, and what transaction monitoring thresholds to set. Under the reformed AML/CTF Act, the risk-based approach is the organising principle of the entire compliance framework.
Risk rating models typically assess a combination of customer factors, product and service factors, delivery channel factors, and geographic factors. The table below illustrates how these work in practice.
| Risk Factor | Lower Risk Indicators | Standard Risk Indicators | Higher Risk Indicators |
| --- | --- | --- | --- |
| Customer type | Regulated entity, listed company, government body | Established SME, salaried individual | PEP, complex trust, cash-intensive business, non-profit in higher-risk sector |
| Geography | Australia, NZ, UK, Singapore | FATF member with effective regime | FATF grey/black list, sanctioned jurisdiction, known secrecy jurisdiction |
| Product / service | Standard deposit, regulated super | Personal loan, standard insurance | International transfers, correspondent banking, private wealth, bearer instruments |
| Delivery channel | Face-to-face, established digital with strong eIDV | Verified digital channel | Non-face-to-face without biometric, third-party introduced, anonymous channel |
| Transaction behaviour | Consistent with profile, low-value, regular pattern | Within expected range, occasional variation | Unexplained spikes, structuring patterns, rapid fund movement, mismatched to stated purpose |
For a deeper look at how risk-based approaches apply to onboarding workflows, see FrankieOne’s guide to risk-based onboarding.
Building a Risk Rating Model
An effective risk rating model does three things: it assigns risk scores consistently, it drives real decisions about CDD levels and monitoring intensity, and it is reviewable. The last point is the one most programs get wrong. A model that assigns a risk score but doesn’t change what happens next is theatre, not compliance.
Start with the risk factors relevant to your business. Weight them according to your ML/TF risk assessment. Define clear thresholds: what score triggers standard CDD, what triggers enhanced measures, and what triggers a decline or exit. Document the methodology. Build a review cycle so the model is recalibrated as your business, customer base, and regulatory environment change.
Technology matters here. Manual risk scoring is possible for small portfolios, but it breaks down at scale. Automated risk rating, integrated with your onboarding and monitoring workflows, ensures that every customer is assessed consistently and that escalations happen in real time rather than in a quarterly review.
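The model described in this section, as an added example that is not FrankieOne's product logic and not AUSTRAC guidance. It scores the five factors from the risk table above, applies documented weights and thresholds, records the working for each decision, and treats a confirmed sanctions match as a hard stop. The band scores, weights, thresholds and review intervals are constructed assumptions; a reporting entity would set its own from its ML/TF risk assessment.

```python
"""Weighted customer risk rating with a documented rationale.

Added example, not FrankieOne's product logic and not AUSTRAC guidance.
The five factors are the rows of the page's risk table; the band scores,
weights, thresholds and review intervals are constructed assumptions that a
reporting entity would derive from its own ML/TF risk assessment and
document alongside the model.
"""
from dataclasses import dataclass, field

# Assumption: each factor is banded lower / standard / higher and scored 1-3.
BAND_SCORE = {"lower": 1, "standard": 2, "higher": 3}

# Assumption: factor weights from the entity's risk assessment; they sum to
# 1.0 so the weighted score always lies between 1.0 and 3.0.
WEIGHTS = {
    "customer_type": 0.25,
    "geography": 0.25,
    "product": 0.15,
    "channel": 0.10,
    "transaction_behaviour": 0.25,
}

# Assumption: score ceilings that trigger each CDD outcome; anything above
# the last ceiling is declined or exited.
THRESHOLDS = [(1.4, "simplified"), (2.2, "standard"), (2.7, "enhanced")]

# Assumption: periodic review cadence per outcome, in months (0 = no relationship).
REVIEW_MONTHS = {"simplified": 36, "standard": 24, "enhanced": 12, "decline": 0}


@dataclass
class RiskDecision:
    score: float
    outcome: str                 # simplified | standard | enhanced | decline
    review_months: int
    rationale: list = field(default_factory=list)   # the "show your working" record


def classify(score: float) -> str:
    """Map a weighted score to a CDD outcome using the documented thresholds."""
    for ceiling, outcome in THRESHOLDS:
        if score <= ceiling:
            return outcome
    return "decline"


def rate_customer(bands: dict, sanctions_match: bool = False) -> RiskDecision:
    """Score one customer from its factor bands.

    bands maps every factor in WEIGHTS to "lower", "standard" or "higher".
    A confirmed sanctions match overrides the score: a reporting entity must
    not provide designated services in contravention of targeted financial
    sanctions, so no weighting can rescue that case.
    """
    missing = set(WEIGHTS) - set(bands)
    unknown = set(bands) - set(WEIGHTS)
    if missing or unknown:
        raise ValueError(f"missing factors {sorted(missing)}, unknown factors {sorted(unknown)}")

    rationale = []
    total = 0.0
    for factor, weight in WEIGHTS.items():
        band = bands[factor]
        if band not in BAND_SCORE:
            raise ValueError(f"{factor}: unknown band {band!r}")
        contribution = BAND_SCORE[band] * weight
        total += contribution
        rationale.append(f"{factor}={band} (+{contribution:.2f})")
    score = round(total, 2)   # keep float noise out of threshold comparisons

    if sanctions_match:
        outcome = "decline"
        rationale.append("hard stop: confirmed sanctions match overrides score")
    else:
        outcome = classify(score)
        rationale.append(f"score {score:.2f} -> outcome {outcome}")
    return RiskDecision(score, outcome, REVIEW_MONTHS[outcome], rationale)


if __name__ == "__main__":
    # Constructed profile: higher-risk customer type from a higher-risk
    # jurisdiction, standard product and channel, behaviour within range.
    decision = rate_customer({
        "customer_type": "higher",
        "geography": "higher",
        "product": "standard",
        "channel": "standard",
        "transaction_behaviour": "standard",
    })
    print(decision.outcome, decision.score, decision.review_months)
    for line in decision.rationale:
        print("  ", line)
```

The rationale list is the part a reviewer should care about: every decision carries the bands, weights and threshold that produced it, so a later recalibration of WEIGHTS or THRESHOLDS can be explained against the decisions made under the old settings.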
AML Identity Verification: Methods and Best Practice
Identity verification is where compliance meets the customer. It is the control that establishes who you are dealing with, and the strength of that verification determines how much confidence you can place in every subsequent interaction. In AML/CTF compliance, “good enough” verification at onboarding creates risk that compounds across the entire relationship.
Document Verification
Document verification confirms that an identity document (passport, driver’s licence, Medicare card) is authentic and matches the person presenting it. In Australia, the gold standard is verification against the Document Verification Service (DVS), which checks document details against the records of the issuing government agency.
The threat landscape has shifted materially. AI-generated documents, including payslips, bank statements, and even identity documents, are now sophisticated enough to pass visual inspection. The distinction that matters is not whether a document looks real, but whether it was issued by the entity it claims to represent. That distinction requires verification against primary source data, not just OCR and template matching.
Biometric Verification
Biometric verification uses facial recognition and liveness detection to establish that the person completing the verification is physically present and matches the photo on their identity document. It creates a durable, re-usable identity anchor that persists beyond the onboarding moment.
The value of biometrics extends well past account opening. A biometric enrolled at onboarding can be re-invoked at high-risk moments: changes to account details, large transactions, settlement instructions. This step-up authentication is considerably stronger than the password-and-SMS fallback that most institutions still rely on post-onboarding.
Learn more about how biometric verification works in practice.
Database Verification (Multi-Bureau)
Database verification matches customer-provided information against multiple independent data sources: government registries, credit bureaus, telecommunications records, and electoral rolls. Multi-bureau verification (checking across several data sources rather than relying on one) improves both accuracy and resilience. If one source is unavailable or returns incomplete data, others fill the gap.
For business verification (KYB), database checks extend to company registries, ASIC records, beneficial ownership data, and directorship information. The AML/CTF Rules require reporting entities to verify beneficial ownership, which means identifying the natural persons who ultimately own or control a customer entity.
PEP and Sanctions Screening
Screening customers against sanctions lists, politically exposed person (PEP) databases, and adverse media is a core AML/CTF obligation. Under the reformed Rules, sanctions screening is more explicitly integrated into the CDD framework. Reporting entities must have policies ensuring they do not provide designated services in contravention of targeted financial sanctions.
Effective screening is not a one-time check. It requires ongoing monitoring, because a customer’s PEP or sanctions status can change after onboarding. The practical challenge is managing false positives: screening systems that flag too many matches create operational bottlenecks without improving risk outcomes. Configurable screening rules, tuned to your customer base and risk appetite, make the difference between a useful control and a compliance tax.
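The tuning problem described above, as an added example that is not FrankieOne's screening engine. It normalises names so that "Citizen, Jane" and "Jane Citizen" compare equal, scores each watchlist entry with a Levenshtein ratio, returns every hit at or above a configurable threshold, and counts the alerts a batch of customer names would generate at several thresholds, which is the measurement a compliance team needs to set the threshold against its own false-positive rate. The watchlist entries and the similarity metric are constructed assumptions; production screening uses licensed sanctions and PEP data with richer matching (aliases, transliteration, date of birth).

```python
"""Name screening against a watchlist with a tunable match threshold.

Added example, not FrankieOne's screening engine. The watchlist entries are
invented and the similarity metric (token-sorted, normalised Levenshtein
ratio) is a constructed assumption chosen for transparency, not accuracy.
"""
import re

# Constructed watchlist: (name, list_type). All names are invented.
WATCHLIST = [
    ("Jane Citizen", "PEP"),
    ("Jan Citizen", "PEP"),
    ("Wei Zhang", "sanctions"),
    ("Johnathan Smythe", "adverse_media"),
]


def normalize(name: str) -> str:
    """Casefold, strip punctuation and sort tokens so 'Citizen, Jane' == 'Jane Citizen'."""
    tokens = re.sub(r"[^a-z0-9 ]+", " ", name.casefold()).split()
    return " ".join(sorted(tokens))


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    """1.0 for identical normalised names, falling towards 0.0 as edits accumulate."""
    a, b = normalize(a), normalize(b)
    longest = max(len(a), len(b)) or 1
    return 1.0 - levenshtein(a, b) / longest


def screen(name: str, threshold: float, watchlist=WATCHLIST) -> list:
    """Return (entry, list_type, score) for every entry at or above threshold, best first."""
    hits = []
    for entry, list_type in watchlist:
        score = similarity(name, entry)
        if score >= threshold:
            hits.append((entry, list_type, round(score, 3)))
    return sorted(hits, key=lambda h: h[2], reverse=True)


def hit_counts(names: list, thresholds: list, watchlist=WATCHLIST) -> dict:
    """Alerts generated per threshold for a batch of customer names.

    This is the number an analyst would have to clear; comparing it across
    thresholds on the entity's own customer base is how the threshold gets
    tuned rather than left at a vendor default.
    """
    return {t: sum(len(screen(n, t, watchlist)) for n in names) for t in thresholds}


if __name__ == "__main__":
    print(screen("Citizen, Jane", 0.90))
    print(hit_counts(["Citizen, Jane", "Jon Smyth", "Li Wei"], [0.95, 0.85, 0.75]))
```

Lowering the threshold from 0.95 to 0.90 pulls in the near-duplicate "Jan Citizen" as a second alert for the same customer; whether that is a useful catch or a false positive depends on the customer base, which is why the threshold belongs in configuration rather than code. The same screen() call run on a schedule against the current watchlist is the ongoing re-screening the section describes.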
Tranche 2: What’s Changing in Australian AML/CTF
Tranche 2 is the most significant expansion of Australia’s AML/CTF regime since its inception. From 1 July 2026, the following sectors become reporting entities under AUSTRAC for the first time:
| Newly Regulated Sector | Designated Services |
| --- | --- |
| Lawyers and conveyancers | Real estate transactions, trust and company formation, managing client money or assets |
| Accountants | Trust and company formation, financial transactions, managing client money or assets |
| Real estate agents | Buying and selling real property |
| Trust and company service providers | Formation, administration, and provision of registered office or agent services |
| Dealers in precious metals and stones | Transactions involving precious metals or stones at or above a specified threshold |
These professions have historically been identified as “gatekeepers” because of their role in facilitating financial transactions. Real estate, trust structures, and company formation are well-documented channels for laundering proceeds of crime, and Australia’s FATF mutual evaluation had long identified the absence of Tranche 2 regulation as a gap in the national framework.
AUSTRAC estimates that 80,000 to 90,000 new reporting entities will enter the regime. For these businesses, the obligations are real: an AML/CTF program, a compliance officer, staff training, CDD on customers, transaction monitoring, and mandatory reporting of suspicious matters.
AUSTRAC has provided starter program kits designed for small businesses in newly regulated sectors and has committed to a risk-based, collaborative approach to the transition. But the regulator has also been explicit: after 1 July 2026, entities that wilfully ignore the obligation to enrol or are complicit with money laundering will face enforcement action.
For a deeper analysis of Tranche 2 and what it means for your sector, see FrankieOne’s Tranche 2 guide.
KYC Requirements for Australian Fintechs
Fintechs occupy a particular position in the AML/CTF landscape. They are building digital-first products in a regulatory framework originally written for banks, and they typically face the same compliance obligations with a fraction of the headcount and budget. That creates both pressure and opportunity.
What Australian Fintechs Must Do
If you provide a designated service under the AML/CTF Act (which includes most lending, payments, remittance, and digital currency services), you are a reporting entity. That means enrolling with AUSTRAC, maintaining an AML/CTF program, appointing a compliance officer, verifying customer identity before providing services, conducting ongoing CDD, monitoring transactions, screening against sanctions and PEP lists, filing suspicious matter reports and threshold transaction reports, and maintaining records for seven years.
The obligations are the same whether you are a major bank or a Series A fintech. AUSTRAC’s regulatory expectations do not scale down because you have 15 employees.
The Fintech Compliance Dilemma
The dilemma is structural. Fintechs compete on speed, simplicity, and user experience. AML/CTF compliance, done badly, is the opposite of all three. A verification process that takes 48 hours, requires physical document submission, and flags 30% of applications for manual review will kill conversion rates before the product hits its stride.
The answer is not to cut corners on compliance. It is to choose technology that makes compliance fast, accurate, and invisible to the customer. Automated eIDV that returns a result in seconds. Risk-based workflows that apply the right level of friction to the right customers. Multi-bureau verification with intelligent fallback so a single data source failure does not generate a manual review queue.
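The multi-bureau fallback described here and in the Database Verification section above, as an added example that is not FrankieOne's implementation. Sources are queried in priority order; an outage or a partial record is logged and skipped rather than ending the check, and the customer only lands in manual review when the remaining sources cannot supply enough full matches. Every source call is written to a timestamped audit log, which is the record the Audit Trails requirement later on the page asks for. The three sources (bureau_a, bureau_b, electoral_roll) and the customer record are constructed stand-ins; a real flow would call the DVS and the entity's contracted bureaus.

```python
"""Multi-bureau identity verification with ordered fallback and an audit trail.

Added example, not FrankieOne's implementation. bureau_a, bureau_b and
electoral_roll are constructed stand-ins for licensed data sources
(bureau_a always times out to simulate an outage); the customer record is
invented. A real flow would call the DVS and the entity's contracted bureaus.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable


@dataclass
class SourceResult:
    status: str                       # match | no_match | partial | unavailable
    matched_fields: tuple = ()


Source = Callable[[dict], SourceResult]
REQUIRED_FIELDS = ("name", "dob", "address")   # assumption: what "verified" needs


# --- constructed stand-in sources -----------------------------------------
def bureau_a(customer: dict) -> SourceResult:
    raise TimeoutError("bureau_a did not respond")          # simulated outage


def bureau_b(customer: dict) -> SourceResult:
    # Holds one constructed record; everyone else is a definitive no-match.
    if customer["name"] == "Jane Citizen" and customer["dob"] == "1985-04-12":
        return SourceResult("match", ("name", "dob", "address"))
    return SourceResult("no_match")


def electoral_roll(customer: dict) -> SourceResult:
    # Electoral data carries name and address but no date of birth.
    return SourceResult("partial", ("name", "address"))


DEFAULT_SOURCES = [("bureau_a", bureau_a), ("bureau_b", bureau_b),
                   ("electoral_roll", electoral_roll)]


@dataclass
class VerificationOutcome:
    decision: str = "manual_review"   # verified | manual_review
    matches: int = 0
    reason: str = ""
    audit_log: list = field(default_factory=list)   # one timestamped entry per source call


def verify(customer: dict, sources=DEFAULT_SOURCES, required_matches: int = 1) -> VerificationOutcome:
    """Query sources in priority order until enough independent full matches exist.

    Unavailable or partial sources are logged and skipped, so one outage does
    not by itself push the customer into manual review; only the absence of
    enough matches does. A "match" that does not cover REQUIRED_FIELDS is
    treated like a partial.
    """
    outcome = VerificationOutcome()
    definitive = 0
    for name, query in sources:
        try:
            result = query(customer)
            detail = ",".join(result.matched_fields)
        except Exception as exc:            # any transport or data error == unavailable
            result = SourceResult("unavailable")
            detail = f"{type(exc).__name__}: {exc}"
        outcome.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "source": name, "status": result.status, "detail": detail,
        })
        covers_all = set(REQUIRED_FIELDS) <= set(result.matched_fields)
        if result.status == "match" and covers_all:
            outcome.matches += 1
            if outcome.matches >= required_matches:
                outcome.decision = "verified"
                outcome.reason = f"{outcome.matches} source(s) matched all required fields"
                return outcome
        elif result.status == "no_match":
            definitive += 1
        # partial / unavailable: fall through to the next source
    if outcome.matches == 0 and definitive == 0:
        outcome.reason = "no source returned a usable answer"
    else:
        outcome.reason = f"only {outcome.matches} of {required_matches} required matches"
    return outcome


if __name__ == "__main__":
    jane = {"name": "Jane Citizen", "dob": "1985-04-12", "address": "1 Example St"}
    result = verify(jane)
    print(result.decision, "-", result.reason)
    for entry in result.audit_log:
        print("  ", entry["source"], entry["status"], entry["detail"])
```

With the default single required match, Jane is verified by bureau_b after bureau_a's timeout is logged; raising required_matches to 2 sends the same customer to manual review with a reason that names the shortfall, and the audit log shows exactly which sources were consulted and in what order.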
FrankieOne’s risk-based onboarding approach is built for exactly this problem: configurable verification flows that match regulatory requirements to your risk appetite without forcing every customer through the same process.
Common Pitfalls for Fintechs
The most common pitfalls fall into predictable categories. Treating compliance as a one-time setup rather than an ongoing program. Relying on a single data source for identity verification, which creates a single point of failure. Building manual review workflows that work at 100 customers a month but collapse at 10,000. Failing to document the risk assessment methodology. Underinvesting in transaction monitoring because volumes are still low. And neglecting ongoing CDD so the verification completed at onboarding is never updated even as the customer relationship evolves.
The fintechs that get compliance right tend to treat it as a product problem: something to be designed, measured, and iterated on, not a box to be ticked annually.
How to Choose an AML/CTF Compliance Platform
The technology you choose to support your AML/CTF program shapes what is operationally possible. A platform that is rigid, slow to configure, or limited to a single verification method will constrain your program from day one. Here is what to look for.
Must-Have Capabilities
KYC and eIDV: Document verification against the DVS, biometric verification, and multi-bureau database checks. These are table-stakes. If a platform cannot cover all three, you will need to supplement it with additional vendors, adding complexity and integration risk.
KYB and beneficial ownership: Business verification that includes company registry checks, directorship lookups, and beneficial ownership identification. See FrankieOne’s business verification for how this works in practice.
Risk-based orchestration: The ability to configure different verification workflows for different customer risk profiles. Not every customer needs the same level of friction. Your platform should let you define rules that route low-risk applications through streamlined flows and flag high-risk applications for enhanced measures.
Sanctions and PEP screening: Real-time and ongoing screening against global sanctions lists, PEP databases, and adverse media, with configurable matching thresholds to manage false positives.
Ongoing monitoring: AML/CTF compliance does not end at onboarding. The platform needs to support ongoing CDD, including re-screening, transaction monitoring triggers, and alerts when customer risk profiles change.
Audit trails: Timestamped, immutable records of every verification check, risk decision, and screening result. This is what you show AUSTRAC when they ask how you made a decision. If the platform cannot produce this, it is not fit for purpose.
Multi-jurisdictional support: If you operate across borders, the platform needs to handle different regulatory requirements, data sources, and verification methods for each market through a single integration.
Questions to Ask Vendors
When evaluating vendors, push past the marketing deck. Ask: How many data sources can you orchestrate in a single verification flow? What happens when one source is unavailable? Can I configure different workflows for different risk profiles without engineering support? What does your DVS integration look like? What is the false positive rate on your PEP and sanctions screening, and how do I tune it? How quickly can I change a rule or add a new data source? And critically: what does the audit trail look like for a single customer verification, end to end?
See how FrankieOne answers these questions →
Why Australian Expertise Matters
AML/CTF compliance is jurisdiction-specific. A platform built primarily for the US or European market may not have deep integration with the DVS, understand AUSTRAC’s specific expectations around CDD, or support the Australian data sources that make eIDV reliable. This becomes even more important with Tranche 2, where the designated services and regulatory expectations are specific to Australian law.
The ideal vendor combines global reach (so you can expand without re-platforming) with deep Australian regulatory expertise (so your compliance program meets AUSTRAC’s expectations from day one).
Frequently Asked Questions
What is AML/CTF compliance?
AML/CTF compliance is the set of controls, policies, and processes that regulated businesses use to detect, prevent, and report money laundering and terrorism financing. In Australia, it is governed by the AML/CTF Act 2006 and the AML/CTF Rules 2025, and regulated by AUSTRAC.
Who needs to comply with AML/CTF in Australia?
Any business that provides a designated service under the AML/CTF Act is a reporting entity and must comply. This includes banks, lenders, insurers, superannuation funds, remittance providers, gambling operators, digital currency exchanges, and (from 1 July 2026 under Tranche 2) lawyers, accountants, real estate agents, trust and company service providers, and dealers in precious metals and stones.
What is Tranche 2?
Tranche 2 refers to the extension of AML/CTF obligations to designated non-financial businesses and professions (DNFBPs) that were not covered by the original legislation. This includes legal professionals, accountants, real estate agents, trust and company service providers, and dealers in precious metals and stones. These sectors must enrol with AUSTRAC, implement AML/CTF programs, and meet the same CDD and reporting obligations that financial services businesses have held since 2006.
When does Tranche 2 start?
Tranche 2 obligations commence on 1 July 2026. Enrolment with AUSTRAC opened on 31 March 2026, and newly regulated entities must be enrolled by 29 July 2026. AUSTRAC expects entities to have an AML/CTF program, a compliance officer, and trained staff in place by 1 July 2026.
What is a customer risk rating?
A customer risk rating is a structured assessment of the money laundering and terrorism financing risk that a customer presents to your business. It considers factors including customer type, geographic risk, product or service type, delivery channel, and transaction behaviour. The risk rating drives decisions about what level of due diligence to apply and how intensively to monitor the relationship.
What is electronic identity verification (eIDV)?
Electronic identity verification (eIDV) is the process of verifying a customer’s identity by matching their information against authoritative electronic data sources, including government databases (such as the DVS), credit bureaus, and other independent records. It is the expected standard for identity verification in Australian AML/CTF compliance.
How do I choose an AML/CTF compliance platform?
Look for a platform that covers KYC, KYB, biometric verification, sanctions and PEP screening, and ongoing monitoring through a single integration. It should support configurable, risk-based workflows, provide auditable decision records, and have deep integration with Australian data sources including the DVS. Evaluate the vendor’s understanding of Australian regulatory requirements and their ability to support your business across jurisdictions.
What are the penalties for non-compliance?
Penalties under the AML/CTF Act can be severe. Civil penalties can reach up to $23 million per contravention for corporations. AUSTRAC has pursued penalties of $1.3 billion (Westpac), $450 million (Crown), and $67 million (SkyCity) for systemic non-compliance. Under the reformed Act, non-compliance with a reporting entity’s own AML/CTF policies is now a civil penalty offence. Criminal penalties, including imprisonment, can apply for wilful or reckless non-compliance.
Ready to simplify AML/CTF compliance?
See how FrankieOne helps 100+ Australian businesses automate identity verification, risk scoring, and ongoing monitoring - from a single API.