AU: AML/CTF Act 2006
| Regulator | Jurisdiction | Status | Applicability |
|---|---|---|---|
| APRA | AU | live | Platform |
The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 is Australia's primary AML/CTF
legislation. It requires reporting entities to enrol with AUSTRAC, implement an AML/CTF programme,
conduct customer identification, monitor transactions, and report suspicious matters, international
funds transfers, and threshold transactions. AUSTRAC is the regulator and supervisor. Major reforms
extending the Act to professional services (lawyers, accountants, real estate) progressed through
Parliament in 2024–2025 under the AML/CTF Amendment Act 2024.
The Act is closely parallel in structure to New Zealand's AML/CFT Act 2009 but differs in several
key areas: AUSTRAC replaces RBNZ as the supervisor; Suspicious Matter Reports (SMRs) replace
Suspicious Transaction Reports (STRs); Threshold Transaction Reports (TTRs) apply to cash
transactions at or above AUD 10,000; and International Funds Transfer Instructions (IFTIs) are the
primary cross-border reporting mechanism, with no equivalent to NZ's CMIRs. Australia is a FATF
member — Australia's most recent Mutual Evaluation was 2015 with a follow-up assessment in 2024.
Section references below are indicative — refer to the Act as amended for precise statutory language.
Compliance register
This register maps every material obligation under the Act to the platform control or institutional
process that satisfies it. It is the static traceability layer for the Totara compliance report —
dynamic data (module build status, test evidence, control test dates) is overlaid at runtime.
Scope legend
| Symbol | Meaning |
|---|---|
| 🤖 Automated | Platform enforces or performs the obligation. Primary control mode is GATE, AUTO, CALC, or ALERT. Human action is not required in the normal case. |
| 📊 Evidenced | Platform captures the evidence trail automatically. Human compliance decision sits on top. Primary control mode is LOG. |
| 🏛 Institutional | Obligation is met by a process entirely outside the platform — training programmes, board governance, HR, legal. Platform may generate evidence inputs but does not own the process. |
| N/A | Obligation does not apply to this deployment configuration. |
Build legend
| Symbol | Meaning |
|---|---|
| ✅ | Module built and deployed |
| 🔨 | Module planned — not yet built (build_status: Not started) |
| ❌ | Uncontrolled gap — no module attributed |
Part 7 — AML/CTF Programme (ss.84–99)
| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| S.84 | Maintain an AML/CTF programme — Part A (Board-level governance, risk assessment, oversight) and Part B (customer identification procedures) | 📊 Evidenced | AML-001 | MOD-037 (AUTO) — annual AUSTRAC compliance report data sourced and structured from operational systems; MOD-047 (LOG) — every compliance decision logged; MOD-012 (LOG) — KYC audit trail provides the programme evidence base | 🔨 |
| S.85 | Risk assessment — conduct and maintain an AML/CTF risk assessment of the reporting entity's ML/TF risk | 🤖 Automated | AML-001 | MOD-039 (AUTO) — customer risk scores computed continuously; MOD-017 (AUTO) — ML behavioural scoring for portfolio-wide risk view | 🔨 |
| S.91 | Ensure relevant employees trained on AML/CTF obligations | 🏛 Institutional | AML-010 | LMS is an institutional system — not platform scope. MOD-049 (LOG) captures staff consent acknowledgements as a supporting evidence input only. | — |
| S.95 | Submit annual compliance report to AUSTRAC | 🤖 Automated | AML-001, REP-003 | MOD-037 (AUTO) — annual AML reporting pipeline submits to AUSTRAC automatically; MOD-026 (AUTO) — IFTI data feeds directly into annual compliance report | 🔨 |
Part 2 — Customer Identification and Verification (ss.32–67)
| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| S.32 | Customer identification procedure (CIP) — complete before providing a designated service | 🤖 Automated | AML-003, AML-002 | MOD-009 (GATE) — no account activates without verified KYC; MOD-010 (AUTO) — CDD tier assigned by rule engine, not agent discretion | 🔨 |
| S.35 | Verify identity of individuals — using reliable, independent source documents or data | 🤖 Automated | AML-003 | MOD-009 (AUTO) — eIDV extracts and verifies identity from document biometrics automatically | 🔨 |
| S.39 | Verify beneficial owners of non-individual customers (≥ 25% threshold) | 🤖 Automated | AML-002 | MOD-133 (GATE) — all trustees and beneficial owners ≥ 25% must individually pass eIDV before trust account activates; MOD-134 (GATE) — all authorised signatories pass eIDV before community account activates | 🔨 |
| S.40 | Simplified verification — permitted for prescribed low-risk customer categories | 🤖 Automated | AML-002 | MOD-010 (AUTO) — simplified CDD tier applied by rule engine where criteria are met; not agent discretion | 🔨 |
| S.36 | Enhanced customer due diligence — required for PEPs and high-risk customers | 🤖 Automated | AML-004, AML-002 | MOD-010 (ALERT) — PEP detection triggers EDD tier and senior management notification automatically; MOD-153 (GATE) — PEP cannot be accepted without completed EDD on record | 🔨 |
| S.36A | High-risk jurisdictions — enhanced due diligence for customers from FATF grey/black list countries | 🤖 Automated | AML-004 | MOD-010 (AUTO) — jurisdiction risk tier applied automatically from FATF list configuration; MOD-013 (GATE) — high-risk country flag escalates to EDD gate | 🔨 |
| S.48 | Correspondent banking — enhanced due diligence before establishing a correspondent relationship | 🤖 Automated | AML-009 | MOD-154 (GATE) — no payment may be routed through a correspondent without completed due diligence and active approval in the correspondent registry | 🔨 |
| S.67 | Ongoing customer due diligence — monitor customers and transactions and keep records current | 🤖 Automated | AML-005, AML-002 | MOD-011 (AUTO) — periodic CDD review triggered automatically; MOD-016 (AUTO) — all transactions monitored continuously; MOD-017 (AUTO) — behavioural anomaly detection; MOD-039 (AUTO) — live risk score updates trigger monitoring tier changes | 🔨 |
Part 3 — Reporting Obligations (ss.41–51)
| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| S.41 | Suspicious Matter Reports (SMRs) — file with AUSTRAC as soon as practicable (3 business days for property dealings, 24 hours for terrorism financing) | 🤖 Automated | AML-006 | MOD-018 (LOG) — alert-to-SMR pipeline; every alert actioned and disposition recorded; MOD-037 (AUTO) — SMR submission automated and tracked from creation to AUSTRAC acknowledgement; MOD-048 (LOG) — alert dismissals logged with analyst ID and reasoning | 🔨 |
| S.41(2) | Tipping-off prohibition — must not disclose that an SMR has been or may be filed | 🤖 Automated | AML-006 | MOD-052 (AUTO) — SAR/SMR data accessible only to compliance and legal roles; data-layer segregation enforced, not UI-layer only | 🔨 |
| S.43 | Threshold Transaction Reports (TTRs) — report cash transactions at or above AUD 10,000 to AUSTRAC | 🤖 Automated | AML-008 | MOD-019 (AUTO) — TTR submitted automatically; no manual data extraction or formatting; MOD-129 (GATE) — cash transactions at or above threshold require identity verification and are submitted to the TTR workflow before posting finalises | 🔨 |
| S.45 | International Funds Transfer Instructions (IFTIs) — report to AUSTRAC within 10 business days; include sender and recipient details | 🤖 Automated | AML-008, REP-003 | MOD-019 (AUTO) — IFTI reports submitted automatically; MOD-026 (AUTO) — threshold check applied to every cross-border event; MOD-154 (LOG) — correspondent-routed cross-border payments flagged for IFTI evaluation | 🔨 |
| S.47 | Adequate, accurate, and timely information on wire transfers — originator and beneficiary data in payment messages | 🤖 Automated | AML-008 | MOD-026 (AUTO) — originator and beneficiary data populated on every outbound wire automatically; ISO 20022 structured data used | 🔨 |
| S.48A | Record-keeping — retain CDD records and transaction records for 7 years | 🤖 Automated | AML-002 | MOD-002 (LOG) — immutable transaction log; MOD-012 (LOG) — CDD records retained and immutable; records cannot be deleted or altered | 🔨 |
Sanctions obligations (via AU Autonomous Sanctions Act 2011)
Financial sanctions obligations in Australia arise under the Autonomous Sanctions Act 2011 rather
than directly under the AML/CTF Act, but are operationally delivered through the same AML programme.
See au-autonomous-sanctions-act.
| Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|
| Screen all customers and transactions against DFAT consolidated sanctions list | 🤖 Automated | AML-007 | MOD-013 (GATE) — no payment to/from a confirmed sanctions match; hard gate, not advisory; MOD-014 (AUTO) — existing customers rescreened on new designations without manual trigger; MOD-015 (LOG) — false positive decisions auditable; MOD-020 (GATE) — sanctions screen is a mandatory pre-payment gate | 🔨 |
| Screen correspondent banks and intermediaries | 🤖 Automated | AML-007 | MOD-154 (GATE) — every correspondent and named intermediary screened before routing; sanctions hit blocks payment regardless of prior approval | 🔨 |
The following obligations under the Act are the responsibility of the institution, not the platform.
The platform may generate evidence inputs but does not own these processes.
| Obligation | Owner | Platform evidence input |
|---|---|---|
| AML/CTF staff training programme design and delivery | Chief People Officer / Chief Compliance Officer | MOD-049 logs staff training consent acknowledgements |
| AUSTRAC enrolment and maintenance of reporting entity registration | Chief Compliance Officer | Institutional process — AUSTRAC online portal; not platform-managed |
| Board and senior management oversight of AML/CTF programme | Board / CEO | MOD-037, MOD-047 provide examination-ready data extracts and audit logs |
| Designation of AML/CTF Compliance Officer | Board | Institutional HR record; not a platform function |
| Regulatory examination responses and correspondence with AUSTRAC | Chief Compliance Officer | MOD-037 provides examination-ready data extracts; MOD-047/MOD-048 provide audit logs |
| AML/CTF audits (internal and external) | Head of Internal Audit | MOD-047, MOD-048, MOD-002 provide the audit evidence base |
| Oversight of AML/CTF reforms (2024 tranche 2 expansion) | General Counsel / CCO | Legislative monitoring is institutional; platform changes driven by policy changes |
Coverage summary
| Area | Total obligations | Platform automated 🤖 | Platform evidenced 📊 | Institutional 🏛 | N/A |
|---|---|---|---|---|---|
| AML/CTF Programme | 4 | 2 | 1 | 1 | 0 |
| Customer identification | 8 | 8 | 0 | 0 | 0 |
| Reporting | 6 | 5 | 1 | 0 | 0 |
| Sanctions | 2 | 2 | 0 | 0 | 0 |
| Total | 20 | 17 (85%) | 1 (5%) | 1 (5%) | 0 |
Of the 19 platform obligations, all have attributed controls. All attributed modules are currently
build_status: Not started — the compliance position will update as modules are built and deployed.
| Policy | Title |
|---|---|
| AML-001 | AML/CFT Programme Policy |
| AML-002 | Customer Due Diligence (CDD) Policy |
| AML-003 | Know Your Customer (KYC) & Identity Verification Policy |
| AML-004 | Politically Exposed Persons (PEP) Policy |
| AML-005 | Transaction Monitoring Policy |
| AML-006 | Suspicious Activity Reporting Policy |
| AML-007 | Sanctions Screening Policy |
| AML-008 | Cross-Border Transfer Reporting Policy |
| AML-009 | Correspondent Banking & Payments Policy |
| AML-010 | AML Training & Awareness Policy |
| AML-011 | Customer Acceptance Policy |
| AML-012 | Customer Risk Rating Policy |
| AML-013 | Onboarding Fraud & Identity Integrity Policy |
| PAY-004 | Cross-Border Payments & FX Policy |
| REP-003 | AML Compliance Reporting Policy |
See D03 AML / Financial Crime for the full risk domain.
Official documentation
Policies referencing this standard
- AML-001 — AML/CFT Programme Policy
- AML-002 — Customer Due Diligence (CDD) Policy
- AML-003 — Know Your Customer (KYC) & Identity Verification Policy
- AML-004 — Politically Exposed Persons (PEP) Policy
- AML-005 — Transaction Monitoring Policy
- AML-006 — Suspicious Activity Reporting Policy
- AML-008 — Cross-Border Transfer Reporting Policy
- AML-009 — Correspondent Banking & Payments Policy
- AML-010 — AML Training & Awareness Policy
- AML-011 — Customer Acceptance Policy
- AML-012 — Customer Risk Rating Policy
- AML-013 — Onboarding Fraud & Identity Integrity Policy
- PAY-004 — Cross-Border Payments & FX Policy
- PPL-003 — Training & Competency Policy
- REP-003 — AML Compliance Reporting Policy
Compiled 2026-05-22 from source/entities/regulations/au-amlctf-act.yaml