Back to Blog
March 27, 2026
10 min read

AML/CTF Rules 2025: A Plain-English Guide for Busy Professionals

The official AML/CTF Rules 2025 are 200+ pages of legal text. This is the 10-minute version — what the rules actually mean for real estate, accounting, law, and other Tranche 2 businesses.

TL;DR: The Five Core Requirements

  1. 1. Enroll — Register with AUSTRAC (one-time, before July 1, 2026)
  2. 2. Know your clients — Verify identity before providing services (every client, every time)
  3. 3. Watch for red flags — Conduct ongoing monitoring and report suspicious activity
  4. 4. Keep records — Store all verification and transaction records for 7 years
  5. 5. Report — File SMRs, TTRs, and annual compliance reports as required

What Are the AML/CTF Rules?

The Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Rules 2025 are the detailed regulations that sit under the AML/CTF Act 2006. Think of it this way:

  • The Act = The law (what you must do in broad terms)
  • The Rules = The how-to manual (exactly how to do it)

The Rules cover everything from how to verify a client's identity to what information you must include in a suspicious matter report. They're legally binding — if you don't follow them, you're breaking the law.

Who Do These Rules Apply To?

From 1 July 2026, the Rules apply to all "reporting entities", including:

Tranche 1 (since 2006)

Banks, credit unions, remittance providers, casinos, gambling services

Tranche 2 (from July 2026)

Real estate, accounting, law, conveyancing, trust/company services, bullion dealers

If you're in Tranche 2, you follow the exact same rules as banks and casinos. The only difference is your "designated services" — the specific activities that trigger AML obligations.

The Nine Parts of the Rules (What Matters Most)

The AML/CTF Rules are divided into nine parts. Here's what each part covers and what you actually need to know:

1

Part 1: Definitions & Application

The boring stuff (but important)

Defines key terms like "designated service", "customer", "beneficial owner", "politically exposed person (PEP)".

What you need to know: Read the definition of "designated service" for your industry. If you provide a designated service, you must verify the client before proceeding.

2

Part 2: Reporting Groups

For businesses with multiple entities

If you operate multiple related businesses (e.g., different companies under the same parent), you may be able to form a "reporting group" and share AML resources.

What you need to know: Most small businesses (single ABN, sole trader, or single company) can skip this. If you run a franchise or multi-entity group, read AUSTRAC's guidance on reporting groups.

3

Part 3: Enrolment

Registering with AUSTRAC

Before you can legally provide designated services, you must enroll with AUSTRAC. This is a one-time process done through the AUSTRAC Online portal.

What you need to know: Enrollment opens 31 March 2026. You'll need your ABN, business details, and the name of your AML Compliance Officer. Read our step-by-step enrollment guide.

4

Part 4: Registration

Special registrations (most can skip)

Covers special registrations for remittance providers and other high-risk businesses.

What you need to know: If you're in real estate, accounting, law, or conveyancing, Part 4 doesn't apply. Skip it.

5

Part 5: AML/CTF Programs

Your compliance playbook (mandatory)

This is the big one. You must create and follow a written AML/CTF program that covers:

  • Risk assessment: Identify your money laundering and terrorism financing risks
  • Customer due diligence: How you verify clients
  • Ongoing monitoring: How you watch for suspicious activity
  • Reporting: How you file SMRs and TTRs
  • Training: How you educate staff on AML obligations
  • Record-keeping: What you keep and for how long

What you need to know: AUSTRAC provides free templates called "Program Starter Kits" for each sector (real estate, accounting, law, etc.). Download your industry's kit and customize it. For most small businesses, this is a 10-20 page document.

6

Part 6: Customer Due Diligence (CDD)

How to verify clients (this is 80% of your job)

Part 6 is the most important section. It explains:

  • Standard CDD: Verify name, date of birth, and address for individuals. Verify business name, ABN/ACN, and beneficial ownership for companies.
  • Simplified CDD: Reduced checks for low-risk clients (e.g., government entities, listed companies). Most small businesses won't use this.
  • Enhanced CDD: Extra checks for high-risk clients (e.g., PEPs, clients from high-risk countries). Required when your risk assessment flags a client.

Electronic verification is allowed — you don't need to see physical documents. You can use government databases (Document Verification Service), biometric checks (selfie + liveness detection), or accredited digital identity providers.

What you need to know: For every new client, you must verify their identity before providing a designated service. Use a tool like FreeAML (60-second verification, client-pays option) or follow AUSTRAC's manual verification process.

7

Part 7: Correspondent Banking

Not relevant for most Tranche 2 businesses

Covers correspondent banking relationships (when banks open accounts for other banks).

What you need to know: Unless you're a bank or financial institution, skip Part 7.

8

Part 8: Transfers of Value

Only if you move money internationally

Covers international funds transfers and the information you must include when sending money overseas (e.g., SWIFT messages).

What you need to know: If you're a conveyancer or accountant who occasionally sends money overseas on behalf of clients, read Part 8. Otherwise, skip it.

9

Part 9: Reporting

What you must report and when

Part 9 covers three types of reports:

Suspicious Matter Report (SMR)

File within 24 hours if you suspect a transaction involves money laundering or terrorism financing. Examples: Client paying in large cash amounts, client using multiple names, transaction makes no business sense.

Threshold Transaction Report (TTR)

File within 10 business days for any physical cash transaction over $10,000. This includes deposits, withdrawals, or payments in cash. Multiple transactions totaling $10,000+ in one day also trigger a TTR.

Annual Compliance Report

Due every year on your enrollment anniversary. Covers how many clients you verified, how many SMRs/TTRs you filed, and any changes to your AML program. Takes about 30 minutes to complete online.

What you need to know: Most small businesses rarely file SMRs or TTRs (especially if you don't handle cash). The annual compliance report is mandatory for everyone.

What's New in the 2025 Rules?

The 2025 rules replace the 2007 rules with several important changes:

  • Risk-based approach is mandatory. You must assess each client's risk level and adjust your verification procedures accordingly. No more one-size-fits-all checklists.
  • Electronic verification is explicitly allowed. The 2007 rules were written before smartphones and biometric tech. The 2025 rules embrace digital identity.
  • Beneficial ownership disclosure is required. For companies and trusts, you must identify and verify the ultimate beneficial owners (individuals who own 25%+ or control the entity).
  • Ongoing monitoring is clarified. You must periodically review existing clients (at least every 12-36 months depending on risk) to ensure their information is current.
  • Tranche 2 businesses are included. Real estate, accounting, law, and other sectors are now subject to the same rules as banks (with sector-specific guidance).

Common Myths About the Rules

What the Rules DON'T Say

  • ❌ "You must see physical documents." False. Electronic verification is allowed and often preferred.
  • ❌ "You must verify every client the same way." False. Risk-based approach means higher-risk clients get enhanced checks, lower-risk clients get standard checks.
  • ❌ "You need a separate AML department." False. Small businesses can integrate AML into existing workflows. The business owner can be the AMLCO.
  • ❌ "You must report every suspicious transaction." False. Only report if you genuinely suspect money laundering or terrorism financing. Over-reporting clogs AUSTRAC's systems.
  • ❌ "The rules are the same for everyone." False. There's sector-specific guidance (real estate vs accounting vs law). Use AUSTRAC's Program Starter Kits for your industry.

Where to Read the Full Rules

The full AML/CTF Rules 2025 are available on the Federal Register of Legislation: legislation.gov.au

Pro tip: Don't read the rules from start to finish. Instead:

  1. Read Part 5 (AML/CTF Programs) to understand the big picture
  2. Read Part 6 (Customer Due Diligence) for day-to-day verification
  3. Skim Part 9 (Reporting) to know when to file SMRs/TTRs
  4. Use AUSTRAC's Program Starter Kit for your sector as your checklist

Need Help?

AUSTRAC guidance: Visit austrac.gov.au/business for free templates, guidance notes, and sector-specific resources.

FreeAML: For free AML verification tools (no signup required), visit freeaml.com.au. We help small businesses comply with Part 6 (CDD) in 60 seconds — fully AUSTRAC compliant.

Simplify Your AML Compliance

Verify clients in 60 seconds. No signup, no subscription. AUSTRAC-compliant CDD reports delivered by email.

Try FreeAML →

Frequently Asked Questions