Skip to content
LegalVision

Does the AML/CTF Law Apply to Your Fintech Business?

By Stephen Drysdale
Practice Leader

Updated on
Reading time: 5 minutes

Meets editorial guidelines

This article meets our strict editorial principles. Our lawyers, experienced writers and legally trained editorial team put every effort into ensuring the information published on our website is accurate. We encourage you to seek independent legal advice. Learn more.

Follow us on LinkedIn | Share on Reddit

Summary

  • Any business providing a “designated service” in Australia must register with AUSTRAC and comply with AML/CTF obligations, including conducting know-your-customer checks, reporting suspicious activities, and reporting cash transfers over $10,000 or international fund instructions.
  • Reporting entities must prepare and maintain an AML/CTF program that addresses how they will identify and mitigate money laundering and terrorism financing risks, screen staff, train employees, and monitor customers on an ongoing basis.
  • Reporting entities must also comply with Australian privacy law when handling personal information collected under the AML/CTF regime, regardless of business size, as the small business exemption does not apply to providers of designated services.
  • This article explains how AML/CTF law applies to fintech businesses operating in Australia.
  • LegalVision, a commercial law firm specialising in advising clients on fintech regulation and AML/CTF compliance, outlines when the law applies, key obligations, and privacy requirements for reporting entities.

Tips for Businesses

Determine whether your services qualify as designated services before commencing operations. If so, register with AUSTRAC and develop a compliant AML/CTF program. Ensure your privacy policy reflects how customer information collected for AML/CTF purposes will be used, stored, and protected.

Summarise with:
ChatGPT logo ChatGPT Perplexity logo Perplexity

Open now
On this page

Australia’s anti-money laundering and counter-terrorism financing (AML/CTF) law requires businesses that provide certain high-risk services to actively detect and prevent financial crime. If your fintech business provides any of these services, you must register with AUSTRAC and meet a range of compliance obligations. This article explores how the AML/CTF law may apply to your fintech business and summarises some obligations your fintech business must comply with if the AML/CTF law applies.

Front page of publication
Complete Guide to Expanding Your Startup to Australia

After proving your startup’s success in your home country, you may be thinking about the next step for growth — expanding overseas.

This free guide aims to introduce startup founders to the Australian startup market.

Download Now

What is AML/CTF Law?

AML/CTF law refers to Australia’s anti-money laundering and counter-terrorism financing law. One main piece of Australian legislation sets out the anti-money laundering and counter-terrorism financing law: the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (the Act) and its related AML/CTF Rules.

Purpose of AML/CTF Law

The purpose of the AML/CTF law is to prevent money laundering and terrorism financing from occurring in Australia. It requires Australian providers (“reporting entities”) of certain services (“designated services”) to comply with several obligations under the Act, including:

  • supplying information to the Australian Transaction Reports and Analysis Centre (AUSTRAC) about financial transactions occurring by way of their services;
  • conducting know-your-customer (KYC) checks on their customers; and 
  • implementing surveillance and reporting mechanisms and systems. 

Information provided by those reporting entities enables AUSTRAC to prevent, monitor, track and deter any money laundering and terrorism financing in Australia.

Continue reading this article below the form
Need legal advice?
Call 1300 544 755 for urgent assistance.
Otherwise, complete this form, and we will contact you within one business day.

When Does the AML/CTF Law Apply?

Any person providing services considered a “designated service” must register with AUSTRAC and comply with the AML/CTF law. The Australian AML/CTF legislation provides a list of designated services in Australia. The Australian law recognises these services as posing a greater risk of money laundering and terrorism financing. 

Examples of the designated services include, among others:

  • banking services, like enabling a person to open a bank account, accepting money as a deposit and issuing a debit card;
  • lending money in the course of a lending business, including factoring receivables;
  • supplying goods by way of hire-purchase or finance lease; 
  • enabling the acquisition and disposal of products, such as security, derivatives and foreign exchange contracts; and
  • digital currency exchange services. 

If your fintech business provides a designated service, your business will need to register with AUSTRAC and comply with AML/CTF obligations.

AML/CTF Obligations

Some of the AML/CTF obligations include:

  • enrolling or registering with AUSTRAC as a provider of designated services;
  • having in place an AML/CTF program (see more on this below);
  • collecting and verifying certain know-your-customer information about a customer’s identity before providing the designated services;
  • reporting to AUSTRAC of any suspicious activities that come to the reporting entities’ attention. Note that AUSTRAC can impose heavy penalties on reporting entities that do not report suspicious activities to AUSTRAC; 
  • reporting to AUSTRAC of any cash transfer of over $10,000 or all international fund instructions; and
  • complying with the relevant Australian privacy law (see more on this below).

AML/CTF Program 

Each reporting entity must prepare and maintain an AML/CTF program. The program is a document that addresses how the reporting entity will comply with AML/CTF law. The AML/CTF Rules, a secondary legislative instrument, set out what must be included in the AML/CTF program. The program will vary depending on the designated services of the reporting entity and its customers.

At a high level, an AML/CTF program should include the following:

  • process for identifying, mitigating and identifying money laundering and terrorism financing risks associated with the designated service the reporting entity is providing;
  • process to complete know-your-customer checks on the customers;
  • procedure of screening workers before employment;
  • process to train and ensure the reporting entity’s staff are aware of AML/CTF risks and obligations; 
  • mechanism to ensure the reporting entity remains compliant with AML/CTF laws; and
  • mechanisms to ensure customers are monitored on an ongoing basis to ensure the reporting entities can identify and report any suspicious activities to AUSTRAC. 

Privacy Obligations of Reporting Entities

All reporting entities must comply with the Australian privacy law when handling personal information collected in compliance with AML/CTF law. Generally, a small business with a turnover of less than $3 million is exempted from complying with these privacy laws. However, this exemption does not apply where that small business provides a designated service. 

Some of the privacy obligations that reporting entities must comply with include the following:

  • reporting entities must only collect information that is strictly necessary to comply with the AML/CTF law; 
  • generally, information on the customers must be collected directly from them; 
  • the reporting entities must tell the customers how the information will be used and disclosed; and
  • reporting entities must take reasonable measures to ensure the personal information is secure and not misused, lost or subjected to unauthorised access. If there is a data breach, the reporting entities must inform the customers and AUSTRAC, where customers are likely to face serious harm from the data breach.

Key Statistics

  1. 100,000: Reporting entities are projected to rise from around 19,000 to nearly 100,000 under Tranche 2 reforms, capturing most law firms from July 2026.
  2. $13.9 billion: Estimated compliance costs over ten years for businesses and legal professionals from the expanded AML/CTF obligations.
  3. 90,000: Legal practitioners will face new AML/CTF due-diligence and reporting requirements starting in 2026.

Sources

  1. AUSTRAC (March 2026)
  2. Australian Parliament – Bills Digest (2024)
  3. Law Council of Australia (2024)

Key Takeaways

The Australian anti-money laundering and counter-terrorism financing law are intended to track and deter money laundering and terrorism financing in Australia. Any person providing any services recognised as a designated service in Australia must comply with the AML/CTF law. Obligations include:

  • completing know-your-customer checks on customers before delivering services; 
  • ongoing reporting obligations to AUSTRAC; and 
  • monitoring customers for any suspicious activity.

If you want to know more about AML/CTF law and how it may affect your fintech business, LegalVision provides ongoing legal support for businesses through our fixed-fee legal membership. Our experienced fintech lawyers help businesses manage contracts, employment law, disputes, intellectual property, and more, with unlimited access to specialist lawyers for a fixed monthly fee. To learn more about LegalVision’s legal membership, call 1300 544 755 or visit our membership page.

Frequently Asked Questions

What is AML/CTF law?

AML/CTF law refers to Australia’s anti-money laundering and counter-terrorism financing law. The main piece of legislation is the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (the Act). The AML/CTF law aims to prevent money laundering and terrorism financing from occurring in Australia. 

When does the AML/CTF law apply?

Any person providing services that are considered a “designated service” is obligated to register with AUSTRAC and comply with the AML/CTF law. The Australian AML/CTF legislation provides a list of designated services in Australia. 

What are the consequences of failing to report suspicious activities to AUSTRAC?

AUSTRAC can impose heavy penalties on reporting entities that fail to report suspicious activities. You must also report all cash transfers over $10,000 and all international fund instructions, making timely and accurate reporting a critical compliance obligation for your fintech business.

Do small fintech businesses need to comply with Australian privacy laws when collecting AML/CTF information?

Yes. While small businesses with turnover under $3 million are generally exempt from Australian privacy laws, this exemption does not apply if your business provides a designated service. All reporting entities must handle customer information securely, collect only what is necessary, and notify customers and AUSTRAC of any data breach likely to cause serious harm.

Register for our free webinars

AI in the Workplace: New Employer Obligations and Risk Exposure

Online
Learn how to meet your AI-related workplace obligations and manage legal risks as an employer. Register for our free webinar.
Register Now

Managing Rising Costs: Safely Exiting Contracts, Reducing Headcount and Leasing Options

Online
Know your legal options before making costly decisions about contracts, staff and leases. Register now.
Register Now

Protecting Your Brand: From Idea to Commercialisation with IP Australia

Online
Learn how to protect your brand with a trade mark and stop competitors from copying what you've built. Register for our free webinar.
Register Now

EOFY Is Coming: The Costly Legal and Tax Mistakes Businesses Make

Online
Avoid EOFY pitfalls and get your business ready for success. Register for our free webinar.
Register Now
See more webinars >

Stephen Drysdale

Practice Leader | View profile

Stephen is a Practice Leader in LegalVision’s Commercial team. He works closely with startups, SMEs and enterprise clients to provide commercially pragmatic advice and also assists them in complying with regulations that apply to their businesses. He is qualified and has a practising certificate in New Zealand, Australia and California.

Qualifications: Bachelor of Laws (Hons), University of Waikato.

Read all articles by Stephen

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

Related articles

My FinTech Business Manages a Managed Investment Scheme. What are the Legal Obligations?

Are Your Crypto Services Considered a Financial Service?

Do I Need to Register For the Consumer Data Right?

FTX Ripple Effects into Australian Crypto Regulation in 2023?

LegalVision is an award-winning business law firm

  • Award

    2025 Future of Legal Services Innovation Finalist - Legal Innovation Awards

  • Award

    2025 Employer of Choice - Australasian Lawyer

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2022 Law Firm of the Year - Australasian Law Awards