AUSTRAC has released its long-awaited core guidance for the Australian AML/CTF reforms, providing the clearest view yet of how regulated entities should prepare for the new regime.
This guidance will become the foundation for interpreting and applying the new AML/CTF obligations. It offers practical direction on what AUSTRAC expects from reporting entities as they begin implementing the reforms and how to demonstrate that their programs effectively mitigate money laundering and terrorism financing risks.
We have summarised AUSTRAC’s core guidance for Australia’s AML/CTF reforms, providing a clear overview of what reporting entities need to know. It covers governance, customer due diligence, risk assessment, and enhanced due diligence, showing how to design and demonstrate effective compliance programs.
What the core guidance covers
The core guidance sets out AUSTRAC’s expectations for how entities should interpret and apply their AML/CTF obligations under the reformed, risk-based framework. It explains how compliance outcomes will be assessed and what good practice looks like in governance, due diligence and oversight. More than a reference document, it’s the standard AUSTRAC will use to judge whether programs are effective in practice, not just compliant on paper.
How the guidance supports compliance implementation
The core guidance is designed to help entities transition from older, prescriptive models of compliance to a more integrated, risk-responsive framework. It provides clarity in several key areas that compliance professionals have sought for some time:
Program design and governance
Essentially, AUSTRAC expects risk-driven, well-governed programs that evolve with the business and demonstrate effectiveness through outcomes, not documentation.
The guidance sets out how firms should design AML/CTF programs that align with their actual size, structure, and risk profile. It expects a firm’s AML/CTF program to be grounded in a documented risk assessment that shapes the firm’s policies and controls, and governance to be clear - with senior management approval and a compliance officer responsible for day-to-day oversight. It also sets the expectation that programs must evolve and that firms are able to demonstrate that their frameworks remain proportionate, operational, and risk-responsive - a standard measured by outcomes, not paperwork.
Customer due diligence
The emphasis is on maintaining an informed, evolving view of customer risk, supported by clear governance and timely escalation.
The guidance explains that customer due diligence must be risk-based and continuous, not a single identity check. Firms are expected to know who their customers are, understand the purpose of their relationship, and ensure activity aligns with expected behaviour. Initial CDD must be completed before providing a service, followed by ongoing monitoring and updates to keep information current. Enhanced CDD applies to high-risk situations such as PEPs or sanctions exposure, while simplified checks are only acceptable for genuinely low-risk cases.
Risk assessment/rating
In essence, the emphasis is on dynamic, evidence-based risk assessment that informs and adapts due diligence decisions, rather than static customer categorisation.
The guidance reinforces that assessing customer risk is central to a risk-based AML/CTF approach. Firms must build a clear, documented system to assign and review customer risk ratings (low, medium, or high) based on factors like customer type, service, delivery channel, and geography. Ratings should be applied consistently, revisited through ongoing monitoring, and supported by clear records showing how and why each rating was determined. The focus is on evidence-based, dynamic risk assessment that directly informs due diligence.
Enhanced due diligence and source of wealth/source of funds (SoW/SoF) checks
The emphasis is on structured, risk-led escalation - ensuring higher risk automatically triggers stronger, documented controls including source of wealth/source of funds.
The guidance makes clear that enhanced due diligence is mandatory when higher ML/TF risk arises, such as with high-risk customers, foreign PEPs, high-risk jurisdictions, complex or unusual transactions, or when an SMR (suspicious matter report) is filed and the relationship continues. Programs must specify triggers, roles, tipping-off controls, and how effectiveness is reviewed. Measures should be risk-matched and evidenced, from verifying source of funds and wealth to escalating decisions or exiting relationships where risk exceeds appetite.
Designation of services and illustrative examples
Designated services are about proximity to the transaction - regulation applies when your actions move money or ownership, not when you’re simply advising in the background.
The guidance specifies that AML/CTF obligations are mandatory when a professional’s work directly advances a transaction, such as executing a property transfer, forming a company or trust, arranging finance, or managing client funds. Firms must enrol with AUSTRAC, complete customer due diligence, and meet program and reporting requirements once they provide a designated service. AUSTRAC expects firms to assess their role against the “direct advancement” test, distinguishing between actions that make a transaction happen and those that merely influence or advise on it.
Reporting groups
Reporting groups formalise collective compliance - allowing shared controls, but demanding clear accountability.
The guidance confirms that reporting groups will replace designated business groups from 31 March 2026, creating a single, flexible structure for shared AML/CTF compliance. Groups must have a lead entity, agreed to in writing, that is accountable for group-wide AML/CTF policies, ML/TF risk assessments, and oversight. Members must enrol with AUSTRAC and remain individually responsible for compliance, even where obligations are discharged centrally.
AUSTRAC expects lead entities to ensure their group-wide program reflects the size and risk profile of all members, governs information sharing without breaching tipping-off rules, and clearly documents who performs which obligations.
Together, these sections provide a clear operational framework for compliance teams, offering both flexibility and accountability.
Understanding AUSTRAC’s language
AUSTRAC has also published guidance on how to interpret the language and structure of its reform materials. The “Learn how to use this guidance” page explains that terms such as “must”, “should”, and “may” are used deliberately to distinguish between legal obligations, strong expectations and optional practices.
Knowing this helps compliance teams and legal advisors separate mandatory requirements from guidance, ensuring consistent interpretation and defensible program design.
Practical implications for reporting entities
The core guidance shifts focus from having policies to proving they work. Firms must show that controls are risk-proportionate, evidence-based, and responsive to change. Compliance teams should review governance, risk-rating, and documentation, updating training and systems to meet AUSTRAC’s expectations.
Preparing for the next phase
AUSTRAC recognises that implementation will take time, with transitional arrangements in place. The core guidance acts as both a roadmap and foundation, helping entities plan their reform journey, prioritise actions, and implement change in a defensible way. Further sector-specific guidance is expected to follow, refining how programs, controls, and assurance are designed and tested.
About First AML
First AML comes from the perspective of both a technology provider and compliance professionals. Prior to releasing First AML’s all-in-one AML workflow platform, we processed over 2,000,000 AML cases ourselves. Understanding the acute problem that firms face these days as they try to scale their own AML is in our DNA.
That's why First AML now powers thousands of compliance experts around the globe to reduce the time and cost burden of complex and international entity KYC. Source stands out as a leading solution for organisations with complex or international onboarding needs. It provides streamlined collaboration and ensures uniformity in all AML practices.