Australia runs its anti-money-laundering regime through AUSTRAC under the AML/CTF Act 2006. If your business provides a designated service, you are a reporting entity. That triggers a sequence: enrol with AUSTRAC, build an AML/CTF Program with a Part A (manage your risk) and a Part B (identify your customers), run ongoing customer due diligence and transaction monitoring, and lodge the reports when they are due. The reports are suspicious matter reports, threshold transaction reports, and international funds transfer instructions. The Tranche 2 expansion brings more sectors into the regime, so businesses that were outside it should check whether they are inside it now.
We have spent more than a decade inside compliance programs, and the same pattern repeats across borders. A business launches a product, money starts moving, and someone realizes late that the product is a regulated service with obligations attached. Australia works the same way. What triggers the obligations is the service you provide rather than the name on your door, and they begin the day you start providing it.
This guide walks the Australian regime the way a practitioner walks it on the first day of an engagement: who is covered, what they enrol for, what goes in the program, how customer due diligence and monitoring work, which reports fall due, who runs the program, and how the independent review keeps it honest. The Australian facts here stay distinct from the United States BSA framework. The regulator is AUSTRAC, the suspicious-activity report is a suspicious matter report, and the law is the AML/CTF Act 2006. Where a specific scope or threshold is still moving, check AUSTRAC rather than guess.
Who regulates this, and where the obligations come from
The regulator is AUSTRAC, the Australian Transaction Reports and Analysis Centre. It is both the supervisor that examines compliance and the financial intelligence unit that receives and analyzes reports. The governing law is the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, supported by the AML/CTF Rules. Together they set out who is covered, what a compliant program looks like, and what has to be reported.
For a compliance professional moving from a United States program, the mapping helps as long as you hold the differences in mind. AUSTRAC plays the financial-intelligence-unit role that FinCEN plays in the United States, but the statute, the defined services, the report types, and the thresholds are Australian and stand on their own.
Who is a reporting entity
A reporting entity is any business that provides one or more designated services listed in the AML/CTF Act 2006. The designated service carries the whole regime. The Act enumerates the services that bring a business inside it, and providing any one of them to a customer makes you a reporting entity with obligations attached.
Designated services run across financial and non-financial activity. The list includes the services below. For the controlling detail of any item, check AUSTRAC guidance.
| Service area | Examples of designated services |
|---|---|
| Banking and accounts | Opening and maintaining accounts, taking deposits, and allowing transactions on accounts. |
| Lending and finance | Making loans and providing finance in the course of carrying on a business. |
| Remittance | Providing a remittance (money transfer) service, including as an independent remittance dealer or a network affiliate. |
| Currency exchange | Exchanging one currency for another, whether physical or electronic. |
| Digital currency exchange | Exchanging digital currency for money, or money for digital currency. |
| Gambling | Providing certain gambling services, including by casinos and other gambling operators. |
| Bullion | Buying or selling bullion in the course of carrying on a business. |
The point a new business misses is timing. There is no opting in and no letter to wait for. You become a reporting entity the moment you start providing a designated service, and the obligations attach from that point. If you are unsure whether a product is a designated service, resolve the question against the Act and AUSTRAC guidance before launch.
Enrolment and registration with AUSTRAC
Once a business provides a designated service, it has to enrol with AUSTRAC and appear on the Reporting Entities Roll. Enrolment tells AUSTRAC who you are, what designated services you provide, and how to reach the people accountable for your program. Some activities carry an additional registration step on top of enrolment. Remittance service providers and digital currency exchange providers, for example, need to be registered with AUSTRAC to operate, not only enrolled.
Treat enrolment and registration as the entry gate. Operating a service that requires registration without being registered is a serious failure, and a supervisor checks for it early. Confirm the current enrolment and registration requirements for your specific services with AUSTRAC before you go live.
The AML/CTF Program: Part A and Part B
Every reporting entity has to build and maintain an AML/CTF Program. The program holds the whole obligation set together, and it comes in two parts that do different jobs.
Part A: the general part
Part A is where the business identifies, manages, and mitigates the money-laundering and terrorism-financing risk it faces. It is risk-led by design, the same discipline a strong program follows anywhere. You understand your customers, products, channels, and geographies, you rate the risk, and you build controls that match it. A complete Part A covers the elements below.
| Part A element | What it does |
|---|---|
| Risk assessment | Identifies and assesses the ML/TF risk across the business: customer types, the designated services provided, delivery channels, and the jurisdictions involved. |
| Governance and oversight | Sets the board-and-senior-management approval and oversight of the program, and names the accountable compliance officer. |
| Ongoing customer due diligence | Keeps customer information current and applies enhanced measures to higher-risk customers and relationships. |
| Transaction monitoring | Monitors customer transactions to identify activity that is unusual, complex, or inconsistent with what is known about the customer. |
| Employee due diligence and training | Screens staff in relevant roles and trains them to recognize and act on ML/TF risk. |
| Independent review | Provides for regular review of Part A by a party independent of the people who run the program. |
Part B: customer identification
Part B sets out the applicable customer identification procedures, the know-your-customer steps the business follows before it provides a designated service. It specifies how you collect and verify who your customer is, how you handle individuals, companies, trusts, and other entity types, and how you identify the beneficial owners behind a customer where that applies. The general rule is that you identify and verify the customer before you provide the designated service. The rules set out the limited circumstances where verification can follow.
The two parts work together. Part B gives you a verified customer at the start of the relationship, and Part A keeps that knowledge current while it watches the activity that follows.
Customer due diligence
Customer due diligence is the work of knowing who you are dealing with and what you should expect from them. In the Australian regime it spans both parts of the program. The initial identification sits in Part B; the ongoing scrutiny sits in Part A.
- Initial customer due diligence. Collect and verify the customer's identity before providing the designated service, using the procedures set out in Part B. For non-individual customers, this extends to understanding the structure and identifying the beneficial owners.
- Enhanced customer due diligence. Apply deeper scrutiny where the risk is higher: politically exposed persons, higher-risk countries, complex or unusual structures, and situations where a suspicion has formed. Enhanced measures can include gathering more information about the customer and the source of their funds, and seeking senior approval to continue the relationship.
- Simplified measures. Where the risk is demonstrably low and the rules allow it, lighter measures may apply. Low risk is a conclusion you document from the assessment, never an assumption you start with.
The discipline that travels across every regime is that due diligence is risk-based and the rating has to mean something. A program that rates every customer the same way cannot separate the ordinary business from the money mule. The rating is what sets the depth of identification, how closely you monitor, and how fast you escalate.
Ongoing customer due diligence and transaction monitoring
Identifying a customer once is only the start. Part A requires ongoing customer due diligence, which keeps customer information current and reassesses risk as the relationship changes, and a transaction monitoring program that watches activity over time.
Effective monitoring rests on knowing what normal looks like for a given customer and surfacing the activity that departs from it. The strongest monitoring compares a customer's behavior against a sensible baseline for customers like them, instead of firing on a single fixed number that flags the large customer constantly and the small one never. What you want at the end is a manageable set of meaningful alerts that a person reviews and dispositions, with the genuinely suspicious cases moving toward a report. Bury the team in noise and the real activity slips through.
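The contrast between a single fixed number and a peer baseline, as an added example that is not part of the original guide. The peer groups, amounts, `FIXED_LIMIT` and `SCORE_CUTOFF` are constructed assumptions for illustration, not AUSTRAC thresholds or any vendor's rule set.

```python
from statistics import median

FIXED_LIMIT = 5_000   # hypothetical single-number alert rule
SCORE_CUTOFF = 3.5    # hypothetical cutoff on the robust deviation score

# Constructed history of transaction amounts for two peer groups.
PEER_HISTORY = {
    "wholesale_importer": [38_000, 41_500, 40_200, 39_800, 42_000, 37_500, 40_900],
    "retail_individual": [120, 250, 180, 310, 90, 220, 275],
}

# Constructed new transactions: (customer, peer_group, amount).
NEW_TXNS = [
    ("importer-01", "wholesale_importer", 41_000),
    ("importer-01", "wholesale_importer", 95_000),
    ("retail-07", "retail_individual", 240),
    ("retail-07", "retail_individual", 4_500),
]

def baseline(amounts):
    """Return (median, scaled MAD) so one outlier cannot drag the baseline."""
    mid = median(amounts)
    mad = median([abs(a - mid) for a in amounts])
    # 1.4826 makes MAD comparable to a standard deviation; the floor avoids /0.
    return mid, max(1.4826 * mad, 1e-9)

def fixed_rule(amount):
    """Alert on any amount at or above one number, whoever the customer is."""
    return amount >= FIXED_LIMIT

def peer_rule(group, amount):
    """Alert only when the amount sits far above what is normal for the peer group."""
    mid, spread = baseline(PEER_HISTORY[group])
    return (amount - mid) / spread > SCORE_CUTOFF

def compare(txns):
    """Return (customer, amount, fixed_alert, peer_alert) for each transaction."""
    return [(c, amt, fixed_rule(amt), peer_rule(g, amt)) for c, g, amt in txns]

if __name__ == "__main__":
    for customer, amount, fixed, peer in compare(NEW_TXNS):
        print(f"{customer:12} {amount:>7} fixed={fixed!s:5} peer={peer}")
```

The fixed rule alerts on the importer's routine 41,000 transfer and misses the retail customer's 4,500 transfer entirely; the peer rule stays quiet on the first and raises the second for review.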
The reports: SMR, TTR, and IFTI
Reporting is the point where the program reaches AUSTRAC. Three core report types answer different triggers. Hold them apart from the United States equivalents: in Australia the suspicious-activity report is a suspicious matter report submitted to AUSTRAC, never a SAR submitted to FinCEN.
| Report | What triggers it | What it captures |
|---|---|---|
| SMR (suspicious matter report) | The reporting entity forms a relevant suspicion about a customer or a transaction, including suspected money laundering, terrorism financing, or other serious offences. | The matter and the grounds for suspicion, reported to AUSTRAC within the timeframes set by the Act and rules. |
| TTR (threshold transaction report) | A transaction involving physical currency or e-currency at or above the reporting threshold set in the regime. | The threshold transaction and its details. The current threshold and what counts toward it are confirmed against AUSTRAC guidance. |
| IFTI (international funds transfer instruction) | An instruction to transfer money or property into or out of Australia. | The cross-border instruction and the parties to it, reported to AUSTRAC. |
Alongside these transaction-driven reports, reporting entities lodge a periodic compliance report to AUSTRAC describing their compliance with their obligations. Timeframes and thresholds for each report are set in the Act and the AML/CTF Rules, and the operating detail is confirmed against AUSTRAC guidance rather than assumed.
A suspicious matter report carries the same weight a suspicious activity report carries in the United States, and the same writing discipline applies. The grounds for suspicion have to be specific. Name the customer, the transactions, the dates, the amounts, and the reason the activity does not fit the customer's profile, and AUSTRAC can act on it. A vague report that asserts suspicion without the facts behind it gives an investigator nothing to work with.
The AML/CTF compliance officer
A reporting entity has to designate an AML/CTF compliance officer at management level, accountable for the program. The same principle sits at the center of strong programs everywhere. One named senior person owns compliance, with the resources to do the job and the standing to be heard by the board and senior management.
The role works only with real authority and real time behind it. A compliance officer who is also carrying a large revenue-side job, or who reports through the function whose activity they are supposed to challenge, has little chance of doing it well. Keep the designation current, state the authority plainly, and arrange cover for when the officer is away.
Independent review
Part A has to be reviewed regularly by a party independent of the people who designed and run the program. The independent review tests whether Part A suits the business's risk, whether the business actually follows it, and whether it works. The word that carries this requirement is independent, because a team cannot honestly assess its own program. Internal audit can perform the review where that function is genuinely independent of compliance, or an external party can.
Findings go to senior management and the board, with management responses and a record of remediation. If nobody tracks the findings to closure, the review may as well not have happened.
The Tranche 2 expansion
For most of the regime's life, the AML/CTF obligations sat on financial businesses and a defined set of other businesses. Tranche 2 is the expansion of the regime to additional sectors that were previously outside it, commonly described as certain professional and high-value-dealer services. The sectors associated with the expansion include the following.
- Legal practitioners providing relevant services.
- Accountants providing relevant services.
- Trust and company service providers.
- Real estate professionals involved in property transactions.
- Dealers in precious metals and stones and other high-value goods, as covered.
If your business sits in one of these sectors, you start where every reporting entity starts: do you provide a designated service? If you do, the sequence follows from there. Enrol with AUSTRAC, register where required, build the AML/CTF Program with its Part A and Part B, and stand up due diligence, monitoring, and reporting. Tranche 2 now has a timeline: enrolment for the newly covered sectors opens 31 March 2026, the new obligations commence 1 July 2026, and newly regulated entities must enrol with AUSTRAC by 29 July 2026. Existing reporting entities have to implement the new AML/CTF Rules by 31 March 2026. Confirm the exact scope and any sector-specific detail against current AUSTRAC guidance.
A readiness checklist
Run this before you assume your Australian program is in order.
- You have determined whether you provide a designated service, confirmed against the Act and AUSTRAC guidance.
- You are enrolled with AUSTRAC, and registered where your services require it.
- You have a documented AML/CTF Program with a Part A and a Part B.
- Part A includes a current risk assessment covering customers, services, channels, and jurisdictions.
- Part B sets out customer identification procedures, including beneficial ownership where it applies.
- Ongoing customer due diligence keeps customer information current and applies enhanced measures to higher-risk relationships.
- A transaction monitoring program surfaces unusual activity against a sensible baseline.
- You lodge SMRs, TTRs, and IFTIs when triggered, within the required timeframes, plus the periodic compliance report.
- An AML/CTF compliance officer at management level owns the program with real authority.
- Part A is subject to a regular independent review, with findings tracked to closure.
- Staff in relevant roles receive training appropriate to their part in the program.
The Australian regime asks a lot, but it reads clearly. Know who you serve, watch what they do, report what you have to report, and prove the program works through a review you do not control. Get those right and you have a documented program that thinks for itself, which is what holds up when AUSTRAC looks closely.
For the plain-language definitions behind the terms in this guide, see the Australia AML/CTF glossary.