AML requirements for covered institutions and individuals

Enforcement and regulation

Which government entities enforce your jurisdiction’s AML regime and regulate covered institutions and persons? Do the AML rules provide for ongoing and periodic assessments of covered institutions and persons?

The Australian Transaction Reports and Analysis Centre (AUSTRAC) is Australia’s financial intelligence agency with regulatory responsibility for anti-money laundering and counter-terrorism financing. AUSTRAC administers the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (the AML/CTF Act).

AUSTRAC has several federal, state and territory partner agencies, including the Australian Federal Police, the Australian Crime Commission and the Australian Securities and Investments Commission.

Entities regulated by the AML/CTF Act (‘reporting entities’) are required to comply with reporting obligations, including submitting to AUSTRAC an annual compliance report confirming compliance, or identifying instances of non-compliance, with the AML/CTF Act. AUSTRAC has information gathering powers under the AML/CTF Act, and reporting entities have an obligation to adopt procedures to apply any feedback and recommendations received from AUSTRAC as a result of surveillance or assessment.

Covered institutions and persons

Which institutions and persons must carry out AML measures?

Broadly, the AML/CTF Act regulates reporting entities, which are defined in the AML/CTF Act as persons who provide a ‘designated service’ (also as defined in the AML/CTF Act). Designated services include financial services (eg, account or deposit-taking services, cash carrying or payroll services, currency exchange services, life insurance services, loan services, remittance services, investment services and Australian financial services licence (AFSL) holders arranging for another entity to provide a designated service), bullion services and gambling services. The AML/CTF Act was amended in 2017 to include digital currency exchange providers within the scope of providing a ‘designated service’.

The AML/CTF Act regulates only designated services with a connection to Australia, referred to as the ‘geographical link’ test. The test is satisfied where:

  • the designated service is provided to the customer at or through a permanent establishment of the service provider in Australia;
  • the service provider is a resident of Australia and the designated service is provided at or through a permanent establishment of the service provider in a foreign country; or
  • the service provider is a subsidiary of an Australian company and the service is provided at or through a permanent establishment of the subsidiary in a foreign country.

Where the AML/CTF Act applies, reporting entities’ obligations include enrolling with AUSTRAC, adopting and maintaining an anti-money laundering and counter-terrorism financing compliance programme (AML/CTF programme), conducting customer due diligence procedures, reporting to AUSTRAC annually and, as required, on suspicious matters, threshold transactions of A$10,000 or more and all international funds transfer instructions, and record-keeping.

Do the AML laws in your jurisdiction require covered institutions and persons to implement AML compliance programmes? What are the required elements of such programmes?

Under the AML/CTF Act, reporting entities must adopt and maintain an AML/CTF programme that complies with the AML/CTF Act and the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (Cth) (the AML/CTF Rules).

AML/CTF programmes are risk-based and relate to the size and nature of each business, the designated services it offers customers and its money laundering or terrorism financing (ML/TF) risk profile. Reporting entities must develop and document an AML/CTF programme that is tailored to their specific business needs and that is proportionate to the level of ML/TF risk that the business faces. There are three types of AML/CTF programme:

  • a standard programme for individual entities;
  • a joint programme for entities in a designated business group that have elected to operate under a joint AML/CTF programme; and
  • a special programme that applies to individual entities that hold an AFSL and arrange for a person to receive another designated service from a separate reporting entity.

An AML/CTF programme generally comprises a Part A and a Part B; however, special programmes comprise only a Part B.

The primary purpose of Part A of an AML/CTF programme is to identify, mitigate and manage the ML/TF risk arising from the provision of a designated service by a reporting entity. It includes:

  • an ML/TF risk assessment, which must be periodically reviewed and updated;
  • approval and ongoing oversight by boards and senior management;
  • appointment of a compliance officer;
  • regular independent review of Part A;
  • a due diligence programme for employees;
  • a risk awareness training programme for employees;
  • procedures to respond to and apply AUSTRAC feedback;
  • systems and controls to ensure compliance with reporting obligations; and
  • ongoing customer due diligence (OCDD) procedures.

Part B of the AML/CTF programme includes a framework to ensure the reporting entity:

  • is reasonably satisfied that an individual customer is who they claim to be;
  • is reasonably satisfied that for a non-individual customer, the customer exists and their beneficial ownership details are known; and
  • has procedures for collecting and verifying customer and beneficial owner information.

Breach of AML requirements

What constitutes breach of AML duties imposed by the law?

The AML/CTF Act provides that it is an offence to produce false or misleading information or documentation, forge documentation for use in customer identification procedures, provide or receive a designated service using a false customer name or customer anonymity or structure a transaction to avoid a reporting obligation under the AML/CTF Act.

Further, contraventions of obligations under the AML/CTF Act generally constitute breaches of civil penalty provisions; for example, a reporting entity that provides a designated service to a customer before adopting, or without maintaining, a compliant AML/CTF programme breaches a civil penalty provision.

Where a reporting entity has formed a suspicion about a customer, or has submitted a suspicious matter report (SMR) to AUSTRAC about a customer, the AML/CTF Act generally prohibits the reporting entity from disclosing that suspicion or report to the customer. Disclosing the suspicion or report would constitute the offence of tipping off under the AML/CTF Act.

Customer and business partner due diligence

Describe due diligence requirements in your jurisdiction’s AML regime.

The AML/CTF Act requires that a reporting entity adopt and maintain an AML/CTF programme, comprising a Part A and a Part B.

With respect to due diligence procedures, Part A of an AML/CTF programme must contain an employee due diligence programme that documents procedures for screening staff members to minimise any exposure to risk. The procedures must set out appropriate risk-based systems and controls for the reporting entity to determine whether to screen a prospective employee or rescreen an existing employee (eg, where the employee is promoted or transferred and may be in a position to facilitate the commission of an ML/TF offence). The procedures should enable a reporting entity to identify and verify the identity of prospective or existing employees, confirm their employment history and determine if they are suitable to be employed in a particular position in the business. The procedures should take into account the role of the employee and the nature, size and complexity of the business, as well as the type of risk it might reasonably face. Additionally, the programme should outline policies for managing employees who fail to comply with any system, control or procedure under the AML/CTF programme.

The primary purpose of Part B is to ensure the reporting entity knows its customers and understands its customers’ financial activities. The reporting entity must establish a framework and document its customer due diligence (CDD) procedures in detail. The purpose of undertaking CDD procedures is to enable the reporting entity to be reasonably satisfied that, in relation to an individual customer, the customer is who they claim to be and, in relation to a non-individual customer, the customer exists and their beneficial ownership details are known.

Broadly, the CDD requirements include:

  • collecting and verifying customer identification information;
  • identifying and verifying the beneficial owners of a customer;
  • identifying whether a customer is a ‘politically exposed person’ (PEP) (or an associate of a PEP) and establishing the source of funds used during the business relationship or transaction; and
  • gathering information on the purpose and intended nature of the business relationship.

The minimum customer information that a reporting entity must collect and verify depends on the type of customer it is dealing with, and this information is prescribed in the AML/CTF Rules. The method of verification also depends on the customer type, but it must come from a reliable and independent source.

Part A of an AML/CTF programme must also contain the reporting entity’s OCDD procedures. Reporting entities must have in place appropriate OCDD systems and controls to determine whether additional customer information (including beneficial owner information) should be collected or verified on an ongoing basis to ensure that the reporting entity holds up-to-date information about its customers. The decision to apply the OCDD process to a particular customer depends on the customer’s level of assessed ML/TF risk.

The OCDD procedures should include implementing a transaction monitoring programme and developing an enhanced CDD programme. The transaction monitoring programme is a risk-based programme of systems and controls to monitor transactions, which is capable of identifying complex transactions, unusually large transactions and unusual patterns of transactions. The enhanced CDD programme is the process of undertaking additional customer identification and verification measures in certain circumstances deemed to be high risk.

High-risk categories of customers, business partners and transactions

Do your jurisdiction’s AML rules require that covered institutions and persons conduct risk-based analyses? Which high-risk categories are specified?

The AML/CTF Act requires reporting entities to undertake an ML/TF risk assessment to measure the level of risk associated with providing each designated service. In particular, a reporting entity must consider the risk posed by the following:

  • customer types, including any customers who are PEPs and their associates;
  • the types of designated services it provides;
  • how the entity provides its designated services (eg, over the counter or online); and
  • the foreign jurisdictions with which it operates or conducts business.

The government declared via regulations to the AML/CTF Act that Iran and North Korea are proscribed foreign countries for the purposes of the AML/CTF Act and are subject to anti-money laundering and counter-terrorism financing (AML/CTF) countermeasures, including enhanced CDD obligations and certain prohibitions on dealings.

Other than in relation to proscribed foreign countries, the AML/CTF Act does not specify high-risk categories of customers or designated services. Rather, it is up to the reporting entity to determine whether a particular designated service or customer is high risk. The risk level determines the risk-based customer identification procedures to be conducted, including whether enhanced CDD procedures will be undertaken and additional identification information collected and verified. Reporting obligations may also apply depending on the nature of the transaction.

For all foreign PEPs and high-risk domestic or international organisation PEPs, reporting entities must closely monitor the transactions conducted by that customer. If a reporting entity suspects that a transaction undertaken by a PEP involves funds that are the proceeds of corruption or other criminal activity, it must submit an SMR to AUSTRAC.

Record-keeping and reporting requirements

Describe the record-keeping and reporting requirements for covered institutions and persons.

Record-keeping requirements

Reporting entities have record-keeping obligations under the AML/CTF Act. The types of records to be kept depend on the type of designated service provided. Specifically, the types of records that must be retained are records of or about:

  • transactions;
  • identification procedures;
  • electronic funds transfer instructions;
  • AML/CTF programmes; and
  • due diligence assessments of correspondent banking relationships.

Reporting requirements

The AML/CTF Act creates five reporting obligations:

  • annual compliance reports;
  • SMRs;
  • threshold transaction reports;
  • international funds transfer instruction reports; and
  • cross-border movement reports.

Annual compliance report

AML/CTF compliance reports provide AUSTRAC with information about a reporting entity’s compliance with the AML/CTF Act and associated rules and regulations. All reporting entities must submit an annual compliance report unless an exemption applies (eg, for AFSL holders that arrange for customers to receive a designated service from another reporting entity, and do not provide any other designated service). Reports are due annually by 31 March, relating to the previous reporting (calendar) year.

Suspicious matter report

The obligation to submit an SMR arises where, in the course of a dealing with a customer, a reporting entity forms a suspicion (on reasonable grounds) that:

  • the customer is not who it claims to be;
  • information the reporting entity has may be relevant to investigate or prosecute a person for an evasion of tax law or an offence against a Commonwealth, state or territory law, or of assistance to enforce the Proceeds of Crime Act 2002 (Cth) or a corresponding state or territory legislation; and
  • providing a designated service may be preparatory to committing an offence related to ML/TF or relevant to the investigation or prosecution of a person for an offence related to ML/TF.

The report must include details about the reporting entity’s business, the suspicious matter, the persons to whom the matter relates and any related transactions. The report must be submitted within 24 hours after the time the suspicion was formed if it relates to terrorism financing. If it relates to any other offence, the reporting time frame is three business days after the day on which the suspicion was formed.

Threshold transaction report

If a reporting entity commences to provide, or provides, a designated service to a customer that involves a transfer of physical currency or e-currency of A$10,000 or more (or a foreign currency equivalent), it must submit a threshold transaction report to AUSTRAC within 10 business days after the day the transaction occurred. A threshold transaction report must include the business details of the reporting entity, the customer of the designated service and further details of the transaction, including cash, digital currency and other components.

International funds transfer instruction

A reporting entity that sends an international funds transfer instruction (IFTI) transmitted out of Australia or receives an international funds transfer instruction transmitted into Australia must report the instruction to AUSTRAC within 10 business days of the day the instruction was sent or received. The information that must be included in an IFTI report differs depending on whether the IFTI is categorised as an international electronic funds transfer instruction or as instructions given under a designated remittance arrangement.

Cross-border movement reports

All persons, including reporting entities, must report cross-border movements of physical currency of A$10,000 or more. The report must be made before currency is sent or carried out of or into Australia, or within five business days of receiving currency sent into Australia. In addition, if requested by a police officer or a customs officer, a person may be required to give AUSTRAC or the relevant officer a report immediately about any cross-border movement of bearer negotiable instruments (eg, cheques or money orders) of any amount.
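The threshold transaction reporting rule and the OCDD transaction monitoring expectation described above, as an added Python example that is not part of this chapter: it decides whether a physical currency or e-currency transaction of A$10,000 or more (or a foreign currency equivalent, using constructed exchange rates) triggers a threshold transaction report, computes the 10-business-day deadline counting weekdays only (public holidays are not modelled), and flags a customer whose repeated sub-threshold cash transactions may warrant review as an unusual pattern. The review window, count and amount floor used by the pattern check are illustrative assumptions, not figures from the AML/CTF Rules.

```python
"""Threshold transaction report (TTR) checks and a simple transaction
monitoring heuristic modelled on the obligations summarised above."""
from dataclasses import dataclass
from datetime import date, timedelta

TTR_THRESHOLD_AUD = 10_000        # A$10,000 or more triggers a TTR
TTR_DEADLINE_BUSINESS_DAYS = 10   # TTR due within 10 business days

# Constructed exchange rates for this example only, not market data.
AUD_PER_UNIT = {"AUD": 1.0, "USD": 1.50, "EUR": 1.65}


@dataclass
class Transaction:
    customer_id: str
    occurred: date
    amount: float
    currency: str
    kind: str  # "cash" (physical currency), "digital" (e-currency) or "electronic"


def aud_equivalent(tx):
    return tx.amount * AUD_PER_UNIT[tx.currency]


def requires_ttr(tx):
    """Physical currency or e-currency of A$10,000+ (or foreign equivalent).
    Electronic transfers are out of scope here (IFTI rules apply instead)."""
    return tx.kind in ("cash", "digital") and aud_equivalent(tx) >= TTR_THRESHOLD_AUD


def add_business_days(start, n):
    """Count forward n Monday-to-Friday days after `start`.
    Assumption: public holidays are not modelled."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def ttr_deadline(tx):
    return add_business_days(tx.occurred, TTR_DEADLINE_BUSINESS_DAYS)


def flag_unusual_cash_patterns(txs, window_days=3, min_count=3, floor=0.8):
    """Heuristic for the 'unusual patterns of transactions' an OCDD monitoring
    programme must be able to identify: several cash transactions by one
    customer, each below the threshold, within a short window, whose total
    reaches the threshold. Matches are candidates for review, not findings."""
    flagged = set()
    cash = sorted((t for t in txs if t.kind == "cash"), key=lambda t: t.occurred)
    by_customer = {}
    for t in cash:
        by_customer.setdefault(t.customer_id, []).append(t)
    for cid, items in by_customer.items():
        for i, first in enumerate(items):
            window = [t for t in items[i:]
                      if (t.occurred - first.occurred).days < window_days
                      and floor * TTR_THRESHOLD_AUD <= aud_equivalent(t) < TTR_THRESHOLD_AUD]
            if len(window) >= min_count and sum(map(aud_equivalent, window)) >= TTR_THRESHOLD_AUD:
                flagged.add(cid)
    return flagged


# Constructed sample transactions (dates chosen so that 25 May 2020 is a Monday).
SAMPLE_TXS = [
    Transaction("C1", date(2020, 5, 25), 9_500, "AUD", "cash"),      # below threshold
    Transaction("C1", date(2020, 5, 25), 12_000, "AUD", "cash"),     # TTR
    Transaction("C1", date(2020, 5, 26), 7_000, "USD", "digital"),   # A$10,500 -> TTR
    Transaction("C1", date(2020, 5, 26), 50_000, "AUD", "electronic"),  # not a TTR
    Transaction("C2", date(2020, 5, 25), 9_000, "AUD", "cash"),
    Transaction("C2", date(2020, 5, 26), 9_000, "AUD", "cash"),
    Transaction("C2", date(2020, 5, 27), 9_000, "AUD", "cash"),      # pattern for review
]


def run_checks(txs):
    """Return (list of (customer, deadline) for TTRs, customers flagged for review)."""
    ttrs = [(t.customer_id, ttr_deadline(t)) for t in txs if requires_ttr(t)]
    return ttrs, flag_unusual_cash_patterns(txs)
```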

Privacy laws

Describe any privacy laws that affect record-keeping requirements, due diligence efforts and information sharing.

The Privacy Act 1988 (Cth) (the Privacy Act) regulates the handling of personal information by Australian government agencies, Australian Capital Territory agencies and private sector organisations with an aggregate group revenue of at least A$3 million. The Privacy Act also applies to all reporting entities under the AML/CTF Act regardless of turnover.

The Privacy Act includes 13 Australian Privacy Principles (APPs), which create obligations on the collection, use, disclosure, retention and destruction of personal information. The APPs include:

  • open and transparent management of personal information;
  • disclosure to a person that his or her personal information will be collected;
  • restrictions on the use and disclosure of personal information;
  • obligations to ensure the accuracy of collected personal information; and
  • obligations to protect personal information.

Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.

The effect of this is that information collected about an individual in the course of undertaking CDD procedures would generally constitute personal information for the purposes of the Privacy Act and require that reporting entities comply with the Privacy Act in relation to personal information collected from customers, personal information recorded by reporting entities and personal information shared with other entities.

Where there has been a breach of data (ie, unauthorised access to or disclosure of information), the Notifiable Data Breaches (NDB) scheme (in effect from February 2018) requires entities regulated under the Privacy Act to notify any affected individuals and the Office of the Australian Information Commissioner where the breach is likely to result in serious harm to those individuals. The NDB scheme applies to agencies and organisations that the Privacy Act requires to take steps to secure certain categories of personal information.

In addition to complying with the Privacy Act as it relates to the collection, use and handling of personal information, reporting entities must comply with the AML/CTF Act with respect to the disclosure of personal information to credit reporting bodies. The AML/CTF Act authorises the use and disclosure of certain personal information held by a credit reporting body to a reporting entity for the purposes of verifying the individual’s identity under the AML/CTF Act, provided the reporting entity discloses certain information to the customer and obtains the customer’s express consent prior to disclosing such information.

Resolutions and sanctions

What is the range of outcomes in AML controversies? What are the possible sanctions for breach of AML laws?

There are a variety of enforcement outcomes that AUSTRAC can pursue in the event of non-compliance with the AML/CTF Act. These include:

  • seeking civil penalty orders under the AML/CTF Act; if the Federal Court of Australia is satisfied that a reporting entity has contravened a civil penalty provision, a pecuniary penalty may be payable to the Commonwealth. As at the date of writing, the maximum pecuniary penalty is A$21 million for bodies corporate and A$4.2 million for individuals and other entities;
  • accepting an enforceable undertaking, which is a written undertaking that is enforceable in court and used as an alternative to civil or administrative action;
  • issuing an infringement notice, whereby payment of the specified penalty will satisfy any liability, and no criminal or civil penalty proceedings will be brought;
  • issuing a remedial direction, which requires a reporting entity to take specified action to ensure that it does not contravene a civil penalty provision in the future; and
  • requiring that a reporting entity take certain actions in relation to auditing (eg, appointing an external auditor and arranging for an audit report).

Limitation periods for AML enforcement

What are the limitation periods governing AML matters?

Proceedings for a civil penalty order under the AML/CTF Act must be commenced no later than six years after the date of contravention.

Do your jurisdiction’s AML laws have extraterritorial reach?

The AML/CTF Act states that unless the contrary is provided in the Act, its scope extends to acts, omissions, matters and things outside Australia. However, a geographical link to Australia, with respect to the relevant designated service, must be present.

Law stated date

Correct on

Give the date on which the above information is accurate

28 May 2020.