AML/CTF Rules 2025: A plain-English overview for busy professionals

Disclaimer: The content on this website is general and is not legal advice. Before you make a decision or take a particular action based on the content on this website, you should check its accuracy, completeness, currency and relevance for your purposes. You may wish to seek independent professional advice.

The new AML/CTF Rules take effect from 31 March 2026 for existing Tranche 1 entities, and 1 July 2026 for new reporting entities under Tranche 2 (law, real estate, accounting, and others).

This guide is written for partners, managers and operations leads in law, accounting and real estate who need the gist of Australia’s new AML/CTF Rules 2025 without reading the full technical document.

It's a plain-language overview of the Parts most relevant to Tranche 2, plus links to the full breakdowns. At a glance:

• Part 1 - Preliminary: Key terms and definitions

• Part 2 – Reporting groups: How firms can share one AML program

• Part 3 – Enrolment: Registering with AUSTRAC and keeping details current

• Part 5 – AML/CTF programs: Building your compliance framework

• Part 6 – Customer due diligence: What to collect, verify, and monitor

• Part 9 – Reporting: Suspicious matters, cash thresholds, and annual reports

Use this blog as your short-cut glossary and roadmap: plain English, practical examples, and links to dive deeper when you need them.

Part 1 — Preliminary

What it's about

This section is the groundwork — it names the rules, states when they begin, sets out who made them, and defines important terms used throughout.

What you need to know:

• Name: Officially called the Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Rules 2025.
• Commencement: They kick in on 31 March 2026.
• Authority: Made under the AML/CTF Act 2006.
• Definitions: The Rules use a mix of terms from the Act plus some defined here. These definitions matter because they frame how every obligation works.

Key terms you’ll see often:

• Designated service: A regulated activity covered by the law (e.g. property sales, trust account services).
• Reporting entity: A business providing designated services — this is you if you’re in law, accounting or real estate.
• Governing body: The group or individual in charge of your AML program (for example, your board).
• Senior manager: Someone with enough authority to make compliance decisions.
• Transfer of value: Any way money or assets move (cash, bank transfers, even crypto).
• Nested services relationship: When your service relies on another provider further down the chain (e.g. a law firm uses a fintech that uses a global bank).
• PEP (Politically exposed person): Defined in the Act, but Part 1 lists the Australian roles that count (like judges, senior defence officers, heads of government departments, and party executives).
• Identifiers: ABN, ACN, ARBN, ARSN — standard business numbers you’ll often need to provide.
• Merchant payments, tracing info, unique transaction reference numbers: Technical definitions that become relevant in reporting or payment transfer contexts.

Why this matters

Think of Part 1 as the dictionary and instruction sheet. If you’re unsure what a term means in later sections (like “beneficial owner” or “lead entity”), it’s usually defined here or in the Act. Getting the definitions right avoids misinterpreting obligations later.

Want the full glossary, including every acronym and technical payment term? Read the Rules.

Part 2 — Reporting groups

What it's about

Related or cooperating businesses can share one AML/CTF program under a single lead entity to reduce duplication.

Two ways to form a group:

• Business group: Companies under common ownership or control operate under one program.
• Elected group: Separate firms agree to comply together under one program.

Lead entity essentials

• Every member agrees in writing who the lead is.
• The lead must have real authority to set AML policies for the group.
• The lead must be an Australian company, a registered foreign company, a trust with an Australian trustee, or an Australian resident individual.
• The lead cannot be controlled by another group member that provides regulated services.

Joining, leaving and staying compliant

• New members need the lead’s consent and you must update AUSTRAC enrolment details.
• If one member of a business group joins or leaves an elected group, all members of that business group move with them. It is a package deal.
• You must always have a lead. If the lead exits, the group has 28 days to appoint a new one. Members keep following the previous policies in the meantime.

 Who can do what

• Members can perform AML obligations for each other within the group.
• If a non-reporting entity performs obligations, it must do staff background checks and training to the same standard as the reporting entity.

Practical examples

• Law franchise: Company-owned offices form a business group. Independent franchisees opt in via an elected group with the franchisor as lead.
• Accounting network: Independent firms create an elected group to share one policy set and centralised training.

Want the details? Click for the full guide to Part 2 — Reporting groups.

Part 3 — Enrolment

What it's about

If you provide designated services (regulated services listed in the law), you must enrol with AUSTRAC and keep your details current.

What AUSTRAC wants to know

• Your services: What they are, when they started, where you provide them, and which industry they sit in. Extra declarations if you handle remittance, virtual assets or certain gambling exemptions.
• Your business: Legal names and trading names, ABN/ACN, addresses, structure, beneficial owners, employee count, industry associations, contacts, website, what you do, and last year’s turnover.
• Extra by entity type:
  • Companies: directors, director IDs, place of incorporation and any parent details.
  • Partnerships, trusts, associations, co-ops, government bodies: decision-makers, governing documents, and equivalent identifiers.

If you are in a reporting group

• Say whether you are the lead.
• If lead, list other reporting entity members.
• If not lead, name who is.

Earnings disclosure (for larger groups)

• Some entities must provide earnings data. Thresholds and definitions vary by ownership and sector. Groups may need to report combined earnings. Under $100m total earnings is generally out of scope.

Keep it up to date

• Notify AUSTRAC when services, ownership, directors or contacts change.
  Update earnings annually.
• AUSTRAC can correct or remove records. You can ask to be removed if you stop providing services.

Practical example

• Real estate agency: Starts brokering property sales in August 2026. Must enrol within 28 days and keep details current if directors or offices change.

Want the details? Click for the full guide to Part 3 — Enrolment.

Part 4 — Registration

Not usually for Tranche 2 reporting entities: This part primarily covers financial service providers. Tranche 2 entities like law, accounting and real estate can skim this.

Part 5 — AML/CTF programs

What it's about

You need a written AML/CTF program before you provide any designated service. It covers risk assessment, controls, training, governance, reporting quality and periodic independent evaluation.

Key concepts explained once

• ML/TF risk: Money laundering and terrorism financing risk.
• KYC: Know Your Customer identification and verification.
• SoW/SoF: Source of wealth and source of funds.
• PEP: Politically exposed person.
• Governing body: Your board or equivalent oversight group.
• Independent evaluation: External test of your program’s design and operation.

What your program must cover

1. Risk assessment and reviews: If an independent evaluation finds issues, review promptly.
2. Customer due diligence (CDD): When to do initial and ongoing checks and when to seek SoW/SoF.
3. Sanctions: Never deal with listed persons or their assets.
4. Fixing findings: How you update policies after adverse findings.
5. Senior manager approvals: Required for higher-risk scenarios, for example foreign PEPs, high-risk domestic PEPs, or nested service chains.
6. Governance and reporting: Regular AMLCO reports to the governing body.
7. People controls: Staff vetting and role-relevant training.
8. Independent evaluation: Scope, written report, board visibility, and your response plan.
9. Report quality: Ensure SMRs, TTRs and other reports are complete and accurate.
10. SMR process and no tipping off: Decide quickly if suspicion exists and keep SMR information confidential.
11. Lead entity record-keeping: If you are a lead, keep membership records up to date.
12. Real estate-specific rules: Verify IDs before settlement. You can rely on another reporting entity to complete verification within 15 days of contract exchange if there is a proper reliance arrangement.

Practical examples

• Law firm: Family law client becomes a property buyer via a company. Re-verify directors, confirm SoF, and seek senior approval if a PEP is involved.
• Real estate: Agency confirms a buyer’s identity and risk-rates them, then relies on the buyer’s lawyer to complete verification within 15 days under a written arrangement.

Want the details? Click for the full guide to Part 5 — AML/CTF programs.

Part 6 — Customer due diligence (CDD)

What it's about

CDD is not one-and-done. You collect, verify and keep current the right information based on risk, with simplified steps for low risk and enhanced steps for higher risk.

What to collect depends on the customer type

• Sole trader: Names, ABN, business address, and what they do and why they need you.
• Company, partnership, association: Names, ABN/ACN, addresses, governance documents, decision-makers, beneficial owners, and nature and purpose.
• Trust: Trust type and deed, trustees, settlor and appointor details, beneficiaries or beneficiary classes, and control.
• Government body: Establishing statute, key officials, and purpose.

Associated persons you may need to identify

• People on whose behalf the customer acts.
• Agents acting for the customer.
• Beneficial owners who ultimately own or control the customer.

PEPs and higher risk

• Foreign PEPs always need enhanced checks including SoW and SoF.
• Domestic and international organisation PEPs need enhancement when overall risk is high.
• Keep monitoring PEP status over time.

Delayed verification

• You can start a low-risk service before finishing verification in limited cases, but you cannot move money or assets until CDD is complete.
• General time limit: 20 business days.
• Real estate transactions have their own rule: complete within 15 days of contract exchange or by settlement, whichever comes first.

Simplified CDD

Possible for low-risk customers who do not trigger enhanced due diligence. You still risk-rate, collect appropriate KYC, and verify identity proportionately.

Enhanced CDD

Needed for unusual, complex or large services, higher-risk countries, nested relationships, SMR-related relationships you continue, virtual asset risk, or where the Rules specify. Always consider SoW and SoF.

Special situations

• No standard ID: Use alternative reliable evidence and manage the higher risk.
• Previous foreign CDD: You may rely on it if it met FATF standards and records are accessible.
• Transferred customers: You can rely on the seller’s initial CDD after a business transfer, but you must continue ongoing monitoring.
• Reliance on others’ KYC: Allowed with proper agreements or case-by-case assurance and documented reasoning. You remain accountable.

Practical examples

• Accounting firm: Long-standing SME client appoints a new foreign director. Refresh CDD, check PEP status, and confirm SoF for a large related-party loan.
• Conveyancer: Buyer verified by agency. Under a written reliance arrangement, you complete beneficial owner verification within 15 days and share records before settlement.

Want the details? Click for the full guide to Part 6 — CDD.

Part 7 — Correspondent banking

Not applicable to most Tranche 2 entities: Primarily for banks.

Part 8 — Transfers of value

Mostly for financial institutions: Rules for payment and value transfers handled by banks, remitters, fintechs and crypto exchanges.

Edge case to note

• If you start offering payment or virtual asset transfers or enter a nested services chain that supports others’ customers, seek senior approval and expect these rules to apply.

Part 9 — Reporting

What it's about

You must submit quality reports on time, mainly Suspicious Matter Reports (SMRs) and Threshold Transaction Reports (TTRs).

SMRs

• File when you suspect identity crime, tax evasion, ML/TF, sanctions breaches or other serious crime.
• Include details about people, entities, transactions, accounts, property and any virtual assets, plus the story of why you are suspicious.
• Lawyers note: legal privilege can affect timing, but the obligation remains once privilege issues are resolved.

TTRs

• File whenever cash or similar physical currency meets or exceeds AUD 10,000, even if nothing looks suspicious.
• Include persons, roles and transaction facts. There are narrow exceptions for people acting on behalf of the customer for purely mechanical cash deposits with no personal contact.

Compliance report

• Lodge your annual AML/CTF compliance report to AUSTRAC by 31 March for the previous calendar year.

Practical examples

• Real estate: Multiple cash top-ups toward a deposit that collectively exceed the threshold. Lodge a TTR and consider whether an SMR is warranted.
• Law firm: Client requests a complex trust restructure with unclear purpose and mismatched funding. Consider an SMR and pause activity until CDD is complete.

Want the details? Click for the full guide to Part 9 — Reporting.

Bringing it together: your next 5 steps

1. Confirm scope: List your designated services and enrol with AUSTRAC if required.
2. Choose your model: Standalone program or join a reporting group with a clear lead.
3. Write it down: Finalise a risk assessment and AML/CTF program before providing services.
4. Operationalise CDD: Map low-risk “happy path” and add branches for companies, trusts, PEPs and cross-border matters.
5. Train, monitor, evaluate: Role-based training, ongoing monitoring, clean reporting, and an independent evaluation cycle.