Anti-Money Laundering: Obligations & Compliance

Matt LeeburnWritten byMatt Leeburn
Updated 12 Mar 2026

What is anti-money laundering?

Anti-money laundering (AML) describes the set of laws, controls and processes designed to stop criminals from turning proceeds of crime into apparently legitimate funds. Under the AML/CTF (anti-money laundering and counter-terrorism financing) regime in Australia you, as a regulated entity, have duties to detect, deter and report suspected money laundering and terrorism financing. Effective AML reduces harm — it protects financial integrity, prevents crime-funded activity, and limits legal, financial and reputational risk for businesses and advisers.

If you handle payments, property, crypto, trust services or merchant finance, confirm whether you are a reporting entity and register with AUSTRAC. Start a simple risk assessment to document high-risk customers and channels. Put in place basic KYC, monitoring and record-keeping within 30–60 days.

How money laundering works (stages)

Understanding the classic three stages helps you design controls that target real risks:

  • Placement: introducing illicit funds into the financial system. Example: depositing large cash sums into multiple merchant accounts.
  • Layering: obscuring origins by moving money through complex transactions. Example: rapid transfers between accounts, conversion to crypto then to overseas accounts.
  • Integration: funds re-enter the economy as apparently lawful. Example: investing criminal proceeds into property, business loans or high-value goods.

A syndicate receives cash from illegal sales (placement), splits it through payment processors and crypto (layering), then buys commercial equipment or loans it to related entities to create legitimate income (integration). Recognising where each step might occur in your business is the first step to mitigating risk.

Legal framework and who regulates it

The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) is the central statute that sets out obligations for reporting entities. The primary regulator overseeing the regime and enforcing the Act is AUSTRAC; other agencies involved in enforcement, intelligence or policy include the Department of Home Affairs and prosecuting authorities. International standards are set by the Financial Action Task Force (FATF).

Key authoritative sources:

  • AUSTRAC — AML/CTF Act overview and guidance: https://www.austrac.gov.au/business/legislation/amlctf-act
  • Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (full text): https://www.legislation.gov.au/C2006A00169/latest/text
  • Department of Home Affairs — AML/CTF portfolio: https://www.homeaffairs.gov.au/about-us/our-portfolios/criminal-justice/anti-money-laundering-and-counter-terrorism-financing
  • FATF global standards: https://www.fatf-gafi.org
  • Australian Securities & Investments Commission (ASIC): https://asic.gov.au
  • Australian Taxation Office (ATO): https://www.ato.gov.au

AUSTRAC publishes rules, guidance and reporting forms; keep these sources bookmarked and check them regularly for updates to stay compliant with AML/CTF obligations.

Who must comply

"Reporting entities" under the AML/CTF Act cover a wide set of sectors. Typical categories include:

  • Financial services providers and credit providers
  • Remittance and foreign exchange services
  • Casinos and gaming operators
  • Digital currency exchanges and some crypto service providers
  • Real-estate agents and conveyancers (in certain services)
  • Legal and accounting professionals when providing specified trust or conveyancing services
  • Trust and company service providers
  • High-value dealers and bullion or precious stones dealers
  • Some business finance providers and merchant services

If you provide one of the covered services, you are likely a reporting entity and must register with AUSTRAC and meet obligations. If you are unsure, refer to AUSTRAC's guidance and the AML/CTF Act text linked above.

Core obligations for reporting entities

Reporting entities face several core obligations. Below are the practical duties and links to further reading.

Customer identification and due diligence (KYC/CDD)

Verify customer identity at account opening or when providing a designated service. Conduct enhanced due diligence (EDD) for higher-risk customers (politically exposed persons, high-value clients, unknown beneficial owners). For more detail, see the guide to KYC and customer due diligence.

Ongoing transaction monitoring

Implement systems to monitor for unusual patterns and to escalate suspicious activity.

Suspicious matter reporting (SMR)

Submit an SMR to AUSTRAC when you suspect a transaction or relationship involves proceeds of crime or terrorist financing. File promptly once suspicion is formed.

Threshold transaction reports (TTR)

Report certain large cash transactions or those triggered by specified thresholds. Check AUSTRAC guidance for exact triggers and procedures.

International funds transfer reporting (IFTR / IFTI)

Report prescribed information when funds are sent or received internationally via designated instruments.

Registration and record-keeping

Register with AUSTRAC if you are a reporting entity and keep required records (identification, transaction history, policies) for statutory periods.

Maintain an AML/CTF compliance program

Your program must be risk-based and include roles, policies, training and independent review. AUSTRAC expects a designated compliance officer and documented procedures.

These obligations interlock: accurate KYC feeds effective monitoring; monitoring identifies potential SMRs; record-keeping supports audits and enforcement reviews.

Building an effective AML/CTF compliance program

A practical, risk-focused program includes the following elements.

Risk assessment (start here)

Identify customer, product, delivery channel and geographic risks. Document why certain customers or services present higher exposure.

Written program and policies

Produce a written AML/CTF program that defines procedures for KYC, monitoring, reporting and escalation.

Designated AML/CTF Compliance Officer (ACO)

Assign responsibility and clearly document authorities and reporting lines.

Customer due diligence procedures

Standard ID verification steps, beneficial ownership checks and enhanced due diligence triggers.

Transaction monitoring and red flags

Use rules-based alerts and scenario testing. Maintain a list of sector-specific red flags.

Training and culture

Regular, role-specific training for staff and contractors; keep attendance records.

Independent review and continuous improvement

Commission periodic independent reviews of your program and remediate findings promptly.

Technology and record retention

Select appropriate systems for case management and secure record storage for required statutory periods.

Incident response and remediation

Define how you investigate internally, escalate and prepare SMRs or remedial reports.

Start with a one-page starter checklist (KYC checklist, first 30-day tasks, contact points) and scale documentation proportionately to your risk.

Reporting and enforcement: penalties and cases

AUSTRAC has investigative and enforcement powers, including civil penalty proceedings, remediation directions and criminal referrals. Penalties can include:

  • Civil penalties and pecuniary fines
  • Court-ordered remedial action and monitoring
  • Criminal charges where intentional conduct is established
  • Reputational damage and licensing restrictions

Two enforcement summaries highlight key lessons:

AUSTRAC v Westpac (proceedings commenced 2019–2020)

AUSTRAC alleged widespread reporting and compliance failures, including missing transaction reporting and inadequate KYC controls. The case highlighted the consequences of weak monitoring systems and the need for remediation programs. See AUSTRAC media releases and court documents on AUSTRAC's site for the timeline and outcomes.

AUSTRAC enforcement against a major betting/gaming operator (public action in 2020)

AUSTRAC alleged deficiencies in customer due diligence and transaction monitoring in wagering services. The outcome emphasised tailored controls for sectoral risks and the importance of record keeping and staff training.

Enforcement focuses on systemic failures — incomplete programs, missing or ineffective transaction monitoring, and poor management oversight. Keep contemporaneous records of remediation steps and independent reviews to demonstrate good faith.

For a current list of AUSTRAC actions and media releases, visit: https://www.austrac.gov.au/news-and-media/media-releases

Sector-specific considerations

Different sectors face distinct risks and practical challenges. Below are concise notes by sector.

Crypto exchanges and wallets

High risk due to anonymity and cross-border flows. Enhanced CDD, wallet provenance checks and robust transaction tracing are common controls.

Remittance and foreign exchange

Rapid cross-border flows require strict IFTR/IFTI reporting and payer/beneficiary screening. Monitor multiple low-value transfers that aggregate to significant sums.

Real-estate and conveyancing

Property transactions can be used to integrate illicit funds. Apply enhanced due diligence on unusual source-of-funds declarations and complex ownership structures.

Legal and accounting services

When providing trust or conveyancing services, apply CDD and record beneficial ownership. Maintain clear conflict-of-interest processes.

Non-profits and charities

Focus on donor vetting and program legitimacy, especially with cross-border funding or high-risk geographic exposure.

Business finance, invoice and merchant services

Invoice manipulation and sham transactions are common laundering methods. Implement transaction validation and beneficiary verification. If you provide or facilitate business lending or merchant products, specialised controls apply. For background on finance products and typical abuse vectors, relevant A-Z guides include Invoice Finance, Merchant Cash Advance, Asset Finance, Finance Lease, Novated Lease, Secured Business Loans, and Unsecured Business Loans.

Practical steps for small businesses and first actions

If you are a small or first-time reporting entity, follow this starter checklist:

Day 0–7: Confirm whether you are a reporting entity and register with AUSTRAC if required.

Day 7–30: Complete a simple risk assessment identifying customers, products, channels, jurisdictions and delivery methods posing highest risk.

Day 30–60: Adopt a written AML/CTF program tailored to your risk profile.

First 3 months: Implement basic KYC checks, train frontline staff on red flags, and set up a simple monitoring rule set (manual or automated).

Ongoing: Conduct an independent review at least annually or when you change product lines; keep records and update policies when risk changes.

Where to get help:

  • AUSTRAC guidance pages and templates (registration, reporting and forms): https://www.austrac.gov.au
  • Specialist compliance consultants and lawyers when needed

Recommended cadence: review your program every 6–12 months, or sooner after major regulatory updates.

FAQ

When should I submit an SMR?

Submit a Suspicious Matter Report once you form a suspicion that a transaction or activity involves proceeds of crime or terrorism financing. File promptly in line with AUSTRAC reporting channels.

What is a TTR?

A Threshold Transaction Report is required for certain large cash transactions or other prescribed thresholds. Exact triggers are defined by AUSTRAC; check their guidance for current thresholds.

How long must I keep AML records?

Statutory retention periods are set out in legislation and AUSTRAC guidance. Keep records secure and retrievable for the required timeframe; verify exact periods on AUSTRAC's pages.

Can I rely on third-party verification?

Relying on a trusted, regulated third party for CDD may be possible, but you remain responsible for meeting obligations. Document reliance arrangements and ensure the counterparty is a suitable, regulated provider.

What are common red flags?

Rapid movement of funds, mismatched customer information, frequent transfers to high-risk jurisdictions, use of shell companies or nominee shareholders, sudden changes in transaction patterns. Tailor red flags to your sector.

Key takeaways

AML/CTF compliance in Australia requires regulated entities to implement risk-based programs covering customer due diligence, transaction monitoring, and suspicious matter reporting. AUSTRAC enforcement emphasises the importance of documented procedures, staff training, and contemporaneous record-keeping. Starting with a basic risk assessment and simple KYC procedures, businesses can scale their compliance programs proportionately to their risk exposure and sector.

Further reading

  • AUSTRAC official guidance and forms: https://www.austrac.gov.au
  • AML/CTF Act full text: https://www.legislation.gov.au/C2006A00169/latest/text
  • Department of Home Affairs AML/CTF portfolio: https://www.homeaffairs.gov.au/about-us/our-portfolios/criminal-justice/anti-money-laundering-and-counter-terrorism-financing
  • FATF typologies and global guidance: https://www.fatf-gafi.org
  • AUSTRAC media releases (enforcement summaries): https://www.austrac.gov.au/news-and-media/media-releases
  • ASIC (regulatory context and enforcement): https://asic.gov.au
  • ATO (tax and reporting intersections): https://www.ato.gov.au

This article is general information only and is not legal, tax or financial advice.

Get your quote in less than 3 minutes

More from the A to Z of Asset Finance

A

ABN loan: Guide to eligibility, types & how to apply

ReadA

ACCC: Role, Powers and How It Protects Consumers

ReadA

Accelerated Depreciation: Methods & Tax Guide

Read

Browse A to Z

ABCDEFGHIJKLMNOPQRSTUVWXYZ