AML/CTF Compliance for Australian Financial Services SMBs: A Plain-English Guide
Anti-money laundering and counter-terrorism financing (AML/CTF) compliance is one of the least-understood regulatory obligations for small Australian financial services businesses. It doesn't come up in the same conversations as AFSL obligations or privacy law — but for the businesses it applies to, it is mandatory, technical, and carries significant consequences for non-compliance.
AML/CTF compliance for small businesses in Australia is governed primarily by the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (the AML/CTF Act) and is administered by AUSTRAC (the Australian Transaction Reports and Analysis Centre). This guide explains who it applies to, what it requires, and what the upcoming reforms mean for your financial services business — in plain English.
What Is AML/CTF and Why Does It Matter?
Money laundering is the process of concealing the origins of illegally obtained money so that it appears to come from a legitimate source. Counter-terrorism financing refers to the movement of funds — whether from legitimate or illegal sources — to support terrorist activities. Both represent significant threats to Australia's financial system and broader community.
The AML/CTF framework requires businesses in specific sectors to put in place systems to:
- Verify who their customers are (Know Your Customer, or KYC)
- Monitor transactions for unusual or suspicious patterns
- Report certain transactions and suspicious activity to AUSTRAC
- Avoid facilitating the movement of criminal proceeds or terrorism financing
AUSTRAC has made clear through enforcement action against major institutions that AML/CTF compliance failures are treated seriously. Penalties imposed in high-profile cases against Australian banks have been substantial — in the hundreds of millions of dollars. While those cases involved systemic failures at scale, they illustrate the regulatory culture: AUSTRAC takes this area seriously, and so should every reporting entity regardless of size.
Who Does AML/CTF Apply To?
The AML/CTF Act applies to businesses that provide designated services — a defined list of financial services and activities set out in the Act. If your business provides one or more designated services, you are a reporting entity with obligations under the Act.
Designated services relevant to small financial services businesses include:
- Providing financial services — including operating a bank account, making or receiving electronic funds transfers, and related transaction services (primarily applies to authorised deposit-taking institutions, but also some non-bank providers)
- Lending — providing credit, including mortgage broking and consumer lending
- Currency exchange — buying and selling foreign currency or exchanging one currency for another
- Bullion dealing — buying or selling precious metals
- Remittance — transferring value on behalf of customers (international remittance services)
- Digital currency exchange — exchanging Australian dollars or other currency for digital currency (such as cryptocurrency), or vice versa
- Trustee and company services — acting as a trustee, forming companies, or providing registered agent services in certain circumstances
- Gambling — certain gambling services (casinos, online gambling platforms) are designated services
- Real estate — the AML/CTF reforms expanding the Act's scope to real estate agents are discussed below
This is not an exhaustive list — the full definition of designated services runs to more than 70 items across Schedule 2 of the Act. If you are uncertain whether your business provides a designated service, seek specific legal advice or check AUSTRAC's guidance materials.
What If You're a Financial Adviser?
Financial advisers providing personal financial advice on financial products are generally not reporting entities under the current AML/CTF Act — advice is not itself a designated service. However, if your advice business is associated with a product issuer or dealer group that provides designated services (such as processing transactions on behalf of clients), those services may bring AML/CTF obligations into the picture. Check carefully.
AUSTRAC Enrolment vs Registration
If your business provides designated services, your first obligation is to enrol or register with AUSTRAC.
Enrolment applies to most reporting entities. Enrolment involves registering your business details with AUSTRAC through the AUSTRAC Online portal. Enrolment must occur before you commence providing designated services.
Registration (not just enrolment) is required for remittance service providers and digital currency exchange providers. Registration is a more rigorous process than enrolment and involves AUSTRAC assessing whether the business is suitable to provide these higher-risk services.
Operating a designated service without being enrolled or registered with AUSTRAC is a breach of the AML/CTF Act. If you have commenced providing designated services without taking this step, remediate immediately.
What Must Your AML/CTF Programme Include?
Every reporting entity must have an AML/CTF programme in place. The programme is your documented system for managing your money laundering and terrorism financing risks. Under the AML/CTF Act, a programme must have two parts.
Part A: Your AML/CTF Risk Management Programme
Part A is your overarching risk management approach. It must:
- Identify the money laundering and terrorism financing risks associated with your business — the kinds of customers you deal with, the services you provide, how transactions are conducted, and the countries involved
- Assess those risks (likelihood and potential impact)
- Document the controls you have in place to manage those risks
- Set out your employee due diligence, training, and awareness programme
- Establish procedures for identifying and reporting suspicious matters
- Include a monitoring and review mechanism so the programme is kept current
Part A is an internal document. It does not need to be submitted to AUSTRAC, but it must exist, be implemented, and be able to be produced if AUSTRAC asks for it.
A "tick and flick" Part A that does not reflect how your business actually operates is not compliant. The programme needs to be tailored to your specific business — its services, its customer profile, its risk profile.
Part B: Customer Due Diligence
Part B deals specifically with how you identify and verify your customers. At its core, customer due diligence (CDD) requires you to:
- Know who your customers are
- Verify that they are who they say they are
- Understand the nature of their business (for business customers)
- Monitor the ongoing relationship for transactions or behaviour that is inconsistent with what you know about the customer
Standard Customer Due Diligence
For most customers, standard CDD involves:
- Collecting the customer's name, date of birth (for individuals), and address
- Verifying identity using reliable, independent source documents — typically government-issued photo ID such as a passport or driver's licence, sometimes complemented by a second document such as a Medicare card
- For companies: collecting ABN/ACN, company name, registered address, and details of beneficial owners (those who ultimately own or control the company)
- Maintaining records of the CDD process and the documents collected
Under the AML/CTF Rules, certain specified verification methods are acceptable (face-to-face review of original documents, electronic verification against trusted databases). AUSTRAC has approved a range of electronic verification pathways that make CDD more efficient for businesses with digital onboarding processes.
Simplified Due Diligence
For some lower-risk customers and relationships, simplified CDD is permitted — a reduced level of verification is acceptable because the money laundering/terrorism financing risk is assessed as low. The eligibility criteria for simplified CDD are set out in the AML/CTF Rules.
Enhanced Due Diligence
For higher-risk customers and relationships, enhanced due diligence (EDD) is required. EDD means going beyond standard verification — understanding more about the customer's source of wealth, source of funds, business activities, and beneficial ownership. EDD is required for:
- Politically exposed persons (PEPs) — individuals who hold (or have recently held) prominent public positions, such as senior government officials, politicians, senior military officers, or senior executives of state-owned enterprises, and their close associates and family members
- Customers from countries or jurisdictions with higher money laundering or terrorism financing risk (AUSTRAC provides guidance on high-risk jurisdictions)
- Customers whose transactions or business profile raises concerns
- Correspondent banking relationships and other specific high-risk categories
EDD is not just about collecting more documents. It involves a more thorough assessment of the risk the customer presents and maintaining heightened ongoing monitoring of the relationship.
Transaction Monitoring
Your AML/CTF programme must include transaction monitoring — ongoing surveillance of transactions to identify patterns, anomalies, or activity that is inconsistent with what you know about the customer or that may indicate money laundering or terrorism financing.
For small financial services businesses, transaction monitoring does not necessarily require sophisticated software. The key is having a system — even a manual one for lower transaction volumes — that:
- Applies monitoring criteria relevant to your services and risk profile
- Flags transactions or patterns that meet those criteria for review
- Documents the review process and the outcome
- Results in action where suspicious activity is identified (see suspicious matter reporting below)
As your business grows and transaction volumes increase, automated transaction monitoring becomes more practical and more necessary.
Reporting Obligations
Reporting entities have specific obligations to report certain transactions and events to AUSTRAC. There are three main reporting obligations relevant to small financial services businesses.
Threshold Transaction Reports
A Threshold Transaction Report (TTR) must be lodged with AUSTRAC whenever you conduct a transaction involving the transfer of physical currency of AUD $10,000 or more. TTRs must be lodged within 10 business days of the transaction.
The threshold applies to cash — notes and coins. It does not apply to electronic transfers or cheques per se (though suspicious electronic transfers may require a Suspicious Matter Report).
Note: you cannot split a transaction to avoid the threshold. Structuring transactions to avoid TTR obligations is itself an offence under the AML/CTF Act.
Suspicious Matter Reports
A Suspicious Matter Report (SMR) must be lodged with AUSTRAC where you have reasonable grounds to suspect that:
- A customer is not who they claim to be
- A transaction may involve proceeds of crime
- A transaction may relate to terrorism financing
- A customer is trying to use your service to engage in illegal activity
SMRs must generally be lodged with AUSTRAC within three business days of the matter becoming suspicious (or one business day if the transaction relates to terrorism financing). AUSTRAC provides guidance on what makes a matter suspicious.
Critically: you must not tip off the customer that you have lodged or are considering lodging an SMR. Tipping off is a separate offence under the Act.
International Funds Transfer Instructions
If your business sends or receives international funds transfer instructions (IFTIs) — as part of a remittance service, for example — these must be reported to AUSTRAC. Specific rules apply to IFTIs, and remittance providers have additional obligations.
Annual Compliance Report
Every reporting entity must lodge an Annual Compliance Report with AUSTRAC each year. The Annual Compliance Report is due by 31 March each year and covers the preceding calendar year.
The report requires you to declare whether your AML/CTF programme has been assessed by a qualified person for the relevant period, whether you have met your customer identification and verification obligations, and your transaction reporting status.
Missing the 31 March Annual Compliance Report deadline is a reportable failure. Set a calendar reminder — ideally well before March — so this does not slip.
Record-Keeping Obligations
Reporting entities must retain records relating to:
- Customer identification and verification (generally for 7 years from the end of the business relationship)
- Transactions (generally for 7 years from the date of the transaction)
- AML/CTF programme documents
- Transaction monitoring outcomes
- Reports lodged with AUSTRAC
Records must be kept in a form that allows AUSTRAC to access and examine them.
Consequences of Non-Compliance
AUSTRAC has a range of enforcement tools available for non-compliance with the AML/CTF Act:
- Remedial directions — requiring a reporting entity to take specific steps to address compliance issues
- Civil penalties — significant penalties can be imposed for breaches of AML/CTF obligations; AUSTRAC has demonstrated willingness to pursue substantial penalties in major cases
- Criminal prosecution — for intentional, knowing, or reckless breaches of certain AML/CTF obligations
For small businesses, the most likely AUSTRAC response to non-compliance is a remedial direction or civil enforcement action — but the fact that AUSTRAC has historically focused attention on larger institutions does not mean smaller reporting entities are immune. Enrolment failures, programme failures, and failure to lodge required reports are all enforceable breaches.
The Upcoming AML/CTF Reforms: What's Changing
Australia's AML/CTF framework is undergoing its most significant expansion since the Act was introduced in 2006. The reforms, which were legislated through the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024, expand the scope of the Act to capture what are called Tranche 2 entities — businesses in professions that handle large amounts of money but were previously outside the AML/CTF regime.
The Tranche 2 reforms expand designated services to include services provided by:
- Lawyers — when providing certain legal services involving financial transactions (such as conveyancing, managing client funds, creating or managing companies and trusts)
- Accountants — when providing certain accounting services
- Real estate agents — when facilitating the buying and selling of real property
- Trust and company service providers — an expanded definition covering a broader range of formation and management services
The reforms also modernise the customer due diligence framework (moving to a risk-based model), simplify the programme structure, and update reporting obligations.
The commencement date for most Tranche 2 obligations is 1 July 2026, with some aspects phased in over a longer period. If your business is in one of the newly captured sectors, you need to be thinking about AML/CTF programme development, AUSTRAC enrolment, and staff training now — not after the deadline.
If your business is an existing reporting entity, the reforms will also affect your programme and CDD obligations. Review AUSTRAC's guidance as it is published throughout 2025 and 2026.
Getting Started: A Practical AML/CTF Compliance Checklist
For small financial services businesses subject to the AML/CTF Act:
- [ ] Confirm whether your business provides designated services and is a reporting entity
- [ ] Enrol or register with AUSTRAC (if not already done)
- [ ] Develop or review your AML/CTF programme — both Part A (risk management) and Part B (customer due diligence)
- [ ] Implement customer identification and verification processes for standard, simplified, and enhanced due diligence
- [ ] Train staff on AML/CTF obligations, suspicious matter indicators, and your internal procedures
- [ ] Implement transaction monitoring procedures appropriate to your business size and risk profile
- [ ] Establish processes for lodging Threshold Transaction Reports ($10,000+ cash) within 10 business days
- [ ] Establish processes for identifying suspicious matters and lodging Suspicious Matter Reports
- [ ] Set a calendar reminder for the 31 March Annual Compliance Report deadline each year
- [ ] Maintain records for the required retention periods
- [ ] Review and assess your AML/CTF programme regularly (at minimum annually)
- [ ] Monitor AUSTRAC guidance on Tranche 2 reforms if your business is in a newly captured sector
How Reguladar Helps
AML/CTF compliance sits alongside your AFSL obligations, privacy law, employment law, and tax obligations — a complex, ongoing compliance picture for small financial services businesses.
Reguladar gives Australian financial services businesses a single compliance dashboard that tracks deadlines (including the AUSTRAC Annual Compliance Report), licence obligations, and every other regulatory requirement in one place. You get reminders before deadlines, not after.
This article is general information only and is not legal advice. AML/CTF obligations are complex and fact-specific. Seek qualified legal or compliance advice for your specific business circumstances. Refer to AUSTRAC's published guidance (austrac.gov.au) for authoritative information on your reporting obligations.