AUSTRAC's second exposure draft rules: what you need to know

AUSTRAC’s new AML/CTF rules bring major changes to reporting, CDD, and sanctions policies.

Jeff Jones
July 10, 2025

Australia’s Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) regime is undergoing a major transformation. Following a first consultation on modernising and simplifying AML/CTF obligations, the Australian Transaction Reports and Analysis Centre (AUSTRAC) has now released its Second Exposure Draft Rules (ED2) as part of the implementation of the Amended AML/CTF Act 2024.

The ED2 Rules further clarify and expand on the proposals from late 2024, focusing on operational detail, new reporting requirements, and risk-based measures across the AML/CTF lifecycle.

Here are the key changes:

1. New reporting requirements for suspicious matter and threshold transactions

AUSTRAC is revamping the data requirements for Suspicious Matter Reports (SMRs) and Threshold Transaction Reports (TTRs).

The new rules specify granular reportable details that will be required when submitting SMRs and TTRs via new online forms. This includes enhanced information on counterparties, transaction types, and payment channels, with the aim to:

  • Improve data quality
  • Support automation
  • Increase the usefulness of intelligence for law enforcement

Regulated entities will need to align reporting systems with AUSTRAC’s updated digital standards to maintain compliance and efficiency.

2. Reinforced enrolment and registration rules

AUSTRAC has updated the enrolment process for all reporting entities and enhanced the registration framework for Remittance Service Providers (RSPs) and Virtual Asset Service Providers (VASPs).

Registration will now include more detailed scrutiny of:

  • AML/CTF capabilities
  • Criminal history of key personnel
  • International operations
  • Business models and risk management practices

The goal is to prevent high-risk actors from entering the system, while building trust in the legitimacy of registered entities, especially in the remittance and crypto sectors.

3. Risk-based CDD flexibility

AUSTRAC has introduced targeted changes to Customer Due Diligence (CDD), including:

  • Delayed verification: Broader conditions under which reporting entities may delay verifying beneficial owners and trust beneficiaries (up to 30 days).
  • Low-risk customers: Simplified due diligence where customers are low-risk and regulated (e.g. government bodies, listed companies, or foreign regulated entities).
  • CDD clarity: The need to identify a person ‘on whose behalf the customer is acting’ is limited to cases where trust or fiduciary relationships apply.

This improves flexibility, particularly for onboarding and digital transactions, while preserving a risk-based approach.

4. New AML/CTF policies for sanctions

Reporting entities will now be required to maintain AML/CTF policies that prevent contravention of targeted financial sanctions, such as:

  • Identifying designated individuals or entities
  • Avoiding dealing with frozen assets
  • Documenting how they will respond if a customer becomes subject to sanctions

This closes long-standing FATF-identified gaps and aligns AML obligations more closely with Australia’s broader financial crime and national security framework.

5. Refinements to the Reporting Group Framework

Building on earlier drafts, AUSTRAC clarifies how reporting groups (replacing designated business group structures) operate. New provisions define:

  • How lead entities are selected  
  • What responsibilities can be discharged by group members
  • How non-operating holding companies can act as lead entities

This update reflects stakeholder feedback from the previous consultations and offers greater flexibility in multi-entity group structures while maintaining clear accountability.

6. Updated Keep Open Notice Rules

AUSTRAC will no longer issue Keep Open Notices itself. Keep Open Notices are formal instructions that allow a reporting entity to delay certain CDD steps, such as verifying a customer’s identity, if doing so might alert the customer to a criminal investigation. Instead:

  • Entities may issue their own, if disclosure could compromise a criminal investigation
  • AUSTRAC retains an oversight role and must be notified of any notice issued

This change shifts operational control to the reporting entity, with AUSTRAC providing regulatory assurance.

7. Transitional provisions and exemptions

Some rules are being phased in gradually to give businesses time to adjust. For example:

  • Businesses that send money overseas (like through SWIFT) can keep using current reporting methods until the new ones are ready.
  • New crypto and virtual asset services won’t need to stop operating on 31 March 2026 while they wait for their registration to be approved.

How should financial institutions prepare? Response from Napier AI

The Second Exposure Draft marks a significant step toward a more robust, technology-aligned AML/CTF regime. Napier AI welcomes AUSTRAC’s risk-based, future-forward direction but emphasises the importance of practical clarity for implementation, especially for high-volume transaction monitoring and reporting systems.

More guidance is encouraged on the requirements for Suspicious Matter Reports under the ED2 Rules, particularly the technological and operational implications of the new online submission process.  

Reporting entities, and RegTech providers who supply financial crime compliance software to financial institutions, often rely on automated systems to identify and collate suspicious activity across large volumes of transactions.

Clearer guidance on the expected data fields, validation criteria, submission format, and how these align with automated processes would help to streamline implementation and reduce the risk of inconsistent or incomplete reports. To aid implementation and maximize the utility of this data, we seek further guidance from AUSTRAC on the expected depth of granularity for certain fields, especially on specific data points or attributes around direct counterparties, beneficial owners, ultimate beneficiaries, or other associated parties, and how this should be represented in a submission.

It would also be helpful if this guidance addressed, for example:

  • Any considerations on how automated reports should be generated from a technological perspective.
  • What controls should be in place to assure their completeness and accuracy, and whether there will be a testing or validation environment available to help firms prepare for the new submission platform.

We’ve compiled the regulatory changes and notices in the Asia Pacific region in the last year into an eBook: Regulatory Round up 2025: Asia Pacific.

The eBook includes recommendations on next steps from Napier AI experts and bookmark bars for important regulatory notices and pages.