Beyond the acronyms: How AML/CTF is evolving

Highlights

• AML/CTF is a whole-of-business issue, not just a regulatory checkbox.
• Australia’s AML/CTF reforms have commenced – existing reporting entities came into scope on 31 March 2026, and Tranche 2 enrolment is now open.
• Financial crime is evolving rapidly and businesses must adapt to stay ahead.
• BNDRY is a financial crime compliance platform that automates compliance procedures for regulated businesses.

It has been said that financial crime is faceless, an elusive monster not easily captured, but that’s far from the reality. There are countless faces behind the crimes that are financed through Money Laundering and Terrorism Financing (ML/TF), the issue lies in detecting them because perpetrators of financial crime are finding increasingly intelligent ways to hide their illicit funds.

The Many Faces of Financial Crime

Financial crime isn’t a new concept. It's existed for centuries with the first known case recorded in 300 BC, when two Greek sea merchants thought they could get away with pocketing loaned money by sinking their own cargo ship, becoming the first recorded example of insurance fraud. Scallywags. Modern methods have since developed to include identity fraud, embezzlement, bribery, and money and document counterfeiting, with new methods developing all the time.

The financial crime landscape is unrecognisable compared to what it looked like in 2008 – a new beast that’s bleeding the global economy and threatening businesses and individuals at a prolific rate. Meanwhile, the status quo around Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) has undergone a serious overhaul to ensure compliance and regulation procedures effectively combat these crimes.

Since the rise of the internet, money laundering has become far more sophisticated and evolved to accommodate numerous, almost undetectable crimes, including but not limited to credit card fraud and terrorism financing.

Traditional crimes may have been simpler to track, but chasing paper trails and hidden capital has always been a laborious and time-heavy task – a compelling reason why many businesses may choose to avoid full compliance. That choice is no longer available. With the reformed AML/CTF Act now in force, regulators have been forced to rethink how to most effectively combat these crimes – the challenge has been to bring companies into the fold to help.

Important update. March 2026: AUSTRAC's AML/CTF reforms are no longer on the horizon. They are here.

• Existing regulated entities (banks, fintechs, casinos, remittance providers) come into scope under the reformed Act. 31 March 2026.
• Tranche 2 enrolment opened. Tranche 2 brings a new class of businesses into the AML/CTF regime for the first time – including lawyers, accountants, real estate agents, and high-value dealers. 31 March 2026.
• Final deadline for Tranche 2 businesses to enrol with AUSTRAC. 29 July 2026.
• Full AML/CTF program obligations commence for Tranche 2 entities. 1 July 2026.

Where Australia stands: reforms are live now

What is Tranche 2? Tranche 2 refers to the second wave of Australian businesses now captured by AML/CTF obligations under the reformed Anti-Money Laundering and Counter-Terrorism Financing Act, including legal professionals, accountants, real estate agents, trust and company service providers, and dealers in precious metals and stones.

Since modern ML/TF has seen a rapid development in how criminals work and how they acquire their funds, businesses also need to adapt to safeguard themselves against these threats. Perpetrators of financial crime are intelligent, they have the capital, tools and personnel to find where vulnerabilities lie in both businesses and consumers, which is why AUSTRAC and many regulatory organisations across the world have had to adapt to fight the threat ML/TF poses to the global community.

In his speech at the Clubs NSW 2025 Conference AUSTRAC CEO, Brendan Thomas, stated that gambling businesses, including pubs and clubs, had historically taken a “tick and flick” approach to compliance, resulting in major fines for venues that failed to meet their obligations. The new reforms are explicitly designed to move beyond checkbox compliance, toward risk-based, proactive detection; one of the reasons why the Australian government has taken measures to align with regulatory compliance set by the Financial Action Task Force (FATF).

Brendan Thomas has outlined that AUSTRAC's regulatory expectations are informed by two factors:

• The financial crime risks businesses need to manage.
• The time available to prepare for the AML/CTF reforms.

Businesses need to make sure their risk and compliance procedures and related tools are capable of handling and detecting potential risk. For most businesses, that preparation window is closing fast.

Financial Crime is Smart, Businesses Need to be Smarter

Global scam economies are flourishing, driven by the digital economy and the increasing intelligence of criminal enterprises, with some perpetrators even setting up illegal labour camps. These camps consist of abducted migrants, where victims are held against their will and forced to perform online scams. One such syndicate involving Prince Holding Group chair, Chen Zhi, has been seized by the US government and labelled "one of the largest investment fraud operations in history". It’s believed Chen Zhi had been using forced labour to deceive hopeful investors in on-going "pig-butchering" scams.

Closer to home, scammers regularly acquire bank accounts from legitimate users, for a fee, and use them to launder proceeds of crime. These are not theoretical risks. They are documented, active threats to Australian businesses.

AML/CTF obligations have historically been treated as a manual, overlooked aspect of business functions where customer information is scattered and potentially falling through compliance cracks, making it difficult, and sometimes impossible, to locate required information. Businesses, especially those governed by regulatory laws, need to recognise this and adapt their compliance processes to the changing AML/CTF landscape. Developing the right policies and procedures, including staff training, running ongoing monitoring and audits and managing a solid compliance program is crucial to meeting regulatory obligations, mitigating risk and detecting fraud.

The tools available to detect risk and discover the source of financial crimes have become far more sophisticated, a necessary development to meet the technologies used by FinCrime syndicates.

Before selecting tools, businesses should stress-test their current environment:

• Where are threats most likely to appear in your customer base or transaction flows?
• Which systems hold customer identity data, and are they connected?
• Is responsibility for recognising risk distributed across the business – not siloed in compliance?
• Are clients and vendors properly screened against sanctions and PEP lists?
• Are geographical risk factors built into your transaction monitoring?

AUSTRAC’s 2025–26 priorities mark a clear shift toward proactive enforcement and data-led detection. Businesses who shift their focus from an obligation to risk management and protecting their assets, will be better positioned – both regulatorily and operationally.

Frequently asked questions

What is the difference between Tranche 1 and Tranche 2?

Tranche 1 entities are the businesses regulated under Australia’s AML/CTF framework since the original 2006 Act – banks, credit unions, remittance dealers, casinos, and gambling services. Tranche 2 entities are the newly captured professions including lawyers, accountants, real estate agents, and high-value goods dealers, who will have full obligations from 1 July 2026.

What does a compliant AML/CTF program actually require?

A compliant AML/CTF program requires: a documented, risk-based program (no longer split into Parts A and B) including an enterprise-wide risk assessment covering Money Laundering (ML), Terrorism Financing (TF), and Proliferation Financing (PF); a designated AML/CTF compliance officer; Ongoing Customer Due Diligence (OCDD); transaction monitoring; lodgement of SMRs and TTRs with AUSTRAC; staff training; periodic independent review; and an annual compliance report lodged by 31 March each year.

What happens if my business doesn’t comply?

AUSTRAC can issue infringement notices, enforceable undertakings, civil penalties, or refer matters to the AFP or CDPP for criminal prosecution. Recent penalties for major regulated entities have run into the hundreds of millions of dollars.

When do I need to enrol as a Tranche 2 entity?

Enrolment opened 31 March 2026. The final enrolment deadline is 29 July 2026. Full program obligations commence 1 July 2026. If you are a legal professional, accountant, real estate agent, trust and company service provider, or high-value dealer and are not yet enrolled, you should act now.

You can find more answers on AUSTRAC's website.

How BNDRY Tech Combats Financial Crime

AML/CTF, fraud and cybersecurity are all connected so your compliance systems and associated technology should be closely connected too.

“Cybercrime leads to or enables financial crime by exposing the data of individuals or organisations, which in turn leads to fraud or scam activities,” says Ben Jackson, BNDRY’s Chief Information Officer.

BNDRY is a financial crime compliance platform built specifically for regulated businesses to help with their AML/CTF needs. It integrates via API with existing core banking systems, CRMs and identity providers. No rip-and-replace required.

The platform automates the compliance functions that regulators are scrutinising most closely:

• KYC and CDD screening against sanctions and PEP lists.
• Intelligent monitoring with automated alerts, rule-based and ML-driven detection.
• Automated SMR and TTR lodgement.
• Secure, structured record-keeping with full audit trail.

BNDRY was built by people who have fought fraud, scams, and financial crime from the inside. The platform enables smarter, automated decision-making so compliance teams can manage by exception – focusing on the highest-risk cases rather than manually reviewing every transaction. It is designed to bring structure and speed to regulated businesses fighting financial crime, without slowing down business-as-usual operations. Think of BNDRY as your personal scout, performing reconnaissance tasks and only bringing you into battle when absolutely necessary, because combating financial crime should safeguard against potential threats, not slow a business down.

From decision makers to risk and compliance officers, if you want help building a strong compliance ecosystem to meet your regulatory needs, we're here to help.