Consultation on Australia's new AML/CTF Rules May 2025: Cutting through the jargon

AUSTRAC has just released their second consultation on the draft AML/CTF Rules. It's a heavy read, so we've written this article to help you make sense of it in a practical way.

Note that AUSTRAC invites submissions on the proposals discussed in this consultation paper. You can provide submissions via AUSTRAC’s consultation page. The closing date for submissions is 11:59PM Friday 27 June 2025. Your feedback will assist AUSTRAC to determine whether measures in the ED2 Rules require amendment, or whether additional rules are required.

New content in Second Exposure Draft Rules - in plain terms

Enrolment details

If your business provides AML-covered services (captured services), you must enrol with AUSTRAC within 28 days of starting.

This applies to:

  • Anyone providing a designated service
  • Lead entities of reporting groups

AUSTRAC uses this info to understand your business, give you system access and provide tailored guidance.

The new rules update enrolment requirements to reflect Tranche 2, including asking for staff numbers and industry memberships. New online forms are also on the way.

Registration details

If you offer remittance or crypto services, you must register with AUSTRAC before starting. This is on top of your enrolment requirement.

Unlike enrolment, registration involves a formal review. AUSTRAC checks:

  • Your AML program and risk controls
  • The background of key staff
  • Whether you pose a high risk of money laundering or terrorism financing
  • Your overseas operations (if any)

This tougher process is based on global standards (like in the UK and Singapore) and is being introduced because these sectors are high risk.

The goal is to stop criminals from registering, raise compliance standards and give banks more confidence in working with remitters and crypto firms.

AML/CTF policies relating to financial sanctions

AUSTRAC is introducing a new rule that says businesses must have clear AML policies to make sure they don’t accidentally break financial sanctions laws, such as by dealing with people or organisations whose assets are supposed to be frozen.

This closes a long-standing gap in Australia's AML system that was criticised back in 2015 by the global watchdog FATF.

What this means in practice is:

  • You’ll need to check if your customer, or anyone behind them like a beneficial owner, trustee or agent, is on a sanctions list.
  • You must have a plan for what to do if they are. For example, how to freeze funds, report the issue and make sure you don’t help move money in or out of those accounts.
  • This also helps you avoid mistakes, like giving back money to someone you shouldn’t, thinking it lowers your risk.

Customer due diligence

Date and place of birth

  • The old draft required reporting entities to collect and verify a person’s place of birth.
  • Many said this was hard to do, unnecessary and didn’t add value.
  • That requirement has now been removed. You no longer need to ask for or check place of birth.

However, date of birth still matters. If you’re dealing with a situation that falls under the global “travel rule” (used for sending money between institutions), you must still verify the person’s date of birth - because international rules expect it.

Delayed verification

AUSTRAC is making it easier for businesses to start working with a customer before all identity checks are complete, in specific situations, especially when dealing with trusts, beneficial owners or similar setups under foreign laws.

You can delay verifying certain people as long as:

  • It would disrupt normal business if you had to wait for all checks to be done before starting the service.
  • You have a clear plan in your AML policies to finish those checks within 30 days.
  • The risk of money laundering or terrorism financing is low and you’ve put controls in place to manage that small risk.
  • Before starting, you’ve already assessed the customer’s risk using readily available KYC information.
  • You’ve collected the essential KYC info that’s relevant to that risk, such as who owns or controls the customer and who benefits from the service.

No beneficial ownership due diligence required for certain low risk customers

You don’t need to check beneficial ownership if your customer is low risk and is one of the following:

  • A government body
  • A regulated entity (like a bank or insurer)
  • A strata or community title body
  • A listed public company with transparent ownership

This applies even if the customer is overseas, as long as they’re regulated and low risk. You must still apply enhanced checks if any risk red flags appear.

Identifying any person on whose behalf the customer is receiving the service

AUSTRAC has clarified: you only need to identify beneficiaries of a trust (or similar structure).
You don’t need to investigate your customer’s customers.

Deemed compliance where a reporting entity is involved in mergers or acquisitions

If you buy another business or client book and you receive complete customer records, you’ll be treated as having already done the required identity checks. There is no need to re-do them.

Suspicious matter reports and threshold transaction reports

You must report to AUSTRAC if:

  • You suspect a customer is lying about who they are, or
  • A service you provide might involve money laundering, terrorism financing, crime, tax evasion or criminal proceeds

This is called a Suspicious Matter Report (SMR).

You must also report cash transactions of $10,000 or more (or equivalent foreign currency). These are Threshold Transaction Reports (TTRs).

AUSTRAC is updating both forms to:

  • Collect more useful and targeted data
  • Reflect modern crime methods and digital services
  • Help law enforcement spot risks faster
  • Support new industries joining under Tranche 2

The new forms will be more consistent, smarter and easier to use.

Transitional arrangements for international value transfer reports

AUSTRAC and the Department of Home Affairs will keep the current rules for international funds transfers in place until sometime after 2026. This gives time to:

  • Develop proper rules for value transfers, including crypto wallets
  • Consult with industry and build workable systems

So for now: keep using the existing process for international transfers.

Part 1 – Preliminary

1. Automatic reporting groups

What AUSTRAC heard:
Can we opt out of being in a reporting group if we’re part of a corporate structure?

Plain English response:
If one company controls others, you’re automatically grouped for AML purposes. You can’t opt out. If there’s no control link, joining is optional.

2. Lead entity of a business group

What AUSTRAC heard:
The rule about which company gets chosen as the lead entity is too strict.

Plain English response:
Groups can now agree who the lead is, as long as they’re not controlled by someone else and are connected to Australia.

3. Non-operating holding companies as lead entities

What AUSTRAC heard:
Can a parent company be the lead entity, even if it has no staff or services?

Plain English response:
Yes. A non-operating holding company can be the lead entity if it meets the rule’s criteria.

4. Lead entity in elective reporting groups

What AUSTRAC heard:
The draft didn’t make it clear how lead entities are chosen when groups form voluntarily.

Plain English response:
The updated rules let members agree on the lead, as long as they aren’t under another’s control and are linked to Australia.

5. Discharge of member's obligations

What AUSTRAC heard:
Can one group member do the compliance work for another?

Plain English response:
Yes, tasks can be shared, but the legal responsibility stays with the entity the rule applies to. Lead entities must document and oversee it.

6. Group exemptions (section 26T)

What AUSTRAC heard:
If one member qualifies for an exemption, does that apply to the whole group?

Plain English response:
Exemptions apply individually. A member can still be exempt even if others aren’t. But lead entities may inherit some responsibilities. 

7. Enrolment of non-reporting group members

What AUSTRAC heard:
Do all group members need to enrol with AUSTRAC?

Plain English response:
No. Only reporting entities providing designated services and lead entities must enrol. Others don’t; they’ll get access to AUSTRAC’s systems in other ways.

Part 4 – Programs (parts 2 & 3 not included in Annexure C)

8. Review of ML/TF risk assessment

What AUSTRAC heard:
The term “adverse findings” is too broad and might force unnecessary reviews.

Plain English response:
You only need to review your risk assessment if the independent review finds a genuine problem with how you did it. Not every issue triggers a full update.

9. Interaction of risk assessment review with section 26T exemptions

What AUSTRAC heard:
Do small firms, exempt under section 26T, still have to do risk assessment reviews?

Plain English response:
No. If you're exempt from needing an independent evaluation, the rule to review your risk assessment doesn't apply.

10. Personnel due diligence (who needs checking?)

What AUSTRAC heard:
The draft rule was too broad. It seemed like we had to vet every contractor, even if they don’t do AML work.

Plain English response:
You only need to check people doing AML-related tasks. AUSTRAC expects you to evaluate who these people are based on their roles.

11. Personnel due diligence (recognition of other checks)

What AUSTRAC heard:
Can we rely on existing vetting processes (e.g. legal practising certificates, APRA fit and proper tests)?

Plain English response:
Yes, but you must assess if those checks meet your AML needs. AUSTRAC won’t list every accepted regime, but will offer guidance on how to align existing checks with AML rules.

12. Personnel due diligence (scope)

What AUSTRAC heard:
The rule felt too rigid. Can we take a risk-based approach instead of doing detailed checks for everyone?

Plain English response:
You must assess people’s integrity and AML skills if they do AML tasks. This can be scaled based on business size and role. Poor hiring = poor controls.

13. Personnel due diligence (outsourcing) 

What AUSTRAC heard:
Can we outsource these checks to a third party?

Plain English response:
Yes. But the responsibility stays with you. If your vendor does a poor job, you're still responsible. 

14. Purpose of independent evaluation

What AUSTRAC heard:
Why should solo operators or micro businesses pay for external reviews?

Plain English response:
Evaluations help you know if your AML program is working. But if you’re exempt (e.g. under section 26T), you won’t need to do one.

15. Scope of independent evaluation

What AUSTRAC heard:
Should the independent evaluation only review the parts of the AML policy required by Australian law, not extra stuff added for foreign regulators?

Plain English response:
The independent review must cover all of your AML/CTF policies, not just the sections required under Australian law. If you’ve included additional material (e.g. for overseas compliance), the reviewer can comment on those too.

If the review finds issues with how your policies are designed or how well they match your risks, you’re expected to update them.

16. Independent evaluator qualifications

What AUSTRAC heard:
Shouldn’t AUSTRAC define who’s qualified to do an evaluation?

Plain English response:
Your AML policies must include a plan for how often independent reviews happen: at least once every 3 years, or more often if needed for your business.

But what counts as independent? AUSTRAC says:
Use the plain meaning: the reviewer must not be influenced by, or part of, the team that runs your AML program. They must be able to give an honest, unbiased assessment.

AUSTRAC will publish more guidance, but for now: you must be able to show the reviewer is truly separate from your AML team.

17. Small business exemption for independent evaluations

What AUSTRAC heard:
The cost of a full independent review outweighs the potential benefits for low risk reporting entities, sole traders, small businesses and small partnerships.

Plain English response:
AUSTRAC says independent reviews are still required, but they should be scaled to fit your size and risk. Starter programs will help small businesses, but you’re still responsible for making sure your AML setup is working.

18. 'Senior manager' definition and approvals

What AUSTRAC heard:
It's not practical for only top execs to approve all AML matters, especially in large organisations.

Plain English response:
Senior manager doesn’t just mean C-suite. It includes anyone who helps make key decisions for a substantial part of the business. You can’t delegate senior manager responsibilities, but you can name more than one to share the load. Whether someone qualifies depends on their role, not their title.

19. Senior manager approval and notification exemption

What AUSTRAC heard:
Some asked for an exemption from senior manager approvals because their sector is low risk.

Plain English response:
No. AUSTRAC says all designated services carry some risk and must follow global AML standards. Senior manager oversight is essential because they control resources and set priorities, so every reporting entity must meet this requirement, no matter how low their risk.

20. AML/CTF policies relating to reporting obligations

What AUSTRAC heard:
AUSTRAC says all information you report, including who sent the money, must be correct and unchanged. Some businesses asked:

  • Does this rule apply to payer details too?
  • And if it does, how much checking are we expected to do?

Plain English response:
Some reports (like international transfers and crypto wallet reports) must be complete, accurate and unchanged. This is now in section 4-9.

The rule doesn’t apply to the travel rule, since that’s not a report to AUSTRAC.

More detail on what must be reported (and how) will come later through further consultation.

21. AML/CTF policies relating to reporting obligations - interpretation and application of ‘accurate’

What AUSTRAC heard:
Some asked AUSTRAC to explain what “accurate” really means. For example:

  • Does it include small mistakes, like typos or missing middle names?
  • How serious does the inaccuracy have to be before it’s a problem?
  • Is it enough if the info looks right, or does it need to be fully confirmed?

Plain English response:
When you submit reports to AUSTRAC, such as suspicious activity, large cash transactions, or crypto transfers, the information must be complete and correct.

If you knowingly give false or misleading info, or leave something out that makes it misleading, you could face criminal charges.

To avoid this, businesses must have proper checks and systems in place to make sure the information in reports hasn’t been changed and is as accurate as possible.

AUSTRAC depends on this information to spot and stop financial crime. If reports are wrong or incomplete, it makes their job harder.

22. AML/CTF policies for ordering and beneficiary institutions

What AUSTRAC heard:
Can institutions use a risk-based approach when deciding whether to release funds if details are missing or suspicious, especially for international transfers?

Plain English response:
Yes, you can take a risk-based approach. If information is missing or wrong, you can hold the funds. But if you're handling crypto, you must have accurate information before releasing funds, unless another provider in the chain genuinely can’t pass on the information securely.

23. Counterparty due diligence for virtual asset transfers

What AUSTRAC heard:
Clarify when you need to check who you're transacting with (the counterparty) when transferring virtual assets.

Plain English response:
All institutions involved in the transfer must follow the rules based on their role. Most of these providers already fall under AML rules anyway. 

24. AML/CTF Compliance Officers (‘management level’)

What AUSTRAC heard:
Some submissions said it's unclear what “management level” means for AML/CTF compliance officers and asked for more guidance, since this can vary between organisations.

Plain English response:
This rule about appointing a management-level AML/CTF compliance officer has existed since 2007. AUSTRAC will give more guidance soon. What counts as “management level” can differ depending on the size and structure of the business.

25. AML/CTF Compliance Officers (fit and proper)

What AUSTRAC heard:
Some people raised concerns that the draft rules say you must consider any past criminal convictions when deciding if someone is suitable to be an AML/CTF compliance officer, even if the crime isn’t related to financial wrongdoing, like drink driving or domestic violence. They’re worried this could unfairly affect people’s careers and lead to discrimination in hiring.

Plain English response:
Section 4-18 lists factors to consider when deciding if someone is fit to be an AML/CTF compliance officer, but how much each factor matters depends on the role. AUSTRAC says convictions for offences with two years or more jail time are relevant, especially if they show disregard for the law. Spent convictions laws still apply. 

26. AML/CTF Compliance Officer reporting to governing body

What AUSTRAC heard:
Some people thought section 12 of the draft rules meant that AML/CTF compliance officers must report directly to the board or top decision-makers in the business.

Plain English response:

The requirement in section 12 of ED1 Rules (now section 4-4 of ED2 Rules) is simply for the AML/CTF Compliance Officer to give reports (whether written, oral, video etc.) to the governing body regarding the matters in subsection (1) of that rule.

Beyond the requirement that the AML/CTF Compliance Officer be at management level, there are no requirements on the chain of command that applies to reporting entities. Notwithstanding, AUSTRAC has updated ‘reporting’ in subsection 4-4(1) of ED2 Rules to ‘reports’ to provide greater clarity.

27. AML/CTF Compliance Officer reporting to governing body (sole trader)

What AUSTRAC heard:
Responders noted that the requirement for AML/CTF compliance officer reporting to the governing body is redundant in the context of a reporting entity that is a sole trader or single employee business.

Plain English response:
AUSTRAC has clarified that if a business is run by one person and that person is also the AML/CTF compliance officer, they don’t need to report to themselves. The rule is meant to support good internal governance, but it doesn’t make sense to apply it in cases where one person fills both roles, like a sole trader. 

Part 5 – Customer due diligence

28. Establishing matters under subsection 28(2) of the Amended AML/CTF Act on reasonable grounds

What AUSTRAC heard:
Submissions asked for clarity on “reasonable grounds,” noting that property law uses a “reasonable steps” standard with safe harbour options to help smaller firms comply and manage risk.

Plain English response:
The law doesn’t specify what information must be used to meet the “reasonable grounds” test, except that tax file numbers can't be used. What’s required depends on the customer’s risk. AML policies should be scaled to suit the size and complexity of the business. 

29. Conducting initial CDD on a customer more than once

What AUSTRAC heard:
Submissions raised concern that, after 31 March 2026, CDD might be needed for every new service. They suggested a rule confirming that past CDD should still count if it was properly done.

Plain English response:
AUSTRAC has clarified that from 31 March 2026, once a customer’s identity is established on reasonable grounds, it doesn’t need to be re-done for every new service, unless something significant changes. Ongoing CDD will cover any changes over time.

30. Place of birth

What AUSTRAC heard:
Submissions noted that place of birth is hard to collect and verify digitally. It usually requires a passport or birth certificate, which many people don’t have, especially those born overseas.

Plain English response:
AUSTRAC saw value in collecting place of birth but removed the rule after feedback about the difficulty of verifying it. Now, it only needs to be included in reports if already collected through CDD.

31. Trading names and registered names

What AUSTRAC heard:
Submissions asked whether “registered name” meant “registered business name” and suggested clearer wording to match ASIC terminology. They proposed that rules should require only the customer’s full name and registered business name, not trading names.

Plain English response:
AUSTRAC updated the rules to reflect that trading names will no longer appear on the ABR after November 2025. However, overseas unregistered names should still be known by reporting entities.

32. Exclusion of tax file numbers

What AUSTRAC heard:
Submissions asked if a foreign tax ID can be used to identify a business customer, since the rules only ban use of Australian tax file numbers, not foreign ones.

Plain English response:
Australian law prohibits collecting or recording local tax file numbers for AML purposes, so this is excluded in the rules. However, foreign tax IDs aren't automatically excluded; whether they can be used depends on the laws of the country that issued them. Reporting entities need to check local laws and update their CDD policies accordingly. 

33. Safe harbour for small reporting entities

What AUSTRAC heard:
Some responders asked for a 'safe harbour' option for smaller firms, similar to the ARNECC rules, where taking ‘reasonable steps’ to verify identity is enough to meet compliance and manage risk.

Plain English response:
AUSTRAC won’t include a ‘safe harbour’ for CDD, as this can lead to a one-size-fits-all approach that ignores actual risk. Existing processes like ARNECC ID checks can help but must be supplemented to meet AML/CTF requirements. AUSTRAC will support smaller firms through starter programs and detailed guidance.

34. Understanding the intent of ‘how a customer is regulated’

What AUSTRAC heard:
Submissions suggested clarifying subsection 27(4), as the phrase ‘demonstrates how the customer is regulated’ sounds like it refers to government oversight, when the real intent may be to understand the customer’s governance structure.

Plain English response:
AUSTRAC acknowledged that the phrase ‘how a customer is regulated’ was unclear and has updated the rule to focus on the customer’s governance structure, in line with FATF recommendation 10.

35. Establishing matters regarding trusts

What AUSTRAC heard:
Submissions said the new rule makes it harder for businesses to know when a customer is acting as a trustee. They felt the old rule, triggered when a customer says they’re a trustee, was clearer and less burdensome and asked for it to stay that way.

Plain English response:
AUSTRAC confirmed that reporting entities must know what type of customer they’re dealing with, including whether it’s a trust. This is essential to assess ML/TF risk and identify any high-risk beneficiaries like PEPs or sanctioned individuals.

36. Settlors of a trust

What AUSTRAC heard:
Submissions said identifying the settlor is often hard, as they may be deceased or uninvolved. They asked AUSTRAC to clarify if it’s enough to just match the name in the trust deed.

Plain English response:
AUSTRAC agreed and has updated paragraph 27(5)(b) of ED1 Rules (now paragraph 5-2(6)(b) of ED2 Rules) to make it clearer that only the name of the settlor is required.

37. PEP screening of agents

What AUSTRAC heard:
Submissions noted that under the draft rules, agents must be treated like customers, meaning full checks, such as source of funds, may be needed if they’re PEPs. They pointed out this goes beyond FATF requirements, which only require verifying the agent’s identity and authority to act.

Plain English response:
AUSTRAC clarified that source of funds and wealth checks are only needed for PEPs who are the customer, a beneficial owner, or someone the service is for, and not for PEPs acting on the customer’s behalf. Agents still need to be identified and checked, but not to that extent.

38. Agents and former verifying officer process

What AUSTRAC heard:
Submissions asked for clarity on the term ‘agent,’ noting it could be confused with the old verifying officer role. They also said full CDD on agents may be too costly given their limited role.

Plain English response:
AUSTRAC confirmed agents must be identified and verified, as per FATF. The new rules are more flexible, and firms can still use the old verifying officer method if it meets legal standards, though it won’t count as independent verification. The “management and control” test only applies to signatories.

39. Investment managers as customers rather than agents

What AUSTRAC heard:
Submissions asked for clarity on treating investment managers as customers, noting it's hard to get KYC info on underlying funds. They suggested following overseas practice where, if the manager is the customer, no extra checks on the fund are needed.

Plain English response:
AUSTRAC clarified that whether the investment manager or the fund is the customer depends on the setup. But in either case, both parties must be identified: the fund if it receives the service and the manager if acting as agent or trustee. Simplified CDD may still apply if the situation meets the requirements under section 31.

40. Use of town agents for real estate settlement

What AUSTRAC heard:
Submissions asked for an exemption from initial CDD when solicitors use town agents for real estate settlements. They noted it’s common practice, often unpaid or low-cost and important for enabling settlements in rural and remote areas.

Plain English response:
AUSTRAC says no exemption is needed. If a solicitor uses a town agent for settlement, the agent is acting on the solicitor’s behalf, not providing a designated service themselves, so they don’t need to do CDD. However, their role should be covered in the solicitor’s AML/CTF policies.

41. Timing of real estate transactions

What AUSTRAC heard:
Submissions proposed delaying CDD in real estate deals, especially auctions, suggesting it be done after the contract is unconditional but before settlement to balance practicality and compliance.

Plain English response:
AUSTRAC has allowed delayed CDD for certain real estate transactions under section 5-7 of the new rules. This applies where timing is tight, like auctions, but only if ML/TF risk is low, controls are in place and settlement is conditional on CDD being completed. More detail on this new rule can be found in the exposure draft explanatory statement.

42. Other delayed verification circumstances

What AUSTRAC heard:
Submissions provided examples of situations where urgent services make it hard to complete CDD upfront and asked for flexibility to delay verification in those cases.

Plain English response:
AUSTRAC has expanded delayed verification under section 5-6 of the new rules. It now allows a 30-day delay for verifying key KYC details like beneficial owners and those acting on behalf of the customer. This applies to all designated services and should cover most urgent scenarios raised in submissions.

43. Determining the customer’s ML/TF risk when utilising a delayed verification rule

What AUSTRAC heard:
Submissions asked how to assess a customer’s ML/TF risk if verification is delayed, since that information helps determine the risk. They suggested a rule stating that risk rating isn’t required during the delay period set out in section 29(c) of the Act.

Plain English response:
AUSTRAC says no exemption is needed. Risk must be assessed using whatever KYC information is reasonably available at the time. If key information such as PEP status isn’t known due to delayed verification, the risk can be reviewed and updated later as part of ongoing CDD.

44. Utility of reliance provisions

What AUSTRAC heard:
Submissions said the reliance provisions in the draft rules aren’t useful because reporting entities are still fully liable if another entity’s KYC process is flawed. This doesn’t reduce the compliance burden in practice.

Plain English response:
AUSTRAC says the reliance rules aim to lower CDD costs while keeping standards high. Written agreements can offer safe harbour for isolated breaches if due diligence is done, though responsibility to fix issues still rests with the relying entity. Case-by-case reliance carries full liability. Entities must assess if using reliance is appropriate for their situation.

45. CDD reliance for all real estate transactions

What AUSTRAC heard:
Responders proposed allowing shared CDD in real estate deals via e-conveyancing platforms. Solicitors would handle complex checks, agents would do basic ID, and safeguards like client consent and transaction holds would apply to reduce duplication and improve efficiency.

Plain English response:
AUSTRAC’s new section 5-15 allows forward-looking CDD sharing in real estate deals to cut duplication and costs. Each entity must ID their customer and understand the relationship, but complex checks can be done by another party. It’s optional and platform-neutral.

46. Interaction of reliance provisions with section 26T exemption

What AUSTRAC heard:
Submissions said reliance agreements can force item 54 entities to take on extra duties they're exempt from, like ongoing CDD, due to terms set by financial product providers in distribution deals.

Plain English response:
AUSTRAC clarified that reliance rules only cover initial CDD. It’s up to each reporting entity to assess any agreements they enter into and ensure they don’t take on obligations that conflict with their legal exemptions under the AML/CTF regime.

47. Application of alternate CDD Verification

What AUSTRAC heard:
Submissions asked for section 38 to be expanded to cover non-individuals, noting that without this, customers may struggle to authorise others to act on their behalf and could face financial exclusion, like de-banking.

Plain English response:
Section 5-16 applies to individuals but can also help when verifying non-individuals in related roles, like agents. AUSTRAC advises using flexible risk-based measures instead of de-banking, especially where low-risk products are involved.

48. Monitoring for money laundering predicate offences

What AUSTRAC heard:
Submissions were concerned that section 39 would raise costs by requiring system changes and more resources, without clear benefit. They suggested limiting the rule to ML/TF/PF risks to avoid over-reporting.

Plain English response:
AUSTRAC clarified that section 5-20 narrows monitoring requirements to focus only on serious offences linked to ML/TF/PF, in line with FATF. This is meant to reduce the burden on reporting entities by avoiding the need to monitor for unrelated crimes, like minor or outdated offences.

49. Foreign and domestic PEPs and permanent establishments outside of Australia

What AUSTRAC heard:
Submissions asked AUSTRAC to clarify how to classify PEPs, foreign or domestic, when a customer receives a service through an overseas branch. They suggested defining PEP status based on the country where the service is provided.

Plain English response:
AUSTRAC can't redefine PEPs by jurisdiction, but new rules let entities treat a local PEP as domestic if the service is provided in the same country. E.g. a US branch serving a US Senator applies domestic PEP rules.

50. ‘Domestic PEP’ definition (local government)

What AUSTRAC heard:
Submissions said the domestic PEP definition is too broad, capturing low-risk roles like charity boards and local councillors. They recommended narrowing it to focus on true public authority roles to align with FATF and reduce compliance burden.

Plain English response:
AUSTRAC kept mayors and councillors as domestic PEPs due to their influence but narrowed the definition to include only heads and members of state or territory bodies overseen by an integrity or anti-corruption agency.

51. Interaction between senior manager approval for PEP customers, delayed verification of PEPs and SOW/F checks

What AUSTRAC heard:
Submissions noted a conflict between delayed PEP checks and the rule requiring senior manager approval before service. They proposed amending the rule to require approval as soon as possible after PEP status is known.

Plain English response:
AUSTRAC updated the rules so senior manager approval and source of wealth checks for PEPs are triggered once PEP status is confirmed. These obligations can be delayed if verification is delayed, but key info must still be collected early.

52. Enhanced CDD – nested services relationships

What AUSTRAC heard:
Financial institutions said the definition of nested services is too vague and broader than intended by FATF. They also found section 42 hard to apply, especially when assessing a customer’s systems and controls, calling it overly burdensome.

Plain English response:
AUSTRAC clarified that nested services rules apply to cross-border services between financial institutions, remitters, or VASPs, but exclude correspondent banking. They recommend using existing correspondent bank assessment tools to meet these requirements.

53. ‘Business group’ in the context of nested services relationship due diligence and correspondent banking due diligence

What AUSTRAC heard:
Financial institutions said the new requirement to check an entire “business group” is too broad and more burdensome than the previous rule, which focused only on related bodies under the Corporations Act.

Plain English response:
AUSTRAC has narrowed the rule so due diligence only needs to cover members of the respondent’s business group that are financial institutions, VASPs or remitters, reducing the compliance burden.

54. Beneficial owners

What AUSTRAC heard:
Responders asked for a rule allowing beneficial owners to be excluded from identification in certain cases, similar to the current exemption in subparagraph 4.12.2(2) of the 2007 Rules, to support deemed compliance with section 28(2)(d).

Plain English response:
AUSTRAC has added section 5-15 to ED2 Rules, allowing deemed compliance for beneficial owner checks if the customer is low risk, not covered by section 32 and is a prescribed entity type. In these cases, reporting entities must instead identify the individuals responsible for the customer's governance and decisions.

55. Foreign customers

What AUSTRAC heard:
Responders queried whether simplified CDD can be applied to customers based overseas (e.g. foreign companies) or whether its application is limited to customers based in Australia.

Plain English response:
Simplified CDD can be used if the customer is low risk and enhanced CDD doesn’t apply. Reporting entities must assess this based on available KYC info and reflect it in their AML/CTF policies. Section 5-15 allows simplified beneficial ownership checks if key conditions are met.

56. Nature of a customer’s business

What AUSTRAC heard:
Submissions asked if section 27 means reporting entities must always ask if a service relates to the customer’s business, or only when it’s already clear the customer is carrying on a business.

Plain English response:
AUSTRAC expects reporting entities to ask, at a high level, why a customer is using their services. If it's for business, they should also understand the nature of that business. If a customer’s behaviour later doesn’t match what’s expected, ongoing CDD must be applied.

Part 7 – Transfers of value (part 6 not included in Annexure C)

57. Card-based pull payment

What AUSTRAC heard:
Submissions asked AUSTRAC to explain what “card-based pull payment” means, since it’s not defined in the rules. They also requested examples of the types of payments this term is meant to cover.

Plain English response:
A card-based pull payment is when a merchant pulls money from a payer’s account using a credit, debit, or stored value card. The payer consents and the merchant sends the instruction to the card issuer to complete the payment.

58. ‘Payer Information’ definition

What AUSTRAC heard:
Submissions asked whether payer information reported under section 56 must also meet the standard of being “complete and accurate” under section 17 and how reporting entities are expected to assess that completeness and accuracy.

Plain English response:
AUSTRAC clarified that the completeness and accuracy rule in section 17 (now 4-9) applies only to specific reporting obligations, not to ‘travel rule’ requirements like payer information under section 56. Travel rule details will be addressed in future rules, with possible qualifiers like “if known.”

59. Interpretation and application of ‘offsetting arrangement’

What AUSTRAC heard:
Submissions asked AUSTRAC to clarify the term ‘offsetting arrangement’ in the rules. While it includes hawala-type payments, they noted the term isn’t limited to that and requested a clearer definition.

Plain English response:
An offsetting arrangement is a way to transfer value using matched payments in different locations, without money crossing borders. It's common in informal systems like hawala and creates the same effect as a traditional transfer.

60. Interpretation and application of ‘accept an instruction’

What AUSTRAC heard:
Submissions sought clarification as to the meaning of ‘accept an instruction’ as used in ED1 Rules, noting that it is unclear what real-world action would constitute an acceptance (e.g. simply receiving it, reviewing the instruction, or the first act in carrying out the instruction).

Plain English response:
Section 7-1 of ED2 Rules says an ordering institution must accept a transfer instruction, meaning it has the ability to carry it out. AUSTRAC will provide examples in future guidance to clarify what acceptance looks like in practice.

61. 'Another source'

What AUSTRAC heard:
Submissions sought clarification of the meaning of ‘another source’ used in paragraph 54(3)(b) of ED1 Rules.

Plain English response:
Section 54 of ED1 Rules (now section 7-1 of ED2 Rules) has been amended so that it no longer refers to ‘another source’. The rule has been clarified to refer to a third-party deposit taker or credit provider.

62. Interpretation of the ‘ordering institution’, ‘beneficiary institution’ and ‘intermediary institution’ definitions

What AUSTRAC heard:
Submissions sought clarity on how to apply the ‘priority’ concept and identify parties in complex transactions and asked that software providers not be unintentionally captured by the definitions.

Plain English response:
AUSTRAC removed the ‘priority’ concept and clarified that an ordering institution is the one that accepts and can act on a payer’s instruction. A beneficiary institution controls when funds are made available to the payee. Entities that just pass on instructions are intermediaries, but messaging platforms like Swift or NPP are not. Further guidance will include examples.

63. Interpretation and application of ‘reasonable steps to monitor’

What AUSTRAC heard:
Submissions sought clarification of the meaning of ‘reasonable steps to monitor’ as used in sections 57 and 58 of ED1 Rules.

Plain English response:
Beneficiary institutions must check they receive required info and that payee details are accurate, based on their size and risk. Intermediaries must check info is received but not verify accuracy. What’s “reasonable” depends on the business: manual checks for small firms, sampling for larger ones.

64. Practical implications from requirements to collect payer and payee information

What AUSTRAC heard:
Submissions raised concerns about how to verify payer info under sections 56–58, especially in virtual asset transfers where it may be harder and slower to collect. They also flagged that the rules could lead to duplicated information collection across institutions.

Plain English response:
AUSTRAC clarified that reliance rules only cover initial CDD. It’s up to each reporting entity to assess any agreements they enter into and ensure they don’t take on obligations that conflict with their legal exemptions under the AML/CTF regime.

65. Scope of bank-to-bank transfer exemption

What AUSTRAC heard:
Submissions asked whether “bank-to-bank” transfers exempt under subsections 59(2)–(3) of ED1 Rules are also exempt from international value transfer reporting under section 46 of the Act.

Plain English response:
AUSTRAC will develop and consult about rules related to International Value Transfer Service reporting in future.

66. Sunrise issue

What AUSTRAC heard:
Submissions flagged that differences in how countries implement FATF rules create challenges, like missing transfer information or unclear roles and regulation of overseas counterparties.

Plain English response:
AUSTRAC confirmed that Australian reporting entities must meet travel rule requirements, and can't proceed with a transfer if they can't comply. To address global misalignment, limited exceptions apply where it's objectively shown that a counterparty can't securely comply or protect the data. These exceptions must be documented. There’s no minimum threshold in Australia due to the risks even low-value transfers pose.

67. Risk of breach of privacy laws

What AUSTRAC heard:
Submissions raised concerns that collecting or sharing payer/payee info under sections 56–58 could breach privacy laws, especially overseas regulations like the EU’s GDPR, if done without the individual’s consent.

Plain English response:
AUSTRAC clarified that sharing payer/payee info under the travel rule is allowed under Australian law and not restricted by the Privacy Act. The EU also follows similar rules under its crypto regulations. An exception exists if there's a documented risk that a beneficiary can’t protect the data.

68. Incidental exemptions

What AUSTRAC heard:
Submissions asked AUSTRAC to clarify how the incidental exemption in paragraph 63A(4)(a) of the Amended AML/CTF Act works and to provide real-world examples of when a value transfer is truly incidental to another service and doesn’t make the provider an ordering institution.

Plain English response:
AUSTRAC clarified that if the main service isn't a value transfer, such as managing a car fleet, then any transfer of money linked to it may be exempt. But if the main service is a value transfer, the exemption doesn’t apply. More examples will be provided in future guidance.

69. Technology agnostic AML/CTF regime

What AUSTRAC heard:
Submissions noted the AML/CTF regime is mostly technology agnostic but now references payment systems. They asked if AUSTRAC plans to list recognised platforms and sought clarity on FinTech obligations and how current system limitations, like with BECS, will be handled.

Plain English response:
The updated AML/CTF regime applies to all value transfers, not just electronic money. Legacy systems like BECS are accounted for, requiring only information that can be transmitted. FinTechs are regulated like any other entity if they meet the definitions.

General feedback

70. Request for notes within the AML/CTF Rules

What AUSTRAC heard:
Submissions asked for explanatory notes to be added throughout the AML/CTF Rules to help smaller or new reporting entities better understand terms like "governing body" and apply the rules correctly. They suggested notes to clarify how to interpret definitions and when existing processes can be used.

Plain English response:
AUSTRAC will not add notes to the AML/CTF Rules, as this could risk misinterpretation. Instead, it will provide guidance to help small businesses understand roles like ‘governing body’ and how one person can meet multiple obligations. Guidance will also cover how existing protocols can be used for due diligence.

 


About First AML

This article is written not only from the perspective of a technology provider, but also through the lens of compliance professionals. Prior to releasing Source, First AML’s orchestration platform, we processed over 2,000,000 AML cases ourselves. Understanding the acute problem that faces firms these days as they try to scale their own AML is in our DNA.

That's why Source now powers thousands of compliance experts around the globe to reduce the time and cost burden of complex and international entity KYC. Source stands out as a leading solution for organisations with complex or international onboarding needs. It provides streamlined collaboration and ensures uniformity in all AML practices.
