
Navigating AML/CTF reforms

Australia's Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) reforms mark a major regulatory shift to protect our financial system and fight serious crimes like drug and human trafficking. Pushed by global pressure, especially from the Financial Action Task Force (FATF), these reforms aim to prevent Australia from being grey-listed.

Let's talk about the AML/CTF reforms

Building on the 2006 Tranche 1 measures, they focus on safeguarding professions like lawyers and accountants from inadvertently engaging in AML/CTF offenses. The reforms demand a transformation in how these professionals identify, classify, and monitor AML/CTF risks, requiring an upgrade in onboarding processes.

Tranche 2 reporting entities must dive deep into their operations, adopting a risk-based approach for their AML/CTF programs. This includes Client Due Diligence (CDD), Know Your Client/Customer (KYC) processes, and reporting to AUSTRAC both annually and for suspicious transactions.

How can iManage help?

At iManage, we're here to guide you through these changes with thought-leadership on key trends and obligations. Our webinars and podcasts will provide the insights and tools you need to be compliant and ready for any AML/CTF challenges by 1 July 2026.

Our tailor-made intake solution provides further assistance in helping firms maintain compliance with these policies. Offering a holistic view of critical risk areas from the acceptance and onboarding of new clients and business, the solution offers vital transparency that professionals need to connect siloed data and proactively identify potential compliance issues. The integrated solution streamlines compliance assessments, allowing professionals to perform robust reviews throughout the onboarding process without causing a strain on their firm’s resources.

Through both thought leadership and solutions purpose-built to help professionals manage their compliance obligations without adding additional burdens to their workflows, iManage is committed to helping you navigate the changing landscape. 

FAQs

Can’t find the answer to your question? Book a call with our team for a personalized demo or consultation.

31 March 2026

1 July 2026

Lawyers and accountants are key players in the fight against money laundering and terrorism financing. They offer services that can be exploited for illegal activities, such as managing client funds and assets. Their role is crucial in:

  • Conducting due diligence
  • Managing client money, securities, or other assets
  • Ensuring compliance with AML/CTF regulations

By adopting a risk-based approach and maintaining high standards, they help protect their professions and prevent criminals from misusing their services. Vigilance in client interactions is essential to identify and combat potential threats.

  1. Buying and selling real estate.
  2. Managing client money, securities, or other assets (including operating a trust account).
  3. Managing bank, savings, or securities accounts.
  4. Organising contributions for the creation, operation, or management of companies.
  5. Creating, operating, or managing companies, trusts, or other types of legal persons or arrangements.
  6. Buying and selling businesses.
  7. Acting as a formation agent of companies, trusts or similar entities.
  8. Acting as (or arranging for another person to act as) a director or secretary of a company, a partner of a partnership, or a similar position in relation to other legal persons.
  9. Providing a registered office, business address, or accommodation, correspondence, or administrative address for a company, a partnership, or any other legal person or arrangement.
  10. Acting as (or arranging for another person to act as) a trustee of an express trust or performing the equivalent function for another form of legal arrangement.
  11. Acting as (or arranging for another person to act as) a nominee shareholder for another person.

Under the amended regime, reporting entities are required to maintain comprehensive and accurate records. The retention period is 7 years, and any client identification procedure records must be maintained for the duration of your relationship with the customer and for an additional seven years after you stop providing any designated services to them. These records include:

  • Customer Due Diligence (CDD):
    Maintain records of Know Your Client (KYC) procedures, including the steps taken to identify clients and any documentation provided. While copying documents is not mandatory, if copies are made, they must be retained. Records should also include information on clients identified as Politically Exposed Persons (PEPs) or sanctioned individuals, along with any ongoing monitoring requirements.
  • International Funds Transfer Instructions (EFTI):
    Keep records of any instructions to transfer funds electronically between financial institutions, whether the transfer is between different accounts of the same person or from one person to another.
  • Transaction records:
    Document all transaction details, including parties involved, dates, and descriptions. Any documents provided by customers (or their agents) related to designated services must be retained.
  • Reporting records:
    Maintain records necessary for lodging annual reports with AUSTRAC. This includes records of suspicious transaction reports, especially if further investigations are required.
  • AML/CTF program documentation:
    Keep records of the adoption date of the AML/CTF program (e.g., board minutes), details of program approval, the program itself, and any subsequent changes.
  • Staff training sessions:
    Document details of training sessions conducted for staff.
  • Audit results:
    Maintain records of audit results related to compliance with the AML/CTF program.

When conducting Know Your Client (KYC) or Client Due Diligence (CDD), it is crucial to be vigilant for potential “red flags” that may indicate suspicious activity. These red flags can sometimes be subtle, such as a general feeling of unease or inconsistencies in the information provided by the client. Key indicators to watch for include:

1. Client identity issues:

  • Association with high-risk countries or unusual sources of funds.
  • Political exposure or connections to politically exposed persons (PEPs).
  • Provision of identification documents that are misleading, vague, or difficult to verify.
  • Attempts to disguise identity.
  • Criminal convictions or ongoing investigations for serious crimes.

2. Client behaviour concerns:

  • Reluctance to provide identity documents or submission of false documents.
  • Difficulty in contacting the client after funds are deposited.
  • Unusual secrecy about identity or transactions.
  • Involvement in cash-intensive businesses or high-risk activities.
  • Offering unusually high fees for expedited transactions.

3. Relationship with the practice:

  • Seeking services outside the practice's expertise.
  • Frequent changes of solicitors without valid reasons.
  • Requests to use the practice's trust account as a banking facility.

4. Funds or assets concerns:

  • Small payments that suggest “structuring” to avoid detection.
  • Real estate purchases lacking a logical connection to the buyer.
  • Large private funding from offshore accounts without explanation.
  • Requests for payments to third parties without logical explanations.   

5. Jurisdictional risks:

  • Transactions involving high-risk countries without logical connections.

6. Commercial activity or use of companies/trusts:

  • Use of complex legal structures without business necessity.
  • Frequent changes in management or legal structures without reason.
  • Involvement in frequent transactions with similar elements without explanation.

The key dates for all Tranche 2 reporting entities include: 

  • 31 March 2026: Enrolments open for Tranche 2 reporting entities to enrol with AUSTRAC.
  • April/May 2026: This is the period in which Tranche 2 reporting entities should be communicating their AML/CTF Know Your Client (“KYC”) and Client Due Diligence (“CDD”) obligations with their clients to prepare them for the additional documentation that they will need to start providing and explain the rationale behind these reforms.
  • June 2026: Training staff. This is an opportune time to train and test your employees to review the effectiveness of your Money Laundering and Terrorism Financing controls. It would be prudent to conduct employee due diligence in this period as well.
  • 1 July 2026: The new AML/CTF Act commences, and the Privacy Act 1988 (Cth) applies to Tranche 2 reporting entities.
  • 29 July 2026: This is the last date for Tranche 2 reporting entities to enrol with AUSTRAC. 

Simplified Due Diligence (“SDD”) refers to a reduced level of customer due diligence that may be applied in certain circumstances where the money laundering or terrorism financing risk is assessed to be lower.

The AML/CTF Rules specify that for certain types of customers, such as listed public companies, majority-owned subsidiaries of listed public companies, or entities regulated by a Commonwealth regulator, a simplified verification procedure can be used.

This involves confirming the customer's status through reliable sources such as public documents, ASIC records, or stock exchange listings, rather than full verification of all beneficial owners.

The simplified verification procedure is designed to streamline compliance while still managing risk appropriately.  Additionally, for trusts and other entities, similar simplified verification procedures exist if they meet certain regulatory criteria.

The use of simplified due diligence is subject to the reporting entity's risk assessment and must be consistent with the AML/CTF program's risk-based approach.

Under the Definition section of the updated AML/CTF Rules, there is a comprehensive explanation of who would be classified as a domestic Politically Exposed Person (“PEP”) in Australia. This includes:

  1. Governor General;
  2. Governor of a State;
  3. Administrator of a Territory;
  4. Justice of the High Court;
  5. Judge of the Federal Court of Australia;
  6. Judge of the Supreme Court of a State or Territory;
  7. accountable authority, or member of the accountable authority, of a Commonwealth entity within the meaning of the Public Governance, Performance and Accountability Act 2013;
  8. member of the governing body of a wholly owned Commonwealth company within the meaning of the Public Governance, Performance and Accountability Act 2013;
  9. head (however described) of:
     (i) a Department of State of a State or Territory; or
     (ii) an agency or authority of a State or Territory that has a prominent public function;
  10. head (however described) of a local government council in a State or Territory;
  11. any of the following offices of a company or other incorporated body that is wholly owned or majority owned by a State or Territory:
     (i) chair of the board;
     (ii) chief executive officer;
     (iii) chief financial officer;
  12. Chief of the Defence Force, Vice Chief of the Defence Force, Chief of Navy, Chief of Army or Chief of Air Force;
  13. officer of the Navy of the rank of Vice Admiral or a higher rank;
  14. officer of the Army of the rank of Lieutenant General or a higher rank;
  15. officer of the Air Force of the rank of Air Marshal or a higher rank;
  16. any of the following offices of the Commonwealth in a foreign country, or to a public international organisation, to which appointments are made by the Governor General:
     (i) Ambassador;
     (ii) High Commissioner;
     (iii) Consul General;
     (iv) Australian Representative;
     (v) Special Representative;
     (vi) Representative;
     (vii) Permanent Representative;
     (viii) Chargé d’Affaires;
  17. member of the governing body of a political party represented in the legislature of the Commonwealth or a State or Territory.

An important consideration for Tranche 2 reporting entities is that the definition of Domestic PEPs may also be extended to include family members: spouse/de facto partner, child, and parent. Therefore, when conducting KYC processes on any potential domestic PEPs, ensure you cast a wide net to capture any applicable family members. 

Enhanced Due Diligence (EDD) under the AML/CTF Rules involves additional measures that reporting entities must apply when the money laundering or terrorism financing (ML/TF) risk is higher.

The operational and practical considerations for EDD include:

1. Triggers for EDD:

  • EDD is required when the customer is assessed as high risk, including when the customer is a foreign politically exposed person (PEP), or when the service is provided in a nested service relationship.
  • EDD is also triggered by unusual or complex transactions, when the transaction has no apparent economic or legal purpose, or when the customer is involved in high-risk jurisdictions or activities.

2. EDD measures:

  • Collecting additional customer due diligence (CDD) information beyond the standard requirements.
  • Verifying the source of funds and source of wealth of the customer.
  • Obtaining more detailed information about the customer's business, ownership, and control structures.
  • Increasing the frequency and depth of ongoing monitoring of the customer’s transactions and behaviour.
  • Applying senior management approval for onboarding or continuing relationships with high-risk customers.

3. Policy requirements:

  • Reporting entities must have AML/CTF policies that specify when and how EDD is applied.
  • Policies must include procedures for obtaining and verifying additional information, and for escalating decisions to senior management.
  • Policies should be risk-based and proportionate to the level of risk presented.

4. Practical considerations:

  • EDD requires more resources and expertise, including skilled personnel capable of assessing complex risks.
  • Entities must balance the need for thorough due diligence with customer service and operational efficiency.
  • There may be challenges in obtaining reliable information, especially for customers from high-risk or less transparent jurisdictions.
  • Entities should document all EDD steps and decisions to demonstrate compliance.

5. Timing:

  • EDD should be conducted promptly, especially when triggered by adverse findings or suspicious activity.

Conducting source of wealth and source of funds checks is part of enhanced customer due diligence (EDD) measures. These checks are required when the source of wealth or source of funds information is relevant to the money laundering and terrorism financing (ML/TF) risk of the customer, and when enhanced CDD is triggered by certain conditions such as the customer being high risk, a suspicious matter report (SMR) being filed, or the customer or associated person being from a high-risk jurisdiction.

Specifically, section 6-21 of the Rules states that reporting entities must conduct source of wealth and source of funds checks as part of EDD when:

  • The customer’s ML/TF risk is high.
  • An SMR has been filed related to the customer.
  • The customer or associated person is from a jurisdiction identified by FATF as high risk.

The enhanced CDD measures may include collecting additional information, verifying this information using reliable and independent data, and taking further steps to understand the background and financial situation of the customer and related parties. Verification methods may include obtaining documentary evidence, conducting background checks, and ongoing monitoring of transactions and customer behaviour.

These requirements align with the Financial Action Task Force (“FATF”) recommendations and are designed to mitigate the risks of money laundering and terrorism financing by ensuring that reporting entities have a clear understanding of the origins of the customer's wealth and funds.

In practice, reporting entities develop AML/CTF policies that specify when and how to collect and verify source of wealth and source of funds information, including triggers for enhanced due diligence such as high-risk customers or transactions. 

Overall, the process involves a risk-based approach where the extent of checks is proportional to the assessed risk, ensuring compliance with the AML/CTF regime and international standards. 

Tranche 2 reporting entities’ AML/CTF obligations interact with the Privacy Act 1988 (Cth) and the Australian Privacy Principles primarily through the collection, use, disclosure, and protection of personal information. Reporting entities must comply with the Privacy Act while fulfilling their AML/CTF duties, which involve extensive data collection and retention of sensitive personal and financial information about customers, beneficial owners, and key personnel. This includes names, dates and places of birth, addresses, contact details, unique identifiers, citizenship, tax residency, occupation, legal structure, and for high-risk individuals, source of wealth and funds.

Tranche 2 reporting entities must adhere to requirements under the AML/CTF Act while remaining compliant with the Australian Privacy Act and principles. 

Key considerations for Tranche 2 reporting entities include: 

  • Ensure that the collection of personal information is not excessive and is limited to what is necessary for AML/CTF compliance.
  • Implement robust data protection measures to safeguard personal information from unauthorised access or disclosure, including secure storage and controlled access protocols.
  • Assess the suitability and integrity of personnel involved in AML/CTF functions to prevent insider risks to privacy and compliance.
  • When relying on third parties for Know Your Customer (KYC) and customer identification and verification, reporting entities must have written agreements that document responsibilities, enable access to all required KYC information, and allow prompt access to records of identification procedures and verification documents. These arrangements must be approved by the governing board or senior management, and the reporting entity must regularly assess the third party's compliance with AML/CTF measures, keeping records to demonstrate compliance.
  • Ensure you have AML/CTF policies that require safeguards to prevent "tipping off" customers about investigations, ensuring confidentiality and appropriate use of information by internal personnel. This protection is for the integrity of investigations rather than customer privacy from mandatory reporting itself.

In summary, AML/CTF obligations impose significant privacy considerations that require careful balancing with the Privacy Act and Australian Privacy Principles to ensure lawful, necessary, and secure handling of personal information while fulfilling AML/CTF compliance requirements.
