On 31 March 2026, the most significant overhaul of Australia’s Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) framework since 2006 came into force for existing reporting entities.
If you hold an AFSL, this affects you directly. And if you haven’t reviewed your AML/CTF program against the new requirements yet, the gap between where you are and where you need to be may be larger than you think.
So what’s actually changed — and what should you be doing about it?
The old structure is gone
The familiar Part A / Part B program structure has been replaced by a single, integrated, risk-based model. Under the new framework, your AML/CTF program must demonstrate genuine operational effectiveness — not just well-documented policies sitting in a folder.
Regulators are increasingly assessing what is actually happening in practice: through data, reporting, and observable outcomes. Documentation alone is no longer enough.
What AFSL holders need to address
The key obligations that have changed or strengthened for AFSL holders include:
- Integrated risk assessment — your ML/TF risk assessment must now reflect your specific services, customer profiles, and delivery channels, and must be kept current. Proliferation Financing risk must also be included.
- AML/CTF Compliance Officer — the governance expectations around your Compliance Officer have been strengthened, including formal appointment, independence requirements, and fit and proper status. Boards carry enhanced liability in this area.
- Designated Business Group (DBG) transition — the DBG structure is being reshaped into a Reporting Group model. If your AFSL operates within a group structure, this transition needs to be planned and executed.
- AUSTRAC enrolment — if your AFSL provides any new designated services, enrolment details must be updated with AUSTRAC. The 31 March 2026 deadline has passed for existing entities, but newly regulated sectors have until 1 July 2026.
- Suspicious matter reporting — processes around identification, escalation, and reporting of suspicious matters have been scrutinised, and AUSTRAC expects evidence of operational effectiveness.
The AFCA dimension
At the same time, AFCA’s updated Rules and Operational Guidelines took effect on 12 March 2026. One change worth noting: AFCA now has a more explicit ability to publicise firm non-compliance with its determinations, and to report that non-compliance to ASIC and APRA where relevant.
For AFSL compliance teams, complaints governance and post-determination remediation are now more visible than they have ever been. This is not the time to let your complaints management processes slide.
Where to start
If your business hasn’t already conducted a gap analysis against the new AML/CTF requirements, that’s the logical first step. Specifically, you should be asking:
- Does our current AML/CTF program reflect the new single, risk-based model — or is it still structured around the old Part A/Part B framework?
- Has our risk assessment been updated to include Proliferation Financing and our current customer and service profile?
- Is our Compliance Officer formally appointed, independent, and meeting the fit and proper requirements?
- Have we mapped our obligations for any new designated services and updated our AUSTRAC enrolment accordingly?
- Can we demonstrate operational effectiveness — not just policy documentation?
The reforms are designed to make Australia’s financial system hostile to criminal exploitation. The bar has been raised, and compliance is now treated as a core licence-to-operate imperative — not a box-ticking exercise.
The good news is that a well-structured AML/CTF program, properly embedded in your day-to-day operations, doesn’t need to be a burden. It’s an opportunity to strengthen your governance and demonstrate to regulators that you’re taking your obligations seriously.
If you’re not sure where your current program stands against the new requirements, we can help. Get in touch and we’ll walk through it with you.
