Skip to content

Get your free Risk Assessment and free staff training today. No obligation. Zero cost.

Get your free Risk Assessment and free staff training today. No obligation. Zero cost.

Get your free Risk Assessment and free staff training today. No obligation. Zero cost.

Get your free Risk Assessment and free staff training today. No obligation. Zero cost.

An Overview of the Anti-Money Laundering (AML) & Counter-Terrorism Financing (CTF) Act 2006

Published February 13, 2026

If you’ve tried to read the AML/CTF Act directly, or even navigate some of the guidance on the AUSTRAC website, you’re not alone if you’ve come away feeling overwhelmed.  The legislation is extensive, some 400-odd pages, plus another 370+ pages for the associated AML/CTF Rules. And for many businesses newly captured under Tranche 2, it can be hard to tell what actually matters for you.

This article is designed to do exactly that: give you a plain-English, practical overview of the AML/CTF Act 2006, what it’s for, how it works, and what businesses really need to know as the July 2026 changes approach. Think of this as your TL;DR guide to the AML CTF Act.

What is the AML & CTF Act?

The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (commonly referred to as the AML CTF Act or AML and CTF Act) is Australia’s primary legislation for preventing:

In simple terms, the AML/CTF Act requires certain businesses to know who their customers are, understand the risk those customers pose in the context of the above crimes, monitor their activity as it relates to their services and report any suspicious behaviour to AUSTRAC.  And at the end of all this, they’re required to keep records to demonstrate said compliance.

The Act is administered and enforced by the Australian Transaction Reports and Analysis Centre a.k.a. AUSTRAC, Australia’s financial intelligence agency and AML/CTF regulator.

What is the purpose of the AML & CTF Act?

The purpose of the AML/CTF Act is to protect the Australian financial system, the broader economy and the community.  It does this by making it harder for criminals to:

From a business perspective, the Act is not about turning businesses into law-enforcement agencies. Instead, those businesses act as the gatekeepers, identifying risk early and reporting concerns where required.

Why the AML CTF Act matters more now (Tranche 2)

When the AML/CTF Act was first introduced in 2006, it applied mainly to financial institutions, casinos and other large businesses with high-transaction volumes (often referred to as Tranche 1 entities). From 1 July 2026, that changes.

Under Tranche 2 reforms, the AML/CTF Act will extend to a much broader group of professional services, including:

For many of these businesses, this will be their first time operating under AML/CTF legislation.

Breaking down the AML & CTF Act (in plain English)

The AML/CTF Act is divided into many Parts, but for practical understanding, it’s more helpful to group them into themes. Below is a high-level breakdown of the key components that matter most to businesses under this legislation.

Governance, scope and definitions

These sections of the Act establish AUSTRAC as the regulator, define key terms (such as designated services, reporting entities) and explain who the Act applies to and when.

If your business provides a designated service, you are a reporting entity and must comply, regardless of your size.

Relevant sections of the Act:

Part 1 - Introduction, in particular Section 5 (Definitions, including designated service, reporting entity) and Section 6 (Designated services table).

AML/CTF programs (your compliance framework)

One of the central requirements of the AML CTF Act is that reporting entities must have a written AML/CTF program. In practice, this means documenting:

The Act requires a risk-based approach, which you may have seen referenced in AUSTRAC’s materials, and indeed by others in the AML/CTF space. Basically this means that there is no one-size-fits-all program. Your obligations scale with the size, nature and complexity of your business.

Relevant sections of the Act:

The requirement to maintain a written, risk-based AML/CTF program is set out in Part 7 of the AML/CTF Act (sections 81-92).

Customer due diligence (CDD)

The AML/CTF Act requires businesses to identify customers, verify that identity and understand beneficial ownership. Businesses must apply enhanced checks where risk is higher. This is where some Tranche 2 businesses, particularly in the property sector, may recognise familiar concepts like VOI. It is important to know though, that the Act goes further than the VOI you may be used to.

CDD is not just about collecting ID. It expands on this concept to require you to understand the purpose of your relationship with the client, and the purpose of their transaction. You need to monitor changes over time, and update information when circumstances change.

A key concept in the AML/CTF Act is that compliance is ongoing, not one-off.

Businesses must have systems and controls to:

This applies after onboarding, and for the duration of the business relationship.

Relevant sections of the Act:

Customer due diligence obligations are contained in Part 2 of the AML/CTF Act (sections 34-38), which govern identification and verification requirements.

Reporting obligations

The Act sets out several types of mandatory reports to AUSTRAC, including:

For Tranche 2 SMEs, SMRs are the most relevant. An SMR must be lodged when there are reasonable grounds to suspect that either a customer is not who they claim to be, that funds may be the proceeds of crime, that activity is inconsistent with the customer’s profile or that the transaction may be linked to criminal activity.

Importantly, the Act requires reporting within strict timeframes, and prohibits “tipping off” customers.

Relevant sections of the Act:

Mandatory reporting obligations, including SMRs, are set out in Part 3 of the AML/CTF Act (Division 2 - Suspicious matter reports, section 41, Division 3 - Threshold transactions, section 43 and Division 4 - International funds transfer instructions, section 45-46)

Record-keeping obligations

The AML/CTF Act places heavy emphasis on evidence. Businesses must keep records of having completed customer identification and verification, 

risk assessments, monitoring activities, decisions around reporting, AML/CTF programs and reviews and staff training.

Most records must be retained for seven years and be readily accessible if requested by AUSTRAC.

Relevant sections of the Act:

Record-keeping requirements, including seven-year retention periods, are prescribed in Part 10 of the AML/CTF Act.

Staff training and awareness

The AML/CTF Rules requires businesses to:

Importantly, training is not a one-size-fits-all approach. It must be ongoing, proportionate to risk and role-appropriate. This applies even in small teams.

Relevant sections of the Act:

While the AML/CTF Act itself does not prescribe training requirements in detail, it mandates compliance with the AML/CTF Rules, which require AML/CTF programs to include staff training.

Independent reviews and oversight

The AML/CTF Act requires AML/CTF programs to be reviewed regularly and independently assessed for effectiveness. For SMEs, this does not mean constant audits, but it does mean that you will need to have a periodic independent review, which documents its findings and provides evidence of any remediation necessary.

Relevant sections of the Act:

While the AML/CTF Act itself does not prescribe the independent review process in detail, it mandates compliance with the AML/CTF Rules, which requires a periodic independent review of your AML/CTF program (Part 8.6).

Penalties and enforcement powers (brief but important)

The AML/CTF Act gives AUSTRAC significant enforcement powers. Depending on the breach, AUSTRAC may:

Penalties can be substantial (millions of dollars in serious cases), and AUSTRAC has a documented history of enforcement.

Relevant sections of the Act:

AUSTRAC’s enforcement powers are set out primarily in Parts 15, 16 and 17 of the AML/CTF Act.

Key summary: the AML CTF Act in one page

In practical terms, the AML/CTF Act requires businesses to:

  1. Enrol with AUSTRAC
  2. Identify and manage ML/TF risk (Risk Assessment, AML Program)
  3. Know and monitor customers (CDD, Ongoing Monitoring)
  4. Report suspicious activity (SMRs)
  5. Keep records for seven years
  6. Train staff
  7. Review and improve compliance

From July 2026, Tranche 2 SMEs will be fully subject to these obligations. 

Action points for businesses to stay compliant

If you’re newly captured under Tranche 2, you should start by understanding whether you provide a designated service. Even if you only provide this service once a year, you will need to enrol and comply. You should also identify who will act as your Compliance Officer, start educating yourself and your team and review existing ID, record-keeping and monitoring processes.

The next step is to plan how you’ll build and maintain an AML/CTF program before July 2026. Early preparation reduces stress, cost and risk, so all suggestions are to start now.

Final note: turning legislation into something workable

The AML/CTF Act is not short. It’s not light reading. But when broken down, it’s less about legal complexity and more about good business discipline. Knowing your clients, documenting your decisions, managing risk and being able to show your workings.

For many Tranche 2 businesses, the challenge won’t be understanding the law. Instead, it will be putting it into action without overwhelming teams. And this is where structured processes and technology become essential.

If you’re ready to move from “understanding the Act” to actually implementing it, easyAML is designed to help Tranche 2 SMEs manage enrolment, AML programs, CDD, monitoring, reporting and record-keeping in one place.

Get started for free today with easyAML and turn this TL;DR into a workable compliance plan:

Get Started