On 29 November 2024, Parliament passed the Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Amendment Bill.
Along with the Bill, AUSTRAC has released a draft update to the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No.1), commonly referred to as ‘the Rules’. These Rules specify the detailed requirements and exemptions reporting entities must follow to ensure compliance. Note that the Rules are draft only and open for consultation from 11 December 2024 to 14 February 2025 via AUSTRAC’s site.
The commentary in this article is based on the rules as they are currently drafted and we give examples based on equivalent rules in the UK and New Zealand. Once final rules are agreed we will release an updated version.
Outcome-based focus
The draft Rules focus on simplifying existing regulations, aligning with recommendations from the 2016 Statutory Review of the AML/CTF regime. By shifting away from overly prescriptive requirements, the updates offer practical and scalable guidance for reporting entities. This approach allows businesses to tailor their compliance measures to fit their size, operations, and risk profile.
The revisions aim to clarify and streamline obligations, making them easier to understand and implement. The emphasis is on an "outcome-based" framework for all reporting entities. This means that what is appropriate for a small rural law firm will be simpler, and would be inappropriate for a multinational or city-based firm.
What’s changing?
The draft Rules outline several key areas of reform, including:
- AML/CTF programs
- Reporting groups (previously known as ‘designated business groups’)
- Customer due diligence (CDD)
- Travel rule compliance
- Compliance reporting
- Keep open notices (previously referred to as ‘Chapter 75 notices’)
- Correspondent banking relationships
Key updates in the draft Rules
Expanded scope of AML/CTF obligations
From 1 July 2026, AML/CTF obligations will extend to a broader range of services that are exposed to higher money laundering risks. Businesses in the following industries will need to comply with the new AML/CTF rules:
- Real estate professionals (including agents, buyers’ agents, and property developers)
- Dealers in precious stones, metals, and products
- Lawyers and conveyancers
- Accountants
- Trust and company service providers
In addition, virtual asset-related services will come under AML/CTF regulation starting 31 March 2026. To see if you might be regulated under these new rules, check with AUSTRAC.
For further information on the Amended AML/CTF Act, see AUSTRAC’s summaries for new regulated entities and current regulated entities.
Reporting groups (formerly known as designated business groups)
The Amended AML/CTF Act Part 1 and draft Rules introduce a new concept: reporting groups, replacing the existing designated business groups framework.
A reporting group is a collective structure that allows reporting entities to work together and share compliance-related information to meet their AML/CTF obligations. This framework includes traditional corporate groups and extends to non-corporate structures, such as franchises, partnerships or trust networks, which are increasingly common in newly regulated reporting entities and non-reporting entities.
Key features of reporting groups
- Group-level AML/CTF programs
Each reporting group must have a lead entity responsible for developing and maintaining a group-wide AML/CTF program. The program should assess, mitigate, and manage ML/TF risks across all group members. For example, a head office of an accounting partnership might act as the lead entity for the other state-wide accounting firms.
- Flexibility in compliance
Group members can fulfil each other’s AML/CTF obligations, subject to conditions outlined in the AML/CTF Rules. From what we’ve seen in the UK and New Zealand, this could look like the head office of a law firm in the UK conducting CDD for all European based activities. The CDD conducted by the head office can then be reused (subject to no changes) by other European offices.
- Automatic formation
A reporting group is automatically formed if at least one member provides a designated service and meets any applicable conditions in the Rules. For example, businesses providing designated services and controlled by a parent company will typically form a reporting group.
The draft rules outline the lead entity requirements for a reporting group:
- The lead entity must be a resident of Australia.
- It must provide a designated service or be registered under the Corporations Act 2001.
- It must control all other group members providing designated services.
Customer due diligence (CDD)
The draft Rules propose several important changes to customer due diligence requirements, replacing the previous "Applicable Customer Identification Procedures". These measures align Australia more closely with international AML standards and provide more flexibility for reporting entities.
Individual Verification
- New identity requirements
Reporting entities must collect and verify the customer’s date and place of birth for accounts and transfers of value services. Note this would assume collection of passport or birth certificate documentation for individuals.
- Flexibility to use existing processes
Existing verification processes (e.g., ARNECC standards) may continue, with additional steps for high-risk clients e.g. clients who are Politically Exposed Persons (PEPs) or sanctioned. In the UK, we see that these extra steps often include using the UK HM Land Registry Identification requirements as a firm-wide process for identity verification.
Corporate Verification
- Collection and verification requirements
Reporting entities must collect and verify the following information about their corporate customer e.g. company, sole trader, trust/SMSF, partnership, etc.
  - Legal and trading name
  - Unique identification number e.g. company number
  - Address of registered and principal place of business
  - The nature of the customer’s business (note this does not need to be verified)
- Ownership and control information
Reporting entities are required to gather detailed information on ownership, control, and management structures.
- Legal and official documentation
Reporting entities are required to collect documentation that demonstrates how a customer is regulated. Examples include a company constitution, a partnership agreement, or a trust deed.
- Trustee verification
If a trust is involved in the structure, a reporting entity must collect and verify specific details about trustees, including:
  - The type of trust (e.g., discretionary, unit, or bare trust)
  - The identities of the settlor
  - The identities of any appointors, guardians, or protectors
Mandatory Enhanced due diligence (EDD)
- Foreign PEPs and high-risk PEPs: Reporting entities must conduct source of wealth and source of funds checks for all foreign PEPs and high-risk domestic/foreign PEPs.
Deemed Compliance for Previously Conducted ACIP
Please note this applies only to current reporting entities, not tranche 2 entities.
- Applicable Customer Identification Procedures (ACIP): Reporting entities are considered compliant with identification requirements if they have completed ACIP for a customer before 31 March 2026.
- This ensures that entities regulated before the amendments do not need to collect or verify additional KYC information for existing customers.
Deemed Compliance through Passporting
- Foreign CDD measures
Reporting entities or their group members are deemed compliant if they have applied foreign CDD measures in line with FATF recommendations on customer due diligence and record-keeping, provided specific criteria are met.
- The "passporting" provision reduces the burden of duplicate work, allowing reporting entities to rely on customer due diligence conducted under different AML/CTF regimes.
AML/CTF compliance officers
The compliance officer's role is central to managing and mitigating money laundering and terrorism financing risks effectively in a reporting entity. To ensure the right individual takes on this responsibility, the amended legislation outlines specific eligibility criteria for compliance officers. The individual must:
- Reside in Australia (if the reporting entity operates through a permanent establishment in Australia).
- Be a fit and proper person, meeting AUSTRAC’s outlined requirements.
- Meet the requirements outlined in the AML/CTF Rules (Section 23).
What are the Section 23 requirements and what does "Fit and Proper" mean?
Section 23 of the draft Rules provides a framework for assessing whether a person is fit and proper for this role. Reporting entities must evaluate:
- Character and Competence: Does the person have the honesty, integrity, judgement, and diligence to fulfil the role?
- Legal and Regulatory Background: Has the individual been convicted of a serious offence, engaged in misconduct, or faced adverse regulatory findings?
- Financial Standing: Is the person an undischarged bankrupt or have they entered into a personal insolvency agreement?
- Conflict of Interest: Could any conflicts materially risk their ability to discharge their duties effectively?
These considerations align with Australian regulatory practices and international standards.
Timeline for compliance
The new rules will take effect for existing reporting entities on 31 March 2026. The newly covered reporting entities will have until 1 July 2026 to fully comply, with AUSTRAC accepting enrollments starting 31 March 2026.
What’s next?
Compliance professionals should familiarise themselves with the draft Rules for existing reporting entities and assess how these changes might affect their current compliance programs.
For new reporting entities, firms should start preparing now for the 2026 transition. This should include understanding your new obligations, conducting risk assessments, and implementing appropriate compliance measures.
AUSTRAC is seeking feedback on the draft Rules as part of a public consultation process. The draft Rules and a consultation paper are open for submissions on the AUSTRAC website until 14 February 2025. A second exposure draft is planned for consultation in 2025.
For more information, refer to the AUSTRAC consultation page and the full exposure draft of the Rules.
About First AML
First AML simplifies the entire anti-money laundering onboarding and compliance process. Its SaaS platform, Source, stands out as a leading solution for organisations with complex or international onboarding needs. It provides streamlined collaboration and ensures uniformity in all AML practices.
First AML transforms an otherwise complex and manual process into one that is simple, cost-effective, and compliant for businesses. By delivering efficiency and time savings, it protects reputations and enables companies to stay on the right side of history in the face of global threats.