In November 2024, the Australian Parliament passed the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (the 2024 Act) which introduced sweeping reforms to Australia's Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act). In this article, we will refer to the AML/CTF Act as amended by the 2024 Act as the Amended AML/CTF Act. The 171 page 2024 Act (which is accompanied by an 179 page Explanatory Memorandum (Explanatory Memorandum)) is intended to:
extend Australia's AML/CTF regime to cover additional services that are recognised by the Financial Action Task Force (FATF) as posing high AML/CTF risks;
reframe and clarify the AML/CTF regime and customer due diligence obligations;
enable the Australian Transaction Reports and Analysis Centre (AUSTRAC) to require the disclosure of information and conduct examinations; and
update the AML/CTF regime to reflect changing business structures, technologies, and illicit financing methods.
Shortly after the passing of the 2024 Act, AUSTRAC released exposure draft legislation detailing proposed amendments to the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No.1) (Rules) for public consultation (Exposure Draft). The consultation period remains open until next Friday.
The revised rules are intended to align with the Amended AML/CTF Act and, if implemented, effect reforms in areas such as AML/CTF programs, customer due diligence, introducing/harmonising FATF's internationally recognised "Travel Rule", compliance reporting, correspondent banking, and reporting group structures.
This is round one of a two part consultation on changes to the Rules, with further consultations expected on these and other measures (including enrolment and registration processes) in due course. Ultimately, there will be two sets of rules, the General Rules, and certain existing rules contained in a modified version of the current rules known as the Exemption Rules.
Too long, didn't read - what do I need to know?
In this article, we summarise some of the key changes in respect of the following focus areas:
Changes for the crypto-asset or "virtual assets" sector and the Travel Rule;
Changes for the financial sector;
Changes to the AML/CTF program requirements;
Changes to customer due diligence requirements; and
Reporting groups and lead entities.
Reporting entities will of course need to grapple with the full details of these changes in the coming months ahead of full implementation commencing in 2026.
1) Changes for the crypto-asset sector and the Travel Rule
The proposed reforms will significantly expand the regulation of crypto-assets by replacing the definition of "digital currency" with a broader "virtual asset" category (aligning with FATF's lexicon). This includes certain NFTs, governance tokens, and private stablecoins, but excludes central bank digital currencies, loyalty points, and in-game tokens.
Entities providing "digital asset" related "designated services" under Table 1 of section 6 of the AML/CTF Act will need to comply with the new regime. These services will now be referred to as "registrable virtual asset services", and any business that provide such services are required to register with AUSTRAC as "Virtual Asset Service Providers". Key obligations include the Travel Rule, which mandates VASPs to transmit payer and payee information with transactions, conduct due diligence on wallets, and report unverified self-hosted wallets to AUSTRAC.
The reforms amend several of the digital asset related designated services (including separating Item 50A into three constituent parts) as follows:
Category of designated service | Description of activity | Proposed item number in Table 1 of Section 6 of the AML/CTF Act |
Transfer of value involving virtual assets | As an "ordering institution", accept instructions to transfer a virtual asset; or as a "beneficiary institution", make a virtual asset available to a payee in relation to a transfer of value | 29 and 30 (amended items) |
Virtual asset safekeeping | Providing a virtual asset safekeeping service where the service is provided in the course of carrying on a business as a virtual asset service provider (i.e., custodians) | 46A (new item) |
Exchange of virtual assets | Exchanging or making arrangements for the exchange of a virtual asset for money (whether Australian or not) or vice versa (on-off ramp); and exchanges between same or different type of virtual assets (crypto-to-crypto) | 50A and 50B (new items) |
Offer or sale of virtual asset | Providing another designated service under Table 1 of section 6 of the AML/CTF Act in connection with the offer or sale of a virtual asset | 50C (new item) |
VASPs must also report international value transfers, prepare risk assessments, and ensure compliance with the new registration and reporting requirements expected to be implemented under AUSTRAC’s draft AML/CTF Rules.
VASPs initiating or receiving virtual asset transfers will have to comply with a modified Travel Rule, ensuring transaction details are shared between institutions and steps are taken to verify the ownership of unhosted wallets or report unverified digital wall transactions to AUSTRAC. These changes are intended to bring Australia in line with FATF standards but will likely prove controversial with privacy advocates.
VASPs should engage qualified experts and begin compliance preparations now, as the implementation of the above into business operations may take time. Changes are expected to become effective by as early as March 2026.
2) Changes for the financial sector
The Amended AML/CTF Act introduces measures affecting all reporting entities providing financial designated services, including banks, VASPs, and remittance service providers.
Value transfer obligations are streamlined into a single value transfer chain, ensuring key transfer information is passed along regardless of technology. The reforms introduce International Value Transfer Service (IVTS) reports, replacing International Funds Transfer Instruction (IFTI) reports. Value transfer service obligations begin on 31 March 2026, while IVTS obligations will commence later, with transitional rules maintaining IFTI reporting until technical updates are complete.
The Amended AML/CTF Act also revises the bearer negotiable instrument definition to align with FATF standards, excluding non-bearer and non-negotiable instruments from cross-border movement reporting. This change is intended to address industry concerns about the previous broad definition and reduce regulatory compliance burdens.
3) Changes to the AML/CTF program requirements
The reforms introduce a (welcome) major overhaul to AML/CTF programs requirements in an effort to streamline compliance and risk management obligations for reporting entities.
In summary:
the distinction between Part A and Part B of AML/CTF Programs is removed;
risk assessments are now compulsory in AML/CTF programs with mandated risk assessment triggers;
regular reporting to a reporting entity's 'governing body' (e.g. board) will be mandated to enable it to exercise its oversight role;
an eligible AML/CTF compliance officer must be designated;
due diligence and training requirements will apply for employees and contractors engaged in AML/CTF related functions;
reporting entities must implement safeguards against tipping off;
a simplified regime for Australian companies operating overseas through a foreign branch or subsidiary of an Australian reporting entity will be created; and
risk mitigation strategies such as a senior manager approval requirement for high-risk customers will be implemented.
A reporting entity must have a AML/CTF policies in place before a business begins offering designated services. These reforms are expected to become effective in March 2026.
4) Changes to customer due diligence requirements
The reforms introduce a more flexible, principles-based approach, requiring businesses to rethink their onboarding and monitoring processes. While the reforms eliminate rigid verification steps, they also create new compliance challenges.
Businesses will no longer follow prescribed CDD steps for specific customer types but must instead determine appropriate measures based on risk. Certain exemptions apply, including deferrals for politically exposed persons (PEPs) in specific circumstances. In some cases, compliance can be deemed met through foreign laws or transitional provisions, and ongoing monitoring now extends beyond money laundering to broader serious crime risks.
One key change is the new requirement to collect and verify a customer’s place of birth for designated services under travel rule obligations, which could prove practically difficult due to limited documentation availability. Similarly, businesses dealing with trustees must go beyond simply identifying a class of beneficiaries and be prepared to verify individual beneficiaries when distributions occur.
With these changes set to take effect by 31 March 2026, businesses will need to review and refine their AML/CTF programs, ensuring their KYC and CDD frameworks are robust enough to meet the new principles-based requirements.
5) Reporting groups and lead entities
The Amended AML/CTF Act replaces “designated business groups” with “reporting groups,” introducing a new compliance framework. A reporting group is a business group where at least one member provides a designated service, and a lead entity is required for each reporting group. The lead entity is liable for the group’s AML/CTF compliance and must have direct control over other members providing designated services.
The reforms aim to simplify the previous framework by removing the requirement that all group members be reporting entities.
Conclusion
The sweeping reforms introduced by the Amended AML/CTF Act will bring significant regulatory changes, creating both compliance challenges and operational uncertainties for businesses. With new obligations affecting the crypto sector (or should we say, "virtual asset" sector), financial services, AML/CTF programs, customer due diligence, and reporting groups, businesses must be proactive in understanding and implementing these changes.
Given the complexity and breadth of the reforms (which are set to take effect as early as March 2026), businesses should not wait to assess their compliance obligations. Engaging with legal and regulatory professionals in advance will help navigate possible uncertainties and avoid costly missteps.
Written by Steven Pettigrove and Luke Higgins
Comments