AML/CTF Compliance Checklist for Small Businesses: Meeting AUSTRAC Requirements

Key Takeaways

• AML/CTF obligations attach to a business that provides a designated service, not to an industry label.
• Enrolment with AUSTRAC, and registration where relevant, are foundational steps to complete before or as services commence.
• You must appoint a fit and proper AML/CTF compliance officer and maintain a single risk-based AML/CTF program kept current.
• Customer due diligence, ongoing monitoring and reporting of suspicious matters and threshold transactions are recurring obligations.
• The Tranche 2 reforms commence on 1 July 2026 and bring many professional and real estate businesses into the regime, with enrolment closing on 29 July 2026.

1. 1.In Brief
2. 2.Step 1: Work out whether you provide a designated service
3. 3.Step 2: Enrol and register with AUSTRAC
4. 4.Step 3: Appoint a compliance officer and build your AML/CTF program
5. 5.Step 4: Carry out customer due diligence
6. 6.Step 5: Report suspicious matters and threshold transactions
7. 7.Step 6: Keep records and review the program
8. 8.Common pitfalls for small businesses
9. 9.Frequently Asked Questions

A step-by-step checklist to help an Australian small business meet its obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth). It walks through enrolment, your program, customer due diligence and reporting and flags what the Tranche 2 reforms change from 1 July 2026.

In Brief

AML/CTF obligations flow from providing a designated service. The core building blocks are enrolment and registration, a compliance officer, an AML/CTF program, customer due diligence, ongoing monitoring and reporting. The regime is risk-based, so a small business acts proportionately rather than copying a bank. Tranche 2 widens the net from 1 July 2026.

Step 1: Work out whether you provide a designated service

Start with your activities, not your industry. The Act lists designated services, and providing one makes you a reporting entity. The list spans lending, remittance, foreign exchange, gambling, bullion dealing and digital currency exchange, among others.

From 1 July 2026 the Tranche 2 reforms extend that list to many activities provided by lawyers, accountants, conveyancers, real estate professionals, dealers in precious metals and stones and trust and company service providers. If you sit in one of those sectors, the question is whether any service you provide now falls within the expanded definitions. For how these reforms intersect with professional conduct rules, see our note on Rule 8 and Rule 12 and the AML/CTF regime.

Step 2: Enrol and register with AUSTRAC

Provide a designated service and you generally must enrol with AUSTRAC. Enrolment places you on the Reporting Entities Roll. Certain services, such as remittance and digital currency exchange, also require registration before you may lawfully operate.

The distinction matters. Enrolment is broad and applies to most reporting entities. Registration is an additional gateway for higher-risk services. If Tranche 2 brings you in, the timing is fixed: enrolment opened on 31 March 2026 and must be completed by 29 July 2026, with obligations commencing on 1 July 2026. Do not leave enrolment until after you have started providing the service.

Step 3: Appoint a compliance officer and build your AML/CTF program

Two things sit at the centre of the regime. First, you must appoint an AML/CTF compliance officer, a fit and proper person with the authority to run compliance. Second, you must have an AML/CTF program.

The program is a single, risk-based framework that identifies, mitigates and manages the money laundering and terrorism financing risk your business reasonably faces. It covers how you assess risk, verify customers, monitor transactions, train staff and oversee the whole thing. It should reflect your business, not a template. A two-person bookkeeping practice and a busy remittance dealer face different risks and should document different controls. Do the work to understand your risk, then build controls that match it.

Step 4: Carry out customer due diligence

Before providing a designated service, verify the identity of your customer using reliable and independent information. For individuals that usually means confirming name and date of birth or residential address from appropriate sources. For companies, trusts and other entities, it extends to understanding the structure and identifying the beneficial owners who ultimately control the customer.

Due diligence is not a single event. The regime requires ongoing customer due diligence, which means keeping customer information current and staying alert to activity that does not fit what you know about the customer. Our guide to common gaps in AUSTRAC starter kits shows where businesses most often fall short here.

Step 5: Report suspicious matters and threshold transactions

Two reporting obligations recur. A suspicious matter report, or SMR, is required when you form a relevant suspicion, for example that a transaction relates to money laundering or an offence. It is due within 3 business days, reduced to 24 hours where the suspicion relates to terrorism financing. A threshold transaction report, or TTR, is required for a transfer of physical currency of $10,000 or more and is due within 10 business days.

Both are lodged with AUSTRAC online. Reporting is a legal obligation, and the protections around suspicious matter reporting are built so you can report without breaching confidentiality to the customer.

Step 6: Keep records and review the program

Retain records of customer identification, transactions and your program for the periods the Act requires. They support your decisions if AUSTRAC asks how you assessed a customer or a transaction.

Review the program regularly and update it when your business, your customers or the law change. A program written once and never revisited is a common weakness. Treat review as part of the ordinary rhythm of the business.

Common pitfalls for small businesses

• Assuming the regime applies only to banks. It applies to anyone providing a designated service.
• Copying a large institution's program instead of matching controls to actual risk.
• Verifying identity at onboarding but never monitoring afterwards.
• Treating enrolment, or the compliance officer appointment, as optional or something for later.
• Overlooking the Tranche 2 expansion now that it has commenced.

Frequently Asked Questions

Does AML/CTF compliance apply to my small business?

It applies if you provide a designated service listed in the Act. The test is the activity, not the size of the business. Many small businesses are reporting entities without realising it.

What is the difference between enrolment and registration?

Enrolment places most reporting entities on AUSTRAC's roll and applies broadly. Registration is an additional requirement for specific higher-risk services such as remittance and digital currency exchange, and must be in place before those services are provided.

Do I need a compliance officer?

Yes. You must appoint a fit and proper AML/CTF compliance officer with the authority and standing to oversee compliance. In a small business that is often a director, but the role has to be real, not nominal.

When do I have to lodge a suspicious matter report?

When you form a relevant suspicion connected to a designated service. The deadline is 3 business days, or 24 hours where the suspicion relates to terrorism financing.

Do the Tranche 2 reforms affect me?

If you work in legal, accounting, conveyancing, real estate, dealing in precious metals and stones or trust and company services, the expanded designated services may bring you in. The reforms commenced on 1 July 2026 and enrolment closes on 29 July 2026, so assess your position now.

This is general information, not advice on your situation. If you would like help working through your AML/CTF obligations, get in touch or call (07) 3519 5616.

This article is for general information purposes only and does not constitute legal advice and should not be relied on as such. While we take reasonable care to ensure the accuracy of the information provided, we make no representations or warranties as to its completeness, currency or reliability. We accept no liability for any loss or damage arising directly or indirectly from the use of, or reliance on, this website's content. You should always seek professional advice tailored to your specific circumstances before acting on any information in this article. Liability limited by a scheme approved under Professional Standards Legislation.