Webinar Summary: The New Anti-Money Laundering Obligations: What Your Business Must Do Now

Summarise with:

ChatGPT Gemini Perplexity Microsoft Copilot

Open now

---

On this page

• What Is Money Laundering, and Why Does It Matter?
• The Legal Framework
• What Is Changing, and Why
• Who Is Newly Regulated?
• How to Comply: The Five Key Steps
• Customer Due Diligence in More Detail
• Suspicious Matter Reporting
• The Tipping Off Offence
• Consequences of Non-Compliance
• Key Takeaways
• Questions from the Audience
• How LegalVision Can Help

Australia’s anti-money laundering and counter-terrorism financing (AML/CTF) regime is undergoing its most significant expansion in nearly two decades. From 1 July 2026, real estate professionals, lawyers, conveyancers, accountants, trust and company service providers, and dealers in precious stones and metals will be drawn into the regime as Tranche 2 reporting entities.

In this LegalVision webinar, Rebecca Wood and Stephen Drysdale walk through what the reforms mean in practice, who is newly captured, what you need to do to comply, and the consequences of getting it wrong. The article below is a structured write-up of the webinar discussion.

Anti-Money Laundering Factsheet

As a business, you are legally obligated to comply with Australia’s Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) laws, which protect the financial system from misuse. This factsheet outlines your obligations under the law and highlights upcoming changes.

Download Now

What Is Money Laundering, and Why Does It Matter?

Stephen Drysdale: Money laundering is the process by which illegal funds, usually generated through crime or other illicit activities, are introduced into the economy as lawful funds through a series of transactions or steps. That might include setting up multiple companies or structures, or disguising the origin of money to make it difficult for law enforcement, banks, and financial institutions to identify where it came from and to take appropriate action.

It is a focus for most governments for two reasons. First, international policy in the space sets expectations for what countries should do in respect of money laundering and counter-terrorism financing. Second, the introduction of illicit funds destabilises the economy and erodes trust in our institutions.

The key thing to understand as you go through this article is that the whole design of the system is to create barriers and hurdles to prevent the risk of money laundering. If you are subject to this legislation, your job is not to fight money laundering or go out and combat it. Your job is to put a system of processes and checks in place, and to flag and report things so that appropriate action can be taken by the regulator.

The Legal Framework

Rebecca Wood: Australia’s anti-money laundering and counter-terrorism financing laws, commonly referred to as AML/CTF, set out the rules that businesses need to follow to detect and prevent financial crime.

The key piece of legislation is the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth). Under this federal law, any business that provides certain designated services must meet a number of obligations. There are five key ones:

1. Enrolment with the regulator, AUSTRAC.
2. Developing and maintaining an AML/CTF program tailored to your business.
3. Conducting customer due diligence (the “know your client” checks), both at the start of a client relationship and on an ongoing basis.
4. Reporting particular transactions or suspicious activities to AUSTRAC.
5. Making and keeping records.

The overall purpose of this framework is to deter, detect, and disrupt money laundering and terrorism financing in Australia.

What Is Changing, and Why

Rebecca Wood: The regime is changing significantly. Until recently, these laws have only regulated businesses in the financial and gambling sectors, which are traditionally the sectors where we would see a lot of criminal activity.

However, the previous framework had a number of gaps, particularly in high-risk sectors where significant obligations were missing. Those gaps gave players in the criminal sphere the opportunity to exploit the system. We have seen high-profile cases involving millions of dollars laundered through real estate purchases and schemes enabled by professional service providers.

The new legislation is aimed at closing those gaps, meeting international standards (there has been a lot of criticism of Australia falling below the bar internationally), modernising the regime, and shifting from a tick-the-box approach to a more risk-based model.

The AML/CTF regime has been expanded to cover high-risk services including real estate professionals, precious stone and metal dealers, lawyers, conveyancers, accountants, and trust and company service providers, among other professional service providers. The new legislation also gives AUSTRAC stronger powers to request information and documents for investigations, enforcement decisions, and court proceedings.

Who Is Newly Regulated?

Real Estate

Stephen Drysdale: “Designated services” are the categories of services regulated by the AML/CTF Act. The legislation sets out tables that specify what is captured. For the real estate sector, there are two main provisions: one for situations where you are acting as an independent agent, and another for situations where you may have in-house agents or are providing real estate services directly.

The key concept is what counts as “real estate” under the Act. The term is defined narrowly:

• Freehold interests (such as a Torrens title or Strata title).
• Long-term leasehold interests (leases over 30 years). Importantly, the obligations do not apply to leases of less than 30 years.
• Land use entitlements, such as company title or unit title arrangements.

The regime does not capture easements (such as rights of way), or contracts giving someone the right to take trees, minerals, or similar things from land. The focus is on substantial property transactions involving the sale of land outright or long-term leases.

If you are an agency, you most likely fall into the first category (Item 1 of Table 5), which captures brokering or assisting in transactions involving real estate as an independent agent. This commonly captures buyer’s agents and seller’s agents.

The second limb (Item 2) captures the same activity where there is no independent broker involved. This might apply to a property developer selling house and land packages, an off-the-plan apartment seller, or a business with its own in-house team of real estate agents.

There are nuances worth noting. Some site operators may be captured under both limbs. A common example is aged care, where you might be selling 99-year leases to the underlying land while the homeowner owns the building. Caravan parks with long-term leases are another example to keep in mind.

An important exclusion is property management. Residential property management services, including rent collection, tenant management, maintenance coordination, and other routine property management activities, are not captured by the regime. You still need to think about it when you are acting as a buyer’s or seller’s agent, or facilitating property sales or long-term leases.

Professional Service Providers

Stephen Drysdale: For accountants, lawyers, and other corporate service providers, the list of relevant designated services is much longer. For accountants, this includes matters involving company structure, company setup, and certain advisory and governance work.

The legislation is broad in scope. It covers a wide range of entity types, including body corporates (such as companies) and legal arrangements (such as trusts and partnerships). It is designed to capture as much as possible. There are some exemptions, including for testamentary trusts and wills, which is more relevant for estates and planning lawyers.

If your business helps clients set up companies or trusts, or appoint or change directors or trustees, you are likely providing a designated service. The same applies if you:

• Provide director services (for example, resident directors for companies that do not have a local director).
• Set up structures using nominee directors or shareholders.
• Provide an office or mailing address for clients.
• Conduct financial due diligence as part of a business sale or purchase.

You also need to think about whether you are involved in a wider transaction that is itself a designated service, even if you are not the one carrying out the core transaction.

How to Comply: The Five Key Steps

Rebecca Wood: Understanding the designated services and how your business may fall within Tranche 2 is just the first step. Once you know you are caught by the new regime, the practical question is what you need to do, and by when. There are five key things.

1. Enrolment

This is the fundamental first step. If your business provides any of the newly regulated designated services, you must enrol with AUSTRAC. This is not optional, and a failure to enrol is itself a breach of the Act.

The enrolment process involves registering your business and providing details about the designated services you provide. The deadline is 29 July 2026. It might feel a way off, but once you get into the groundwork, the time will come around quickly.

2. Develop and Maintain an AML/CTF Program

Every reporting entity must have an AML/CTF program in place. This is the most substantive compliance task you will need to undertake. Generic templates are not sufficient. Templates on the AUSTRAC website can be a useful starting point, but the program must be tailored to the way your business operates and the specific designated services you provide.

The program has two core parts:

Risk assessment. Identifying and assessing the specific money laundering and terrorism financing risks your business faces. This involves looking at your customers, the services you provide, the channels through which you deliver them, and the jurisdictions you operate in or deal with.

Policies, procedures, and controls. These are the practical measures you put in place to mitigate and manage the risks you have identified. You need to ensure you are meeting your AML/CTF obligations on a day-to-day basis, in compliance with the documents and policies you have put in place.

The program must be a living document, reviewed and updated regularly as your business and risk profile evolve. The deadline for the program is 1 July 2026.

3. Appoint an AML/CTF Compliance Officer

You need a dedicated compliance officer within your organisation. This should be someone senior with access to the relevant business information to oversee day-to-day compliance effectively. They will be your main point of contact with AUSTRAC.

This is not a token role. The compliance officer needs a deep understanding of the regulatory obligations and visibility over the business’s AML/CTF activities. They need powers to act when issues arise and decision-making authority.

The compliance officer must be appointed by 1 July 2026, with details notified to AUSTRAC by 29 July 2026.

4. Train Your Staff

AML/CTF compliance is not something a token person can oversee on their own. It is not just an issue for senior management either. It needs to be a practice embedded across your business.

You will be required to ensure that all relevant staff are trained on your AML/CTF obligations and know where to access internal policies and procedures. New hires need to be trained shortly after joining. Staff with direct exposure to AML/CTF designated services may also be subject to background checks as part of your onboarding processes.

Training for existing staff must be completed by 1 July 2026. The training is not a one-off exercise. It must be ongoing as obligations evolve and your business changes.

5. Conduct Customer Due Diligence and Keep Records

Before providing a designated service, you must carry out due diligence on your customers. This is sometimes known as Know Your Customer (KYC) and involves collecting and verifying information about the customers or clients you are dealing with.

The level of due diligence varies depending on the customer type and risk profile. An individual will generally require less information than a corporate entity or a trust structure, where control may be less transparent.

Ongoing due diligence is also required throughout the customer relationship. This is not a set-and-forget obligation.

You must also make and retain all AML/CTF records for seven years. This includes records relating to customer due diligence, transactions, and the AML/CTF program itself. Robust record-keeping is important for compliance, and AUSTRAC may request access to those records in the course of an investigation or audit. These obligations commence on 1 July 2026.

Customer Due Diligence in More Detail

Stephen Drysdale: There are different types of customer due diligence depending on the stage of the relationship and the risk profile of the customer.

Initial customer due diligence must generally be undertaken before providing a designated service. There are some narrow situations where delayed due diligence is appropriate. A good example for the real estate sector is an auction, where you do not know who the buyer is until the auction is finished. In most cases, however, you need to complete due diligence before you start providing the service.

Simplified due diligence is generally the starting point for individuals, applying a risk-based approach. It varies depending on your industry, your risk profile, who you are dealing with, and where they are from. Are they from a high-risk jurisdiction for money laundering or terrorism financing, or are they from Australia, which might be lower risk?

Simplified due diligence typically includes an identity check and verification (confirming the person is who they say they are). For a company, it usually involves confirming the company exists (for example, with an ASIC extract), looking at the directors and conducting ID and address checks on them, and finding out who actually owns the company. The whole point of KYC is to identify who is behind the corporate veil, so that if there is an investigation, AUSTRAC has access to that information for its data mapping.

Enhanced due diligence applies to higher-risk customers, transactions, or jurisdictions. Trusts are a good example. Enhanced due diligence may involve obtaining a copy of the trust deed, conducting identity checks on the settlor, trustees, and named beneficiaries, and asking questions about the source of wealth and source of funds. Where is the trust money coming from, who is funding it, and how?

Many businesses engage electronic identity verification (EIV) providers or outsourced KYC providers to handle this. A good provider offers risk-based profiles tailored to your business and reflects the regulator’s guidance. You can send new customers a link to start the process, capture the data safely for audit and reporting, and free up internal resources.

If you are a smaller operator with only a handful of customers, you may handle the process manually. Either way, you have obligations under the Privacy Act 1988 (Cth) about how you store data, so you need to be confident in your cybersecurity and data controls.

AUSTRAC also maintains guidance on sanctions, sanctioned countries, and high-risk jurisdictions. These are inputs you can draw on when assessing risk in your industry. For many sectors, risk increases once you start dealing with people outside of Australia, particularly from jurisdictions that may not have money laundering protections in place.

Suspicious Matter Reporting

Stephen Drysdale: Suspicious matter reporting is one of the key ongoing obligations if you are subject to the AML/CTF Act. You are essentially the eyes on the ground for the regulator, observing what you can see and hear when dealing with your customers and client base.

Examples of suspicious activity include:

• Unusual transactions. A customer you have done small business with for a few months suddenly starts doing large transactions with no clear explanation. Or someone who does not present as wealthy is dropping $10 million on a property.
• Unexplained changes in the people you are dealing with. You have been dealing with one person at a company, and suddenly you are dealing with someone else with no explanation, or they refuse to meet face-to-face.

You need to implement an internal process and training so that these things are flagged to your AML/CTF compliance officer. The compliance officer then assesses whether the matter is reportable to the regulator.

The point of the suspicious matter reporting framework is to give AUSTRAC the information it needs to work with other government authorities to take action against criminals. It is collecting these data points to build a picture of money laundering risk and to focus investigations.

The Tipping Off Offence

Stephen Drysdale: Tipping off is a criminal offence. It occurs when you tell someone that you have reported, or are likely to report, something suspicious about them to AUSTRAC, or you otherwise give them reason to believe a report has been made.

It is called tipping off because we do not want to tip off criminals that they have been reported. Train your staff on how to handle things when they see something suspicious. They need to act as usual. Avoid saying things like “we have reported this transaction to AUSTRAC”, “you are under investigation”, or “we suspect you of money laundering”. It is a criminal offence and penalties apply.

When building your processes, ensure that the funnel of information internally is not open source. For example, you would not want a company-wide Slack channel where people are posting suspicious activity and reports. Use a dedicated ticket system or email inbox for your AML compliance officer to receive these reports. Controlling the flow of information is imperative.

Consequences of Non-Compliance

Rebecca Wood: AUSTRAC has broad enforcement powers and can take action to enforce compliance, seek financial penalties, or both. There are two main mechanisms.

Enforcement Actions

There are four key enforcement tools available to AUSTRAC:

Civil penalty orders are the most significant in terms of financial consequences. AUSTRAC can apply to the Federal Court to impose financial penalties for non-compliance. Maximum penalties are currently $33 million for a body corporate and $6.6 million for an individual, imposed on a per-infringement basis. Where there are multiple infringements, those figures can multiply. AUSTRAC has demonstrated a willingness to pursue large penalties as a deterrent.

Enforceable undertakings require an organisation or person to make a written commitment to AUSTRAC to take certain actions or refrain from doing things. It is essentially a contractual promise; if breached, AUSTRAC can go to the Federal Court to seek enforcement. Enforceable undertakings are generally made public and carry serious reputational consequences.

Infringement notices can be issued for specific or discrete breaches. They are a more targeted enforcement tool.

Remedial directions are written instructions requiring a business to remedy a specific breach or take certain steps within a set time frame.

All of these can be made public, with reputational consequences for your business.

External Audits

AUSTRAC can also require a business to appoint an external auditor to review its AML/CTF compliance program. The resulting audit report is provided to AUSTRAC for consideration. This is an effective regulatory tool because it requires the business to fund and facilitate the review of its own compliance.

The message from AUSTRAC has been clear: the cost of non-compliance will significantly outweigh the cost of getting compliant.

Key Takeaways

Rebecca Wood: Before we move into the Q&A, here are the key takeaways from this session.

The AML/CTF regime is expanding, and it may apply to you. Real estate agents, lawyers, conveyancers, accountants, and other professional service providers can all be caught. Understand what the designated services are and how your business operates. If you are not sure, get advice quickly.

The deadlines are closer than they sound. Businesses caught by the new regime need a program in place, a compliance officer appointed, staff trained, due diligence processes operating, and record-keeping systems running from 1 July 2026, with enrolment completed by 29 July 2026. Developing a compliant program takes time, and generic precedents will not cut it. Programs must be tailored to your business.

Customer due diligence needs to become a front-end business process. You need to identify and verify your customers, their beneficial owners, and any persons acting on their behalf before you provide a designated service. This will mean changes to your onboarding processes.

Suspicious activities need to be reported carefully, and the tipping off rules are strict. Your business needs the tools to identify red flags and a clear structure for decision-making and reporting. Train your staff so they understand they cannot alert a customer to the fact that a suspicious matter report may have been made. A simple slip such as “we cannot proceed because we are dealing with some AML issues” can fall into the tipping off category. Make sure your staff know what they can and cannot say.

Non-compliance carries serious financial and reputational risk. AUSTRAC can issue substantial financial penalties and require costly audits. No business wants the reputational damage of being publicly called out for non-compliance.

The good news is that there is still time to get it right, but the window is narrow.

Questions from the Audience

Do all parties in a transaction need to do their own KYC?

Stephen Drysdale: A common scenario is where an accountant, a lawyer, and a real estate agent are all working on the same transaction with the same customer. Do they all need to do KYC? Reporting entities can rely on identity checks done by other reporting entities. This can be arranged on a case-by-case basis or formalised in a contract that sets out each party’s obligations to share information.

If you are using a third-party KYC provider, the process can be simpler again. If a customer has already used the same provider for someone else, you may be able to do a simple re-verification with the customer’s consent. That is one of the benefits of these third-party providers.

What about existing customers?

Stephen Drysdale: There are transition-in arrangements that recognise you may already be in business relationships with customers before 1 July 2026. These need to be genuine ongoing business relationships, not ad hoc or occasional engagements.

You generally do not need to do immediate KYC on existing customers unless a suspicious matter arises. If a customer you have been dealing with for two years suddenly comes into a lot of money, acts inconsistently with past practice, or you are now dealing with different people because the business has changed hands, those are triggers where you need to do due diligence.

Does the Act apply to business brokers selling businesses that lease their premises?

Rebecca Wood: It depends on whether you are performing any designated services. Even where there is no purchase of land, you may be regulated if the brokering services you provide include designated services. For example, assisting with due diligence, drafting or implementing loans, or managing funds in escrow. Those activities can tip you into being a Tranche 2 entity. The best step is to get specific advice based on what your business actually does.

Who can act as an independent evaluator?

Rebecca Wood: AUSTRAC provides guidance on this, but there is no certified list. The key requirement is that the evaluator understands and is experienced with businesses in your sector. For law firms in particular, you need someone who understands how law firms traditionally operate.

Stephen Drysdale: A New Zealand case study makes the point well. Two New Zealand law firms independently evaluated each other and signed off favourably. The regulator looked at both and fined them significantly. Just because another business in your industry is also a reporting entity does not mean they are a suitable independent evaluator. You probably want a consultancy or a specialist firm that has been working in this space since the start of the legislation, rather than a new entrant.

What is the difference between enrolment and registration?

Stephen Drysdale: Most businesses subject to the Act only need to enrol. Registration is an additional step for remittance service providers, such as payment processors and certain financial service providers. It does not apply just because you are managing settlement funds in a trust account as part of a business transaction.

The timing seems back-to-front. Why does compliance start before enrolment?

Rebecca Wood: That is a fair observation. You need to be operationally compliant from 1 July 2026, but enrolment is later, on 29 July 2026. In practice, when you enrol, you are confirming to AUSTRAC that you are complying. The 28-day gap gives you a short grace period to make sure your ducks are in a line, but 1 July 2026 is the deadline you should be working towards.

What if I do not currently provide designated services but might in the future?

Stephen Drysdale: If you do not currently provide designated services, there is nothing more you need to do. If, for example, six months down the line your law firm opens a conveyancing practice to deal with real estate transactions, you have a 28-day grace period to get your house in order.

It is important to remember that just because you are a lawyer, accountant, or real estate agent does not automatically mean you are captured. It depends on whether you are providing designated services. An immigration law firm that only does visa processing is not providing designated services, but if it opens a corporate practice helping with company structures, it would be.

Is there a transaction value that triggers a suspicious matter report?

Rebecca Wood: The Act and AUSTRAC rules have specific guidance on threshold transaction reporting, such as cash deposits over $10,000 or sums over $10,000 coming from a foreign jurisdiction. Those are automatically reportable.

For suspicious matter reports, however, there is no specific transaction size in the legislation. It comes down to an evaluation of the circumstances. For example, a purchase of a residential property well above market value paid by a company with a complex ownership structure, combined with a reluctance to provide identification information, might trigger a suspicious matter report. It is not necessarily tied to the value of the transaction itself.

Do designated services apply if I provide the service for free?

Stephen Drysdale: Yes. These designated services often apply even if it is a free service. If you ever do anything pro bono or agree to do work on a zero-cost basis, it is still a designated service.

Do I need to do KYC on a family member or friend?

Stephen Drysdale: Yes. The obligation is risk-based, but you would want clear records, particularly for people known to you, so there are no gaps in your processes. When the independent evaluator comes through, they will usually do a spot check, and it would be unfortunate to have to explain why certain people are missing from your records.

What do I do if I identify a suspicious matter? Do I stop work?

Rebecca Wood: The obligation is to report the suspicious matter. You can generally continue with the transaction. For professional services and lawyers, there may be overlying professional obligations to consider, and you can cease the engagement if you feel you cannot adequately mitigate the risk. The most important thing is not to fall into the tipping off trap. If you have formed a suspicion and lodged a report, you need to make sure you do not give the customer any indication that a suspicious matter report has been submitted.

Stephen Drysdale: AUSTRAC’s website has a document library with sector-specific starting points for policy documents, including guidance on tipping off and on terminating retainers or relationships with clients. It is fine to tell someone “we cannot start providing you with services until you complete this KYC check.” That is normal. It is very different to saying you are terminating the engagement because you do not trust them or you think they are dodgy.

How LegalVision Can Help

If you have questions about whether your business is captured by the Tranche 2 reforms, or you need help building a compliant AML/CTF program, our team can help.

LegalVision’s membership offers unlimited business legal support for a fixed monthly fee, giving your business access to a full team of specialist lawyers across contracts, IP, corporate, employment, and more. We can also advise you on your AML/CTF obligations, help you assess whether you need to comply, and guide you through your compliance journey.

To find out more, get in touch with our team for a complimentary consultation.

This article was prepared from a LegalVision webinar presented by Rebecca Wood, Practice Group Leader in LegalVision’s Disputes team, and Stephen Drysdale, Practice Leader in LegalVision’s Commercial team. The content is general information only and does not constitute legal advice. For advice tailored to your business, please contact LegalVision directly.