I've come to the role of AUSTRAC CEO at a momentous time for AML/CTF regulation. We’re about to embark on the most ambitious overhaul of Australia’s anti-money laundering laws in a generation. 

It’s such a significant change that will impact each and every one of you. These reforms will enable us to be more effective in the fight against financial crime and the harm it causes Australia. 

Serious and organised crime is costing Australia more than $68 billion every year. These crimes fund the worst types of behaviour, which is why all of us here are dedicated to tackling this problem.

AUSTRAC is Australia’s anti-money laundering and counter-terrorism financing regulator as well as Australia’s financial intelligence unit. We currently regulate just under 18,000 businesses but that will rise to around 100,000 as we bring so called ‘tranche 2’ entities. 

As a consequence of that, we’ve spent time considering the best way to take on this new cohort of businesses while continuing to effectively reduce risks and harms associated with money laundering.

We’ve decided we need a major evolution in our regulatory approach. 

Like the reforms to the AML/CTF Act itself, we are shifting our regulatory approach from just looking at compliance, to focus on outcomes and, specifically, the harms resulting from businesses failing to manage money laundering risks or report correctly to AUSTRAC. These harms are not sector-specific and can arise through channels, jurisdictions and customers common to many sectors and businesses.

The current state of the regulatory focus has been on understanding, in depth, the compliance of individual businesses. We have focused our efforts on compliance assessments, remediation and enforcement actions against large, high risk businesses. There is a limit to what can be achieved by only focusing in depth on purely individual businesses. As a regulator, we need to be more ambitious and seek to influence change across the broader financial community

What does this look like in practice? 

We’ll be looking at the Industry and sector level, rather than individual businesses. We will be focused on changes needed to manage money laundering risks across industry sectors. We will be prepared to intervene if businesses do not manage their risks appropriately, be more directive about what we’d like to see and what the risks are. We will identify the changes we want to see across an industry sector or specific part of it and over what specific timeframe. We will use our full suite of regulatory tools to achieve these changes. 

And we’ve already started this work. You may have heard in the media over the last few weeks, the work we’ve been doing through our cryptocurrency Taskforce. This Taskforce was established late last year to ensure digital currency exchanges, initially focused on those provide crypto ATM services, meet acceptable standards and have robust practices in place to identify and minimise the risk that their machines will be used to move money associated with scams, fraud or other proceeds of crime. We’ve seen a dramatic rise in the number of crypto ATMs operating in Australia. In 2019 there were just 23. Now, there are upwards of 1,800. 

The Taskforce is a great example of this new approach. We established the taskforce because we know the crypto ATM area is very risky and, we considered that the high risks across the sector were not being effectively managed. So we’ve used our powers to gather significant data, including conducting on chain tracing and building specific risk profiles for individual businesses to identify in detail what the risk actually is, and what action we can take action to change behaviour right across the industry – rather than in just one business. 

And we’ve had some interesting findings so far. The Taskforce has uncovered disturbing trends, including patterns of suspicious activity which are indicative of scam and fraud-related transactions. There is clear evidence of these machines being the channel for major international scams and money mule activity - we think up to one in ten transactions could be illicit. 

Most users are over 50, with the 60–70 age group accounting for nearly 30% of transaction value. It is a huge concern that people in this demographic are over-represented as customers and, as evidence suggests, that a large number of this age group are victims of scam activity, and then often themselves becoming money mules

As a result, we’ve recently announced our decision to put additional controls on crypto ATM operators. Those extra conditions impose minimum standards including a $5,000 limit on cash deposits and withdrawals, enhanced customer due diligence obligations and mandatory scam warnings and on chain tracing. And if they don’t follows these conditions, they risk losing the ability to operate in Australia. 

Traditionally, we’ve said to businesses like cryptocurrency ATM providers, you need to understand your risk and put in place controls to mitigate that risk. But after a deep dive into that sector and engagement with participants, now we’re saying, your risks are at least X, Y and Z and if you want to be registered to operate, here’s the minimum you must do to mitigate those risks. It’s an approach that aims to reduce the risk of criminal activity in those businesses and the harms that result. It’s a much more direct approach and involves much more engagement with businesses. 

As I mentioned earlier, the AML Landscape in Australia has evolved and we need to evolve with it. We have a huge variety of responses to AML in Australia from large sophisticated institutions spending millions of dollars and thousands of staff looking at financial crime, and great work happening in smaller and medium sizes business also. We also still have large amounts of businesses that are negligent in their responsibilities and some very organised criminals in others.  It would be a mistake for a regulator to see them our through the same prism. So if we are focusing heavily on risk, what does it mean for those business doing well in AML. It means taking a more sophisticated variation in our approach. It means we can start to work with them as partners. Work together to tackle crime, share data in new and more effective ways and work together to test what works in regulatory controls. We are all facing significant challenges with growing speed and volume of transactions, growth of purely online financial businesses and service delivery, the development of agentic financial services and the growing criminal use of AI at scale. Many of our regulatory and legislative regimes to combat financial crime were designed at a different time and not with these circumstances in mind. We need to work together to understand how to manage risk in these circumstances.  It’s quite a change from how we operate now. 

But that doesn’t mean those ‘good’ businesses can drop the ball on managing their money laundering risks. We will be monitoring indicators of risk and harm and, where we see gaps emerging, we will take action. In the meantime, we prefer these businesses focus on tackling crime than preparing for intensive and regular compliance assessments. 

AUSTRAC already has partnerships in place through our Fintel Alliance. We’re already partnering with major banks, remittance service providers, gambling operators, digital currency exchanges as well as law enforcement and government agencies. Established in 2017, Fintel Alliance consists of representatives from public and private partner organizations that work together to combat complex or emerging crimes impacting the community -those that require a multilateral public-private approach.

Let me share a great example of how this model can achieve results. We held a week of action late last year where Fintel Alliance partners from Australia’s four largest banks worked together to combine data on cash deposit transactions under $10,000. They used the new Collaborative Analytics Hub which enabled them to share their data and analyse it on one common platform. Sitting in the same room, they jointly looked for criminal patterns within more than 50 million data points. There was a palpable buzz in the room once the analysts started crunching the numbers and finding anomalies. When a suspicious pattern or person was flagged, it was quickly shared with the other analysts, allowing them to paint a picture of what the criminal was up to. Using the combined datasets and new software, we were able to see things that were not visible before. In just a few days we identified criminal networks now subject to law enforcement action. This shows the power of intelligence, partnerships and collective effort.

In addition, Fintel Alliance’s success has led to the decision to expand the operation and make the Collaborative Analytics Hub a permanent fixture. Industry has upped the investment too. Including ANZ sending a permanent co-director to work with us. The expansion of Fintel Alliance has become a necessary strategic investment, and part of AUSTRAC’s transformation into a bigger agency. Through Fintel Alliance, AUSTRAC is facilitating stronger partnerships above and beyond its intelligence-gathering powers and these partnerships have resulted in tangible outcomes that AUSTRAC will produce on a larger, more dedicated scale. This will enhance AUSTRAC’s ability to disrupt criminal activity above and beyond our existing intelligence efforts and regulatory reach. 

We’re also broadening our scope when it comes to sourcing data. We’ve built a new Data Division which will allow us to take in as much external data as we can that might indicate other levels of risk. We’re looking into a partnership with PEXA, for example, to source real estate data for our Tranche 2 implementation. 

As regulated businesses improve their money laundering, we know criminals will look for the next vulnerability to launder their dirty money. That’s why we’re also looking at industries we don’t currently regulate.  We have eyes on the risks associated with privately managed ATMs and Cash-in-transit services. Our National Risk Assessment highlighted the money laundering vulnerabilities that exist where businesses offer other cash-intensive services in addition to their main commercial activity. These private ATMs are appearing everywhere – a lot of them are popping up in tobacco shops, or pubs and clubs for example. Places with a high cash turnover and sectors linked to organised crime. And who’s cleaning out these ATMs? Who are the Cash-in-transit operators involved? We know Cash-in-transit services may be particularly vulnerable to criminal exploitation, given their ability to securely transport bulk cash offshore and hide the original source of funds.

You may have seen in the news about a fortnight ago, the conclusion of an operation by the Queensland Joint Organised Crime Taskforce, where AUSTRAC intelligence played a crucial role in the arrest of 4 people involved in a money laundering scheme which used cash-in-transit businesses.  The operation was almost two years in the making and was progressed because AUSTRAC analysts identified a number of suspicious transactions between an individual and a company account. Intelligence showed the sophisticated money laundering operation was allegedly being run through the armoured transport unit of a security company that transferred $190 million dollars’ worth of cash into cryptocurrency. The security company, which transferred cash between businesses and banks, allegedly mixed cash from its legitimate business arm with illicit funds deposited by suspected criminals. AUSTRAC intelligence later revealed they were also using online payment platforms and cryptocurrency to launder dirty money. This case is a good example of how we’re examining externally sourced data, from an area we don’t regulate, and drawing conclusions about risk and money laundering and building detailed pictures of criminal business models

I started this speech talking about how momentous the changes to the AML/CTF legislation are. As many of you know, AUSTRAC is currently working with businesses, both existing and new entities, to co-design the ‘Rules’, which sit alongside the Act.

These ‘Rules’ will provide detail to businesses on their obligations, allow them greater flexibility in how they meet those obligations, reduce regulatory impacts and support them to better detect and prevent financial crime.

We’re pleased to report that we received a lot of constructive feedback during the first round of consultation on the ‘Rules’. 

We don't run real estate agencies or law firms or big banks so we need advice from the people who do run these business, so we can make the Rules not just lawful, but practical. We want to make sure they’re responsive to people’s business needs. The volume and complexity of the responses we’ve received so far increases the chances that the final version of the Rules will reflect the operational realities of the industries that will sit under the legislation. 

The second round of consultation wraps up this Friday – so you’ve got a few more days if you want to provide feedback - we will then consider the responses and finalise the Rules. 

Don’t worry, you won’t have to wait too much longer to know what the Rules contain. We’re hoping to have the finalised Rules ready for you all to look at in August. 

We know it’s been a long time coming but we want to get it right. We recognise the timeframes for implementing the reforms are tight – for business and for AUSTRAC. By taking a little more time to develop the Rules with industry, we seek to reduce the burden of implementation and improve the effectiveness of the new law once implemented. We recognise that reporting entities cannot finalise their implementation plans until the Rules are finalised. For tranche 2 entities in particular, we do not expect you to develop programs or engage service providers now. The law is not finalised yet and, for smaller, low complexity businesses, the starter kits are yet to be finalised. These starter kits will include a risk assessment and program and will be available before the end of the year. For tranche 2 entities keen to get on with it, keep doing what you’re doing by attending today’s conference – learning about money laundering through education and information provided by AUSTRAC and your industry bodies.

Let’s get out the crystal ball and look ahead to 1 July 2026, when the obligations on T2 entities commence. We don’t expect perfection on ‘day one’. We won’t be throwing the book at businesses who are trying to follow the law. AML is a practice and we will be supporting and educating you on the types of ML risks in your sectors and the controls needed to manage them. On day one, we expect tranche 2 businesses to be enrolled with AUSTRAC, have an AML program and have trained their staff, so they are ready to ask clients questions and, if something suspicious comes up, submit a report. You won’t be perfect straight away - this is a new practice for many of your staff. 

Be warned - if a business is wilfully ignoring the obligation to enrol, or we suspect a business is complicit with or wilfully blind to money laundering, they will be the focus of our enforcement efforts.

For tranche 1 entities, your ‘day 1’ is 31 March 2026. We recognise that some of you will need to change processes and technology systems to meet the letter of the law. We do not expect perfection with the letter of the law on ‘day 1’. Your focus, now and in March 2026, needs to be on managing your money laundering risks. We expect that you will develop implementation plans identifying how you will move to the new law while managing those risks. There will be some things you can do before March 2026, like updating your risk assessment, AML program and governance. Where changes will take a bit longer, we expect to see realistic plans and sustained efforts against those plans. And we are speaking to industry bodies about realistic transitional plans, our focus will be on outcomes, not checklists.

I want to conclude by reiterating how excited I am about the year ahead. These historic reforms will help us close a number of gaps that organised crime is out to exploit. 

AUSTRAC’s new regulatory approach, together with strong business and law enforcement partnerships, will ensure we’re evolving to strengthen Australia’s financial system and resist ever more sophisticated criminal infiltration.

To borrow a phrase from Henry Ford “If everyone is moving forward together, then success takes care of itself."

I’m confident, that together, we can deliver meaningful reform that will stamp out illegal activity and protect the Australian community from the harm it causes. 

Thank you.