Update to AUSTRAC’s regulatory expectations for implementation of the AML/CTF reforms
Obligations for businesses currently regulated under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) change on 31 March 2026. This update sets out our expectations for current regulated businesses in progressing towards implementing these changes and meeting their obligations. In particular, it also sets out our expectations in respect of implementation plans.
The updated statement builds on, and should be read together with, our regulatory expectations for implementation of the AML/CTF reforms of 3 July 2025.
Regulatory approach
Our approach to regulation recognises that regulated businesses are our partners. Supporting, collaborating with and building the capability of the regulated business population is critical to us achieving our vision of a community protected from financially-enabled crime.
We recognise that most regulated businesses want to comply with their obligations and do their part to prevent, detect and respond to criminal misuse of their business. We also recognise that the reforms to the AML/CTF regime are extensive and the impact on regulated businesses will vary depending on scale, services and circumstances. For some existing regulated businesses and their reporting groups, the changes will have a significant impact and require substantial changes to their systems over time.
We continue to support and assist regulated businesses in meeting their AML/CTF obligations, including new or changed obligations. We do this by providing user-friendly guidance and extensive industry outreach and education activities. We understand that even with this support and their best efforts, many existing regulated businesses will be unable to implement all the required changes to meet their obligations in the required timeframes.
Managing money laundering risks remains our priority
AUSTRAC uses financial intelligence and regulation to detect, deter and disrupt money laundering, terrorism financing and other serious crime. We support regulated businesses to be aware of contemporary money laundering, terrorism financing and proliferation financing risks, along with specific serious crime typologies such as child sexual exploitation and the illicit tobacco trade. We expect all existing regulated businesses to have completed an effective risk assessment to understand how this broader consideration of money laundering and terrorism financing (ML/TF) risk is relevant in their own business.
If your systems and controls are not effective in managing ML/TF risks, or you are ignoring your obligations, you will continue to face regulatory action. This could include AUSTRAC commencing civil penalty proceedings or cancelling or suspending the registration of regulated businesses with unacceptably high ML/TF risks. Failing to manage your risks is a serious regulatory concern now and will be a serious concern after 31 March 2026. Now is the time to act.
Before providing designated services, all regulated businesses must have an AML/CTF program in place focused on reducing ML/TF risks. We recognise that aspects of AML/CTF program and other obligations will change on 31 March 2026 and some regulated businesses may have an implementation plan for meeting those changes. However, all regulated businesses must:
- have and implement an AML/CTF program focused on the core principles of identifying, managing and mitigating ML/TF risks they reasonably face
- exercise due care and diligence to meet the core elements of their obligations, including reporting suspicious matters and transactions to us in a timely manner.
An implementation plan provides regulated businesses with clarity about how they will continue to manage ML/TF risks, while they make necessary changes to systems, policies and processes leading up to and after 31 March 2026. It does not excuse regulated businesses who have failed, or are currently failing, to meet their AML/CTF obligations.
Implementation plans
On 31 March 2026, if you are unable to meet your new or changed obligations within the required timeframes, we expect you to have a documented implementation plan. This would have to say how you will manage your ML/TF risks while you transition to meet your changed obligations.
This plan should identify:
- how you will continue to manage your ML/TF risks, including the maintenance of any controls associated with your existing AML/CTF obligations, during the transition period
- the gaps you have between your current state and your future state of being able to satisfy your changed obligations
- your plan for addressing those gaps, including a timeline and accountable roles or people
- the reasons you have these gaps and any ongoing key risks to delivering the required uplift in your plan within reasonable timeframes
- your plans for mitigating any existing or temporary risks of money laundering and terrorism financing that are associated with the gaps and/or the change process
- how you will monitor the effectiveness of your ML/TF risk management as you change your underlying policies, procedures and systems.
Your implementation plan needs to be reasonable. Your timeline for addressing gaps should align with the scale and complexity of the work required to implement systems and processes to meet the obligation. We expect regulated businesses to prioritise changes necessary to manage ML/TF risks. We do not expect tactical responses that technically meet an obligation but reduce the effectiveness of AML/CTF controls. Equally, we expect that regulated businesses will implement timely changes to meet their obligations, rather than delaying change until the optimal approach is developed.
While we do not require a particular format for implementation plans, your plan should provide sufficient detail to enable the board, senior management and staff to understand how changes will be implemented. However, we expect that you will focus greater attention on implementing the changes than preparing a perfect plan.
We expect that your implementation plan will be endorsed by your senior management and provided to your board. We recognise that some regulated businesses may need to change or adapt their implementation plan after 31 March 2026. We expect that material changes would be endorsed by senior management and provided to your board.
Implementation plans in regulation
Implementation plans will be relevant to AUSTRAC’s regulatory activities in 2026.
Under section 212 of the AML/CTF Act, the AUSTRAC CEO must consider, as part of performing any of their functions, a range of matters, including matters the CEO considers relevant. For this purpose, when exercising functions to regulate businesses enrolled prior to 31 March 2026 in respect of new or changed obligations, the AUSTRAC CEO will consider as a relevant matter whether the regulated business has:
- a reasonable implementation plan
- made sustained effort and reasonable progress against the implementation plan
- exercised due care and diligence to manage their ML/TF risks while working towards meeting new or changed obligations.
Unless requested, you are not required to provide us with a copy of your implementation plan. You can expect that we will discuss your progress made against your implementation plans during our engagements with you. This engagement will inform our regulatory activities and our understanding of the progress of implementation of the reforms across the regulated business population. This engagement will also assist us to identify where regulated businesses may be exposing themselves or the community to risk by not meeting the requirements under the plan or not adequately managing their ML/TF risk during the transition period.
Where a regulated business is not adequately managing their ML/TF risks during the transition period, despite its best efforts to deliver to a reasonable implementation plan, we will work pragmatically with that business to:
- understand any specific constraints and challenges
- identify any appropriate steps to remediate those concerns if appropriate.
Our approach to our existing regulated businesses’ compliance with their new or changed obligations will be pragmatic and proportionate. Our primary goal remains keeping Australia safe from criminal harm. This focus will not waver while regulated businesses work to embed the reforms.
Risk remains at the centre of Australia’s AML/CTF regime. We expect you to maintain your focus on identifying, mitigating and managing your ML/TF risks as you work towards meeting your obligations. If you fail to identify, mitigate and manage your ML/TF risks or fail to meet the above expectations, you risk regulatory action by AUSTRAC. This may include civil penalty proceedings and, for registered businesses, cancelled or suspended registration.
New businesses that deliver currently regulated services
We acknowledge that the introduction of reformed laws poses challenges for businesses that deliver currently regulated services and intend to commence operation before 31 March 2026.
We recognise that complying with the current AML/CTF regime for three months and then adapting to the new laws would be inefficient and undesirable in terms of managing ML/TF risks.
We recommend that businesses commencing operation prior to 31 March 2026 establish AML/CTF systems and processes to meet the new requirements from the outset. We will regulate this cohort of businesses in line with this recommendation.
Katie Miller
Acting AUSTRAC CEO
18 December 2025