Consultation on Australia's new AML/CTF Rules May 2025: Cutting through the jargon
AUSTRAC has just released their second consultation on the draft AML/CTF Rules. It's a heavy read, so we've written this article to help you make sense of it in a practical way.
Note that AUSTRAC invites submissions on the proposals discussed in this consultation paper. You can provide submissions via AUSTRAC’s consultation page. The closing date for submissions is 11:59PM Friday 27 June 2025. Your feedback will assist AUSTRAC to determine whether measures in the ED2 Rules require amendment, or whether additional rules are required.
1. Automatic reporting groups
What AUSTRAC heard:
Can we opt out of being in a reporting group if we’re part of a corporate structure?
Plain English response:
If one company controls others, you’re automatically grouped for AML purposes. You can’t opt out. If there’s no control link, joining is optional.
2. Lead entity of a business group
What AUSTRAC heard:
The rule about which company gets chosen as the lead entity is too strict.
Plain English response:
Groups can now agree who the lead is, as long as they’re not controlled by someone else and are connected to Australia.
3. Holding companies as lead entities
What AUSTRAC heard:
Can a parent company be the lead entity, even if it has no staff or services?
Plain English response:
Yes. A non-operating holding company can be the lead entity if it meets the rule’s criteria.
4. Lead entity in elective groups
What AUSTRAC heard:
The draft didn’t make it clear how lead entities are chosen when groups form voluntarily.
Plain English response:
The updated rules let members agree on the lead, as long as they aren’t under another’s control and are linked to Australia.
5. Delegating compliance work within a group
What AUSTRAC heard:
Can one group member do the compliance work for another?
Plain English response:
Yes, tasks can be shared, but the legal responsibility stays with the entity the rule applies to. Lead entities must document and oversee it.
6. Group exemptions (section 26T)
What AUSTRAC heard:
If one member qualifies for an exemption, does that apply to the whole group?
Plain English response:
Exemptions apply individually. A member can still be exempt even if others aren’t. But lead entities may inherit some responsibilities.
7. Enrolment of non-reporting group members
What AUSTRAC heard:
Do all group members need to enrol with AUSTRAC?
Plain English response:
No. Only reporting entities and lead entities must enrol. Others don’t; they’ll get access to AUSTRAC’s systems in other ways.
8. Trigger for reviewing ML/TF risk assessment
What AUSTRAC heard:
We’re concerned the term “adverse findings” is too broad and might force unnecessary reviews.
Plain English response:
You only need to review your risk assessment if the independent review finds a genuine problem with how you did it. Not every issue triggers a full update.
9. Risk assessment review for exempt firms
What AUSTRAC heard:
Do small firms exempt under section 26T still have to do risk assessment reviews?
Plain English response:
No. If you're exempt from needing an independent evaluation, the rule to review your risk assessment doesn't apply to you.
10. Personnel due diligence: who needs checking?
What AUSTRAC heard:
The draft rule was too broad; it seemed like we had to vet every contractor, even if they don’t do AML work.
Plain English response:
You only need to check people doing AML-related tasks. AUSTRAC expects you to evaluate who these people are based on their roles.
11. Personnel due diligence: recognition of other checks
What AUSTRAC heard:
Can we rely on existing vetting processes (e.g. legal practising certificates, APRA fit and proper tests)?
Plain English response:
Yes, but you must assess if those checks meet your AML needs. AUSTRAC won’t list every accepted regime, but will offer guidance on how to align existing checks with AML rules.
12. Personnel due diligence: how far does it go?
What AUSTRAC heard:
The rule felt too rigid. Can we take a risk-based approach instead of doing detailed checks for everyone?
Plain English response:
You must assess people’s integrity and AML skills if they do AML tasks. This can be scaled based on business size and role. Poor hiring = poor controls.
13. Outsourcing personnel checks
What AUSTRAC heard:
Can we outsource these checks to a third party?
Plain English response:
Yes. But the responsibility stays with you. If your vendor does a poor job, you're still on the hook.
14. Independent evaluation: why small firms?
What AUSTRAC heard:
Why should solo operators or micro businesses pay for external reviews?
Plain English response:
Evaluations help you know if your AML program is working. But if you’re exempt (e.g. under section 26T), you won’t need to do one.
15. Independent evaluation: how much does it cover?
What AUSTRAC heard:
Do evaluators need to assess everything in our AML policies, even if it's just for a foreign regulator?
Plain English response:
No. The review should focus on your AML policies as required by Australian law. Extra content (e.g. for offshore use) doesn’t need to be assessed unless it overlaps.
16. Independent evaluator qualifications
What AUSTRAC heard:
Shouldn’t AUSTRAC define who’s qualified to do an evaluation?
Plain English response:
We’re not creating an accreditation system, but you should choose someone with AML expertise who can genuinely assess your controls.
17. Independent evaluation: can internal audit do it?
What AUSTRAC heard:
Can our internal audit team conduct the evaluation?
Plain English response:
Yes, if they’re independent of the AML team and have the right skills. They can’t evaluate a program they helped write.
18. AML compliance officer seniority
What AUSTRAC heard:
The compliance officer has to be a “senior manager”. Is that too narrow?
Plain English response:
We expect someone with influence and access to senior leadership. Titles matter less than whether the person can raise issues and be taken seriously.
19. Reporting from the AML officer
What AUSTRAC heard:
The rules say the AML officer must report to the governing body. What if we’re small and don’t have one?
Plain English response:
That’s fine. If there’s no formal board, the officer should report to whoever runs the business. This will be clarified in guidance.
20. Training requirements
What AUSTRAC heard:
Do we have to train everyone, or just AML staff?
Plain English response:
You only need to train people involved in AML processes. The training should match the person’s role: general awareness for most, detailed training for AML staff.
21. Training for volunteers and outsourced staff
What AUSTRAC heard:
Do we need to train volunteers, temps, or outsourced providers?
Plain English response:
If they do AML tasks, yes, you must train them. If they don’t touch AML work, training isn’t needed.
22. AML/CTF Program policies must be documented
What AUSTRAC heard:
Some thought policies could just be informal or internal.
Plain English response:
Policies must be documented, not just understood. This ensures consistency and auditability.
23. Enrolment detail concerns
What AUSTRAC heard:
The enrolment form asks for sensitive info. Why does AUSTRAC need it?
Plain English response:
We use this to understand who we regulate and to tailor support. We won’t publish or share it inappropriately.
24. Privacy concerns with AUSTRAC system access
What AUSTRAC heard:
Do staff need to share personal ID info to get AUSTRAC portal access?
Plain English response:
Yes, but only enough to securely identify users. This protects your firm and prevents unauthorised access.
25. Registration of remitters and crypto providers
What AUSTRAC heard:
Some said the registration requirements seem too strict or unclear.
Plain English response:
These sectors are high-risk. We’ll issue guidance to explain how to meet the new requirements.
26. Scope of registration info required
What AUSTRAC heard:
The draft seemed to require a lot of detail upfront. Can we phase this?
Plain English response:
Yes, we’ll make it clearer what’s needed initially versus later. But you still need enough info to assess suitability from the start.
27. Overseas registration/licensing
What AUSTRAC heard:
Can overseas licenses count as valid? What if our parent company is overseas?
Plain English response:
Yes, overseas regulation can meet some requirements if the regulator is credible. We’ll issue more guidance on this.
28. AML programs in global organisations
What AUSTRAC heard:
How do the rules apply to global firms with shared group policies?
Plain English response:
You can use group-wide AML programs, but they must meet Australian requirements. You can’t rely solely on offshore standards.
29. Use of third parties to perform AML tasks
What AUSTRAC heard:
Can third parties carry out parts of our AML program?
Plain English response:
Yes, but you remain responsible. You must ensure they’re doing it properly and document the arrangement.
30. AML program approval
What AUSTRAC heard:
Does the “governing body” have to approve the AML program?
Plain English response:
Yes, or the most senior person if there’s no formal board. This ensures accountability at the top.
31. CDD triggers for different services
What AUSTRAC heard:
Do we have to identify customers for all services, even low-risk ones?
Plain English response:
Yes, CDD is required for all designated services, but how much you collect can depend on the risk.
32. Customer vs. customer’s customer
What AUSTRAC heard:
Are we meant to identify our customer’s client too?
Plain English response:
No, unless they benefit directly or you act as trustee or agent. You don’t need to go beyond your own customer.
33. Company directors and senior managing officials
What AUSTRAC heard:
Do we have to identify all directors of a company?
Plain English response:
No, just one senior managing official, unless there's a reason to identify more.
34. Role of 'controllers' in CDD
What AUSTRAC heard:
Who counts as a ‘controller’? It’s not clear if we need to ID people with influence but no formal ownership.
Plain English response:
You must identify people who own or control the customer. This includes those with significant influence even if they don’t own shares.
35. Place of birth for individuals
What AUSTRAC heard:
Why are we still collecting place of birth? It’s hard to verify and not always relevant.
Plain English response:
Good point. That field has been removed; it’s no longer required.
36. CDD timeframes: is 30 days enough?
What AUSTRAC heard:
Is 30 days enough to complete identity checks in all cases?
Plain English response:
Yes, but only if delaying the check is low risk and unavoidable. You must have policies and finish it as soon as practical.
37. Use of CDD exemptions
What AUSTRAC heard:
Can we still rely on simplified CDD for certain customers?
Plain English response:
Yes, for certain low-risk entities (like public companies, government bodies). These are now built into the new rules.
38. Deemed compliance during M&A
What AUSTRAC heard:
If we acquire a client book from another business, do we need to re-do CDD?
Plain English response:
No, if you get full, up-to-date records, you're deemed compliant. But you must validate those records.
39. Low-risk exemption for beneficial ownership checks
What AUSTRAC heard:
Can we skip beneficial ownership checks for trusted entities?
Plain English response:
Yes, if the customer is low risk and is a regulated or transparent organisation (e.g. listed company, government body).
40. Government bodies as low-risk
What AUSTRAC heard:
Are all government entities automatically low-risk?
Plain English response:
Not necessarily. Most are, but you still need to assess them. Don’t skip risk assessment just because it’s a government agency.
41. Delayed verification: how it applies
What AUSTRAC heard:
Does delayed verification apply to trusts and complex structures?
Plain English response:
Yes. You can delay verifying beneficiaries or beneficial owners if it’s low risk, documented, and done within 30 days.
42. Delayed verification: record keeping
What AUSTRAC heard:
Do we need to keep a record of when verification is delayed?
Plain English response:
Yes. You must document why verification was delayed, your risk assessment, and when it was completed.
43. Re-verification of existing clients
What AUSTRAC heard:
Do we need to re-verify customers we onboarded years ago?
Plain English response:
Not unless there’s a trigger, like a change in risk profile, suspicious behaviour, or updated laws.
44. CDD for agents acting on behalf of others
What AUSTRAC heard:
Do we have to identify the person the agent is acting for?
Plain English response:
Yes. You must identify both the agent and the person they represent.
45. Foreign agents and verification
What AUSTRAC heard:
Can we accept a foreign agent’s ID verification?
Plain English response:
Yes, if the method meets Australian standards. But you remain responsible if it’s inadequate.
46. Ongoing customer due diligence (OCDD) triggers
What AUSTRAC heard:
What counts as a trigger to update a customer’s info?
Plain English response:
Things like changes in ownership, unusual behaviour, or changes in business activity. AUSTRAC will provide guidance.
47. Simplified CDD for listed entities and government bodies
What AUSTRAC heard:
Can we avoid collecting ownership info for these types of clients?
Plain English response:
Yes, if they’re publicly listed or clearly government-run, and the risk is low.
48. Record keeping for simplified due diligence
What AUSTRAC heard:
Do we still need to document why we didn’t collect full CDD?
Plain English response:
Yes. You must record your rationale for applying simplified due diligence.
49. PEP approval and senior management
What AUSTRAC heard:
Who exactly counts as “senior management” for approving high-risk PEPs?
Plain English response:
Someone with real decision-making power, not just a title. They must understand the risk and have authority.
50. Domestic vs. foreign PEPs
What AUSTRAC heard:
Are the rules the same for Australian and foreign PEPs?
Plain English response:
Yes. Both must be treated as high risk unless you assess otherwise. You must apply enhanced due diligence to both.
51. Financial sanctions: who’s responsible?
What AUSTRAC heard:
Do we really need AML policies for sanctions?
Plain English response:
Yes. This is a legal obligation and plugs a FATF-identified gap. You need a process to avoid dealing with sanctioned people.
52. Frozen assets and sanctions
What AUSTRAC heard:
What if we already hold money for a sanctioned person?
Plain English response:
You must freeze it and not return it, even if asked. Returning it could breach sanctions.
53. Tipping off concerns
What AUSTRAC heard:
What if freezing assets tips off a customer?
Plain English response:
Sanctions law already deals with this. Follow the law and contact the appropriate agency if unsure.
54. Suspicious matter reporting: who decides?
What AUSTRAC heard:
Does every suspicious matter need to go to the AML officer?
Plain English response:
Anyone can detect and report suspicions, but your AML officer is responsible for deciding whether to file an SMR with AUSTRAC.
55. Threshold transaction reports (TTRs): digital currency
What AUSTRAC heard:
Do TTRs apply to crypto?
Plain English response:
No. TTRs only apply to physical cash over $10,000. Crypto transfers aren’t included.
56. TTRs and reporting timelines
What AUSTRAC heard:
When do we have to submit a TTR?
Plain English response:
Within 10 business days of the transaction. This hasn’t changed.
57. New reportable fields in SMRs/TTRs
What AUSTRAC heard:
Why are you adding more data fields?
Plain English response:
To improve the quality of intelligence. AUSTRAC is modernising the forms to better reflect today's risks and technologies.
58. System readiness for new forms
What AUSTRAC heard:
Will we be ready to use the new forms on day one?
Plain English response:
AUSTRAC will phase in the new forms and give you time to adjust. Tech updates and guidance will be shared in advance.
59. SMRs on past activity
What AUSTRAC heard:
Can we file an SMR for something that happened years ago?
Plain English response:
Yes, if the suspicion arises now, report it. The timing of the transaction doesn’t matter as much as when you became suspicious.
60. Cross-border movement reporting
What AUSTRAC heard:
What are the rules for cross-border cash movement?
Plain English response:
These rules are still under review. The existing rules apply until the new system is in place in 2026.
61. Class exemptions: will they continue?
What AUSTRAC heard:
Are existing exemptions (like for debt collectors or real estate agents) being scrapped?
Plain English response:
Some are continuing under a new instrument. Others have been retired or replaced in the new rules.
62. Class exemption: friendly societies
What AUSTRAC heard:
Will friendly societies still be exempt?
Plain English response:
Yes, their exemption is being preserved under the new class instrument.
63. Class exemption: grain warehousing
What AUSTRAC heard:
What about grain warehousing services?
Plain English response:
These too are preserved, but AUSTRAC may revisit this in the future if risk levels change.
64. Class exemption: debt collection
What AUSTRAC heard:
Are debt collectors still exempt?
Plain English response:
Yes, AUSTRAC is continuing this exemption under the new class exemption rules.
65. Retirement of outdated exemptions
What AUSTRAC heard:
Why are some exemptions being removed?
Plain English response:
They no longer reflect current risks or industries. Some have been built into the new rules instead.
66. AML rules and the Privacy Act
What AUSTRAC heard:
Do the new rules conflict with privacy laws?
Plain English response:
No, they’re designed to work within existing privacy law. AUSTRAC will update guidance to help you manage both obligations.
67. Feedback on definitions
What AUSTRAC heard:
Some terms in the rules were unclear.
Plain English response:
AUSTRAC has updated the draft to clarify key terms, including "beneficial owner", "designated service", and "governing body".
68. Access to AUSTRAC systems
What AUSTRAC heard:
It’s unclear how new sectors will get system access.
Plain English response:
AUSTRAC is updating its access process and will publish guidance for Tranche 2 entities before the regime starts.
69. Transitional periods
What AUSTRAC heard:
Will there be time to comply?
Plain English response:
Yes, AUSTRAC is planning a generous transition period, with education and support before enforcement begins.
70. Consultation process
What AUSTRAC heard:
We need more time and transparency in the consultation process.
Plain English response:
AUSTRAC agrees. This second draft reflects industry feedback, and submissions remain open until 27 June 2025.
About First AML
This article is written not only from the perspective of a technology provider, but also through the lens of compliance professionals. Prior to releasing Source, First AML’s orchestration platform, we processed over 2,000,000 AML cases ourselves. Understanding the acute problem that faces firms these days as they try to scale their own AML is in our DNA.
That's why Source now powers thousands of compliance experts around the globe to reduce the time and cost burden of complex and international entity KYC. Source stands out as a leading solution for organisations with complex or international onboarding needs. It provides streamlined collaboration and ensures uniformity in all AML practices.