In November 2024, Australia passed one of the most consequential financial crime reforms in its recent history. The AML/CTF Amendment Act 2024 marked a watershed moment, not only because it expanded regulatory coverage to long-exempt sectors such as law firms and real estate agents, but because it fundamentally reshaped the expectations for how all reporting entities, including banks, payments companies, investment firms, and crypto exchanges, are to detect and disrupt illicit financial activity.

For compliance officers and boardrooms alike, the message from Canberra is unmistakable. The era of procedural checkbox compliance is over. The new benchmark is effectiveness.

A two-year fuse, already lit

The legislation passed Parliament in November 2024 and received Royal Assent in December, but the implementation is structured to give institutions a transition runway. As of March 2025, interim measures such as the repeal of the 1988 Financial Transaction Reports Act and a redefinition of the “tipping off” offense have already come into force.

But the real deadline looms on 31 March 2026, when existing AUSTRAC-regulated institutions must have fully adopted the new regime. Just three months later, on 1 July 2026, the net will widen further as AML/CTF obligations are extended to the so-called “tranche two” sectors; lawyers, accountants, real estate agents, and dealers in precious metals and stones.

That may sound distant. But for institutions with sprawling compliance architectures and legacy transaction monitoring systems, it’s alarmingly soon.

What has changed: from checkbox to outcomes

The most visible change is structural. AUSTRAC has abolished the traditional “Part A / Part B” AML/CTF program split in favour of a single, risk-based program that focuses on actual effectiveness. Programs must now be grounded in a documented, regularly updated ML/TF risk assessment and account for proliferation financing, global priority tied to the prevention of weapons of mass destruction financing.

Customer due diligence has also evolved. A clear distinction is drawn between initial and ongoing due diligence, with mandatory screening for politically exposed persons (PEPs), beneficial owners, and agents such as power of attorney holders. Sanctions screening expectations have quietly sharpened as well.

The reforms also streamline compliance for corporate groups via a new “reporting group” construct. Unlike the previous Designated Business Group model, this framework allows affiliated entities to operate under a shared AML/CTF program, provided they designate a lead entity to coordinate risk management.

Most significant is the reorientation of transaction monitoring obligations. The new regime expects institutions to focus less on volume and more on substance, detecting typologies that matter: structuring, account layering, international fund flows, and high-risk geographies.

Industry spotlight: Superannuation, crypto, and neobanks

While the legislative language applies broadly, certain sectors face uniquely complex challenges under the 2024 AML/CTF reforms. Three stand out: superannuation funds, digital currency exchanges, and neobanks.

Superannuation funds: no longer exempt by structure

Super funds are not part of the “tranche two” expansion; they are already regulated under AUSTRAC’s regime. But the reforms expose longstanding gaps in how these institutions interpret and operationalise AML obligations.

Key changes affect how funds must:

  • Treat power of attorney arrangements and third-party authorisations during onboarding and withdrawals;
  • Identify and report potential fraud vs money laundering, particularly in cases where a member is a victim, not a perpetrator;
  • Align ongoing monitoring to high-risk typologies such as abnormal withdrawal patterns, successor fund transfers, and cross-border pension consolidations;
  • Clarify internal governance. The fund administrator may execute controls, but the trustee remains accountable.

Superannuation trustees must also reconcile AML/CTF data retention rules with privacy laws, an area that has prompted industry calls for clearer guidance on recordkeeping duration and lawful data sharing with administrators.

Crypto exchanges: welcome to full-spectrum regulation

If ambiguity once protected crypto platforms, those days are over. AUSTRAC’s reforms pull Australia in line with global peers by:

  • Expanding AML/CTF obligations to crypto-to-crypto exchanges, custodial wallet providers, and token sales;
  • Enforcing the travel rule, requiring payer/payee identity data to travel with digital transfers; and
  • Establishing a hard compliance deadline. No crypto services may be offered into Australia from March 2026 unless the provider is registered with AUSTRAC.

These rules don’t just increase the compliance workload. They change the business model. Exchanges must now prove they can:

  • Monitor transaction flow across pseudonymous wallets;
  • Detect typologies such as mixer usage, exchange hopping, and peer-to-peer laundering;
  • File Suspicious Matter Reports (SMRs) even when traditional KYC data is absent but blockchain patterns suggest illicit activity.

Smaller crypto firms, especially those offshore, will struggle to meet these expectations without retooling both their tech stack and compliance function.

Neobanks: built lean, but not immune

Australia’s neobank wave has crested, but digital-first banking platforms continue to grow embedded within consumer finance, payroll, or cross-border payment apps. These firms now face the same expectations as established banks but with leaner teams and often brittle systems.

Key implications:

  • Formal board oversight of AML/CTF is now unavoidable, even for startups without legacy governance layers;
  • Monitoring for terrorism financing and proliferation risks must be explicitly documented, not assumed to be covered by fraud detection;
  • Group structures involving white-labelled providers or partner banks must establish a clear lead reporting entity with consolidated oversight.

For neobanks relying on third-party infrastructure, the reforms will force a re-evaluation of whether partners and vendors meet AUSTRAC’s new expectations or create regulatory exposure.

A regulatory reality check for international players

Foreign financial institutions with Australian operations should treat these changes not as administrative noise but as strategic signal.

The reformed AML/CTF Act imposes clear expectations that local branches or subsidiaries reflect Australian regulatory priorities, regardless of their parent group’s global policies. AUSTRAC has clarified that transaction monitoring, suspicious matter reporting, and tipping-off provisions apply at the local entity level, even when decisions are centralised abroad.

More concretely, international firms offering services into Australia, especially crypto exchanges, must be registered with AUSTRAC by March 2026 if they conduct crypto-to-crypto trades, offer custodial wallets, or provide related services to Australian residents.

Executive liability is no longer theoretical

One of the quieter, yet most powerful, aspects of the reform is its unambiguous shift toward board-level accountability. AML/CTF compliance is now formally a governance responsibility. Boards must receive annual reports on program effectiveness and are expected to engage directly with compliance officers and internal assurance functions.

Institutions must also appoint an AML/CTF Compliance Officer who is demonstrably “fit and proper”, a phrase AUSTRAC is likely to define with increasing rigour. The compliance officer must have operational independence, report to senior management, and be adequately resourced. These are no longer soft best practices; they are legislated standards.

Failure to meet them could result in enforceable undertakings or civil penalties, with senior leaders no longer shielded by plausible deniability. AUSTRAC has made clear that where governance failures are material, individual accountability is very much on the table.

What AML leaders should do now

With less than a year to go before industry guidance is finalised and only two years until the reforms are enforceable, compliance leaders must move quickly. Here is a checklist worth reviewing:

  • Conduct a gap assessment: Compare your current AML/CTF program against the new requirements, especially around risk assessment, governance, and monitoring coverage.
  • Update policies and procedures: Rewrite internal documentation to reflect consolidated program design, new CDD standards, and revised suspicious matter escalation procedures.
  • Rescope transaction monitoring rules: Ensure they are typology-driven and adapted to high-risk activity, not just legacy thresholds.
  • Formalise governance: Schedule board briefings, document oversight responsibilities, and ensure the AML officer is empowered and resourced.
  • Modernise systems: Prepare to capture and report the full data payload for value transfers, including for crypto transactions.
  • Run scenario testing: Use audits, red-teaming, or mock regulator reviews to uncover blind spots in your program before AUSTRAC does.

How Flagright supports reform-ready compliance

At Flagright, we’ve built a compliance infrastructure that aligns with the exact requirements of the 2024 reforms without the operational bloat of legacy systems.

Flagright enables:

  • Real-time, risk-based transaction monitoring for fiat and digital assets
  • Integrated CDD with PEP, sanctions, and adverse media screening
  • Case management with audit trails for suspicious matter reporting
  • Program-level controls to support board reporting, role-based access, and reporting group structures

Flagright’s modular design means financial institutions can deploy quickly, often in under two weeks, across multiple business lines or jurisdictions.

With March 2026 approaching fast, the cost of inaction is rising. Institutions that treat this as a compliance checkbox will find themselves outpaced by those who treat it as an opportunity to modernise.

Ready to start implementing your AML stack? Request a demo today and see Flagright in action.