Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth)

The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) creates Australia’s core AML/CTF regime for businesses that provide designated services. Its objects and structure are aimed at reducing money laundering and terrorism financing risk through customer due diligence, reporting, record-keeping, governance and regulatory oversight.

For business owners, the key point is that the Act does not apply simply because you handle money in a general sense. It applies when your business provides a service that falls within the designated services framework in section 6. Once that threshold is met, the Act can require your business to enrol, assess risk, maintain AML/CTF controls, verify customers, monitor relationships, make reports to AUSTRAC and keep records.

The Act is broad and operational. It covers more than customer identification. It also deals with reporting obligations, transfers of value, remittance registration, virtual asset service provider registration, secrecy and tipping off, audits, information-gathering powers and enforcement tools.

The practical trigger is whether your business provides a designated service. The Act’s table of designated services sits in section 6. That table is the first place to look. It is not enough to rely on broad labels like fintech, lender, exchange, gaming operator or payments business. You need to compare your actual service offering against the current legislative text.

Businesses commonly affected include parts of the banking, lending, remittance, transfer, gaming and virtual asset sectors. The Act also contains dedicated registration regimes for the remittance sector and for virtual asset service providers. If your business sends value, receives value, exchanges value, facilitates transfers, or provides a service involving virtual assets, you should check the Act carefully.

Many businesses will usually be outside the regime if they do not provide a designated service. For example, a standard retailer, hospitality venue or service business that does not provide a captured financial, remittance or virtual asset service may not be a reporting entity. But that can change quickly if the business adds a wallet, stored value feature, customer transfer function, lending product, exchange function or another captured service.

You should also be careful with commentary about sector expansion. Public discussion about reforms does not itself change the law. Professional services firms, real estate businesses and high-value goods dealers should not assume they are already covered unless their current activities fall within a designated service in the Act as in force.

For many businesses, the hardest issue is not understanding the obligations. It is deciding whether the Act applies at all. The safest approach is to work through the designated services table in section 6 line by line and compare it with how your product actually works in practice.

That means looking at the real transaction flow. Ask who receives funds or value, who controls the transfer, whether the business is issuing, exchanging or facilitating value, whether the service is domestic or international, whether virtual assets are involved, and whether the business is acting directly or through agents, affiliates or platform arrangements.

Do not stop at your marketing description. A product described as a software platform may still involve a designated service if the business is functionally providing a captured service. Likewise, a business that starts as a technology provider can move into scope if it later adds customer onboarding, transfer execution, exchange functionality, wallet features or settlement services.

The list of designated services and related provisions should be checked in the latest version of the Act. The current compilation notes that uncommenced amendments are not shown in the text of the compiled law. That means businesses should confirm both the current in-force text and whether any upcoming changes are relevant before relying on a compliance position.

If your business is a reporting entity, the Act imposes a set of linked and ongoing obligations. These are designed to work together. They are not a one-time onboarding checklist.

Part 1A requires reporting entities to undertake an ML/TF risk assessment, review and update that assessment, and have an up-to-date assessment before providing designated services. Reporting entities must also develop and maintain AML/CTF policies, comply with those policies, designate an AML/CTF compliance officer, and notify AUSTRAC of that officer. The Act also places responsibilities on governing bodies and requires AML/CTF program documentation and approvals.

Part 2 deals with customer due diligence. That includes initial customer due diligence, ongoing customer due diligence, and the use of simplified or enhanced customer due diligence in the circumstances allowed or required by the Act. There are also provisions dealing with identity verification information, including use and disclosure to credit reporting bodies for identity verification purposes and privacy-related protections around that information.

Part 3 creates reporting obligations, including suspicious matter reports, threshold transaction reports, reports relating to international value transfer services, reports relating to transfers of value involving unverified self-hosted virtual asset wallets, and AML/CTF compliance reports. The Act also allows AUSTRAC to require further information in some circumstances.

Part 10 requires retention of transaction records, customer due diligence records and records relating to AML/CTF program obligations. Record-keeping is a core control, especially where a business relies on agents, third-party arrangements or group structures.

A common mistake is treating AML/CTF compliance as a setup project that ends once a policy is written or an enrolment is completed. The Act points the other way. It requires review and updating of the ML/TF risk assessment, ongoing customer due diligence, continuing compliance with AML/CTF policies, and ongoing reporting and record retention.

In practice, this means your controls need to match your actual risk profile and change as your business changes. A startup with one product and a small customer base may have a different risk profile from the same business six months later after adding international transfers, new customer channels, higher transaction volumes or virtual asset functionality.

Governance also matters. The Act includes responsibilities for governing bodies and documentation requirements for AML/CTF programs. Businesses should make sure compliance ownership is clear, escalation paths exist, and product, operations, legal and engineering teams understand when a product change may alter AML/CTF obligations.

The Act does more than create general reporting entity obligations. It also establishes a Remittance Sector Register and a Virtual Asset Service Provider Register. The Act restricts unregistered persons from providing certain remittance services and certain virtual asset services.

That means some businesses need to assess two related questions. First, are we providing a designated service and therefore operating as a reporting entity? Second, are we also in a category that requires registration under the remittance or virtual asset parts of the Act?

For businesses in payments, transfers and crypto, this is a critical launch issue. If your service model changes, your registration position may also change. Review the current Act carefully before going live, especially if your product involves exchange, transfer, wallet or network functionality.

The Act contains detailed provisions about the use, disclosure, retention and protection of information. In the customer due diligence part, it addresses use and disclosure of personal information for identity verification purposes, including interactions with credit reporting bodies and protections around verification information. It also states that a breach of certain requirements can amount to an interference with privacy.

The Act separately contains secrecy and access provisions, including offences relating to tipping off and unauthorised access, use or disclosure of AUSTRAC information. Businesses should therefore treat AML/CTF information handling as both a compliance and privacy issue. Internal access controls, staff training and clear reporting pathways are important operational safeguards.

AUSTRAC has substantial oversight and enforcement tools under the Act. These include monitoring of compliance, remedial directions, injunctions, enforceable undertakings, infringement notices and civil penalty proceedings. The Act also gives authorised officers monitoring and information-gathering powers, and provides for external audits in some circumstances.

For businesses, the practical message is that AML/CTF compliance should be capable of being evidenced. It is not enough to say your business takes compliance seriously. You need records, documented policies, current risk assessments, reporting processes and governance arrangements that can withstand regulatory scrutiny.

The Act also contains offences relating to false or misleading information and documents, use of false customer names or anonymity in connection with designated services, and conduct designed to avoid reporting requirements. Businesses should make sure frontline teams understand that process workarounds can create legal exposure.

The current public compilation referenced here is Compilation No. 60 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, showing the law as amended and in force on 31 March 2026. The compilation notes also say that uncommenced amendments are not shown in the text of the compiled law.

That matters in practice. Before relying on this page for a launch decision, compliance build or product redesign, check the latest compilation on the Federal Register of Legislation and confirm whether any amendments affecting your business have commenced or remain uncommenced. You should also review current AUSTRAC materials relevant to your sector.