AUSTRAC AML/CTF Compliance in 2026: What Reporting Entities Need to Know
A practical guide to AUSTRAC AML/CTF compliance for reporting entities. What's changed, what's being enforced, and how to assess your program's coverage.
If you’re a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, your compliance obligations have never been more scrutinised. AUSTRAC’s enforcement posture has shifted from guidance-led to penalty-led, with civil penalties reaching into the hundreds of millions.
This guide covers what reporting entities need to know in 2026: the regulatory framework, what AUSTRAC is actually enforcing, and how to assess whether your program has gaps.
Who is a reporting entity?
A reporting entity is any person who provides a designated service. This includes:
- Banks and ADIs: Account services, loan services, stored value cards
- Remittance service providers: International funds transfer services
- Gambling operators: Casino services, online gambling
- Bullion dealers: Buying or selling bullion
- Digital currency exchange providers: Exchange services involving digital currency
- Other financial services: Insurance, securities, derivatives, superannuation
If you provide any designated service listed in Section 6 of the AML/CTF Act, you’re a reporting entity with the full suite of obligations.
The regulatory framework
The AML/CTF compliance framework has three layers:
1. The Act (AML/CTF Act 2006)
The primary legislation establishing the reporting entity obligations, AUSTRAC’s powers, and the penalty framework. This sets the high-level requirements.
2. The Rules (two instruments)
AML/CTF Rules 2007 — the existing detailed rules for traditional financial services: 614 rules across 20 chapters covering customer identification, reporting, record keeping, and more.
AML/CTF Rules 2025 (Tranche 2, effective 31 March 2026) — the new instrument extending AML/CTF obligations to real estate agents, accountants, lawyers, and trust and company service providers. 154 rules across 12 Parts, bringing an estimated 70,000-90,000 new businesses under AUSTRAC’s regime.
AuditDSS maps both instruments: 768 rules total (154 from 2025 + 614 from 2007), decomposed into 5,534 testable obligations.
3. The Regulations
Supporting regulations that provide additional detail on specific topics (exemptions, thresholds, etc.).
Most compliance programs focus on the Act and treat the Rules as secondary. This is backwards. The Rules contain the specific, testable obligations that AUSTRAC enforces against.
What AUSTRAC is actually enforcing
AUSTRAC has taken 23 formal enforcement actions under the AML/CTF framework. The pattern is clear:
High-enforcement categories
Customer identification and due diligence: The most frequently enforced category. AUSTRAC consistently targets failures to:
- Verify customer identity before providing services
- Conduct ongoing CDD when trigger events occur
- Apply enhanced CDD to higher-risk customers
- Identify and verify beneficial owners
Transaction monitoring and reporting: The second-most enforced category, including the landmark CBA case. Key obligations:
- Filing threshold transaction reports (TTRs) within required timeframes
- Maintaining transaction monitoring systems that detect suspicious patterns
- Filing suspicious matter reports (SMRs) when indicators are identified
AML/CTF program adequacy: AUSTRAC increasingly targets the program itself — not just individual control failures but whether the overall program framework is adequate, documented, and proportionate to risk.
The penalty scale
The penalty scale has escalated dramatically:
| Year | Entity | Penalty | Primary issue |
|---|---|---|---|
| 2018 | CBA | $700M | TTR failures, monitoring gaps |
| 2020 | Westpac | $1.3B | IFTI failures, child exploitation risk |
| 2022 | SkyCity | $67M | Program deficiencies, CDD failures |
| 2023-24 | Multiple | $5M-$25M | Various CDD and reporting failures |
The trend is clear: penalties are increasing, enforcement is broadening beyond the Big Four banks, and the threshold for what constitutes “adequate” compliance is rising.
How to assess your AML/CTF program
Step 1: Move from rule-level to obligation-level
The most common mistake is assessing compliance at the rule level — one checkbox per section. The AUSTRAC Rules contain 5,534 distinct obligations across both instruments (3,559 from the 2007 Rules and 1,975 from the 2025 Rules). A single rule like “ongoing customer due diligence” contains 5-10 separate testable requirements.
Step 2: Score gaps by risk, not just presence
Not all gaps are equal. A gap in customer identification (frequently enforced, high cascade impact) carries more risk than a gap in schedule formatting (never enforced, no dependencies). Risk scoring should consider:
- Structural importance: Where does this obligation sit in the regulatory framework?
- Enforcement history: Has AUSTRAC enforced this category before?
- Violation frequency: How commonly is this obligation breached across the industry?
- Cascade impact: How many other obligations depend on this one?
Step 3: Map dependencies
Regulatory obligations don’t exist in isolation. Customer identification failures cascade to:
- Due diligence failures (CDD depends on CID)
- Enhanced CDD failures (ECDD depends on risk assessment, which depends on CID)
- Ongoing monitoring failures (monitoring depends on customer risk profile)
- Reporting failures (SMR detection depends on adequate monitoring)
Understanding these cascades changes the priority order of your remediation efforts.
Step 4: Calibrate against enforcement data
Your risk assessment should reflect what AUSTRAC is actually enforcing, not just what the Rules say. Categories with active enforcement actions carry higher compliance risk than categories where AUSTRAC has been silent.
Step 5: Assess regularly
Your AML/CTF program isn’t static. New products, new customers, new geographies, staff changes, and system updates all affect coverage. A point-in-time assessment becomes stale within months.
Best practice is quarterly assessment of your AML/CTF program against the full obligation set, with monthly reviews of high-risk areas.
The compliance posture shift
The shift from guidance-led to penalty-led regulation means the standard for “adequate” compliance has risen significantly. What was acceptable in 2018 may not be acceptable in 2026.
Key shifts:
- Documentation matters more: AUSTRAC expects your methodology, risk assessments, and control designs to be documented and defensible
- Proportionality is tested: Simply having controls isn’t enough — they must be proportionate to your specific risk profile
- Ongoing obligations are enforced: Initial compliance at onboarding isn’t enough — ongoing monitoring, updating, and review obligations are actively tested
- Individual accountability: The Tranche 2 reforms increase personal liability for compliance officers and directors
- New sectors, same expectations: The 2025 Rules bring real estate agents, accountants, lawyers, and TCSPs under the same enforcement framework. AUSTRAC has not signalled a lenient approach — new Tranche 2 entities should expect the same rigour applied to financial institutions
Practical next steps
- Assess your current coverage: Run your AML/CTF program through an obligation-level gap analysis. Not a rule-level checklist — an obligation-level assessment that tests every condition and threshold.
- Prioritise by enforcement risk: Focus remediation on the obligation categories that AUSTRAC is actively enforcing, not just the ones that are easiest to fix.
- Build in regular assessment: Move from annual compliance reviews to quarterly (or monthly) automated assessments that catch gaps as they emerge.
- Document your methodology: Make sure your risk assessment methodology, proportionality judgments, and control design decisions are documented and defensible.
AuditDSS provides obligation-level compliance scoring for AUSTRAC AML/CTF — covering both the 2025 Rules (Tranche 2) and 2007 Rules. 768 rules, 5,534 obligations, 4-axis risk scoring calibrated on 23 enforcement actions and 133 FATF assessments.