Understanding changes to AML/CTF obligations and the Privacy Act for reporting entities
InsightUnderstanding changes to AML/CTF obligations and the Privacy Act: what reporting entities need to know.
Congratulations to our new Partners and Principal. Read more now.
By: Neil Jeans, Katherine Shamai, Annelies Homersham, Martin Stone
03 Mar 2025 8 min read

Initial CDD involves identifying and verifying customers' identities before providing designated services, crucial for understanding customers and assessing money laundering and terrorism financing (ML/TF) risks.
The transition from ACIP under the AML/CTF Rules to initial CDD under the new AML/CTF Act introduces several key changes that reporting entities must address.
The initial CDD requirements are now directly subject to civil penalty provisions, underscoring the importance of compliance with these requirements.
Chapter four of the AML/CTF Rules currently outlines the Applicable Customer Identification Procedures (ACIP) that reporting entities must follow to comply with their CDD obligations.
Australia's AML reforms are transitioning the initial CDD requirements from the AML/CTF Rules to the AML/CTF Act. The changes focus on establishing an outcomes-based framework, enhancing the clarity and effectiveness of CDD processes, and ensuring that reporting entities can better identify and manage risks associated with their customers.
CDD involves identifying and verifying customers' identities before providing them with designated services. This process is crucial for understanding who customers are and assessing the ML/TF risks they may pose.
Initial CDD helps identify potential ML/TF risks associated with new customers, enabling entities to respond appropriately to mitigate these risks.
Establishing a comprehensive customer profile during initial CDD supports due diligence efforts by identifying higher-risk customers who may require enhanced due diligence measures.
The collection and verification of accurate customer information from initial CDD also aids in effective transaction monitoring and the detection of suspicious activities and ensures that reporting entities have the necessary information to meet their reporting obligations.
Initial CDD aims to support a risk-based approach, as it requires reporting entities to tailor their AML/CTF controls based on the specific risks posed by customers and allocate resources more effectively to areas that require greater attention.
Initial CDD also directly supports the adoption of an outcomes-based framework for AML/CTF, as it ensures that entities have a solid foundation for achieving meaningful results in preventing ML/TF and addressing the specific risks faced while promoting innovation and efficiency.
The key requirements of Chapter four of the current AML/CTF Rules are:
To achieve compliance with ACIP and effectively mitigate the risks associated with money laundering and terrorism financing, reporting entities are required to undertake the following steps:
Australia's AML reforms are transitioning the initial Customer Due Diligence (CDD) requirements from the AML/CTF Rules to the AML/CTF Act. This shift aims to establish an outcomes-based framework, enhancing clarity and effectiveness in compliance. The changes result in an approach that is focused on the following:
To prepare for the changes to CDD under the AML reforms, reporting entities should follow these steps:
Following these steps, reporting entities can effectively prepare for the changes and ensure compliance with the new CDD requirements.
The amended AML/CTF Act introduces initial CDD requirements as civil penalty provisions, increasing the regulatory risk of non-compliance.
Unlike the current Chapter 32 of the AML/CTF Act, the new obligations in the AML/CTF Act have direct civil penalty provisions, including for failing to:
Although the new AML/CTF requirements won't be enforced until April 2026 for existing entities and July 2026 for new entities, it is vital to start planning and preparing for compliance with the revised AML/CTF requirements now.
With a short lead time to compliance and limited AML/CTF experts across Australia, demand will only continue to increase as the compliance date approaches.
If you would like to discuss any of the above with one of our AML/CTF specialists, please reach out.
Understanding changes to AML/CTF obligations and the Privacy Act: what reporting entities need to know.
From 1 July, the updated AML/CTF regime takes effect for Tranche 2 organisations including the real estate industry. There is already commentary, interpretation and subsequently confusion in the aged care market.
The AML/CTF Amendment Bill 2026 gives AUSTRAC new powers to restrict or prohibit the use of high‑risk mechanisms such as crypto ATMs by reporting entities.