Australia’s 2026 AML/CTF Reforms: What is Changing on 31 March 2026

Introduction

Australia is currently implementing a significant overhaul of its financial security framework through the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Cth) (AML/CTF Amendment Act 2024). These reforms amend the existing Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act 2006) and introduce a new AML/CTF framework under the amended act. Alongside the Anti-Money Laundering and Counter-Terrorism Financing Rules 2025 (Cth) (AML/CTF Rules 2025), this new framework commences in stages leading up to 31 March 2026. 

This guide provides a clear overview of the strategic shift from a prescriptive “tick-box” approach to an outcomes-focused, risk-based compliance model. By understanding these new obligations, both existing reporting entities and newly regulated Tranche 2 businesses can effectively prepare for the mandatory implementation deadlines arriving in 2026.

Why Australia’s AML & CTF Framework Is Being Reformed

A Shift to a Risk-Based & Outcomes-Focused Framework

The modernisation of Australia’s AML/CTF framework is designed to strengthen the integrity of the financial system and align Australia with standards set by the Financial Action Task Force (FATF). 

Historically, Australia has not regulated certain “Tranche 2” sectors, creating gaps in intelligence and supervision. These professions often act as gatekeepers to the financial system, making them attractive targets for those seeking to legitimise illicit funds. 

The AML/CTF Amendment Act 2024 (Cth) moves the framework towards an outcomes-focused model. It restructures the current AML/CTF Act 2006 (Cth) and replaces the former Part A / Part B program model with a unified AML/CTF policy framework under Section 26F of the amended act.

Under the new regime, the Australian Transaction Reports and Analysis Centre (AUSTRAC) is expected to assess AML/CTF programs not just on the existence of controls, but on the quality of judgment and the defensibility of the data behind them. While this grants businesses greater flexibility to tailor programs to their unique risk profiles, it also increases the burden of proof on senior management to demonstrate that their chosen measures are working. This change requires compliance to become:

• A dynamic and adaptive process.
• Integrated into core business strategy.
• No longer treated as a static, administrative exercise.

The reforms place increased emphasis on whether a reporting entity has effectively identified, assessed, and mitigated the specific AML/CTF risks it faces. This approach acknowledges that a one-size-fits-all approach is ineffective for a diverse economy.

Enhanced Governance & Accountability for Businesses

Board & Senior Management: The New Personal Liability Standard

The 2026 reform places accountability for compliance failures directly with company leadership.

Moving beyond general oversight, Section 26H of the amended AML/CTF Act 2006 (Cth) states that the governing body of a reporting entity must take reasonable steps to ensure compliance with its AML/CTF policies and appropriately manage its ML/TF risks. 

This strengthens governance accountability and increases exposure to regulatory action where governing bodies fail to take reasonable steps, ensuring that AML/CTF risk management is treated as a core strategic function rather than a back-office task.

To meet this standard, board members and senior managers must be able to demonstrate they have:

• Actively overseen the AML/CTF program through regular and meaningful reporting.
• Ensured the program is adequately resourced with the necessary staff and technology.
• Promoted a strong culture of compliance from the top down.
• Engaged with the AML/CTF Compliance Officer, ensuring they have the authority to act.

The reforms, under Section 26F(4) of the amended AML/CTF Act 2006 (Cth), also introduce the concept of a ‘senior manager’ who is responsible for approving the AML/CTF policies and ML/TF risk assessment of the reporting entity, as well as any changes and updates in the same.

The governing body, in turn, must maintain strategic oversight to ensure these measures are effective in mitigating AML/CTF risks.

Mandatory Independent Evaluations & the AML/CTF Compliance Officer Role

A key feature of the enhanced governance framework is the mandatory requirement for periodic independent evaluations under Section 26F(4)(f) of the amended AML/CTF Act 2006 (Cth), read with Rule 5-10 of the AML/CTF Rules 2025 (Cth).

Under Section 26F(4)(f), reporting entities must conduct an independent evaluation at least once every three years, with the exact frequency determined by the nature, size, complexity, and risk profile of your business.

Under Rule 5-10(2), the evaluator must produce a written report, which must be provided to the governing body and the senior manager responsible for approving the AML/CTF program.

If adverse findings require updates to AML/CTF policies, those changes must be documented in writing within 14 days under Rule 5-15(2).

The evaluation must be performed by a person who was not involved in developing, implementing, or maintaining the program. This can be an internal auditor from a separate division or a qualified external party, such as a specialised lawyer or consultant.

The reviewer must assess the following aspects:

• The program’s effectiveness.
• Compliance with the rules.
• Practical implementation.
• The business’s adherence to its policies.

As per transitional rules, the deadline for the first independent evaluation for newly regulated businesses will be at least 3 years from the original commencement date. This means the first deadline for a newly regulated business will be required to complete an independent evaluation will be 1 July 2029, with further deadlines staggered at 6-month intervals from this date.

Sections 26J-26M of the amended AML/CTF Act 2006 (Cth) and Rule 5-14 of the AML/CTF Rules 2025 (Cth) also formalise the AML/CTF Compliance Officer role, responsible for the day-to-day implementation of the program. Reporting entities must appoint a “fit and proper” individual to this position who meets specific criteria, including that they:

• Are employed or engaged at a management level.
• Possess the necessary skills, knowledge, and integrity for the role.
• Have sufficient authority and independence to perform their duties effectively.
• Are an Australian resident if the designated services are provided through a permanent establishment in Australia.

To ease the transition, reporting entities have an extended period to inform AUSTRAC of their appointed compliance officer:

• Existing reporting entities have until 30 May 2026.
• Newly regulated Tranche 2 businesses have until 29 July 2026.

Key Changes to Your AML/CTF Program & Customer Due Diligence

Unified Program Structure & New Risk Assessment Requirements

The new streamlined and integrated AML/CTF program under Sections 26A-26V of the amended AML/CTF Act 2006 (Cth) replaces the former Part A/ Part B program model. It creates a unified, outcomes-focused framework that reduces duplication and is easier for reporting entities to implement.

Under Section 26C of the amended AML/CTF Act 2006 (Cth), your business is explicitly required to conduct and document a comprehensive risk assessment addressing: 

• Customer types
• The designated services you provide
• Methods of service delivery
• The jurisdictions in which you operate
• Any information communicated by AUSTRAC identifying the risks associated with your designated services

A significant expansion of this obligation is the explicit statutory requirement to include proliferation financing risk alongside AML/CTF. Furthermore, these risk assessments must be dynamic, meaning they must be reviewed and updated:

• Whenever there is a material change to your business
• At a minimum, every three years

Stronger Corporate Transparency & Beneficial Owner Requirements

A beneficial owner is the natural person who ultimately owns or controls 25% or more of an entity, either directly or indirectly. The reforms modernise beneficial ownership identification obligations under the designated professional services framework in Table 6 of Section 6 of the amended AML/CTF Act 2006 (Cth), to combat the use of complex corporate structures to hide illicit funds. 

As part of initial customer due diligence under Section 28 and enhanced customer due diligence under Section 32 of the amended AML/CTF Act 2006 (Cth), reporting entities must take reasonable steps to identify any beneficial owner of their customers. This is aimed at preventing the use of shell companies and nominee arrangements. However, the obligation goes beyond a simple percentage check. You must also:

• Determine if any beneficial owner is a politically exposed person or designated for targeted financial sanctions
• Establish the source of wealth and source of funds for high-risk customers

Repeal of Safe Harbour Customer Verification 

The reforms move away from the Applicable Customer Identification Procedures (ACIP) for customer identification. ACIP, also called “Safe Harbour” procedures, allowed reporting entities to satisfy verification obligations by following a specific list of approved identity documents and steps. 

This is being replaced with a flexible, risk-based standard known as Initial Customer Due Diligence (Initial CDD) under Section 28 of the amended AML/CTF Act 2006 (Cth). Under this new approach, there is no single checklist of acceptable documents.

Instead, the level of CDD required will be determined by the customer’s risk profile:

• Simplified CDD for a low-risk customer, as per Section 31 
• Enhanced CDD for a high-risk customer, as per Section 32

Rather, reporting entities must ensure the information they collect and verify is reliable, independent, and appropriate to the customer’s risk profile. It may be sourced from physical documentation, electronic identity systems, or multiple independent data sources, echoing the reform’s technology-neutral orientation.

As per transitional rules, existing reporting entities will have a three-year period, from 31 March 2026 to 30 March 2029. During this time, they can choose to continue using their existing customer identification procedures before fully adopting the new Initial CDD standard.

Impact on Tranche 2 Entities & Modernised Designated Services

Tranche 2 Reforms: Impact on Lawyers, Accountants & Real Estate Professionals

The AML/CTF reforms significantly expand Australia’s regulatory framework to include professions considered gatekeepers to the financial system, a complex area where financial services lawyers can provide critical guidance.

The reforms expand the definition of reporting entities by modernising designated services under the newly inserted Table 6 of Section 6 of the amended AML/CTF Act 2006 (Cth). These regulated sectors include a range of professional services that have been identified as vulnerable to exploitation by organised crime.

From 1 July 2026, the following professions will be required to comply with the new regime:

• Legal practitioners, where they provide specified transactional services (for example, assisting with the buying and selling of real property, managing client funds, or creating legal persons and arrangements);
• Accountants, where they provide captured designated services of a similar transactional nature;
• Real estate professionals, including real estate agents and buyer’s agents involved in property transactions;
• Conveyancers; and
• Trust and company service providers (TCSPs) involved in forming companies, acting as directors or trustees, or providing registered office services.

This expansion is a core component of the Tranche 2 reforms and marks a monumental shift for these professions, which must now integrate AML/CTF risk management into their daily operations.

Understanding New Designated Service Definitions

The new obligations are not triggered by a professional’s title, but by the specific activities they perform. If your business assists clients with any of the following activities, you will likely be captured by the Tranche 2 reforms:

• Property Transactions: Assisting in the planning or execution of a transaction to buy, sell, or transfer real estate. For example, a conveyancer acting on a property settlement is providing a designated service, whereas a lawyer providing general advice on a contract clause without acting on the transaction is not.
• Managing Client Assets: Receiving, holding, or managing a client’s money, securities, or virtual assets in relation to a transaction. This does not typically include funds held solely for professional fees.
• Corporate Structuring: Creating, restructuring, or managing a legal entity like a company or trust. This includes an accountant drafting a trust deed or a lawyer facilitating a corporate merger.
• Financing Transactions: Assisting in organising equity or debt financing for a body corporate.
• Selling Shelf Companies: Providing and transferring an “off-the-shelf” company to a client.
• Acting in Nominee Roles: Serving as a nominee director, secretary, partner, or trustee for a client’s company or trust.
• Providing a Registered Address: Allowing a client to use your firm’s address as their registered office or principal place of business.

It is important to note that while these obligations are extensive, the reforms also provide clear protections for information subject to legal professional privilege. 

AUSTRAC’s New Powers & the Role of Technology

AUSTRAC’s New Supervisory Powers & Intervention Thresholds

The AML/CTF reform significantly broadens AUSTRAC’s supervisory powers, providing the agency with a more directive role in managing financial crime risks. The AML/CTF Amendment Act 2024 (Cth) equips the AUSTRAC CEO with an expanded toolkit of enforcement options to ensure compliance.

A key new power allows the AUSTRAC CEO to prohibit or restrict certain high-risk products, services, or delivery channels across an entire sector. This is a responsive measure designed to let AUSTRAC act swiftly if a particular financial innovation becomes a primary method for money laundering.

This power moves beyond the previous limitation of only acting against individual reporting entities. The threshold for intervention is no longer just about a rule breach, but whether an entity’s failure to manage risk poses an unacceptable threat to the community.

AUSTRAC’s enforcement powers have also been enhanced with new information-gathering capabilities that align it with other financial regulators, such as ASIC and APRA. These include:

• An examination power to obtain information and documents, including requiring a person to appear before an examiner
• A notice to produce power to request information or documents relevant to AUSTRAC’s functions
• An ‘authorisation to produce’ to protect co-operative entities from legal risk when voluntarily providing information

These powers are complemented by a range of enforcement tools, from remedial directions and infringement notices for minor breaches to enforceable undertakings and substantial civil penalties for systemic failures.

Using Technology to Meet Outcomes-Based Standards

The shift to an outcomes-focused framework makes the adoption of technology indispensable for reporting entities. Manual transaction monitoring is no longer considered feasible to manage the volume and complexity of modern financial activities, making Regulatory Technology (RegTech) essential for demonstrating effective compliance.

Advanced RegTech solutions offer critical capabilities that support the new regime’s requirements. These technologies are vital for filtering vast amounts of data to identify genuine risk signals and justify risk-based decisions to AUSTRAC. Key solutions include:

• Adaptive Monitoring: AI-driven systems can learn from emerging money laundering typologies and detect complex transaction patterns that static, rule-based systems might miss.
• Digital Identity Verification: The move away from prescriptive document lists is supported by digital identity providers that can verify a customer’s information against multiple independent databases in real-time.
• Reduced False Positives: Advanced analytics help to minimise the number of incorrect alerts, allowing compliance officers to focus their resources on investigating genuinely suspicious matters.
• Auditable Trails: Modern platforms provide clear, explainable records that demonstrate why a specific risk-based decision was made, which is a core requirement of the outcomes-based approach.

While technology is a critical enabler, regulators have clarified that a “human in the loop” remains a central requirement. The final decision on whether to report a suspicious matter must still be made by a human compliance officer, ensuring accountability is maintained.

Preparing for 2026: A Practical Transitional Timeline

Key Milestones for Current & Newly Regulated Entities

The roadmap to full implementation of the AML/CTF reforms is structured in phases. This requires immediate action from both current reporting entities and newly regulated businesses. AUSTRAC has emphasised that it does not expect perfect compliance from day one, but it requires genuine and sustained efforts to meet the new obligations.

The transitional timeline includes several critical dates and milestones:

• 31 March 2025: The reformed “tipping-off” offence became effective, shifting the focus to a harm-prevention model.
• 31 March 2026: This is a key commencement date.
  • Reformed AML/CTF program and supervisory obligations take effect for existing reporting entities.
  • The revised Customer Due Diligence framework commences.
  • A three-year transitional period for initial CDD begins for existing reporting entities (31 March 2026 – 30 March 2029). 
  • Ongoing CDD obligations under section 30 apply to existing reporting entities from this date without transitional relief.
  • Enrolment opens for newly regulated Tranche 2 entities and newly regulated virtual asset service providers.
• 1 July 2026:
  • Full obligations commence for all Tranche 2 entities.
  • The “travel rule” becomes mandatory for virtual asset transfers.
  • AML/CTF obligations for newly captured virtual asset services commence (following deferral under the transitional rules).
• 29 July 2026: This is the final deadline for newly regulated businesses to enrol with AUSTRAC.

Transitional arrangements are also in place to ease the burden. For example:

• Existing reporting entities have a three-year period, until 30 March 2029, to transition to the new initial CDD standard.
• Extended deadlines apply for notifying AUSTRAC of AML/CTF compliance officers (30 May 2026 for existing entities; 29 July 2026 for newly regulated entities).
• Initial independent evaluation deadlines for newly regulated entities will be staggered, with the first evaluation not required before 1 July 2029.
• Certain reporting obligations, such as international value transfer service reporting reforms, are deferred until 2029.

Navigating Tipping-Off Provisions & Foreign Jurisdiction Risk

Effective from 31 March 2025, the tipping-off offence under Section 123 of the existing AML/CTF Act 2006 (Cth) was reformed to a “harm-prevention” model. Previously, the rules were highly restrictive, making it difficult for businesses to ask routine questions. Under the new standard, disclosure is only an offence if it would or could reasonably be expected to prejudice an investigation. This allows for more effective internal risk management.

Section 26F of the amended AML/CTF Act 2006 (Cth) also introduces a requirement for reporting entities to explicitly assess the risks associated with foreign countries. This involves incorporating “foreign jurisdiction risk” into your overall risk assessment. You must systematically evaluate the geographic locations of customers, beneficial owners, and fund destinations.

Key compliance responses include:

• Monitoring lists from the FATF for high-risk jurisdictions.
• Applying Enhanced Customer Due Diligence (ECDD) for any customer from a country identified by FATF as high-risk. This includes verifying the customer’s source of wealth and funds.
• Integrating sanctions screening into your onboarding processes to identify individuals or entities from sanctioned jurisdictions.

Conclusion

Australia’s 2026 AML/CTF reforms represent a landmark shift, expanding the regulatory regime to Tranche 2 professions and moving from prescriptive rules to an outcomes-focused compliance framework. This strategic overhaul introduces personal liability for senior management, modernises CDD processes, and requires businesses to demonstrate the effectiveness of their risk mitigation strategies.

Navigating these complex changes, including the new mandate for periodic AML independent reviews, requires proactive preparation and expert guidance to ensure your operations are compliant. Contact Click Legal’s specialist AML/CTF lawyers today for tailored support in assessing your risks, developing a robust AML/CTF program, and confidently meeting the 2026 deadline.