Your AML/CTF Program Is Outdated. Here's What You Need to Do Before 1 July 2026.

If you're an existing reporting entity — a remittance dealer, financial services provider, digital currency exchange, or any other business that has been enrolled with AUSTRAC for years — you may be operating under a false sense of security right now.

You have an AML/CTF Program. It's been reviewed, it's been approved. Job done, right?

Not anymore.

Australia's AML/CTF legislative framework has been fundamentally restructured. The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 and the new AML/CTF Rules 2025, which commenced on 31 March 2026, replace the old Part A / Part B program architecture with a single, unified AML/CTF Program underpinned by a suite of standalone AML/CTF Policies. Your existing program — no matter how well-drafted — does not meet this new structure. And the deadline to fix it is 1 July 2026.

That's not much runway.

What's Actually Changed

The old framework divided your program into two parts: Part A (the enterprise-wide program) and Part B (the customer identification program). The new framework abolishes this distinction entirely.

Under the new Act, your AML/CTF Program must now incorporate:

A documented ML/TF Risk Assessment — undertaken before you provide designated services, updated whenever your risk profile changes, and reviewed at least every three years. This is no longer embedded in your program; it is a standalone, living document that must be approved by a senior manager and notified to your governing body whenever it is updated.

A suite of AML/CTF Policies covering every area mandated under section 26F of the Act and the AML/CTF Rules 2025 — including customer due diligence, targeted financial sanctions, PEP screening, personnel due diligence, training, independent evaluation, suspicious matter reporting, threshold transaction reporting, tipping off prevention, record keeping, and governing body reporting. Each policy area must now be documented with specificity, not buried in a generic program document.

A designated AML/CTF Compliance Officer — who must be notified to AUSTRAC within 14 days of designation, and whose functions are now legislatively defined under section 26L of the Act.

Approval by a senior manager of both the ML/TF Risk Assessment and all AML/CTF Policies, including any updates, before those updates take effect.

The Clock Is Already Running

The new rules commenced on 31 March 2026. From that date, all reporting entities — including you — are operating under the new legislative framework. However, transitional provisions give existing reporting entities until 1 July 2026 to bring their program documentation into full compliance with the new format.

After 1 July 2026, non-compliant program documentation is a civil penalty exposure. AUSTRAC has made clear through its regulatory priorities that program adequacy is a frontline enforcement focus. The regulator can request your AML/CTF documentation at any time under section 26Q of the Act — and if what you hand over is a legacy Part A / Part B document, you have a problem.

This Is Not a Light Refresh

Many reporting entities will be tempted to treat this as a cosmetic exercise — relabelling their existing program and calling it done. That approach carries significant risk.

The new framework requires substantive uplift. Your risk assessment needs to be reconsidered through the new ML/TF risk methodology. Your policies need to be restructured to address each of the specific matters required by the AML/CTF Rules 2025. Gaps that were acceptable under the old framework — vague training provisions, undefined escalation triggers, absent proliferation financing considerations — are no longer acceptable under the new one.

What You Should Be Doing Right Now

First, conduct a gap analysis. Map your existing Part A and Part B program against the new legislative requirements. Identify what's missing, what's outdated, and what needs to be rewritten from scratch.

Second, restructure your program documentation. Draft a standalone ML/TF Risk Assessment and a suite of individual AML/CTF Policies that meet the specificity requirements of the Rules 2025.

Third, get senior manager approval and update your AUSTRAC enrolment details. Confirm your AML/CTF Compliance Officer is correctly designated and notified, and that all updated documents are formally approved.

Fourth, build your review cadence. The new framework requires your risk assessment to be reviewed at least every three years, and your policies to be updated within 14 days of any material change. You need a governance calendar to support this.

The Window Is Closing

There are weeks, not months, between now and 1 July 2026. If you haven't started your program uplift, you are already behind.

At Compass AML Solutions, we specialise in AML/CTF compliance for Australian reporting entities. We understand the new legislative framework inside and out — and we build compliant, practical AML/CTF Programs that work for real businesses, not just for auditors.

Don't wait until AUSTRAC comes knocking. Contact Compass AML Solutions today for a confidential program review.

📧 enquiry@compassamlsolutions.com.au 🌐 www.compassamlsolutions.com.au