The Australian Government has introduced significant reforms to the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act). From 31 March 2026, a new cohort of businesses defined as “Designated Non-Financial Businesses and Professions (DNFBPs)” will be subject to the “Tranche 2” regulations.
For these businesses, preparedness for these reforms is not merely a regulatory obligation, but a strategic imperative that critically intertwines with robust data protection and compliance measures.
What are the AML/CTF Reforms?
The reforms are designed to address the persistent and evolving threat from serious and organised crime. These criminal operations exploit legitimate businesses to obscure the origins of their proceeds of crime, channeling laundered funds into further criminal activities.
The reforms are a central pillar in the nation’s efforts to deny criminals the profits of their illegal activities and prevent funds from reaching the hands of criminals or terrorists.
The AML/CTF Act currently regulates businesses in sectors identified as high-risk for money laundering and terrorism financing such as financial institutions and gambling companies.
The upcoming “Tranche 2” reforms will broaden the AML/CTF regime to include additional high-risk services, bringing more professions under the scope of regulation. These “Designated Non-Financial Businesses and Professions (DNFBPs)” are now recognised as critical in combating financial crime. They include:
- Real estate professionals: Such as real estate agents, buyers’ agents, and property developers involved in brokering the sale, purchase, or transfer of real estate.
- Dealers in precious metals and precious stones: This encompasses those dealing in gem-quality stones and products made from precious metals or stones.
- Professional service providers: This is a broad category that significantly expands the reach of the Act and includes:
- Lawyers/conveyancers: For services related to planning or executing transactions to buy, sell, or transfer real estate, or assisting with financial transactions for bodies corporate or legal arrangements.
- Accountants: When providing certain services that involve managing or dealing with client money, accounts, or property.
- Trust and company service providers: Those who assist in the formation, operation, or management of companies and trusts, which can be exploited for illicit purposes.
The inclusion of these sectors aims to close critical vulnerabilities that have long been exploited by criminals, bringing Australia into closer alignment with international standards set by bodies like the Financial Action Task Force (FATF). All businesses providing these “designated services” will be classified as “reporting entities” and will be obligated to enroll with AUSTRAC and comply with the AML/CTF Act’s requirements.
What do businesses need to do to comply?
Businesses affected by Australia’s AML/CTF reforms will need to undertake a series of critical reporting and compliance measures to meet their obligations and avoid significant penalties. These measures are designed to help identify, mitigate, and manage the risks of money laundering and terrorism financing.
This will include developing a written AML/CTF program tailored to their specific operations, nature, size, and complexity. This program should identify and assess the money laundering and terrorism financing (ML/TF) risks posed by their customers, services, delivery channels, and geographical dealings. It should also identify measures to be undertaken for compliance such as due diligence, training, auditing and governance.
The key compliance requirement will be reporting to AUSTRAC. Reporting entities must submit the following reports when applicable:
Suspicious Matter Reports (SMRs): If they have “reasonable grounds” to suspect that a person is not who they claim to be, or a transaction or activity is related to criminal activity, proceeds of crime, tax evasion, fraud, or terrorism financing.
Threshold Transaction Reports (TTRs): Required for physical currency transactions (cash) involving A$10,000 or more (or foreign currency equivalent).
International Funds Transfer Instruction Reports (IFTIs): Required for any instruction to send or receive money overseas, regardless of the value, if sent electronically or by a remittance service provider.
Cross-Border Movement Reports (CBMs): Submitted when physically carrying, mailing, or shipping monetary instruments (e.g., physical currency or bearer negotiable instruments) valued at A$10,000 or more into or out of Australia.
AUSTRAC Compliance Reports: Annually, businesses must submit a compliance report summarising how they met their AML/CTF obligations for the previous calendar year (January 1 to December 31). This report is typically due between January 1 and March 31 of the following year.
Additionally, keeping rigorous records of customer identification and verification procedures, transactions undertaken, AML/CTF program documentation and any variations, audit results and reports is essential. These records must be readily available to law enforcement if required for investigations.
Data security and AML/CTF compliance
The efficacy of these measures hinges not just on procedural compliance, but on the integrity and security of the data that underpins them. In an era of rampant cybercrime, data protection has emerged as an indispensable component of effective AML/CTF readiness.
Businesses must navigate these intricate requirements while striving to maintain operational efficiency, a challenge that can lead to increased costs and potential reputational damage if not addressed effectively. The need for streamlined, secure, and automated solutions has, therefore, never been more critical.
To effectively mitigate these ever-present data risks and ensure the integrity of sensitive client information, businesses must adopt best practice strategies that address the full spectrum of data protection. Key principles, derived from successful implementations, include:
- Digital onboarding: Implementing secure digital onboarding platforms that replace manual processes and protect data more effectively.
- Client control: Utilising dynamic consent management tools to give clients control over their data sharing preferences, fostering transparency and trust.
- Verification: Automating document verification processes to reduce manual errors and free up staff.
- AML/CTF checks: Integrating pre-configured compliance workflows that automate key AML/CTF checks such as identity verification and transaction monitoring.
- Real-time monitoring: Leveraging real-time compliance measures like dashboards to monitor risk exposure and maintain audit readiness. Proactively adapting to evolving regulatory requirements through continuous monitoring.
- Encryption: Encrypting all client data and storing it in secure digital vaults accessible only by authorised personnel.
- Audit trails: Maintaining comprehensive audit trails to enhance accountability and data governance.
- Safe data sharing: Implementing secure data sharing protocols, including encrypted communication channels.
- Training: Providing thorough training to staff on data protection and AML/CTF policies.
- Support: Offering dedicated customer support for seamless implementation and ongoing use of data protection systems.
While these comprehensive compliance measures may seem daunting to implement, leaning on technology solutions can be a great help. At Owen Hodge Lawyers we’ve partnered with My Databoss to meet our AML/CTF obligations, handle sensitive data securely, minimise manual error, offer an auditable trail, and respect client privacy via a centralised, secure platform.
Our experience demonstrates that getting AML/CTF ready, particularly for “Tranche 2”, does not require hiring a large compliance team, but rather a deliberate and foresightful investment in secure, integrated solutions.
Key takeaways
Australia’s AML/CTF reforms represent a vital evolution in the fight against serious financial crime.
Failing to comply with these obligations can lead to significant penalties, including substantial civil and criminal fines, injunctions, and reputational damage. Proactive implementation is crucial for businesses to navigate these reforms successfully.
By prioritising data protection, businesses can transform a compliance challenge into an opportunity to safeguard their clients, their reputation, and the broader community.
This article provides general information only.
Keep up to date with our stories on LinkedIn, Twitter, Facebook and Instagram.
