AUSTRAC Amends AML/CTF Rules at the 11th Hour: What You Need to Know

AUSTRAC has made targeted amendments to the Anti‑Money Laundering and Counter‑Terrorism Financing Rules 2025 (AML/CTF Rules), following their initial tabling in Parliament on 29 August 2025.

These changes aim to fully operationalise the Act and Rules, correct newly discovered issues, and reduce administrative burden for reporting entities.

What Has Changed?

The amendments to the AML/CTF Rules address three key areas: reporting groups, technical corrections, and exemptions.

Here's a breakdown of what's been updated:

Reporting Groups

AUSTRAC has introduced an 'opt-out' reporting group model, replacing the previous framework. Under the new model, related entities that share the same ultimate holding company are automatically grouped together, with the ultimate holding company designated as the lead entity. Entities that do not wish to be part of a reporting group can opt out by notifying AUSTRAC.

This change significantly reduces the administrative burden previously associated with creating a reporting group and selecting a lead entity.

Technical Amendments

Several technical corrections have been made to improve the effectiveness of the Rules, including:

1. Updates and corrections to information required in enrolment and registration applications to accommodate all possible business models and structures

2. Aligning the annual compliance report period and lodgement date to the Commonwealth Performance Framework under the Public Governance, Performance and Accountability Act 2013

3. Requiring monitoring for prohibited hate group offences as part of monitoring for unusual transactions and behaviours under safe harbour rules

4. Amending the travel rule to extend the existing customer exemption from verifying certain information (including payer address) to all customers for transactions conducted before 1 July 2030

5. Prescribing content of forms for voluntary and mandatory notifications

6. Expanding AUSTRAC CEO powers for information gathering and sharing, including additional powers for gathering information related to a compliance assessment

Exemptions

AUSTRAC has also introduced several targeted exemptions to provide practical relief where full AML/CTF obligations were not considered necessary or proportionate.

Key exemptions include:

• ATM operators are not required to conduct initial customer due diligence (CDD) for cash withdrawals under $10,000 where the individual is not otherwise their customer

• Virtual Asset Service Providers (VASPs) are exempt from initial CDD for withdrawals under $1,000 to self-hosted wallets in similar circumstances

• Open-loop gift card issuers are not required to conduct CDD on recipients where appropriate risk mitigations are in place

• Certain non-reporting activities and professions have been clarified as outside the intended scope of the regime, including:

  • Providers of legal assistance

  • Barristers acting for Australian government bodies

  • Clearing and settlement facility operators where services are incidental

These exemptions are designed to ensure the regime remains risk-based and proportionate, while reducing unnecessary compliance burden in lower-risk scenarios.

Why This Matters

These amendments reflect AUSTRAC’s continued shift towards a more practical, risk-based AML/CTF framework.

The move to an opt-out reporting group model, combined with targeted exemptions and technical clarifications, is intended to simplify compliance while maintaining regulatory integrity.

For many financial services entities, particularly AFSLs, these changes will reduce administrative overhead while reinforcing expectations around monitoring, reporting, and governance.

What This Means for AFSLs (Practically)

While many of these changes are technical, there are a few areas where AFSLs will feel a real operational impact:

1. Reporting Groups - Less Admin... but Less Choice

If your AFSL sits within a broader corporate structure:

• You may now be automatically grouped with related entities under a reporting group

• The ultimate holding company becomes the default lead entity

• You only need to act if you want to opt out

Impact: Less paperwork to set up a group, but you need to be comfortable with:

• Who the lead entity is

• How AML/CTF obligations are being managed across the group

2. Customer Due Diligence (CDD) – Subtle but Important Changes

The updates introduce:

• Clarifications to how CDD provisions operate

• Extended timeframes for relying on KYC done by other parties (e.g. real estate transactions)

• “Deemed CDD” in limited scenarios where genuine attempts have been made

Impact:

• If you rely on third-party KYC (e.g. platforms, custodians, or external providers), you should revisit those arrangements

• Your AML/CTF program may need minor updates to reflect these clarifications

3. Monitoring Expectations Have Expanded

A notable addition:

• You must now monitor for prohibited hate group offences as part of transaction monitoring under safe harbour rules

  
  

Impact:

• This broadens what “suspicious activity” can include

• Monitoring frameworks and triggers may need to be updated or expanded

4. Travel Rule Relief (Temporary)

• Verification requirements (e.g. payer address) are relaxed for transactions before 1 July 2030

  
  

Impact:

• Some short-term operational relief

• But systems should still be built with the future requirement in mind

5. Annual Compliance Reporting Alignment

• Reporting timelines are now aligned with the Commonwealth Performance Framework

  
  

Impact:

• AFSLs should confirm reporting periods and lodgement dates align with the new structure

• Avoid relying on legacy timelines

6. AUSTRAC Powers & Information Requests

• Expanded CEO powers for information gathering and sharing

• Additional administrative and review processes formalised

  
  

Impact:

• Expect more structured and potentially broader information requests

• Record-keeping and audit trails become even more important

7. Exemptions – Limited Direct Impact for Most AFSLs

Most exemptions (ATM operators, VASPs, gift cards) are not directly relevant to typical AFSLs.

However:

1. They reinforce AUSTRAC’s risk-based approach

2. AFSLs should ensure their own controls are proportionate to risk, not overly burdensome

What AFSLs Should Do Now

1. Review Your AML/CTF Program

Update for:

• Reporting group changes

• CDD clarifications

• Expanded monitoring expectations

2. Confirm Your Reporting Group Position

• Are you now automatically part of a group?

• Are you comfortable with the lead entity and governance model?

• If not, consider whether to opt out

3. Reassess Monitoring & Controls

• Ensure monitoring frameworks capture:

  • Broader suspicious activity indicators

  • New expectations (e.g. prohibited organisations)

    
    

4. Check Third-Party Reliance Arrangements

If relying on external KYC or onboarding:

• Confirm it aligns with updated rules

• Document reliance clearly

  
  

5. Validate Reporting Timelines

• Align internal compliance calendars with the new reporting periods

  
  

6. Strengthen Record Keeping

Be prepared for:

• More formalised AUSTRAC information requests

  
  

Ensure:

• Decisions are documented

• Evidence is easily retrievable

Bottom Line

These changes are less about introducing entirely new obligations and more about:

• Reducing friction (reporting groups, exemptions)

• Clarifying expectations (CDD, reporting, processes)

• Expanding oversight focus (monitoring and AUSTRAC powers)

For most AFSLs, this is a refinement exercise, not a rebuild but it is still important to update your framework to stay aligned.

Need Support?

If you would like assistance reviewing how these changes impact your AML/CTF framework, updating your program, or sense-checking your approach to reporting groups, monitoring, and CDD obligations, the team at 3Lines Consulting can help.

We work closely with AFSLs to translate regulatory change into practical, fit-for-purpose frameworks so you can meet your obligations with confidence.

Contact us here.