Article: Lagging on AML/CTF compliance? It’s already past time to act urgently

Australia is in the process of reforming its Anti-Money Laundering and Counter-Terrorist Financing (AML/CTF) framework to better align with the international standards set by the Financial Action Task Force (FATF). Among these updates are the ‘Tranche 2’ reforms, which will extend AML/CTF compliance to additional professions starting from 1 July 2026. This will include sectors such as legal, accounting, real estate, property development, and precious stone dealing. Additionally, significant changes are required for existing reporting entities, with a deadline for implementation by 31 March 2026.
The clock is ticking, yet some organisations are moving faster than others. Ahead of the AML/CTF Summit 2025 in Melbourne on 12th-13th November, we interviewed several leaders in the area to get their insights on the importance of acting urgently, trends in automation in AML/CTF compliance, best-practice training, and more. Read on for insights from:
- Detective Senior Constable Ashley Powers (Lead Investigator at Australian Federal Police)
- Rob Meade (Senior Lawyer, Regulatory at Endeavour Group)
- Timothy Goodrick (Partner – Financial Crime at KPMG)
- Dr Anton Moiseienko (Senior Lecturer in Law and Research Director at The Australian National University)
What would you say to a leader in a Tranche 2 organisation who is currently unconvinced of the need for urgent AML/CTF action?
Why would a leader fail to act or act too slowly on AML/CTF? Usually, it’s because they don’t recognise the risks or fail to see how those risks could apply to their organisation.
“It is important that you take your AML/CTF obligations seriously,” urges Goodrick. “The AML/CTF regulatory regime has potentially significant penalties for non-compliance, and we have seen that AUSTRAC is willing to take enforcement action. Consequences for businesses can include hefty fines, remediation costs, and reputational damage – but more importantly, it is also the right thing to do. It protects the community, as well as your business, from crime.”
Powers stresses that AML/CTF risks are far from hypothetical. Money laundering is very real and happening at scale in Australia right now. “Our money laundering investigations, among other money laundering investigations conducted by the AFP (most of which are currently before the courts), identified hundreds of millions of dollars that have allegedly been laundered through the financial system,” he says. “Criminals have exploited considerable weaknesses within existing frameworks of Tranche 2 organisations to integrate and ‘legitimise’ these funds.”
“If the billions of dollars of AUSTRAC fines issued in recent years haven’t already convinced someone, then it will be hard,” observes Meade. “However, with all new compliance initiatives, it’s about taking leaders on the journey. Show, don’t tell. If you can show leaders where there are specific vulnerabilities, they will be more inclined to invest in fixing them. Take your leaders into the field, show them what your staff do and what the risks look like, and it will help to turn the tide.”
Moiseienko also points to several waves of AUSTRAC enforcement actions over the years. “First, against banks (Westpac and CBA), then casinos (Crown and Star). It will only be a matter of time before Tranche 2 entities find themselves under AUSTRAC's spotlight. And, of course, there is huge reputational risk in getting it wrong!”
How can we shift action around AML/CTF compliance from a regulatory burden to a frontline defence against sophisticated criminal exploitation?
Shifting mindsets around AML/CTF compliance from a regulatory burden to a frontline defence requires a strategic repositioning of its value. Companies that establish robust compliance frameworks can leverage their commitment to security as a competitive advantage. This is particularly appealing to B2B customers who seek peace of mind and need to fulfil their own compliance obligations.
“I think you need to look at what a breach will cost, both socially and economically,” recommends Powers. “The risks are real and significant. If a Tranche 2 organisation was exploited, they face reputational risk, a decline in investor mindset, a perceived decline in corporate social responsibility, the opportunity cost of loss of revenue due to declining customer faith, customer blacklisting, adverse media attention, and sanctions. We’ve seen this first-hand with our investigation of Tranche 2 organisations, with the worst-case scenario being the dissolution/liquidation of entire businesses.”
Meade believes that a culture of compliance ultimately comes from the top. “Employees can and should be incentivised to achieve compliance outcomes, both financially and through employee recognition and training. However, without buy-in at the top of an organisation, from the Board and the executive team, this won’t carry through. Organisations need to practice what they preach, and it often helps for an organisation to get exposure to the harms they’re trying to prevent to highlight the importance of taking this seriously – and resourcing accordingly.”
“If you're considering AML/CTF compliance just to meet legal requirements, take a moment to engage the team on ‘why’ it matters before discussing the ‘what’ and the ‘how’,” recommends Goodrick. “Ensure that AML/CTF controls are embedded in business processes and not considered an add-on. For example, when engaging with potential customers you should consider the most appropriate and seamless timing to perform Know Your Customer (KYC) checks based on the business relationship, rather than waiting until the last minute.”
Another way to shift mindsets around the importance of AML/CTF compliance is to remind ourselves of the human victims of criminal activity. “There is incredible work that many organisations do helping law enforcement agencies uncover some of the worst crimes, from human trafficking to child sexual exploitation,” says Moiseienko. “The value of this is perhaps not highlighted in public often enough, but it is crucial to the overall societal effort against serious crime.”
What specific vulnerabilities exist in the sectors you’ve worked with and how can they be addressed?
Poor reporting? Cash payments? Insider threats? Which areas of weakness are most commonly targeted by criminals?
“Every Tranche 2 sector has its own vulnerabilities, but one of the main commonalities is that Tranche 2 businesses will often lack the scale or AML/CTF experience of banks and other financial institutions,” notes Moiseienko. The scope of the Tranche 2 changes has caused an inevitable talent crunch in this area, so many organisations lacking skillsets and resources are turning to outsourcing to meet AML/CTF obligations.
“Common themes are cash transactions, transactions which are not face-to-face, and deficient training and understanding of risk”, says Meade. “For lawyers and law firms, there’s pressure to bring in more and more work, but there’s a lack of understanding of how firms can legitimise currency movements – such as through unusual property transactions and deals, trust account transactions, and uncommercial settlements of disputes. At the end of the day, it all starts with people. If your people understand the risks, and know what to look for, they can call things out and save on compliance costs and risks.”
“We have seen the services of lawyers, accountants, and trust or company service providers misused globally by criminals to establish trusts and companies,” warns Goodrick. “Criminals can then exploit opaque corporate structures to conceal their activities and identities. I worked on several research projects when I was at the Financial Action Task Force (FATF) where we found that in almost all major money laundering cases, criminals use corporate vehicles to move money to avoid detection.”
Goodrick adds that Australia is an attractive destination to criminals who seek to integrate criminal proceeds through the real estate market in particular; a crime which is inadvertently facilitated by real estate professionals.
For Powers, the main vulnerabilities he has seen have stemmed from a general lacklustre approach to AML/CTF reporting. “It’s done as a ‘should do’, not a ‘must do’,” he says. “Tranche 2 organisations need to be made aware of these real risks and repercussions, such as sanctions and costly court fees. A lack of reporting creates opportunities for criminals.”
Powers also notes that trusted insiders are a key vulnerability in Tranche 2 organisations, as they may evade scrutiny that would typically apply to external threats.
Can we ever fully automate AML/CTF compliance?
Some experts argue that, like the self-driving car, the biggest leap in safety and compliance can be achieved by taking the human out of the equation. Fully automated AML/CTF systems would (theoretically) be free from human error and the influence of bad actors. But could it work?
“This is 50/50,” says Powers. “You will certainly be able to automate things up to a point, as we’ve seen with solutions like RapidID KYC or AI KYC checks. But manual checks need to be more robust to ensure proper compliance.” Powers expects to see more automation over time as solutions continue to improve.
Meade believes that full automation isn’t realistic: “There will always be a need to observe behaviour and to make trained and risk-based decisions about whether something feels wrong. While technology and automation should be used to detect issues at scale and can enhance a compliance program, there will always be a role for human judgment and intuition at the centre of compliance.”
“Identifying suspicious activities will likely always involve some human judgment, especially in Tranche 2 businesses”, says Moiseienko. “Banks can identify anomalies through transaction monitoring, whereas for someone like a lawyer or accountant determining whether something is suspicious will entail more of a 'gut feeling'.”
Goodrick says that technology can be a great help in implementing AML/CTF controls in an efficient and effective way, but it is not a golden bullet because staff will always be your frontline defence against criminal exploitation. “There are a number of great solutions on the market to help you undertake KYC on your customers and monitor transactions”, he says, “but it is critical that you think through what you need, how you will use these tools, the controls you have in place, and how they integrate with your existing processes.”
Where should organisations focus internal training?
How comprehensive does AML/CTF training need to be? Who should be trained? Organisations need to ensure internal training is targeted and effective, particularly in smaller organisations where resources are limited.
“Start where your organisation is most vulnerable,” urges Meade. “Work out how a criminal might try to abuse your business to launder money, and then work out which staff are the most relevant to that risk. Is it your frontline staff, your contact centre, your finance team? Engage the most relevant staff in targeted training, such as what is needed for your trust accounts, or for the cash-intensive parts of your business. As those staff get more proficient, focus your resources elsewhere and use your early adopters to carry that message through the organisation.”
Goodrick recommends starting with the “why” of AML/CTF compliance, then making sure your people understand the risks. “This means identifying, assessing and documenting the ways in which criminals may seek to misuse your products and services. For large entities, the risks may vary between different parts of the business, while in smaller organisations it may be consistent for all staff.”
“Training should then be tailored to the person’s particular role and responsibilities,” continues Goodrick. “This ensures that staff receive training on the particular AML/CTF controls or processes that are relevant to them. Finally, reinforce that compliance is everyone’s responsibility, promoting a speak-up culture where concerns are welcomed and addressed.”
Powers recommends providing focused internal training with the help of subject-matter experts and workshops, then bolstering training by hiring risk consultants with PI or Law Enforcement background skills. “Training should be tailored to a point, but also make sure the framework is both thorough and one-size-fits-all to ensure everything is covered.”
Learn more at the AML/CTF Compliance Summit 2025
Join Rob Meade, Ashley Powers, Dr Anton Moiseienko, Timothy Goodrick and other AML/CTF experts at AML/CTF Summit 2025 in Melbourne on 12th-13th November at Citadines on Bourke.
