AML/CTF in Australia: Engineering-Ready Overview

Updated 1 Feb 2026

AML/CTF (Anti-Money Laundering and Counter-Terrorism Financing) compliance is not a legal checkbox. It is a system architecture requirement. For Australian FinTech and RegTech companies, AML/CTF obligations translate directly into data models, event logging, transaction monitoring pipelines, and audit-ready infrastructure.

Quick summary

  • What it is: controls and processes that prevent your platform from being used for money laundering or terrorism financing
  • Who it applies to: reporting entities regulated by AUSTRAC (banks, remitters, DCEs, gambling, bullion, securities; from July 2026: legal, accounting, real estate, TCSP)
  • Core obligations: risk assessment, CDD, transaction monitoring, reporting (SMRs, TTRs, IFTIs), record keeping (7 years)
  • What to build: identity verification pipeline, risk scoring engine, transaction monitoring, case management, audit trail infrastructure

Definition

AML refers to Anti-Money Laundering: the controls and processes that prevent your platform from being used to convert illegally obtained funds into legitimate-seeming assets. CTF refers to Counter-Terrorism Financing: the controls that prevent your platform from facilitating the movement of funds to individuals or organisations engaged in terrorism.

In regulatory terms, these are combined obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth). In engineering terms, they require continuous monitoring, risk-based decision logic, and immutable audit trails across every customer touchpoint and transaction.

The practical implication: your system must be able to explain every customer relationship and every transaction, retrospectively, to a regulator. If your database cannot reconstruct the who, what, when, where, and why of any given transaction from seven years ago, you have a compliance gap.

If you are building or scaling a regulated product in Australia, your engineering decisions today determine whether you pass an AUSTRAC audit tomorrow. This page explains what AML/CTF means in practice: not as compliance theory, but as system design.

Who AML/CTF Applies to in Australia

AUSTRAC (Australian Transaction Reports and Analysis Centre) is both Australia’s financial intelligence unit and the regulator for AML/CTF compliance. Currently, approximately 17,000 reporting entities operate under AUSTRAC supervision.

Current reporting entities (pre-Tranche 2)

| Sector | Examples |
| --- | --- |
| Financial institutions | Banks, ADIs, credit unions |
| Remittance providers | Money transfer services, currency exchange |
| Digital currency exchanges | Crypto exchanges, virtual asset service providers |
| Gambling and wagering | Casinos, online betting, TABs |
| Bullion dealers | Gold, silver, precious metals |
| Securities and derivatives | Brokers, dealers |

Tranche 2 sectors (from 1 July 2026)

The AML/CTF Amendment Act 2024 expands AUSTRAC’s regulatory scope to an estimated 80,000 to 100,000 additional entities. From 1 July 2026, the following sectors become reporting entities:

| Sector | What triggers scope |
| --- | --- |
| Legal professionals | Lawyers, conveyancers providing designated services |
| Accountants and auditors | Accounting services connected to higher-risk flows |
| Real estate | Agents, property managers facilitating transactions |
| Trust and company service providers | Formation, management, nominee arrangements |
| Precious metals and stones dealers | High-value goods dealers |

Key compliance dates

| Date | What happens | Who is affected |
| --- | --- | --- |
| 31 March 2026 | New AML/CTF Rules apply; enrolment opens for Tranche 2 | Existing reporting entities; Tranche 2 entities |
| 30 May 2026 | Deadline to notify AUSTRAC of compliance officer | Existing reporting entities |
| 1 July 2026 | AML/CTF obligations commence | Tranche 2 entities |
| 29 July 2026 | Enrolment deadline | Newly regulated entities |

Core AML/CTF Obligations

AML/CTF is risk-based: controls must be proportionate to your actual exposure.

| Obligation | What it means | System requirement |
| --- | --- | --- |
| Risk assessment | Document ML/TF risk based on customers, products, channels, geographies | Risk model, customer segmentation logic, periodic review triggers |
| AML/CTF program | Written policies covering CDD, monitoring, reporting, training | Policy version control, approval workflows, audit trail |
| Compliance officer | Designated officer at management level | Role assignment, notification to AUSTRAC |
| Customer due diligence | Verify identity before providing services; ongoing CDD | Identity verification pipeline, document storage, re-verification triggers |
| Enhanced due diligence | Additional measures for high-risk customers including PEPs | Risk scoring, PEP screening, escalation workflows |
| Transaction monitoring | Continuous surveillance for unusual or suspicious activity | Rule engine, anomaly detection, alert generation |
| Reporting | Submit SMRs, TTRs (cash $10,000+), IFTIs as required | Report generation, AUSTRAC integration, submission logs |
| Record keeping | Retain records for seven years | Immutable storage, retention policies, retrieval capability |
| Training | Staff must recognise ML/TF risk indicators | Training logs, completion tracking, role-based curricula |
| Independent review | Program must be independently evaluated | Review scheduling, findings documentation, remediation tracking |

AML/CTF From a System Design Perspective

Compliance must be embedded in your data architecture from day one.

  • Identity verification pipeline. Capture and verify customer identity documents with biometric matching. Integrate with Document Verification Service (DVS). Store verification results, not just outcomes.
  • Risk scoring engine. Dynamic scoring based on customer attributes, transaction patterns, and external data. Risk levels determine CDD intensity and monitoring frequency.
  • Transaction monitoring. Real-time analysis against configurable rules and anomaly detection. Generate alerts for human review.
  • Case management. Analysts investigate alerts, document findings, escalate to SMRs, and record resolutions.
  • Reporting integration. Automated generation of SMRs, TTRs, and IFTIs in AUSTRAC-compliant formats.
  • Sanctions screening. Real-time screening against DFAT Consolidated List and international sanctions lists.
  • Audit trail infrastructure. Every action logged with timestamp, actor, and context. Logs immutable and retained for seven years.

Data and Events Your System Must Log

AUSTRAC expects you to reconstruct any customer relationship or transaction on demand. Your logging infrastructure must capture the following categories of events.

Required event logging categories

| Category | Event types | Required fields |
| --- | --- | --- |
| Customer lifecycle | customer_created, identity_verification_attempted, identity_verification_completed, kyc_document_uploaded, risk_score_updated, pep_screening_performed, sanctions_screening_performed, customer_status_changed, customer_offboarded | timestamp, customer_id, actor, outcome, context-specific fields |
| Transaction | transaction_initiated, transaction_screened, transaction_completed, transaction_blocked, transaction_reversed | timestamp, transaction_id, customer_id, amount, currency, accounts, rules applied, alerts |
| Monitoring | alert_generated, alert_assigned, alert_investigated, alert_escalated, alert_closed, smr_created, smr_submitted | alert_id, rule_id, investigator actions, outcomes, grounds for suspicion |
| System | rule_created, rule_modified, risk_model_updated, user_permission_changed, compliance_report_generated, policy_document_updated, training_completed | timestamp, actor, change details, approval chain |

Evidence and Audit Trail Expectations

AUSTRAC can request records with retrieval expected within 24-72 hours.

Record retention requirements

| Record type | Retention period | Starts from |
| --- | --- | --- |
| Transaction records | 7 years | Transaction date |
| CDD records | 7 years | Business relationship end |
| AML/CTF program records | 7 years | Records cease being relevant |

Audit-ready requirements:

  • Secure storage with access controls and encryption.
  • Retrievable and translatable to English.
  • Legible and auditable regardless of format.
  • Complete timeline reconstruction for any customer relationship.

AUSTRAC enforcement cases consistently cite documentation failures. The standard is not “we had a system” but “we can prove the system operated as designed.”
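
One way to make the logged events above tamper-evident and reconstructable per customer, as an added example that is not code from the original page or from Ostride Labs: an append-only log that enforces the required fields from the logging table and chains each entry to the previous one by hash. The hash chain, the `GENESIS` anchor, the category keys and all class and function names are assumptions of this example; the page itself only requires that logs be immutable and retrievable.

```python
import hashlib
import json
from datetime import datetime, timezone

# Required fields per category, taken from the page's logging table.
# Free-form items ("context-specific fields", "alerts") ride along as extras.
REQUIRED = {
    "customer_lifecycle": {"timestamp", "customer_id", "actor", "outcome"},
    "transaction": {"timestamp", "transaction_id", "customer_id",
                    "amount", "currency"},
    "monitoring": {"alert_id", "rule_id"},
    "system": {"timestamp", "actor"},
}
GENESIS = "0" * 64  # assumed anchor value for the first entry's prev-hash

def _digest(prev_hash, body):
    # Canonical JSON so an unchanged record always hashes identically.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

class AuditLog:
    """Append-only log; every entry commits to the hash of the one before."""
    def __init__(self):
        self.entries = []

    def append(self, category, event_type, **fields):
        fields.setdefault("timestamp", datetime.now(timezone.utc).isoformat())
        missing = REQUIRED[category] - set(fields)
        if missing:
            raise ValueError(f"{event_type}: missing {sorted(missing)}")
        body = {"category": category, "event_type": event_type, **fields}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append(
            {"body": body, "prev": prev, "hash": _digest(prev, body)})

    def verify(self):
        """Return the index of the first altered entry, or None if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["body"]):
                return i
            prev = entry["hash"]
        return None

    def timeline(self, customer_id):
        """Ordered event history for one customer, for on-demand retrieval."""
        return [e["body"] for e in self.entries
                if e["body"].get("customer_id") == customer_id]
```

A hash chain detects edits but does not prevent them: someone who can rewrite the whole store can recompute every hash, so the latest hash should also be recorded somewhere the application cannot modify, such as write-once storage.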

High-Level Implementation Steps

Phase 1: Foundation (Weeks 1-4). Conduct ML/TF risk assessment. Define customer risk categories. Design data models for identity, transaction, and audit logging. Select verification and screening providers.

Phase 2: Core Systems (Weeks 5-12). Implement onboarding pipeline with identity verification. Build transaction monitoring with configurable rules. Implement case management for alert investigation. Develop AUSTRAC reporting infrastructure.

Phase 3: Integration and Testing (Weeks 13-16). Integrate sanctions screening. Implement audit logging across all components. Test monitoring and reporting workflows. Document AML/CTF policies.

Phase 4: Operational Readiness (Weeks 17-20). Train staff. Conduct independent review. Enrol with AUSTRAC. Establish ongoing monitoring cadence.

Frequently Asked Questions

  1. What triggers an SMR? Reasonable grounds to suspect a transaction or customer activity relates to money laundering, terrorism financing, tax evasion, or other serious crime. “Reasonable grounds” is objective: would a reasonable person form the same suspicion?
  2. SMR deadlines? 24 hours for terrorism financing suspicions. Three business days for all other suspicions.
  3. Must I end the customer relationship after an SMR? No. Continue services with appropriate risk mitigation. Do not “tip off” the customer.
  4. TTR threshold? Submit a threshold transaction report for any cash transaction of $10,000 or more.
  5. Risk assessment review frequency? No fixed schedule, but reviews must be triggered by material changes to business, customers, products, or regulatory environment.
  6. Can I outsource AML/CTF functions? Operational tasks yes, but responsibility for compliance cannot be delegated. Board and senior management remain accountable.
  7. Penalties? Civil penalties can reach $23 million per contravention. AUSTRAC has secured: $1.3 billion (Westpac, 2020), $700 million (Commonwealth Bank, 2018), $450 million (Crown, 2023), $67 million (SkyCity, 2024). Infringement notices range from $1,500 to $31,500 per violation.

Related Terms

eKYC. Electronic Know Your Customer: the digital verification of customer identity using document scanning, biometric matching, and database checks. A core component of CDD.

Fraud Detection. Systems and processes for identifying potentially fraudulent transactions or account activity. Overlaps with but distinct from transaction monitoring for ML/TF purposes.

Transaction Monitoring. Continuous surveillance of customer transactions against rules, thresholds, and behavioural baselines to detect suspicious activity.

Tranche 2 AML Reforms. The extension of AML/CTF obligations to legal, accounting, real estate, and trust service sectors, effective 1 July 2026.

Suspicious Matter Report (SMR). A mandatory report to AUSTRAC when reasonable grounds for suspicion exist regarding money laundering, terrorism financing, or other serious crimes.

Threshold Transaction Report (TTR). A mandatory report to AUSTRAC for cash transactions of $10,000 or more.

Politically Exposed Person (PEP). An individual who holds or has held a prominent public position, or their close associates and family members. Requires enhanced due diligence.

Request a Compliance-Readiness Review

AUSTRAC’s enforcement history demonstrates that system failures and documentation gaps are the primary drivers of civil penalties. Building compliance into your architecture from day one is not optional: it is how you protect your business from regulatory exposure.

Ostride Labs specialises in compliance-ready engineering for Australian FinTech and RegTech companies. Our Discovery Sprint assesses your current architecture against AUSTRAC requirements and delivers a clear roadmap for closing gaps before they become enforcement risks.
