AML requirements for covered institutions and individuals

Enforcement and regulation

Which government entities enforce the AML regime and regulate covered institutions and persons in your jurisdiction? Do the AML rules provide for ongoing and periodic assessments of covered institutions and persons?

The Australian Transaction Reports and Analysis Centre (AUSTRAC) is Australia’s financial intelligence agency with regulatory responsibility for AML and counter-terrorist financing. AUSTRAC administers the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (the AML/CTF Act).

AUSTRAC has several Commonwealth, state and territory partner agencies, including the Australian Federal Police, the Australian Criminal Intelligence Commission and the Australian Securities and Investments Commission.

Entities regulated by the AML/CTF Act (reporting entities) are required to comply with reporting obligations, including submitting to AUSTRAC an annual compliance report confirming compliance or identifying instances of non-compliance with the AML/CTF Act. AUSTRAC has information-gathering powers under the AML/CTF Act, and reporting entities have an obligation to adopt procedures to apply any feedback and recommendations received from AUSTRAC as a result of surveillance or assessment.

Covered institutions and persons

Which institutions and persons must have AML measures in place?

Broadly, the AML/CTF Act regulates reporting entities, which are defined in the Act as persons who provide a designated service (also as defined in the Act). Designated services include financial, bullion and gambling services. The AML/CTF Act was amended in 2017 to include digital currency exchange providers within the scope of providing a designated service.

The AML/CTF Act regulates only those designated services with a connection to Australia, referred to as the geographical link test. The test will be satisfied where:

  • the designated service is provided to the customer at or through a permanent establishment of the reporting entity (including any place where it carries on business through an agent) in Australia;
  • the reporting entity is a resident of Australia and the designated service is provided at or through a permanent establishment of the reporting entity in a foreign country; or
  • the reporting entity is a subsidiary of an Australian company and the service is provided at or through a permanent establishment of the subsidiary in a foreign country.

Where the AML/CTF Act applies, reporting entities’ obligations include:

  • enrolling with AUSTRAC;
  • adopting and maintaining a compliant AML and counter-terrorist financing programme (AML/CTF programme);
  • conducting customer due diligence (CDD) procedures;
  • reporting to AUSTRAC annually and, as required, on suspicious matters, threshold transactions of A$10,000 or more and all international funds transfer instructions; and
  • keeping records.

Do the AML laws applicable in your jurisdiction require covered institutions and persons to implement AML compliance programmes? What are the required elements of such programmes?

Under the AML/CTF Act, reporting entities must adopt and maintain an AML/CTF programme that complies with the AML/CTF Act and the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (Cth).

AML/CTF programmes are risk-based and reflect the size and nature of each business, the designated services it offers and its money laundering or terrorism financing (ML/TF) risk profile. Reporting entities must develop and document an AML/CTF programme that is tailored to their specific business needs and is proportionate to the level of ML/TF risk that their businesses face.

An AML/CTF programme generally comprises two parts: Part A and Part B.

The primary purpose of Part A is to identify, mitigate and manage the ML/TF risks arising from the provision of a designated service by a reporting entity. It includes:

  • an ML/TF risk assessment, which must be periodically reviewed and updated;
  • approval and ongoing oversight by boards and senior management;
  • appointment of a compliance officer;
  • regular independent review of Part A;
  • a due diligence programme for employees;
  • a risk awareness training programme for employees;
  • procedures to respond to and apply AUSTRAC feedback;
  • systems and controls to ensure compliance with reporting obligations; and
  • ongoing CDD procedures.

Part B of the AML/CTF programme includes a framework to ensure the reporting entity is reasonably satisfied that:

  • an individual customer is who they claim to be; and
  • for a non-individual customer, the customer exists and its beneficial ownership details are known.

Part B also sets out the procedures for collecting and verifying customer and beneficial owner information.

Breach of AML requirements

What constitutes breach of AML duties imposed by the law?

The AML/CTF Act makes it an offence to produce false or misleading information or documentation, to forge documentation for use in customer identification procedures, to provide or receive a designated service using a false customer name or customer anonymity, or to structure a transaction to avoid a reporting obligation under the AML/CTF Act.

Further, contraventions of obligations under the AML/CTF Act are generally dealt with as breaches of civil penalty provisions. For example, if a reporting entity provides a designated service to a customer before adopting, or without maintaining, a compliant AML/CTF programme, that entity has breached a civil penalty provision.

Where a reporting entity has formed a suspicion about a customer, or has submitted a suspicious matter report (SMR) to AUSTRAC about a customer, the AML/CTF Act generally prohibits the reporting entity from disclosing that suspicion or report to the customer. Disclosing such a suspicion or report would constitute the offence of tipping off under the AML/CTF Act.

Customer and business partner due diligence

Describe due diligence requirements in your jurisdiction’s AML regime.

The AML/CTF Act generally requires that a reporting entity adopt and maintain an AML/CTF programme, comprising Part A and Part B.

With respect to due diligence procedures, Part A of an AML/CTF programme must contain an employee due diligence programme that documents procedures for screening staff members to minimise any exposure to risk. The procedures must set out appropriate risk-based systems and controls for the reporting entity to determine whether to screen a prospective employee or rescreen an existing employee (eg, where such employee is promoted or transferred and may be in a position to facilitate the commission of a money laundering or terrorism financing offence). The procedures should enable a reporting entity to identify and verify the identity of prospective or existing employees, confirm their employment history and determine if they are suitable to be employed in a particular position in the business. The procedures should take into account the role of the employee and the nature, size and complexity of the business, and the type of risk it might reasonably face. Additionally, the AML/CTF programme should outline policies for managing employees who fail to comply with any system, control or procedure under the programme.

The primary purpose of Part B is to ensure the reporting entity knows its customers and understands its customers’ financial activities. The reporting entity must establish a framework and document its CDD procedures in detail. The purpose of undertaking CDD procedures is to enable the reporting entity to be reasonably satisfied that, in relation to an individual customer, the customer is who they claim to be and, in relation to a non-individual customer, the customer exists and its beneficial ownership details are known.

Broadly, the CDD requirements include:

  • collecting and verifying customer identification information;
  • identifying and verifying the beneficial owners of a customer;
  • identifying whether a customer is a politically exposed person (PEP) (or an associate of a PEP) and establishing the source of funds used during the business relationship or transaction; and
  • gathering information on the purpose and intended nature of the business relationship.

The minimum customer information a reporting entity must collect and verify will depend on the type of customer it is dealing with, as prescribed in the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (Cth). The method of verification will also depend on the customer type, but must come from a reliable and independent source.

Part A of an AML/CTF programme must also contain the reporting entity’s ongoing customer due diligence (OCDD) procedures. Reporting entities are required to have in place appropriate OCDD systems and controls to determine whether additional customer information (including beneficial owner information) should be collected or verified on an ongoing basis to ensure that the reporting entity holds up-to-date information about its customers. The decision to apply the OCDD process to a particular customer depends on the customer’s level of assessed ML/TF risk.

The OCDD procedures should include implementing a transaction monitoring programme and developing an enhanced CDD programme. The transaction monitoring programme is a risk-based programme of systems and controls to monitor transactions, which is capable of identifying complex transactions, unusually large transactions and unusual patterns of transactions. The enhanced CDD programme is the process of undertaking additional customer identification and verification measures in certain circumstances deemed to be high risk.

High-risk categories of customers, business partners and transactions

Do the AML rules applicable in your jurisdiction require that covered institutions and persons conduct risk-based analyses? Which high-risk categories are specified? What level of due diligence is expected in relation to customers assessed to be high risk?

The AML/CTF Act requires reporting entities to undertake a money laundering and terrorism financing risk assessment to measure the level of risk associated with providing each designated service. In particular, a reporting entity must consider the risk posed by:

  • customer types, including any customers who are PEPs and their associates;
  • the types of designated services it provides;
  • how the entity provides its designated services (eg, over the counter or online); and
  • the foreign jurisdictions with which it operates or conducts business.

The Australian government has declared via regulations to the AML/CTF Act that Iran and North Korea are prescribed foreign countries for the purposes of the AML/CTF Act and are subject to countermeasures, including enhanced CDD obligations and certain prohibitions on dealings.

Other than in relation to prescribed foreign countries, the AML/CTF Act does not specify high-risk categories of customers or designated services. Rather, it is up to the reporting entity to determine whether a particular designated service or customer is high risk. The risk level determines the risk-based customer identification procedures to be conducted, including whether enhanced CDD procedures will be undertaken and additional identification information collected and verified. Reporting obligations may also apply depending on the nature of a transaction.

For all foreign PEPs and high-risk domestic or international organisation PEPs, reporting entities must closely monitor the transactions conducted by those customers. If a reporting entity suspects that a transaction undertaken by a PEP involves funds that are the proceeds of corruption or other criminal activity, it must submit an SMR to AUSTRAC.

Record-keeping and reporting requirements

Describe the record-keeping and reporting requirements for covered institutions and persons.

Record-keeping requirements

Reporting entities have record-keeping obligations under the AML/CTF Act. The types of records to be kept depend on the type of designated service provided. Specifically, the types of records that must be retained are records of or about:

  • transactions;
  • identification procedures;
  • electronic funds transfer instructions;
  • AML/CTF programmes; and
  • due diligence assessments of correspondent banking relationships.

Reporting requirements

The AML/CTF Act creates five reporting obligations:

  • annual compliance reports;
  • SMRs;
  • threshold transaction reports;
  • international funds transfer instruction reports; and
  • cross-border movement reports.

Annual compliance report

All reporting entities must submit an annual compliance report, unless an exemption applies. Reports are due annually by 31 March, relating to the prior reporting (calendar) year.

Suspicious matter report

The obligation to submit an SMR arises where, in the course of dealing with a customer, a reporting entity forms a suspicion (on reasonable grounds) that:

  • the customer is not who they claim to be;
  • information the reporting entity has may be:
    • relevant to the investigation or prosecution of a person for an evasion of tax law or an offence against a Commonwealth, state or territory law; or
    • of assistance in enforcing the Proceeds of Crime Act 2002 (Cth) or corresponding state or territory legislation; or
  • providing a designated service may be:
    • preparatory to committing an offence related to money laundering or terrorism financing; or
    • relevant to the investigation or prosecution of a person for an offence related to money laundering or terrorism financing.

The report must include details about the reporting entity’s business, the suspicious matter, the persons to whom the matter relates and any related transactions. Where the suspicion relates to terrorism financing, the report must be submitted within 24 hours of the time the suspicion is formed. Where it relates to any other offence, the reporting time frame is three business days after the day on which the suspicion was formed.

Threshold transaction report

If a reporting entity commences providing, or provides, a designated service to a customer that involves a transfer of physical or digital currency of A$10,000 or more (or the foreign currency equivalent), it must submit a threshold transaction report to AUSTRAC within 10 business days of the day on which the transaction occurred. The threshold transaction report must include the business details of the reporting entity, the customer of the designated service and further details of the transaction, including its cash, digital currency and other components.

International funds transfer instruction

A reporting entity that sends an international funds transfer instruction transmitted out of Australia, or receives such an instruction transmitted into Australia, must report the instruction to AUSTRAC within 10 business days of the day on which the instruction was sent or received.

Cross-border movement reports

All persons, including reporting entities, must report cross-border movements of physical currency of A$10,000 or more. Such a report must be made before currency is sent or carried out of or into Australia, or within five business days of receiving currency sent into Australia. In addition, if requested by a police or customs officer, a person may be required to give AUSTRAC or the relevant officer a report immediately about any cross-border movement of bearer negotiable instruments (eg, cheques or money orders) of any amount.

Privacy laws

Describe any privacy laws that affect record-keeping requirements, due diligence efforts and information sharing.

The Privacy Act 1988 (Cth) (the Privacy Act) regulates the handling of personal information by Australian government agencies, Australian Capital Territory agencies and private sector organisations with an aggregate group revenue of at least A$3 million. The Privacy Act also applies to all reporting entities under the AML/CTF Act regardless of turnover.

The Privacy Act includes 13 Australian Privacy Principles, which create obligations on the collection, use, disclosure, retention and destruction of personal information. The Australian Privacy Principles include:

  • open and transparent management of personal information;
  • disclosure to a person that their personal information will be collected;
  • restrictions on the use and disclosure of personal information;
  • obligations to ensure the accuracy of collected personal information; and
  • obligations to protect personal information.

Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not the information or opinion is true and whether or not it is recorded in a material form.

The effect of this is that information collected about an individual in the course of undertaking CDD procedures would generally constitute personal information for the purposes of the Privacy Act. Reporting entities must therefore comply with the Privacy Act in relation to personal information collected from customers, personal information they record and personal information they share with other entities.

Where there has been a breach of data (ie, unauthorised access to or disclosure of information), the Notifiable Data Breaches scheme (introduced in February 2018) requires entities regulated under the Privacy Act to notify any affected individuals and the Office of the Australian Information Commissioner where the breach is likely to result in serious harm to those individuals. The Notifiable Data Breaches scheme applies to agencies and organisations if the Privacy Act requires them to take steps to secure certain categories of personal information.

In addition to complying with the Privacy Act as it relates to the collection, use and handling of personal information, reporting entities must comply with the AML/CTF Act with respect to disclosure of personal information to credit reporting bodies. The AML/CTF Act authorises the use and disclosure of certain personal information held by a credit reporting body to a reporting entity for the purposes of verifying the individual’s identity under the AML/CTF Act, provided that the reporting entity discloses certain information to the customer and obtains the customer’s express consent prior to disclosing such information.

Resolutions and sanctions

What is the range of outcomes in AML controversies? What are the possible sanctions for breach of AML laws?

There are a variety of enforcement outcomes that AUSTRAC can pursue in the event of non-compliance with the AML/CTF Act. These include:

  • seeking civil penalty orders under the AML/CTF Act and, if the Federal Court of Australia is satisfied that a reporting entity has contravened a civil penalty provision, a pecuniary penalty may be payable to the government (as at May 2023, the maximum pecuniary penalty for bodies corporate is A$27.5 million, and A$5.5 million for individuals and other entities);
  • accepting an enforceable undertaking, which is a written undertaking that is enforceable in court and used as an alternative to civil or administrative action;
  • issuing an infringement notice, whereby payment of the specified penalty will discharge any liability and no criminal or civil penalty proceedings will be brought;
  • issuing a remedial direction, which requires a reporting entity to take specified action to ensure that it does not contravene a civil penalty provision in the future; and
  • requiring that a reporting entity take certain actions in relation to auditing (eg, appointing an external auditor and arranging for an audit report).

Limitation periods for AML enforcement

What are the limitation periods governing AML matters?

Proceedings for a civil penalty order under the AML/CTF Act must be commenced no later than six years after the date of contravention.

Do your jurisdiction’s AML laws have extraterritorial reach?

The AML/CTF Act states that, unless the contrary is provided in the Act, it extends to acts, omissions, matters and things outside Australia. However, a geographical link to Australia, with respect to the relevant designated service, must be present.