Navigating Australia's AML/CTF Reforms

This post summarises his Equifax Frontiers: Championing Digital Trust presentation. He highlighted the significant preparation required by businesses to get ready for the AML/CTF reforms, which come into effect from 31 March 2026.

"This is a fundamental change”, explains Neil. “Anybody that says ‘this is simply rejigging what is currently there’ is deluding themselves."
 

Why the reforms are happening now

Australia's existing AML/CTF laws were drafted in 2005 - a vastly different time from today's digital, interconnected world. The previous legislation simply hasn't kept pace with the evolving threats posed by serious and organised crime. This has allowed criminals to exploit legitimate businesses to launder money. These illicit funds are often reinvested in further criminal activities, like child exploitation, drug trafficking, scams and fraud.

The Tranche 2 reforms also ensure that Australia’s AML/CTP regime aligns with the Financial Action Task Force (FATF), the global body that sets international standards for combating money laundering. Neil highlighted that Australia was one of only a few countries - along with Haiti and Madagascar - that had not yet brought Designated Non-Financial Businesses and Professions (DNFBPs) into its AML/CTF regime. 

With a FATF evaluation on the horizon, Australia faced the threat of being ‘grey-listed’, a designation that could cause an approximate 8% drag on GDP.¹

The new reforms have these core objectives:

• Simplify and clarify: To make the regime clearer for businesses to comply with their obligations.
• Modernise: To reflect changing business structures, technologies, and illicit financing methods.
• Extend: To encompass higher-risk services provided by Tranche 2 entities, including real estate professionals, lawyers, accountants, trust and company service providers, and dealers in precious stones and metals.

A new focus: from tick-box to harm prevention

One of the most significant shifts in the AML/CTF reforms is the move away from a prescriptive, rules-based system to one focused on risk-based outcomes. “The focus of this legislation is harm prevention”, says Neil. “It’s no longer about ticking boxes - businesses must do a lot of work and a lot of planning on how to protect against the evolving threats posed by money laundering, terrorism financing, and other serious and organised crime.”

Neil explains, "This is a rear-view mirror assessment. It's 'did you prevent harm?'. That's how you'll be judged."

This new approach means businesses must be proactive. AUSTRAC, the financial intelligence and regulatory agency, will be looking to see that organisations are achieving meaningful outcomes in managing their risks and preventing their business from being used by criminals.

What businesses need to do now

With the clock ticking towards implementation, these are some of the key measures organisations must be planning to implement:

1. Re-evaluate your AML/CTF program

There is no longer a requirement to structure your AML/CTF program into rigid Part A and Part B formats. This shift provides proportionality and flexibility, empowering businesses to tailor their programs to the actual risks they face. 

The new focus is on outcomes, not process. The goal is to design a program that best suits your operational context, provided it effectively identifies, mitigates, and manages your risks. This is about establishing effective internal controls and fostering a culture of compliance that allows you to focus on preventing actual harm and disrupting criminal activity.

2. Sharpen your customer due diligence (CDD)

This is a major area of complexity under the new rules.

• Individuals: You will have to strengthen or develop a risk based approach to how you identify and verify a customer. “You'll be judged with hindsight on whether your method was sufficient to prevent harm” says Neil, “requiring businesses to really think through the robustness of their approach”.
• Non-individuals: The amount of information you'll need to collect on non-individual customers is going "glacial", according to Neil. Beyond beneficial owners and directors, you'll also be required to collect the full names of individuals with primary responsibility for governance and executive decisions. Extensive information, including ownership, legal and control structure, is needed before providing a designated service, not after the fact.
• Enhanced CDD: The triggers for Enhanced Customer Due Diligence (ECDD) are expanding. In addition to high money laundering/terrorism financing risk, foreign PEPs, Suspicious Matter Reports (SMRs) and FATF blacklisted entities, ECDD is now mandatory for transactions that have no apparent economic or legal purpose, or those that are unusually complex or large or involve an unusual pattern of activity. You'll also need to define additional high-risk scenarios that require ECDD based on customer type, designated services, delivery channels and jurisdictions.

3. Integrate sanctions compliance

Under the new regime, AUSTRAC is effectively becoming the sanctions regulator. Your sanctions policy must now be integrated into your AML/CTF program. This means you are now required to screen all customers for sanctions and Politically Exposed Persons (PEPs) before providing a designated service, though the rules offer some flexibility for sanctions screening timing. This means working through the practical issues of what you are currently doing, whether this will still work or whether you need a different approach.

4. Clarity on compliance officer accountability 

The new rules explicitly define the roles and responsibilities of the governing body, responsible officer, and AML compliance officer (AMLCO) to strengthen governance. The compliance officer must be assessed as a Fit and Proper person, including a review of their capability, honesty, integrity, and financial status, ensuring they have the necessary skills, knowledge, and resources to perform their duties without a conflict of interest.

5. Navigate the new travel rule

If you are a financial institution providing designated services, you may be classified as a Value Transfer Services Ordering Institution or Beneficiary Institution. This means you will have to comply with the Travel Rule, which mandates the sharing of a structured set of information with every payment that leaves your organisation and monitoring for that information coming in. Failing to do so is a direct civil penalty provision under the Act.

6. Rethink your reporting group structure

The current Designated Business Group (DBG) regime is being replaced with a new "lead entity" arrangement. The new rules place significant liabilities on the lead entity, which is deemed to be providing and is liable for all designated services across the group. “That may be okay if you're a small organisation within Australia”, says Neil, “but  for international businesses, a subsidiary could make the parent company fully liable for non-compliance.” 
There is no grandfathering rule for designated business groups, meaning existing groups will not be exempt from the new requirements.

Embracing technology to overcome complexity

The complexities of the AML/CTF reforms are challenging, but they are also an opportunity to build a more resilient and efficient business. Effective risk management is key. 

Start with a comprehensive risk assessment to pinpoint potential vulnerabilities and develop a clearer understanding of your risk exposure. Then use technology solutions that offer you an end-to-end layered approach to simplify your implementation of simplified and enhanced customer due diligence. By front-loading these checks, you can improve efficiency: “Performing strong identity checks upfront means your downstream processes can be more efficient”, says Neil.

Technology is your ally in this process. It allows for a more intelligent, dynamic business logic during onboarding, tailoring checks to the risk level of each customer. This means you can meet your obligations without creating unnecessary friction.

The new rules demand a new approach. At Equifax, we are here to help you navigate this complex landscape. We have a proven track record, trusted by businesses across many sectors.

To learn how our tools can help you stay compliant, including our secure and efficient verification processes; contact us today for a free consultation.

The content of this document is provided for information purposes only. It does not constitute legal or compliance advice and should not be used as such. Further, the information in this document is provided on the basis that all persons accessing it undertake responsibility for assessing the relevance and accuracy of its content. Should you consider it necessary, please seek your own legal or compliance advice for application of any this information to your own circumstances.