Understanding changes to AML/CTF obligations and the Privacy Act for reporting entities
InsightUnderstanding changes to AML/CTF obligations and the Privacy Act: what reporting entities need to know.
Congratulations to our new Partners and Principal. Read more now.
By: Neil Jeans, Martin Stone, Alan Connor
13 Apr 2026 11 min read

The following legislation is in effect from 31 March 2026:
The AML/CTF Act is not intended to operate in isolation. It sets the overarching legislative framework and enables additional rules to be made, giving effect to the obligations. To remain compliant, obligations in the AML/CTF Act and supplementary rules must be incorporated into your compliance framework.
In November 2024, Parliament enacted the AML/CTF Amendment Act 2024, updating the original Act. The changes expanded the AML/CTF framework to include higher-risk services offered by real estate professionals, as well as professional service providers ('Tranche 2' entities). The amendments also updated the AML/CTF regime to better align with evolving business models, technologies, and methods used for illicit financing.
To put the amended Act into practice, AUSTRAC created the AML/CTF Rules in August 2025. These Rules have replaced the AML/CTF Rules Instrument 2007 (No. 1) and are in effect from 31 March 2026.
After their introduction, AUSTRAC discovered that certain targeted amendments were necessary to enhance the effectiveness of the AML/CTF Rules and correct minor errors in drafting.
The AML/CTF (2025 Rules) Amendment Rules 2026 (in effect from 31 March 2026) include some key changes Grant Thornton considers important for reporting entities. These include:
The purpose of the AML/CTF (Class Exemptions and Other Matters) Amendment Rules 2026 is to update, clarify and modernise the existing class exemptions and ancillary rules so they align with the reformed AML/CTF regime that commenced on 31 March 2026.
The instrument created class exemptions where AUSTRAC considers the ML/TF risk to be low or appropriately managed by other means, with the intent of avoiding unnecessary regulatory burden where full AML/CTF obligations would be disproportionate.
The exemptions are in effect from 31 March 2026, and include:
The AML/CTF Transitional Rules 2026 sit alongside the broader AML/CTF reforms introduced through the AML/CTF Amendment Act and the AML/CTF Rules 2025. They provide businesses with extra time to update their processes and systems for certain requirements while continuing to manage ML/TF risks effectively.
Key Transitional Arrangements for Reporting Entities:
Extended period for Initial Customer Due Diligence (ICDD)
One of the most significant transitional provisions is the three-year transition period for initial CDD obligations. From 31 March 2026 to 30 March 2029, existing reporting entities will have the option to:
The transition applies only to initial CDD - ongoing CDD obligations apply without exception from 31 March 2026.
AUSTRAC have stated that reporting entities who intend to rely on the ICDD transitional rule must have a transitional policy that describes the following by 1 July 2026:
2. Compliance officer notification deadlines
Transitional rules also extend the timeframe for notifying AUSTRAC of appointed AML/CTF compliance officers:
These extensions provide reporting entities with additional time to establish appropriate governance arrangements and properly communicate to AUSTRAC.
3. Staggered independent evaluations
To avoid compliance bottlenecks, both existing and newly regulated entities will be able to stagger their initial independent evaluation deadlines based on AUSTRAC account numbers. This means businesses won’t face the same evaluation date and can prioritise compliance in line with capacity and risk profile.
Existing reporting entities that have had at least one independent review under the pre-reform Rules, must conduct their first independent evaluation by the later of:
AUSTRAC expects reporting entities to revise their AML/CTF policies to ensure that the evaluation schedule is consistent with the identified deadline.
4. Registration clarifications and roll-over
The transitional rules confirm that:
This continuity avoids administrative duplication and supports operational stability through the reform phase.
5. Deferred obligations for certain Virtual Asset Services (VAS)
While obligations for many virtual asset services begin in line with tranche 2 timing, the transitional rules defer certain AML/CTF requirements until 1 July 2026, consistent with tranche 2 commencement dates. This deferral provides aligned timing for newly regulated virtual asset businesses to enrol, register and prepare for full compliance.
Notably:
6. Financial advisers becoming Tranche 2 entities
While these obligations generally commence in line with tranche 2 implementation, transitional arrangements apply to certain existing reporting entities. Specifically, entities that previously qualified for pre-reform special AML/CTF programs will not be required to apply AML/CTF obligations to the newly designated tranche 2 services until 1 July 2026. This ensures consistent commencement timing across tranche 2 sectors and allows affected advisers time to update systems, controls, and compliance frameworks.
7. Transition to International Value Transfer Service (IVTS) reporting
The transitional rules delay the commencement of the IVTS reporting framework to allow sufficient time for reporting entities and AUSTRAC to update or implement required systems changes.
Reporting entities IVTS reporting transition date will either be:
Until a reporting entity nominates a transition date, the existing International Funds Transfer Instructions (IFTI) reporting framework remains in force for them.
AUSTRAC’s transitional rules give businesses flexibility to adopt the AML/CTF reforms in stages, but they also set clear expectations on how reporting entities should prepare.
The three‑year transition period for initial CDD, from 31 March 2026 to 30 March 2029, allows existing reporting entities to choose when to shift to the reformed initial CDD requirements. They may continue using their current Applicable Customer Identification Procedures (ACIP) or adopt the new obligations earlier, but whichever method they choose must be applied consistently across each nominated class of customer.
However, ongoing CDD obligations begin for everyone on 31 March 2026, so businesses must be ready to operate ongoing monitoring and risk management at the new standard from that date.
The extended deadlines for appointing and notifying AUSTRAC of compliance officers – 30 May 2026 for existing reporting entities and 29 July 2026 for newly regulated businesses, including Tranche 2 sectors and Virtual Asset Service Providers (VASPs) – give organisations more time to establish strong governance foundations.
These roles should be fully defined, empowered, and integrated into compliance well before the deadline.
Newly regulated entities will be assigned staggered independent evaluation deadlines based on AUSTRAC account numbers, helping avoid industry‑wide bottlenecks. Existing entities have extended timing if they recently completed an independent review.
Businesses should map their evaluation timeline as soon as their AUSTRAC account number is issued.
Existing digital currency exchange providers will automatically transition to the new VASP category, and current remittance providers retain their existing status, reducing administrative effort during the transition.
Some VASP‑specific obligations commence later, including:
These delays give VASPs time to prepare systems and processes needed for enhanced data‑sharing and monitoring.
AUSTRAC emphasises that businesses - particularly newly regulated sectors such as legal, accounting, and real estate – must take a risk‑based and outcomes-focused approach to implementing the reforms. Entities should prioritise changes that address their highest money laundering and terrorism financing risks.
For businesses across regulated sectors, keeping up to date with the evolving Rules and acting on the transitional arrangements will be essential to meet new compliance expectations without disruption, ensuring your AML/CTF program remains robust, risk-aware, and future-ready. If you would like to discuss any of the above, please reach out to our team of experts today.
Understanding changes to AML/CTF obligations and the Privacy Act: what reporting entities need to know.
From 1 July, the updated AML/CTF regime takes effect for Tranche 2 organisations including the real estate industry. There is already commentary, interpretation and subsequently confusion in the aged care market.
The AML/CTF Amendment Bill 2026 gives AUSTRAC new powers to restrict or prohibit the use of high‑risk mechanisms such as crypto ATMs by reporting entities.