How to prepare for the AML/CTF reforms – a practical guide

With the AML/CTF Rules finalised and the commencement date of the AML/CTF reforms drawing closer (31 March 2026 for existing reporting entities), it is critical that reporting entities start preparing their business to implement the new or changed requirements.

Sophie Grace provides a high-level summary of practical steps that reporting entities can take to transition to the new regime in an orderly manner.

Note: We have covered the new or changed requirements in our previous article here.

Step 1 - Determine who is responsible for leading the implementation of the reform

The reforms impose obligations on governing bodies (people with primary responsibility for governance and executive decisions within the reporting entity) to oversee and lead the reporting entity's compliance with the AML/CTF regime. This means that AML/CTF compliance should be driven with a top-down approach. Reporting entities should determine which staff members in their business (for example, directors, senior managers, compliance/risk teams) are responsible for overseeing and implementing the transition. If a reporting entity is a small business, the director will be responsible for the implementation of new processes.

Step 2 - Appoint an AML/CTF compliance officer for your business

The AML/CTF Compliance Officer ("AML/CTF CO") will be a key player in the day-to-day implementation of AML/CTF processes within the business, both at this transition stage and on an ongoing basis. The reforms impose criteria for selecting a person to be the AML/CTF CO of the reporting entity.

For existing reporting entities who have already nominated an AML/CTF CO, consideration should be given as to whether the person meets the new requirements to be an AML/CTF CO.

Step 3 - Consider if you will be part of a Reporting Group

If a reporting entity is currently part of a designated business group (DBG), or belongs to a wider corporate group, franchise or partnership arrangement, the reporting entity may consider forming a "Reporting Group" so that AML/CTF functions can be shared across the group (for example, this allows one entity to discharge customer due diligence obligations on behalf of the other reporting entities within the group).

There are two types of reporting groups:

1. The first type is appropriate where there is a control relationship between one entity and the rest of the entities in the group (for example, corporate groups).
2. The second type would be more appropriate for other groups where there is not a control structure (for example, partnerships, franchises and joint ventures).

If reporting entities decide to form a Reporting Group, they must identify who will be the lead entity of the group. The lead entity is the entity who has overall responsibility for the group's compliance with their AML/CTF obligations.

After forming a Reporting Group, the group must determine clearly:

• which entities have AML/CTF obligations and what those obligations are;
• which of those obligations are to be performed by another entity in the group;
• which entity in the group will perform those AML/CTF obligations - and whether that entity has adequate resources and capabilities to properly discharge those obligations; and
• procedures to enable appropriate information sharing within the group to enable an entity to perform obligations on behalf of another.

Step 4 - Develop an implementation plan for the transition of existing processes to the new regime

Reporting entities should develop a timeline for actioning the various steps in the transition, including who is responsible for performing which tasks. Persons responsible should have a clear understanding of what they need to do. Reporting entities may like to consider engaging external advisors to assist and provide support where necessary - please refer to this page for some considerations when outsourcing your AML/CTF functions. Reporting entities may also need to set aside additional resources to implement the reforms effectively.

There are four key elements that reporting entities should pay attention to when developing an implementation plan. These elements will be familiar to existing reporting entities, but there have been changes to the various obligations:

The reporting entity's ML/TF risk assessment

Under the reforms, conducting a risk assessment is the overarching obligation and therefore your business risk assessment is an important document. Reporting entities should consider:

• What ML/TF risks your business faces, taking into account your customer types, delivery channels/methods, jurisdictions where you operate from, and the types of services and products you provide;
• How likely is it that these risks will occur?
• What are the impacts if these risks occur?
• What measures have you put in place to mitigate and manage these risks?
• Are the measures appropriate for your business, considering its size, nature and complexity?

Customer due diligence (CDD) and transaction monitoring procedures

CDD procedures are split into two categories: initial CDD and ongoing CDD. Reporting entities must reconsider their CDD procedures, particularly in light of enhanced KYC information to be collected at various stages. From 31 March 2026, reporting entities are also required to conduct a risk assessment on each of their customers.

• What types of information do you collect from customers?
• What types of information do you verify?
• Do you engage any external service providers to assist with customer identification and verification?
• How do you identify and assess the ML/TF risks associated with each customer?
• What are the factors or circumstances that will trigger the conduct of enhanced CDD procedures?. Have you implemented the prescribed triggers?
• How do you monitor your customer's transactions?
• What triggers the requirement for a customer's KYC information to be updated? Have you implemented the prescribed triggers?
• Are records appropriately kept?
• Do you have measures to ensure compliance with reporting obligations?

AML/CTF program

Under the reforms, an AML/CTF Program is no longer split into Part A and Part B. Instead, there are two key elements to the Program

a) the risk assessment and

b) the policies and procedures you implement to identify, mitigate and manage your ML/TF risk.

Reporting entities should consider the following questions:

• Has your program been updated to reflect the new or changed requirements under the reforms?
• Has your program been tailored to the nature, size and complexity of your business?
• When was your program last reviewed?
• Has your updated program been approved by a senior manager of the business?
• Is there someone in your business who is tasked to ensure the business complies with its program in its day-to-day operations?

Employees

• Are your employees and representatives aware of the business' AML/CTF procedures?
• Can your employees identify red flags when dealing with customers and escalate issues to the appropriate persons?
• Do you impose any training requirements for your employees, so that they can stay up to date on the ML/TF risks applicable to the business?
• What measures do you have to ensure that your employees do not facilitate the commission of ML/TF offences?

Step 5 - Update your details with AUSTRAC

Reporting entities must ensure their details are up-to-date with AUSTRAC. As part of this transition, it will be a good opportunity for reporting entities to review their AUSTRAC enrolment, such as:

• contact details (emails, addresses, phone numbers);
• business names;
• websites;
• AML/CTF CO details;
• Key person details - directors, shareholders, beneficial owners; and
• Reporting Group membership information (if applicable).

Reporting entities should also ensure that the relevant persons have access to their AUSTRAC Online account.

Step 6 - Stay up to date with AUSTRAC guidance and materials

AUSTRAC publishes plenty of guidance on its website, which is helpful for reporting entities to understand what various AML/CTF obligations mean for their business and how to implement them effectively. We encourage all reporting entities to subscribe to AUSTRAC's alerts, particularly as AUSTRAC releases more materials in relation to the reforms in the coming months.

If your business requires assistance with adjusting to the AML/CTF reform, please contact us.

Further Reading

• AUSTRAC webpage - Preparing for the changes as a current reporting entity
• AUSTRAC regulatory expectations and priorities for 2025-26
• AUSTRAC regulatory expectations for the implementation of the AML/CTF reforms

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.