Eight key changes to the new AML/CTF Rules for existing entities

Part one of the revised AML/CTF Rules introduces a range of new and clarified definitions. These include terms such as ‘tokenised reference’, ‘virtual asset wallet address’, and ‘ultimate parent’, alongside refinements to existing terms like ‘beneficial owner’ and ‘transfer of value.

These definitions are now directly linked to compliance obligations across Customer Due Diligence (CDD), transaction monitoring, and reporting. The scope of obligations has also been broadened to include Virtual Asset Service Providers (VASPs), with terminology reflecting developments in digital finance and distributed ledger technologies, and the need for IT systems and controls to be capable of capturing new data fields.

Part two of the AML/CTF Rules outlines new governance requirements for designated business groups. A lead entity must now be appointed to oversee group compliance, with fallback mechanisms in place to ensure continuity if agreement cannot be reached. Membership protocols have been strengthened, requiring written consent for joining or leaving a group and mandatory notification to AUSTRAC of any changes. Non-reporting entities are now eligible for group membership but must meet applicable due diligence and training standards.

Parts three and four of the AML/CTF Rules expand the enrolment and registration requirements. Entities must now provide more detailed disclosures on services, beneficial ownership, and financials. VASPs are subject to additional requirements, including wallet-level data. A new earnings reporting framework introduces tailored definitions and exemptions for smaller entities. Registration terms are standardised to three years, with a 90-day renewal window. Suspension and cancellation procedures have been clarified, and legal protections now exclude spent convictions under certain conditions.

Part five of the AML/CTF Rules introduces enhanced expectations for AML/CTF Programs. Entities are required to conduct and document risk assessments following adverse events and implement detailed mitigation strategies. These include enhanced due diligence for high-risk scenarios and compliance with targeted sanctions. Governance requirements have been expanded to include independent evaluations, senior management oversight, and staff training. Sector-specific controls have been introduced for real estate and virtual asset transactions.

Part six of the AML/CTF Rules recalibrates CDD obligations to better reflect customer risk profiles. The changes introduce tailored procedures based on customer type, mandating the collection of granular data including beneficial ownership and control information. Delayed verification is permitted under specific conditions, such as account opening or foreign services, with time-bound deadlines depending on the context. Simplified CDD is allowed for low-risk customers with documented justification, while enhanced CDD is required for high-risk scenarios, including politically exposed persons (PEPs) and virtual asset transactions, with stricter verification and senior management approval.

The term ‘persons associated with the customer’ now consolidates agents, beneficial owners, and trustees, and reliance on third-party KYC must be reassessed biennially. Sector-specific requirements apply to real estate and insurance services, and ongoing monitoring obligations have been expanded to cover a broader range of suspicious behaviours. Transitional provisions allow temporary exemptions and recognise new prescribed agencies, with continuity measures in place for pre-2026 customers.

Part eight of the AML/CTF Rules provides clearer definitions of institutional roles in value transfers and introduces enhanced data collection and transmission standards. These include requirements for payer and payee identification, tracing information, and transaction references. The Rules also clarify how to determine the jurisdictional location of value, based on wallet, account, or establishment location, which affects cross-border compliance obligations.

Part nine of the AML/CTF Rules expands the scope of reporting obligations. Suspicious matter reports must now include more detailed personal, transactional, and contextual data, including virtual asset activity. Threshold transaction reports have also been updated to capture a broader range of information, with clarified exemptions and reporting conditions. These changes aim to improve the accuracy and completeness of reporting to AUSTRAC.

Part twelve of the AML/CTF Rules outlines transitional arrangements to support implementation. Entities may continue using legacy formats for suspicious and threshold transaction reports until 1 July 2026. Existing exemptions under the 2007 Rules remain valid but are subject to expiry or revocation. The requirement for a lead entity within reporting groups has been reinforced to ensure structured compliance.