From checklists to continuous risk management
At the heart of the Act is a clear message: know your customer, know your risk. Initial CDD must now be completed at the commencement of a customer relationship, and before any designated service is provided. This initial CDD will be performed by the reporting entity using what can be established by taking reasonable steps and based on information reasonably available to the reporting entity at that time. For this purpose, the reporting entity must identify the ML/TF risk of the particular customer, and this determination will affect the levels of enquiry and verification to be adopted for that customer in the initial CDD.
Part 5 of the Second Exposure Draft of the proposed Anti-Money Laundering and Counter Terrorism Financing Instrument 2025, if adopted in its present form, will be more specific than the Act about what needs to be established on reasonable grounds for certain classes of customers, but at this stage leaves what may be reasonable grounds to a risk-based determination (although in the future this may be the subject of guidance from AUSTRAC).
This approach will therefore replace the current prescriptive minimum requirements contained in Chapter 4 of the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (Cth) with a more robust mandate. It will mean that before commencing to provide a designated service, a reporting entity must identify and assess the ML/TF risk of a customer, and if applicable, any beneficial owner of the customer and any person acting on behalf of the customer. The reporting entity is then obliged to collect and verify know your customer (KYC) information appropriate to that risk, understand ownership structures, and assess the nature and purpose of relationships.
But the real transformation lies in ongoing CDD. Reporting entities will be required to monitor customer activity continuously, update risk profiles and conduct further checks when "red flags" emerge. This dynamic approach ensures that CDD is not a one-time formality but a living process that is responsive to change and alert to risk, aligning with the principles of perpetual KYC by enabling continuous monitoring, real-time risk assessment, and proactive compliance.
The Act also streamlines the application of simplified and enhanced due diligence. Simplified CDD is permitted only for low-risk customers, and when no red flags are present. Enhanced CDD, on the other hand, is mandatory for high-risk scenarios such as dealings with foreign politically exposed persons, customers from high-risk jurisdictions, or when suspicious activity is detected. Enhanced CDD measures may include collecting additional information (e.g. source of funds or wealth), obtaining senior management approval, and increasing monitoring frequency.
Further guidance from AUSTRAC is expected to clarify practical implementation of the new CDD requirements, particularly around risk classification and documentation standards. A key concern across the industry is the potential for increased compliance burden due to the ambiguity in defining "high risk" scenarios and the scope of enhanced measures.
A new compliance frontier
The most sweeping change is the extension of AML/CTF obligations to new activities that will attach to business sectors previously untouched, including lawyers, accountants, real estate professionals, and dealers in precious metals and stones. By 1 July 2026, tens of thousands of entities will need to implement AML/CTF programs, appoint AML/CTF compliance officers, train staff, and enrol and (where necessary) register with AUSTRAC as reporting entities for the first time.
For these “Tranche 2” entities, the transition will be significant. Many have never conducted formal CDD, and the cultural shift from client services to compliance may be challenging. However, AUSTRAC is providing guidance, templates, and education to support these sectors. The expectation is clear: honest efforts to comply are required, not just box-ticking.
For existing reporting entities, AUSTRAC expects that they will have commenced reviewing and strengthening their existing frameworks, systems and processes, and will have developed and documented implementation plans to manage ML/TF and proliferation financing risks in advance of 31 March 2026. Non-compliance could lead to severe financial and reputational damage. Conversely, businesses that invest in robust compliance frameworks will be viewed more favourably by regulators and customers alike.
Technology: The compliance catalyst
Many organisations are now turning to regulatory technology (RegTech) solutions to automate and enhance CDD processes, both to comply with the new requirements and to drive efficiencies, while minimising the impact on the customer experience.