AUSTRAC’s 2026 reset: a governance and control checklist for current reporting entities
- astridraetze7
- 4 days ago

AUSTRAC’s AML/CTF reforms are no longer a future-state compliance project. For current reporting entities, the issue is now practical: has the business changed the way it governs, controls and evidences AML/CTF compliance?
The reforms commenced for current reporting entities on 31 March 2026, subject to transitional arrangements. AUSTRAC’s 21 May 2026 expectations update confirms that the regulator is focused on implementation, not just awareness. The task is broader than updating an AML/CTF Program. It requires changes to governance, role design, reporting architecture, customer due diligence and value transfer processes.
For current reporting entities, the key changes include new AML/CTF Program requirements, replacement of designated business groups with reporting groups, revised customer due diligence requirements, updated reportable details for suspicious matter reports and threshold transaction reports, travel rule obligations, and changes affecting international value transfer services and unverified self-hosted wallet reporting.
Some obligations are staged. For example, existing reporting entities enrolled on 30 March 2026 had until 30 May 2026 to notify AUSTRAC of their AML/CTF compliance officer. Later milestones apply to some reporting, wallet and customer identification transition arrangements.
Why does it matter? The reforms sharpen AUSTRAC’s ability to ask a simple governance question: who is accountable, what has changed, and where is the evidence?
A policy rewrite will not be enough if the control environment has not changed. Reporting entities need a risk-based AML/CTF Program tailored to the nature, size and complexity of the business, supported by a current risk assessment that drives customer risk ratings and controls.
That is a governance standard, not a drafting standard.
The most exposed reporting entities are those with complex group structures, outsourced operations, digital onboarding, cross-border payments or value transfer activity, virtual asset exposure, multiple product lines, high-risk customers or legacy CDD files.
AFSL holders, responsible managers and boards should also treat AML/CTF implementation as part of broader licence governance. AML/CTF weaknesses may indicate wider issues in resourcing, risk management, compliance assurance and board reporting.
The immediate risks are operational. First, governance roles may be under-designed. A nominal AML/CTF compliance officer appointment will not be enough if the person lacks authority, independence, resources, access to data or escalation rights.
Second, reporting group arrangements may not reflect operational reality. Groups need clarity on lead entity responsibility, member obligations, information sharing, escalation and group-level control effectiveness.
Third, CDD uplift may be incomplete. Onboarding, beneficial ownership, risk rating, enhanced due diligence and ongoing due diligence processes should align with the new risk assessment.
Fourth, travel rule implementation may create control gaps. Entities involved in transfers of money, virtual assets or property need processes to collect, verify and share required information across the transfer chain.
Boards and governing bodies should now ask for an implementation pack, not a verbal status update. That pack should include an updated ML/TF risk assessment, board-approved AML/CTF Program, compliance officer role confirmation, reporting group analysis, CDD uplift plan, travel rule control assessment, updated reporting procedures and evidence of training, testing and assurance.
The key is traceability. A reporting entity should be able to show how risk assessment findings changed customer controls, transaction monitoring, escalation rules and reporting decisions.
Our perspective is that AUSTRAC’s 2026 reset should be treated as a control design exercise. The strongest reporting entities will not have the longest AML/CTF Program. They will have clear accountability, current risk understanding, practical controls, reliable reporting architecture and evidence that the framework operates in daily business.



