Catherine Evans
“Surely this doesn’t apply to me, as my clients aren’t criminals.”
This is heard time and again from advisers and is exactly the wrong way to think about Anti-Money Laundering / Counter Terrorism Financing (AML/CTF).
Australia has been significantly behind the international community on AML legislation for years now, with increased pressure to bring our regime into line being tied to the real risk of grey listing from international trade. This is a large part of why these reforms have moved as quickly as they have.
The laws are now in place and operational, with AUSTRAC’s expectations higher than much of the advice profession has yet appreciated.
Existing reporting entities, including self-licensed advisers, have been operating under the new framework since 31 March 2026.
That deadline has passed, and the next critical date is 1 July 2026. This is when new designated services and new reporting entities come into the regime in full.
The starting point is knowing which services are regulated, and this is where most firms underestimate the complexity in its entirety.
The designated services in the legislation are worded broadly, and AUSTRAC’s guidance does not always map neatly to how advice businesses operate. If for example you recommend an SMSF and simply refer the client to their accountant to manage the set up process, you are likely not providing a designated service (the accountant would be). But if you facilitate the set-up process, by completing forms, using a document provider, effectively setting it up for the client or on their behalf, then you almost certainly are.
Similarly, if you hold authority over a client’s account and make payments on their behalf, that is a designated service. And if you provide a registered office address for any client, that is a separate designated service as well.
None of these are unusual arrangements in an advice practice, they are everyday occurrences. And they are precisely the kinds of services this regime is designed to capture.
What has also surprised many integrated practices is the group-level reach of the new laws. This is where an advice business has an associated accounting arm, both entities may be caught and need to be separately enrolled.
Corporate authorised representatives providing any of the new designated services will also be regulated and require enrolment with AUSTRAC, not just the licensee entity. The day of assuming the licensee manages all of this are gone.
Once you’ve determined one or more of your services are regulated, then the obligations are extensive and includes a money laundering and terrorism financing risk assessment, policies and controls, personnel due diligence, training, an internal governance framework, and annual reporting to AUSTRAC.
The most common mistake we see is treating this as a documentation exercise. A policy gets written, filed away, and never touched again. But the framework only works and only holds up under scrutiny when it is embedded in how the business operates.
What does the team do day to day? How are concerns escalated? How are decisions recorded? That is what AUSTRAC is interested in, and that is what an independent evaluation will examine.
This is the part many firms have not fully grasped yet, that AML/CTF compliance is not a set-and-forget exercise. Customer due diligence will continue throughout the life of a client relationship, not just at onboarding.
Suspicious matter reporting obligations are triggered by reasonable suspicion, not proof, not certainty. Once that suspicion forms, a report must be lodged within three business days. AUSTRAC has already signalled its concern that the advice industry is not reporting enough, which is a clear indication of where scrutiny is heading.
Enhanced customer due diligence under the new regime is also no longer a checklist. It is a judgement call, based on the specific risks identified. There is no one-size-fits-all answer, and firms need people who can make those calls.
There is one more thing worth being direct about, even if the overall risk profile is genuinely low, that does not reduce any of the legal obligations. Risk shapes how you comply with certain parts of the framework, it does not determine whether you comply.
This distinction matters, and it is where many otherwise well-run firms find themselves exposed.
The firms that will manage this well are not the ones trying to minimise the issue. They are the ones that have taken the time to understand what is required, built it into how they operate, and can demonstrate clearly that their framework works in practice.
With 1 July weeks away, there is still time to get this right. But not much, because when questions come, confidence will not come from knowing your clients well. It will come from being able to show your workings.
By Catherine Evans, Founder and Head of Legal
