Understanding changes to AML/CTF obligations and the Privacy Act for reporting entities
InsightUnderstanding changes to AML/CTF obligations and the Privacy Act: what reporting entities need to know.
Congratulations to our new Partners and Principal. Read more now.
By: Neil Jeans, Katherine Shamai, Martin Stone, Annelies Homersham
18 Feb 2025 8 min read

Under the AML/CTF Act 2006, all reporting entities must have (before providing designated services) and maintain (throughout the time they are providing designated services) an AML/CTF program that appropriately identifies, mitigates, and manages their ML/TF risk and addresses the AML/CTF system and control requirements set out in the AML/CTF Rules.
The amended AML/CTF Act introduces significant changes to the existing AML/CTF program, shifting from a prescriptive, compliance-based approach to a more flexible, outcomes-based framework.
This new approach emphasises the importance of the effectiveness of AML/CTF measures set out in the AML/CTF program. It allows reporting entities to tailor their AML/CTF programs to their specific risk profiles, improve the overall effectiveness of AML/CTF measures, and ensure a focus on achieving meaningful results in preventing ML/TF.
For reporting entities, the transition to the amended AML/CTF Act will require significant adjustments to their existing AML/CTF programs.
An AML/CTF program is a comprehensive set of policies, procedures, and controls designed to prevent, detect, and report money laundering and terrorism financing (ML/TF) activities. The primary goal of an AML/CTF program is to ensure that reporting entities can identify, mitigate and manage their risks associated with ML/TF.
The current AML/CTF program is divided into two parts:
The AML reforms introduce significant changes to the AML/CTF program requirements, shifting from a prescriptive, compliance-based approach to a more flexible, outcomes-based framework as follows:
The amended AML/CTF Act introduces a significant change by replacing the concept of a ‘designated business group’ with a ‘reporting group’ concept. This new framework allows related entities, including non-AML/CTF reporting entities where appropriate, to meet their AML/CTF obligations collectively.
The AML/CTF program changes are intended to support reporting entities in enhancing their AML/CTF measures, ensuring better compliance and more effective risk management.
Under the amended Australian AML/CTF Act, an AML/CTF program comprises several key documents, each crucial in ensuring compliance with revised AML/CTF obligations.
This document sets out the systematic and structured identification of ML/TF risks, an assessment of the likelihood and impact of those risks, and the documentation of the risk assessment process.
Forms the foundation of the AML/CTF program by identifying and evaluating the specific risks faced by the reporting entity and guiding the development of tailored AML/CTF policies and procedures.
The risk assessment informs all other documents, ensuring the AML/CTF program is risk-based and focused on the most significant threats.
This document outlines the reporting entity's approach to managing and mitigating identified ML/TF risks and ensuring compliance with the general requirements in the AML/CTF Act and AML/CTF Rules.
The AML/CTF policies must be developed based on the ML/TF risk assessment and provide the framework for the procedures manual.
This document provides detailed instructions on implementing AML/CTF policies, ensuring consistency and effectiveness in applying AML/CTF measures.
The procedures manual operationalises the policies and is informed by the risk assessment by providing detailed procedural guidance to ensure consistency and effectiveness in applying AML/CTF measures.
The procedures manual provides practical guidance for staff on how to comply with AML/CTF obligations. It is crucial for these documents to inform the building of employee training content to ensure that employees with relevant roles are aware of their responsibilities and obligations within the reporting entity’s AML/CTF environment.
To prepare for and address the changes to the AML/CTF program under the amended AML/CTF Act, reporting entities should follow a structured, step-by-step approach:
Review and, where necessary, create a detailed risk assessment document that evaluates the specific ML and TF risks faced, including consideration of proliferation financing (PF) risks.
AML/CTF policies are required to address the identified risks and comply with the new AML/CTF Act requirements. The policies must align with the outcomes-based framework and adequately cover ML/TF/PF risks identified in the risk assessment.
Whilst it is possible to revise an existing AML/CTF program document to create a new one that will be a policy document, given the nature of the changes set out in the AML/CTF Act, it is recommended that existing reporting entities develop a new AML/CTF policy document. This will support the parallel management of compliance with the current AML/CTF requirements while preparing for compliance with the new AML/CTF requirements.
Where there are any new risks identified by a new risk assessment, the relevant sections in the AML/CTF policies should also be updated.
Review and, where necessary, revise or develop a procedures manual(s) that provide detailed instructions on implementing the AML/CTF policies set out in the AML/CTF policy document(s), ensuring the manual promotes consistency and effectiveness in applying AML/CTF measures. Where there are any new risks identified by a new risk assessment, the relevant sections in the procedures manual should also be updated.
Monitor for additional AML/CTF Rule requirements and guidance AUSTRAC provides. It is understood that the AML/CTF Rules will be published around June 2025, with core Guidance published by AUSTRAC in August 2025.
The amended AML/CTF Act introduces new civil penalty provisions related to the development and maintenance of an AML/CTF program, increasing the regulatory risk related to non-compliance. These include civil penalty provisions for failure to document an AML/CTF program, failure of the AML/CTF program to cover mandated requirements, and failure to notify the governing body of AML/CTF program changes.
Although the new AML/CTF requirements won't be enforced until April 2026 for existing entities, it is vital to start planning and preparing for compliance with the revised AML/CTF requirements now.
With a short lead time to compliance and limited AML/CTF experts across Australia, demand will only continue to increase as the compliance date approaches.
If you would like to discuss any of the above with one of our AML/CTF specialists, please reach out.
Understanding changes to AML/CTF obligations and the Privacy Act: what reporting entities need to know.
From 1 July, the updated AML/CTF regime takes effect for Tranche 2 organisations including the real estate industry. There is already commentary, interpretation and subsequently confusion in the aged care market.
The AML/CTF Amendment Bill 2026 gives AUSTRAC new powers to restrict or prohibit the use of high‑risk mechanisms such as crypto ATMs by reporting entities.