AUSTRAC’s New AML/CTF Rules: Raising the Bar for Fintech Compliance

Australia is overhauling its anti-money laundering/counter-terrorism financing (AML/CTF) framework with a new set of AML/CTF Rules introduced in August 2025. AUSTRAC (the Australian financial intelligence unit and regulator) tabled the Anti-Money Laundering and Counter-Terrorism Financing Rules 2025 in Parliament on 29 August 2025 after two rounds of public consultation. This rulemaking initiative is a cornerstone of Australia’s broader AML/CTF reform agenda, aimed at modernizing the regime, closing regulatory gaps, and aligning with international standards. Below, we analyze the new rules and what they mean for Australian fintechs, payments providers, and other reporting entities.

Background and Drivers of AUSTRAC’s New Rulemaking

Several factors prompted AUSTRAC’s push to update the AML/CTF rules. Regulatory modernization was a key driver, Australia’s AML laws date back to 2006, and a comprehensive review identified the need to simplify and clarify obligations and address new technologies (like digital payments and crypto-assets). Closing gaps in coverage was another major impetus: historically, certain high-risk sectors (real estate, legal, accounting, etc.) were exempt from AML regulation in Australia, a deficiency repeatedly flagged by international evaluators. The government’s reforms embodied in the AML/CTF Amendment Act 2024 and these new Rules extend the regime to those “tranche 2” sectors and other services deemed high-risk for money laundering.

Global pressure also played a role. Australia faces a Financial Action Task Force (FATF) mutual evaluation in 2026, and the tight reform timeline reflects urgency to meet FATF’s standards. The goal is to ensure Australian laws “meet international standards set by [FATF]” and to strengthen defenses against financial crime. Key themes in the new rulemaking include an emphasis on risk-based supervision and “harm reduction”, enhanced reporting and transparency in cross-border value transfers, and closing loopholes that sophisticated criminals exploit. In AUSTRAC’s words, the new Rules focus on “setting up businesses to mitigate and manage their money laundering and terrorism financing risk” and “modernise the laws to meet global best practice”. Rather than impose purely prescriptive checklists, the regulator is shifting toward outcomes-focused obligations, expecting firms to actively identify and reduce ML/TF risks in their operations.

Risk-based supervision underpins the reforms. AUSTRAC has explicitly stated it “does not expect perfection on day one” of the new regime, but it does expect a genuine focus on risk mitigation over “tick-the-box” compliance. This signals that compliance will be judged on how effectively a business prevents money laundering, not just on having the right paperwork. Other themes include stronger reporting obligations (e.g. eventually implementing “international value transfer” reporting in place of old cross-border transaction reports) and greater oversight of cross-border payments and digital assets through the adoption of the FATF “travel rule” for fund transfers.

Implications for Fintechs and Digital Payments Providers

For Australian fintech companies and digital-first financial services providers, AUSTRAC’s new rules carry significant practical implications. Remittance providers, digital currency exchanges, neobanks, fintech lenders, and Banking-as-a-Service (BaaS) platforms are all either already reporting entities or will face increased expectations under the reforms. Key impacts on these businesses include:

• Expanded Scope of Regulation: Fintechs engaged in activities that were previously unregulated might now fall squarely under AUSTRAC oversight. For example, cryptocurrency exchanges were already regulated for crypto-to-fiat exchange, but the new laws extend AML/CTF obligations to additional virtual asset services like crypto-to-crypto exchanges, custody wallets, and token issuances. A fintech offering an e-wallet for cryptocurrencies or facilitating peer-to-peer crypto transfers will have to enrol with AUSTRAC and implement full AML programs by March 2026. Similarly, payments startups that provide stored-value digital wallets or prepaid cards must ensure they meet the same KYC, reporting, and record-keeping standards as traditional banks.
• Higher Standards for Customer Due Diligence: Fintechs often pride themselves on seamless digital onboarding, but under the new rules they’ll need to build in stronger Customer Due Diligence (CDD) steps. Neobanks and payment apps will be expected to verify customer identity and beneficial ownership with greater rigor and apply Enhanced CDD for higher-risk scenarios (such as customers linked to high-risk countries or politically exposed persons). Ongoing monitoring of customer activity is also emphasized, meaning fintechs must continually reassess customer risk throughout the relationship – not just at onboarding.
• Obligations for Cross-Border and Crypto Transactions: Many fintechs facilitate cross-border payments or use novel payment rails. AUSTRAC’s reforms introduce a “value transfer” framework that is technology-neutral, requiring that originator and beneficiary information accompany transfers whether they happen via SWIFT, blockchain, or any other network. Remitters and payment processors will need to ensure their systems capture the required sender/recipient data and can transmit it in compliance with the travel rule for both fiat and crypto transactions. This closes a gap for digital payment providers: even if you’re not a bank, if you move money (or crypto) for customers, you must embed traceability and reporting in those transfers.
• Greater Scrutiny of Fintech Compliance Programs: AUSTRAC’s heightened expectations mean fintech firms must mature their compliance operations. “Startup” approaches to compliance, like relying on partner banks or minimal procedures, will no longer suffice. For example, fintechs that rely on a sponsoring bank’s license (common in BaaS models) should expect that banks will demand stronger AML controls from their fintech partners. Australian banks have been known to “de-bank” fintechs, remitters, and crypto companies that are seen as compliance risks, cutting off banking services. To avoid this existential threat, fintechs must invest in robust internal AML/CTF capabilities. This includes hiring or upskilling compliance officers, implementing proper transaction monitoring systems, and ensuring board-level oversight of financial crime risks.

In short, the new rules level the playing field between traditional institutions and digital-native ones. Fintechs and payments providers will be held to the same standard of diligence and reporting as banks, with AUSTRAC expecting them to innovate in compliance just as they have in product experience. The upside is that compliant fintechs should find it easier to maintain banking partnerships and customer trust, while laggards may face regulatory enforcement or commercial exclusion.

Key Changes and New Obligations at a Glance

AUSTRAC’s AML/CTF rule changes are extensive. Below are the major obligations and definitions introduced or updated, which compliance teams should digest and act upon:

• Extended “Designated Services” Definition: The AML/CTF regime now covers additional industries and activities. Tranche 2 professions; real estate agents, lawyers (and conveyancers), accountants, trust and company service providers, and dealers in precious metals/stones, are brought under regulation due to their high money-laundering risk. These businesses must enrol with AUSTRAC by 31 March 2026 and implement AML programs by 1 July 2026. In the fintech space, the law also expands the definition of “designated services” provided by Virtual Asset Service Providers (VASPs). Beyond crypto-to-fiat exchanges, this now includes services like crypto-to-crypto exchange, transfer of virtual assets on behalf of a customer, safekeeping (custodial wallets), and facilitating ICOs/token sales. A new definition of “virtual asset” replaces the old “digital currency” term to ensure things like stablecoins and even NFTs are captured.
• Risk-Based AML/CTF Programs: The rules overhaul how reporting entities must design their AML/CTF compliance programs. Instead of a box-ticking approach, the law explicitly requires an outcomes-focused, risk-based program. Firms must conduct and regularly update a holistic risk assessment covering their products, customers, delivery channels, and jurisdictions, including risks of proliferation financing (WMD financing) alongside money laundering and terror financing. The governing body (Board) and senior management are now accountable for taking “reasonable steps” to ensure the program is effective. This means fintech boards must actively oversee AML efforts. The program rules also clarify the role of the AML/CTF Compliance Officer and require that person to have sufficient authority and resources. Additionally, requirements are simplified for Australian entities operating overseas (foreign branches) and for corporate groups via a new “reporting group” concept (replacing the old designated business group), which allows enterprise-wide risk management with a designated lead entity bearing certain group-wide compliance responsibilities.
• Customer Due Diligence (CDD) Enhancements: The new framework redefines CDD obligations for clarity and effectiveness. Reporting entities must carry out initial CDD before providing a service, which includes verifying the customer’s identity and identifying beneficial owners, beneficiaries of trusts, and other relevant persons. The rules clarify when Enhanced CDD is mandatory, for instance, in situations of higher risk, complex or unusually large transactions, connections to high-risk countries, etc., enhanced measures (like obtaining senior management approval, source of funds/wealth checks) must be applied. Conversely, the circumstances for Simplified CDD (lower-risk scenarios) are streamlined so businesses know when they can rely on reduced verification. Ongoing due diligence is highlighted: firms must monitor transactions and customer activity and update identification information over time. In practice, fintechs need to implement continuous KYC review cycles and robust transaction monitoring triggers to meet this requirement.
• Tech-Neutral Record-Keeping and Reporting: The reforms strive to be technology-neutral, ensuring obligations keep pace with innovation. For example, the law collapses various concepts of electronic funds transfer, remittance, etc., into a single “value transfer” chain that mandates the preservation of key payer/payee information regardless of technology. This is Australia’s implementation of the FATF travel rule for both traditional and digital transfers. International Funds Transfer Instruction (IFTI) reports will be replaced by International Value Transfer Service (IVTS) reports, though not immediately; transitional rules will keep current IFTI reporting in place until technical systems are updated in coming years. The idea is that eventually any cross-border movement of funds or value will be reported in a uniform way. Additionally, record-keeping requirements (such as the obligation to keep transaction and customer records for 7 years) continue, but firms have flexibility in using digital storage and automated record systems. The reforms also updated the definition of Bearer Negotiable Instruments (BNIs) in cross-border reporting, aligning it to FATF’s definition so that only true “bearer” instruments (like cash, bearer bonds) are reportable, this change narrows the scope and reduces unnecessary reports of non-bearer instruments.
• “Tipping Off” and Information Sharing: Changes to the tipping-off provisions took effect in March 2025 ahead of the other reforms. Now, it is only a criminal offense to disclose information about suspicious matter reports or AUSTRAC investigations if that disclosure would prejudice an investigation. This relaxes prior strictures and facilitates better information sharing: reporting entities can more freely share fraud and AML risk information within their corporate group or with correspondent banks and even customers as long as they’re not undermining law enforcement. The aim is to encourage proactive risk management and inter-institution collaboration on financial crime, without the chilling effect of broad tipping-off fears.
• Keep Open Notices: A new concept introduced in the rules is “keep open notices” (replacing what were informally called Chapter 75 notices). These notices empower AUSTRAC or law enforcement to direct an institution to keep a customer account open, even if the institution wants to close it due to suspicion, so that investigators can continue to monitor transactions. This tool helps authorities follow the money trail. Fintechs must have processes to comply with any keep-open directions, meaning their compliance teams should coordinate closely with AUSTRAC if such situations arise.

Overall, these changes significantly upgrade AML/CTF obligations for all players. Australian reporting entities should review these new rule provisions in detail (the full AML/CTF Rules 2025 instrument is available via the Federal Register of Legislation) to ensure every requirement from enrolment details to new reportable data fields is addressed in their compliance planning.

Closing Gaps and Aligning with Global AML Standards

A clear intention behind Australia’s reforms is to close regulatory gaps and align with global AML/CFT practices. By bringing “gatekeeper” professions (lawyers, accountants, etc.) and crypto assets into the AML regime, Australia is catching up with standards already in place in the EU, UK, and many other jurisdictions. These steps respond to long-standing FATF recommendations, FATF has criticized Australia in the past for failing to regulate these sectors, and the 2025 changes directly answer those critiques. In FATF’s parlance, Australia is addressing deficiencies to improve technical compliance with the 40 Recommendations and bolster effectiveness.

The new rules also mirror trends in major global financial centers. For instance, the European Union is in the midst of significant AML reforms: a new EU-wide AML Authority (AMLA) is being established, and the 6th AML Directive (6AMLD) is enhancing rules around criminal liability and information-sharing. The pressure to tighten beneficial ownership transparency and include “enablers” of money laundering in the regulatory net is felt worldwide. In fact, global AML penalties reached record highs in recent years, and regulators have zeroed in on areas like beneficial ownership and crypto-assets; FinCEN in the US implemented its final Beneficial Ownership Reporting rule in January 2025, and FATF has been urging countries to enforce the travel rule for crypto transfers. Australia’s adoption of a comprehensive travel rule compliance (through the value transfer obligations) aligns with measures already seen in the EU, UK, US, Singapore, and others to monitor cross-border crypto and electronic payments.

Likewise, UK regulators (FCA and others) have been intensifying scrutiny of fintech and challenger banks’ AML controls, ensuring that digital-first banks aren’t a weak link. For example, the UK’s FCA penalized Starling bank in 2024 for inadequate AML systems, stating the bank’s platform was “wide open to criminals”. This reflects a global consensus that innovative financial services must adhere to the same high standards of AML compliance. AUSTRAC’s reforms echo this by explicitly focusing on fintech-relevant issues (such as requiring real-time electronic data sharing, and emphasizing ongoing monitoring over one-off checks).

In summary, AUSTRAC’s new rules help harmonize Australia’s AML regime with global best practices. They ensure Australia “better meets international standards” and closes off avenues that criminals might exploit across borders. Australian fintechs operating internationally will benefit from this alignment, as their compliance programs can be designed in line with frameworks they see in the US, UK, and EU. It also means less opportunity for regulatory arbitrage; as Australia raises its AML/CTF bar, there are fewer dark corners in the global financial system for illicit finance to hide.

Operational and Risk Management Priorities for Compliance Teams

For Chief Compliance Officers and risk leaders in fintech and payments firms, these reforms signal a need to recalibrate and reinforce your AML/CTF framework. Here are key priorities to focus on:

• Upgrade Risk Assessments Now: Don’t wait until 2026. Firms should immediately update their ML/TF risk assessments to incorporate new risk factors introduced by the reforms (e.g. exposure to virtual assets, dealings in sectors like real estate, or proliferation financing risk). AUSTRAC expects businesses to “act now to review and strengthen existing frameworks, systems and processes” while the changes are phased in. A refreshed risk assessment will drive a more effective implementation of the new rules by highlighting where controls need enhancement.
• Tune Transaction Monitoring Rules and Thresholds: With a greater emphasis on risk-based outcomes, compliance teams must ensure their transaction monitoring scenarios are properly tuned. This means reducing false positives while being able to catch the more subtle patterns of suspicious activity. For instance, rules should be refined to detect structuring (multiple sub-$10k transactions designed to evade reporting) even though the formal threshold report limit remains at AUD 10,000. The requirement to include crypto and alternative payment data in monitoring may require new scenarios (e.g. alerts for rapid in-and-out crypto transfers or use of mixers/tumblers). AUSTRAC has signaled it doesn’t want “old-school” rigid rules that create noise without benefit, the regulator urges against compliance measures that create an “impression of compliance... but have minimal impact on the risk of money laundering”. Compliance officers should therefore iterate on their detection rules, possibly leveraging analytics and machine learning, to prioritize truly risky events. Rule tuning and ongoing model calibration will be an iterative, continuous process in the new regime.
• Enhance Data Model Flexibility: The new reporting and record-keeping obligations mean firms must capture more detailed data (for example, additional fields in Suspicious Matter Reports or the forthcoming International Value Transfer reports). Compliance IT systems and data models should be flexible enough to add new data fields and adapt to new report formats without huge development efforts. For example, capturing and storing travel rule data (beneficiary and originator details for every cross-border transfer or crypto transfer) is something firms should build into their databases now. Fintechs, in particular, should leverage their tech agility to ensure KYC databases, transaction ledgers, and case management systems are integrated, so that a single view of customer risk can be achieved. This flexibility will also help in responding to future regulatory changes, if AUSTRAC tweaks a reporting threshold or adds a new designated service, a nimble compliance system can accommodate it quickly.
• Strengthen Customer Risk Scoring and Ongoing CDD: Under the new rules, initial and ongoing customer due diligence are explicitly required, meaning firms must have a robust customer risk rating mechanism. Compliance leaders should evaluate whether their current risk scoring model (which often scores customers as low/medium/high risk at onboarding) needs refinement. Consider incorporating more dynamic factors: for instance, if a customer’s behavior changes (sudden large transactions, use of new products like crypto) their risk score should automatically adjust and trigger review. Enhanced CDD processes should be clearly documented for high-risk customers, who qualifies for ECDD under the new criteria, what additional information will you collect, and how will you monitor them more closely? By formalizing these processes, fintechs can ensure they meet the substantially redesigned obligations for initial and ongoing CDD and can readily demonstrate to regulators why each customer’s risk classification is appropriate.
• Governance and Training: With boards now obligated to take reasonable steps for AML compliance, compliance officers need to engage senior management and directors proactively. This might involve more frequent reporting to the Board on AML matters, board-level trainings on the new obligations, and obtaining board approval for the updated AML Program. Regulators will likely ask to see evidence of board involvement (minutes, implementation plans approved, etc.). Additionally, staff training programs should be updated to cover the new rules, front-line teams (like customer onboarding or payments support) must understand new identification requirements, red flags for suspicious matters, and what “tipping off” situations to avoid. Emphasize a culture of compliance where employees know that preventing financial crime is part of their job role. As AUSTRAC noted, criminals are innovative and “spotting that behaviour is a practice that improves over time as we learn more”. Continuous learning and adaptation are crucial.
• Plan for Implementation and Monitor Progress: Given the staged effective dates (most new obligations for existing entities start 31 March 2026, with some reporting changes deferred to 2029), compliance leaders should create a detailed implementation roadmap. AUSTRAC expects to see “implementation plans” in place and “sustained effort and progress” as the deadlines approach. This implies firms should internally set milestones (e.g. updated risk assessment by X date, system changes by Y date, staff training completed by Z date, etc.) and monitor their own readiness. Documenting this process is important; if AUSTRAC inquires in mid-2025 or 2026 about your reform preparedness, you should be able to demonstrate the steps taken so far.

By focusing on these priorities, fintech and payment providers can transform the regulatory changes into an opportunity: the opportunity to build more resilient, intelligence-driven compliance operations that not only satisfy AUSTRAC’s requirements but also protect the business from fraud and reputational damage.

Building Agile, Future-Proof Compliance Infrastructure

Achieving the above priorities will require the right compliance infrastructure. Fintechs should evaluate whether their current tools and systems are up to the task of an expanded, evolving AML rule set. The ideal approach is to adopt configurable, integrated, and scalable technology for AML/CTF compliance:

• Configurable, No-Code Rule Engines: With rules changing (and likely to change again as financial crime evolves), a compliance platform that allows no-code or low-code adjustments to scenarios and thresholds is extremely valuable. This enables compliance teams to tweak monitoring rules, add new typologies, or adjust risk scoring models in hours or days, rather than embarking on months-long IT projects. As AUSTRAC updates guidance or if typologies emerge (e.g. new scam patterns or sanctions evasion techniques), a nimble rule engine lets you respond swiftly, keeping your controls effective.
• Unified Platforms (Breaking Down Silos): Many financial institutions still operate disparate systems, one for onboarding/KYC, another for transaction monitoring, another for case management, etc. Such silos can impede a holistic view of risk and slow down reaction time. A unified compliance platform that brings together customer data, transaction monitoring alerts, case investigation, and reporting in one interface can greatly enhance efficiency. It ensures that when a suspicious alert is investigated, the analyst has the full context (KYC info, past alerts, related accounts) immediately at hand. Integration also reduces manual effort and error-prone transfers of data between systems. AUSTRAC’s emphasis on reporting group compliance similarly implies that group-wide systems (covering multiple business units or affiliates) should be linked. By centralizing AML controls, firms can manage risks across products and entities more consistently.
• Strong Audit Trails and Analytics: Regulators and auditors will expect clear evidence of compliance decisions and actions. Your systems should automatically log all important events, e.g. when a customer’s risk rating changes, when an alert is reviewed and cleared or reported, when due diligence on a high-risk client was last updated, and by whom. Audit trail functionality is essential for demonstrating compliance (and for internal quality assurance). Moreover, leveraging analytics on these logs can help compliance officers identify bottlenecks or weaknesses (for instance, if certain types of alerts are always closed as false positives, you might refine those rules; or if enhanced due diligence is frequently delayed, you allocate more resources). A data-driven compliance operation is better equipped to continuously improve, which is exactly the kind of agility regulators want to see.
• Automation and AI where Feasible: The volume of compliance data and alerts is only growing, which can strain teams and budgets. Incorporating automation (for routine tasks like screening watchlists, populating regulatory reports, or pre-triaging alerts) can free up human analysts for more complex judgments. Advances in AI, such as machine-learning models for anomaly detection or natural language processing to draft narrative reports, can be game-changers. For example, some banks are using AI to prioritize alerts that are most likely truly suspicious, thereby focusing investigator time wisely. While not explicitly mandated by AUSTRAC, such tech-forward methods align with the agency’s outcome-focused stance. The end goal is effectiveness: if AI helps you catch more bad actors with fewer false alarms, it’s likely to be viewed favorably (with proper validation and oversight).
• Scalability and Performance: As fintechs grow, their compliance systems must scale accordingly. Real-time payments and crypto trades generate high volumes of transactions, your monitoring system must handle this throughput without slowing business. Cloud-based, API-driven solutions can offer the needed scalability and speed (many fintechs process events in sub-seconds). The new rules don’t change this directly, but an underpowered compliance system could become a single point of failure (e.g. if it can’t ingest all transactions for monitoring, you’d miss suspicious activity). Thus, investing in a scalable infrastructure now is both a compliance imperative and a business enabler.

By building an agile compliance architecture, institutions will be well-placed to not only comply with the 2025 rules but also adapt to future changes. AUSTRAC has indicated that further guidance and possibly refinements will continue post-2026 (e.g. fully transitioning to IVTS reports, ongoing sector-specific guidance). A flexible infrastructure serves as insurance against these uncertainties, whatever comes next, your systems can be configured to handle it with minimal disruption.

Conclusion: From Reactive to Proactive Compliance

AUSTRAC’s new AML/CTF rules herald a new era of compliance in Australia, one where simply reacting to regulatory requirements will not be enough. Regulators are raising the bar, expecting reporting entities (old and new alike) to anticipate risks and actively contribute to the financial system’s integrity. Fintechs and other digitally native providers must therefore transition from a reactive compliance posture to a proactive, intelligence-driven one. In practical terms, this means moving beyond minimalistic checkbox compliance, and instead leveraging data, technology, and skilled analysts to detect and prevent illicit finance before it causes harm.

The reforms are ultimately about strengthening Australia’s overall defense against financial crime. They “help build a stronger, more proactive intelligence picture” for AUSTRAC and industry, enabling more effective deterrence, detection, and disruption of money laundering and terrorism financing. Fintech companies, with their agility and innovative tech stacks, are well-placed to lead in this proactive approach; they can harness advanced analytics, collaborate via information-sharing arrangements, and design customer experiences that seamlessly incorporate compliance checks. By doing so, fintechs not only satisfy the letter of the new laws but also bolster their reputation and trust with customers, banks, and regulators.

In the coming months, as AUSTRAC issues guidance and the 2026 deadlines approach, compliance leaders should keep an open dialogue with the regulator and peers, share best practices, and refine their programs continuously. The trajectory is clear: regulatory expectations will continue to evolve, potentially influenced by global moves like the EU’s AML Authority or stricter U.S. FinCEN directives. Australian firms need compliance frameworks that can evolve in tandem. Those who invest in adaptable systems and a genuinely risk-conscious culture now will find themselves not only meeting AUSTRAC’s standards but exceeding them, turning compliance into a strategic advantage.

In summary, AUSTRAC’s revamped rules push everyone toward greater vigilance and accountability in the fight against financial crime. For fintechs and payments providers, it’s a call to action to elevate compliance from a back-office obligation to a core element of business strategy. By proactively embracing this change with strong leadership support, the right technology, and a forward-looking mindset, digital finance companies can thrive in a regime where financial crime controls are as agile and intelligent as the criminals they guard against. As the regulatory bar rises, the winners will be those who can confidently say their compliance programs are preventing threats in real time, not just reacting after the fact. This proactive stance is not just preferred; it’s fast becoming non-negotiable in Australia’s financial ecosystem.