AML/CTF regime, plain-English definition from TheAICommand
Definition

What is AML/CTF regime?

Australia's AML/CTF regime, administered by AUSTRAC under the AML/CTF Act 2006, requires regulated businesses to enrol, maintain a compliance program, verify customers, and report suspicious and threshold transactions. Tranche 2 extends it to more professions from 1 July 2026.

Quick answer

The AML/CTF regime is Australia's legal framework for stopping money laundering and terrorism financing. Under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, regulated businesses must enrol with AUSTRAC, run an AML/CTF program, verify customers, and report suspicious and high-value transactions.

What the regime is

The AML/CTF regime is the set of legal obligations Australia uses to detect and deter money laundering and terrorism financing. It sits under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and supporting Rules. The regulator is AUSTRAC, which acts as both Australia's financial intelligence unit and the supervisor of regulated businesses.

The regime applies to businesses that provide "designated services" listed in the Act. These businesses are called reporting entities. If you provide a designated service, the obligations are not optional and non-compliance can attract civil penalties and enforcement action.

What it covers

A reporting entity carries a defined set of core obligations. In broad terms, these are:

  • Enrol and register with AUSTRAC where required.
  • Develop and maintain an AML/CTF program that identifies, assesses, and manages money laundering and terrorism financing risk.
  • Conduct customer due diligence, which means verifying who your customer is and, where relevant, the beneficial owner, before and during the relationship.
  • Report suspicious matters to AUSTRAC.
  • Report threshold transactions, such as cash transactions at or above the reporting threshold, and certain international transfers.
  • Keep records that evidence the above.

AUSTRAC's core guidance sets out how each obligation operates in practice, including program starter kits for newer entities.

Who it applies to

Historically the regime captured banks, remittance providers, gambling operators, and digital currency exchanges. The Tranche 2 reforms, introduced by the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 which passed Parliament on 29 November 2024, expand the regime to additional professions: certain lawyers, accountants, conveyancers, real estate professionals, and dealers in precious metals and stones.

The timing matters. Broader reforms affecting existing reporting entities commenced on 31 March 2026. Newly regulated Tranche 2 businesses will be regulated by AUSTRAC from 1 July 2026, with some flexibility under transitional rules. AUSTRAC has published an overview of the reforms and a tool to check whether a business will be captured.

Where AI fits

AI is increasingly used in transaction monitoring, customer screening, and sanctions checks. Where a reporting entity uses AI for these functions, the AI does not sit outside the regime. The obligation to apply appropriate risk-based systems and controls still rests with the entity, and the entity must be able to explain and defend the outputs.

Practical implications include model governance, the ability to evidence why an alert was or was not escalated, and avoiding "black box" tools whose decisions cannot be justified to a regulator. Human oversight of automated decisions, and clear records of that oversight, support both the customer due diligence and suspicious matter reporting obligations.

What practitioners should do

If you advise or operate within a captured business, confirm whether it is a reporting entity and whether Tranche 2 newly captures it. Map the designated services provided, then test the AML/CTF program against the current Rules rather than an older version, given the 31 March 2026 and 1 July 2026 milestones.

For AI-assisted monitoring, treat the tooling as an extension of the program, not a substitute for it. Document the risk rationale, retain explainability evidence, and keep a human in the loop for escalation decisions. When in doubt about scope, AUSTRAC's check tool and core guidance are the authoritative starting points.

TheAICommand. Intelligence, At Your Command.


Frequently asked questions

What is the AML/CTF regime in Australia?

It is Australia's framework for preventing money laundering and terrorism financing, set out in the AML/CTF Act 2006 and administered by AUSTRAC. Regulated businesses, called reporting entities, must enrol with AUSTRAC, maintain a compliance program, verify customers, and report suspicious and threshold transactions.

Who regulates AML/CTF compliance in Australia?

AUSTRAC, the Australian Transaction Reports and Analysis Centre, is the regulator. It is both Australia's financial intelligence unit and the supervisor of reporting entities. AUSTRAC publishes the AML/CTF Rules, guidance, and program starter kits, and it takes enforcement action against businesses that fail to meet their obligations.

What are the core obligations for a reporting entity?

A reporting entity must enrol and register with AUSTRAC, develop and maintain a risk-based AML/CTF program, conduct customer due diligence, report suspicious matters, report threshold transactions such as large cash dealings, and keep supporting records. The exact services that trigger these obligations are the designated services listed in the Act.

What changes under the Tranche 2 reforms and when?

The AML/CTF Amendment Act 2024 extends the regime to more professions, including certain lawyers, accountants, conveyancers, real estate professionals, and dealers in precious metals and stones. Broader reforms commenced 31 March 2026, and newly regulated Tranche 2 businesses are regulated by AUSTRAC from 1 July 2026, subject to transitional rules.

Does using AI for transaction monitoring change my AML/CTF obligations?

No. The obligation to apply appropriate risk-based controls remains with the reporting entity, not the tool. If you use AI for monitoring or customer due diligence, you must be able to explain its outputs, govern the model, keep records of escalation decisions, and maintain human oversight so the system supports rather than replaces your compliance program.


General information and education only. Not legal, compliance, financial, or professional advice. Always confirm obligations against the primary source and current regulator guidance.