Skip to main content

Changes to AML/CTF program requirements

The Anti-Money Laundering and Counter-Terrorism Financing Amendment Bill 2024 (the Bill) would update the anti-money laundering and counter-terrorism financing (AML/CTF) program requirements to:

  • remove the current ‘check box’ compliance approach
  • set outcomes-focused obligations for an effective AML/CTF program
  • require reporting entities to take a risk-based approach to their AML/CTF program.

The Bill also removes the current prescriptive requirement for separate Parts A and B of an AML/CTF program, and provides reporting entities flexibility to structure their AML/CTF program—as long as it effectively identifies, mitigates and manages their risks.

The revised AML/CTF program obligations include:

  • An overarching risk assessment obligation: reporting entities would be required to assess the risk of money laundering, terrorism financing or proliferation financing that they may reasonably face in the provision of a designated service.
  • Proportionate risk mitigation measures: reporting entities would be required to implement commensurate risk mitigation measures in response to its risk assessment. The reporting entity must extend these measures to its internal policies, systems and controls to ensure a culture of compliance within its business.
  • Simplified business group concept: the current ‘designated business group’ concept would be replaced with a simplified ‘reporting group’ concept that will extend to all related entities, including non-AML/CTF reporting entities where appropriate. This would allow a group of related businesses to meet their AML/CTF obligations together. The changes would facilitate greater information sharing between members of a business group and allow for appropriate group-wide risk management and sharing of AML/CTF obligations.
  • Specific internal controls: the Bill would clarify the roles and responsibilities of a reporting entity’s board or equivalent senior management and its AML/CTF compliance officer. The role of the AML/CTF compliance officer would be clarified to be that of an individual in management who oversees the operational implementation of the AML/CTF program. These roles would be flexible enough to account for small businesses and sole traders.
  • Simplified obligations for foreign branches and subsidiaries: the Bill would simplify and clarify requirements for reporting entities with foreign branches and subsidiaries. This would reduce complexity when Australian AML/CTF obligations interact with local laws in the host country.

The Bill would establish a clear requirement that a reporting entity must conduct a money laundering, terrorism financing, and proliferation financing risk assessment, known as an ML/TF risk assessment. The reporting entity must identify and assess the risks of money laundering, terrorism financing and proliferation financing it may reasonably expect to face in providing designated services to its customers. The ML/TF risk assessment would then be used to inform the policies, procedures, systems and controls that a reporting entity includes in its AML/CTF program to mitigate and manage the risk of money laundering, terrorism financing and proliferation financing. See Risk mitigation measures for details.

The Bill would require a reporting entity’s AML/CTF program to:

  • consider the nature, size and complexity of its business in determining risk level
  • incorporate relevant risks identified and communicated to the reporting entity, or otherwise published by AUSTRAC.

At a minimum, reporting entities would be required to consider risks related to:

  • their types of customers
  • the types of designated services they provide
  • the methods of delivery
  • the jurisdictions they deal with.

The Bill would amend the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) to clarify that the ML/TF risk assessment must be reviewed to remain up to date. The AML/CTF Act would specify triggers for the review and update of the risk assessment.

New requirement to consider proliferation financing

To align with the FATF Standards, reporting entities must consider the risk that their business may facilitate proliferation financing when conducting a risk assessment. Proliferation financing refers to the provision of financial services, or dealing with funds or other assets, in contravention of an Australian law aimed at combating weapons of mass destruction proliferation. Most notably, this includes UN Security Council sanctions.

Exposure to proliferation financing risk will vary significantly between sectors and businesses, and the AML/CTF regime would recognise that many businesses do not have material proliferation financing exposure.

Businesses that reasonably assess their proliferation financing exposure could be mitigated by existing measures which address money laundering or terrorism financing risks, or that the proliferation financing risk is immaterial, would not be required to implement additional policies, procedures, systems or controls.

AUSTRAC published a National Risk Assessment in 2022 that can help reporting entities incorporate proliferation financing in their ML/TF risk assessment.

The Bill would require that reporting entities develop, implement and maintain enterprise-wide policies, procedures, systems and controls proportionate to the nature, size and complexity of their business. These would collectively be known as ‘AML/CTF policies’ and form part of the AML/CTF program.

The amended AML/CTF Act would not specify mitigation activities or measures, but instead allow reporting entities to establish proportionate measures and leverage existing practices where appropriate.

This Bill would set out a non-exhaustive list of what the risk management and mitigation policies must cover: :

  • ensure that risk is considered across the reporting entity’s day-to-day operations (enterprise-wide risk management practices)
  • how the policies, systems and controls mitigate and manage the risks identified in the risk assessment
  • customer due diligence
  • risk mitigation measures in response to updates to the risk assessment (including when adopting new technologies)
  • identifying and reporting suspicious matters.

The AML/CTF Rules may provide further detail where required.

The Bill would include an express obligation in the amended AML/CTF Act that requires a reporting entity to establish internal practices that ensure the business, its managers, employees and agents comply with AML/CTF obligations. These are necessary to support risk mitigation measures and ensure a culture of compliance.

Board or governing body responsibilities

A reporting entity’s board or governing body would be required to:

  • oversee the AML/CTF program
  • take reasonable steps to ensure that the reporting entity effectively identifies and mitigates the risks it may reasonably face.

The board or governing body would not be required to approve changes to the risk assessment, nor would it be required to exercise oversight of day-to-day, operational measures.

Where an entity does not have a board or other equivalent body to act as the governing body, this role may be performed by the individual or group of individuals with responsibility for governance and executive decision making.

AML/CTF compliance officer role and responsibilities

Reporting entities are required to designate an AML/CTF compliance officer at the management level, who will manage the implementation of operational measures.

The AML/CTF compliance officer would be responsible for:

  • oversight and coordination of the AML/CTF program
  • ensuring that any changes made to the AML/CTF program are approved by an individual in senior management (for example, the chief risk officer) and notified to the governing body.

For smaller entities such as sole traders, it may be appropriate for one individual to fulfil multiple roles. AUSTRAC will provide additional information in guidance.

The Bill would replace the current concept of a ‘designated business group’ under the amended AML/CTF Act with a simplified ‘reporting group’ concept.

All reporting groups would be required to have a lead entity, which would be responsible for:

  • assessing money laundering and terrorism financing risk across the group and its members
  • developing a group-wide AML/CTF program
  • applying the group-wide AML/CTF program to all Australian business group members
  • ensuring that all group members are compliant with the group-wide AML/CTF program.

Membership of reporting groups can be extended to related non-reporting entities to facilitate information sharing between group members for customer due diligence and risk management.

The concept would also allow other members (including non-reporting entities) within reporting groups to fulfil AML/CTF obligations on behalf of reporting entities. A non-reporting entity member of a business group will not, however, be subject to direct AML/CTF regulation for functions delegated to them. Liability for any failings in carrying out AML/CTF obligations would remain with the reporting entity on whose behalf the obligation is carried out.

Automatic or default reporting groups

The simplified ‘reporting group’ concept would automatically capture traditional corporate group arrangements as found in the financial services sector.

Elected reporting groups

Related entities in other non-corporate structures such as franchise arrangements and partnerships would also be able to elect to form a reporting group to manage their common risks.

Lead entities in a reporting group

Under a group-wide AML/CTF program, lead entities in a reporting group would be required to provide for:

  • sharing of customer due diligence information and related record-keeping requirements for customer due diligence reliance within the group
  • arrangements for a group member to fulfil AML/CTF obligations on behalf of another reporting entity in the reporting group
  • sharing of information about customers for risk management and mitigation as well as to support group-level compliance, audit and AML/CTF functions
  • safeguarding the confidentiality of shared information, including to manage the risk of tipping off.

The Bill would clarify the requirements for Australian reporting entities with offshore branches and subsidiaries. If the Bill passes, the amended AML/CTF Act would provide:

  • the high-level and outcomes-focused principles that would be applied to all reporting entities providing designated services generally
  • more specific obligations that would be applied only to those designated services provided in Australia, and not to those provided overseas.

To align with FATF Recommendation 18, the AML/CTF Act would require reporting entities to notify AUSTRAC where the laws of a host country prevent their foreign branch or subsidiary from complying with the

high-level general principles in the Australian legislation. This would provide the reporting entity with a defence from civil penalty liability, should the reporting entity take steps to effectively mitigate and manage the risk presented by the conflict.

Implementation and commencement

These changes would commence on 31 March 2026.

AUSTRAC will develop guidance and educational materials to support reporting entities transition to, and comply with, the changes to the AML/CTF regime.