Anti-money laundering and counter-terrorism financing (AML/CTF) obligations are among the most significant compliance requirements facing Australian fintech companies. AUSTRAC — the Australian Transaction Reports and Analysis Centre — regulates entities that provide designated services, including payment services, lending, digital currency exchange, and account management. Getting AML/CTF compliance right is not just a regulatory requirement; it is a condition of operating in the financial services sector.
Who AUSTRAC regulates
Under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act), reporting entities are businesses that provide 'designated services'. These include: financial institutions providing account and payment services; remittance dealers; digital currency exchange providers; lending and finance companies; financial planners and advisers; and bullion dealers.
Many fintech startups discover their AUSTRAC obligations later than they should. If you're building a payment application, a lending platform, a crypto exchange, or a remittance service, you are almost certainly a reporting entity from the moment you start providing that service to customers. There is no startup exemption.
Reporting entities must enrol with AUSTRAC, adopt an AML/CTF program, conduct customer due diligence (KYC), submit transaction reports, and report suspicious matters. Each of these obligations has specific requirements.
The AML/CTF program: what it must contain
An AML/CTF program is the foundational compliance document for a reporting entity. Under the AML/CTF Act, it must address two parts: Part A (customer-facing obligations including KYC and ongoing due diligence) and Part B (employee obligations including AML/CTF training and employee due diligence).
Part A must include your customer identification and verification procedures, your risk assessment methodology (how you classify customers by risk level), your ongoing monitoring procedures (how you detect suspicious activity), your enhanced due diligence procedures for high-risk customers and transactions, and your procedures for dealing with politically exposed persons (PEPs).
Part B must describe the training your employees receive on AML/CTF obligations, the screening procedures for new employees in relevant roles, and your oversight procedures for employee compliance.
Know Your Customer (KYC): minimum verification requirements
KYC — the process of verifying the identity of customers — is the cornerstone of AML/CTF compliance. AUSTRAC prescribes minimum verification requirements depending on the service provided and the customer risk profile.
For individual customers, standard verification typically requires full name, date of birth, and residential address, verified against a reliable and independent source (typically a government-issued identity document). For business customers, verification extends to the entity itself and its beneficial owners — individuals who ultimately own or control 25% or more of the entity.
Electronic verification through authorised identity verification services is standard practice for fintechs. It's faster, more consistent, and creates an audit trail that manual document checking cannot match. Document your chosen verification methodology, why it meets the required standard, and how you maintain verification records.
Suspicious matter reporting and transaction reporting
Reporting entities must submit suspicious matter reports (SMRs) to AUSTRAC when they form a suspicion that a transaction or customer is related to money laundering, terrorism financing, or certain other offences. Suspicion is a lower threshold than belief — if the facts and circumstances give rise to a reasonable suspicion, the obligation to report applies.
Threshold transaction reports (TTRs) must be submitted for cash transactions of $10,000 or more. International funds transfer instructions (IFTIs) must be reported for all transfers of funds into or out of Australia.
AUSTRAC's reporting portal (AUSTRAC Online) handles all transaction and matter reports. Your AML/CTF program should document the internal escalation process — from the employee who identifies suspicious activity to the AML/CTF compliance officer who decides whether to submit a report — and the record-keeping requirements that apply.
Preparing for an AUSTRAC assessment
AUSTRAC conducts compliance assessments of reporting entities on both a scheduled and unannounced basis. The assessment will typically review your AML/CTF program documentation, your KYC records, your transaction reporting history, and your staff training records.
The most common findings in AUSTRAC assessments are: AML/CTF programs that are outdated or don't reflect current operations; KYC records that are incomplete or cannot be readily produced; and staff who cannot demonstrate understanding of AML/CTF obligations.
Preparing for an assessment means keeping your AML/CTF program current (reviewing it annually or whenever your business model changes), maintaining complete and accessible KYC records, and running regular training for all staff in customer-facing and compliance roles.
AML/CTF compliance is not a destination — it's an ongoing operational discipline. Build it into your product and processes from day one, and it becomes a competitive advantage rather than a constraint.