Artboard 1Icon/UI/CalendarIcons/Ionic/Social/social-pinterestIcon/UI/Video-outline

Final checklist before 1 July: Are you ready for Australia’s AML/CTF reforms?

22 June 2026

7 min read

#Governance

Published by:

Final checklist before 1 July: Are you ready for Australia’s AML/CTF reforms?

With Australia’s Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) reforms taking effect on 1 July 2026, the countdown is on for Tranche 2 businesses. Real estate agents, property developers, accounting firms, law firms and other newly captured entities should now be moving from awareness to implementation.

By 1 July 2026, businesses should be able to demonstrate that they have assessed whether they provide designated services, documented their money laundering (ML), terrorism financing (TF) and proliferation financing (PF) risks, approved an appropriate AML/CTF program, implemented practical systems and controls, trained staff, tested workflows, and retained the records needed to evidence compliance.

The checklist below outlines the key steps, evidence and documentation that businesses should have in place, including readiness to complete any required AUSTRAC enrolment by the critical cut-off date of 29 July 2026.

What should businesses have in place by 1 July?

A business that provides, or intends to provide, an AML/CTF designated service from 1 July 2026 should have the following in place by the commencement date:

  • service line mapping report: The business should have prepared a documented factual analysis of its services, client types, transaction types, payment flows, funds handling, delivery channels, geographic exposure, third-party involvement and related operational processes to identify designated services under the AML/CTF regime. The analysis should be conducted by an independent investigator or reviewer to provide a clear evidence base for the subsequent legal assessment
  • designated services and reporting entity assessment: The business should obtain a documented assessment of whether its mapped activities constitute AML/CTF designated services and whether the business is a reporting entity. Best practice is for this assessment to be provided by a lawyer, using the service line mapping report as evidence, with the legal advice provided under legal professional privilege where appropriate. The assessment should identify activities that are in scope, out of scope or require further review, and address any group structure, related entity or AUSTRAC enrolment issues. This is also when property developers should assess whether the travel rule applies
  • business ML/TF/PF risk assessment: If the business provides one or more designated services, it must prepare a documented assessment of its ML/TF/PF risks. The assessment should consider the business’s designated services, customer types, matter or transaction types, payment methods, geographic exposure, delivery channels, use of intermediaries, sanctions and PEP exposure, source of funds and source of wealth risks, PF risks and other relevant operational risks. The risk assessment should inform the design of the AML/CTF program
  • AML/CTF governance framework settled for program preparation: Before finalising the AML/CTF program, the business should confirm who will perform the key AML/CTF governance and operational roles. This includes identifying the governing body or equivalent oversight function, the senior manager responsible for AML/CTF oversight, the AML/CTF compliance officer, and the personnel responsible for implementing the program. The governance framework may be developed during preparation of the AML/CTF program, but roles and responsibilities should be clearly documented in the program and approved by a senior manager
  • compliant AML/CTF program: Reporting entities must adopt and maintain a written AML/CTF program that complies with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) as amended, AML/CTF Rules as amended and applicable AUSTRAC guidance that is appropriate to the nature, size, complexity and ML/TF/PF risk profile of the business. The program should establish the entity’s AML/CTF governance framework and document how ML/TF/PF risks are identified, assessed, managed and mitigated. It should also cover program review and updates, independent evaluation, record-keeping, customer due diligence, personnel due diligence and training, AUSTRAC reporting obligations, and any relevant exemptions or modifications relied on by the entity
  • senior manager approval and sign-off records: The AML/CTF program should be formally approved by a senior manager before commencement. The approval should confirm that the program is based on the business's ML/TF/PF risk assessment, that key AML/CTF governance roles and responsibilities have been allocated, and that the business is satisfied the program is ready for implementation
  • AUSTRAC enrolment readiness: Where the business is a reporting entity, it should identify and complete the necessary AUSTRAC pre-enrolment steps prior to and no later than 28 days after the date of providing the designated service. Any newly regulated business that provides designated services from 1 July 2026 must enrol with AUSTRAC no later than 28 days after the date it starts providing those services (by 29 July 2026). When enrolling, the business will need to provide information that may include expanded or amended designated services, beneficial owners of the business, details of the AML/CTF compliance officer, updated organisation profile and reporting group details where relevant. This is done through the AUSTRAC online portal. If the business is part of a reporting group, both the lead entity and the reporting entity must enrol.
  • operational systems: The business should implement the practical systems and workflows, whether manual, software-based or hybrid, needed to operate its AML/CTF program. These should cover customer due diligence, customer and matter risk-rating, beneficial ownership checks, enhanced due diligence, sanctions and PEP screening, source of funds and source of wealth enquiries, transaction or matter monitoring, internal escalation, suspicious matter reporting, approval gates, record-keeping and management reporting. The systems should be proportionate to the business’s risk profile and sufficiently documented to show how the program operates in practice
  • staff training and awareness: Relevant staff should have appropriate training tailored to their specific role in the AML/CTF processes the business is implementing. This includes staff, the AML compliance officer, senior manager and governing body or equivalent. Training should have been completed before the commencement of the new reforms on 1 July 2026
  • pre-commencement testing: Before ‘go-live’, the business should have tested its AML/CTF controls, procedures, systems and workflows. Testing should confirm that key processes operate as intended, including onboarding, verification, risk-rating, enhanced due diligence, screening, monitoring, escalation, reporting, approval and record-keeping. Issues identified during testing should be remediated before commencement
  • evidence of implementation and readiness: The business should maintain a complete readiness file demonstrating it completed the key steps before 1 July 2026. This should include the service line mapping report, designated services and reporting entity assessment, legal advice (where obtained), ML/TF/PF risk assessment, governance planning records, AML/CTF program, senior manager sign-off, AML/CTF compliance officer acknowledgement, AUSTRAC enrolment records, operational materials, training records, testing records, issue logs, remediation records and operational readiness confirmation.

What if a business is not ready?

Although the new laws are enforceable from 1 July 2026, businesses providing a designated service will have until 29 July 2026 to enrol with AUSTRAC. Those who fail to do so, and are reasonably suspected of providing a designated service, could receive a section 167 notice from AUSTRAC.

The notice requires a person or business to produce documents or information relating to an entity’s AML/CTF compliance.

Those served with the notice must respond in accordance with the details specified within. Failure to comply with the requirements imposed by an authorised officer carries a maximum penalty of six months imprisonment and/or 30 penalty units (currently $19,800).

As a practical step, businesses should consider preparing a well-documented response. This may include an independent service line mapping report and legal submission where appropriate. An independent report’s objectivity strengthens the business's response and provides a factual evidentiary basis for the covering submission.

Other enforcement risks and considerations

The section 167 notice is an investigative tool that assists AUSTRAC in commencing enforcement action for non-compliance, including infringement notices, enforceable undertakings, civil penalty proceedings and, in some cases, criminal prosecution.

AUSTRAC’s policy indicates that it will take a strict approach to wilful blindness or complicity. Those who fall into these categories can expect little regulatory leniency.

Compliance is key

Businesses providing designated services should treat the coming days as a final readiness check. Even where all elements of an AML/CTF program are not yet fully implemented, clearly documented procedures and evidence of genuine implementation efforts will be critical in demonstrating compliance and avoiding enforcement action by AUSTRAC.

If you have questions about your AML/CTF program or are unsure whether you have everything in place by the critical enrolment date of 29 July, please contact us here.

Disclaimer
The information in this article is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this article is accurate at the date it is received or that it will continue to be accurate in the future.

Published by:

Share this