AUSTRAC’s latest draft rules signal a defining moment for AML compliance in Australia.

With growing pressure to address regulatory gaps and align with global standards, AUSTRAC has released a second exposure draft of AML/CTF rules that could reshape how financial institutions approach compliance. These proposed updates are more than routine tweaks, they are part of a strategic pivot aimed at strengthening Australia’s financial crime defences following international scrutiny and domestic lapses.

Background: Why AUSTRAC Is Updating the Rules

AUSTRAC’s policy overhaul comes at a critical time for the Australian financial sector. After years of industry feedback, regulatory incidents, and repeated warnings from the Financial Action Task Force (FATF), Australia has faced growing pressure to modernise its AML/CTF framework. This pressure intensified after the Royal Commission findings and the high-profile Crown Resorts case, which exposed systemic failures in detecting and reporting suspicious transactions.

The second exposure draft released in July 2025 reflects AUSTRAC’s intent to close key compliance loopholes and bring the current system in line with global best practices. It expands on the earlier draft by incorporating industry consultation and focuses on more granular obligations for customer due diligence, ongoing monitoring, and sanctions screening. These changes aim to strengthen Australia’s position in the face of a rapidly evolving threat landscape driven by digital finance, cross-border transactions, and sophisticated laundering techniques.

What’s Changing: Key Highlights from the Exposure Draft Rules

The second exposure draft introduces several new requirements that directly impact how reporting entities manage risk and monitor customers:

1. Clarified PEP Obligations

The draft now defines a broader set of politically exposed persons (PEPs), including foreign and domestic roles, and mandates enhanced due diligence regardless of source of funds.

2. Expanded Ongoing Monitoring

Entities must now monitor customers continuously, not just at onboarding, using both transaction and behavioural data. This shift pushes compliance teams to move from static checks to dynamic, risk-based reviews.

3. Third-Party Reliance Rules

The draft clarifies when and how financial institutions can rely on third parties for KYC processes. This includes more specific provisions for responsibility and liability in case of failure.

4. Sanctions Screening Expectations

AUSTRAC has proposed more stringent guidelines for sanctions screening, especially around name-matching and periodic list updates. There is also an increased focus on ultimate beneficial ownership.

5. Obligations for Fintechs and Digital Wallet Providers

The draft recognises the role of digital services and imposes tighter onboarding and monitoring standards for high-risk products and cross-border offerings.

Comparing ED2 with Tranche 2 Reforms

While Tranche 2 reforms remain on the horizon with a broader mandate to include lawyers, accountants, and real estate agents under the AML/CTF regime, the second exposure draft zeroes in on tightening the compliance expectations for existing reporting entities.

Unlike Tranche 2, which aims to expand the scope of regulated professions, the exposure draft rules focus on strengthening operational practices such as ongoing monitoring, customer segmentation, and enhanced due diligence for existing covered sectors. The rules also go deeper into technological expectations, such as maintaining audit trails and validating third-party service providers.

In short, ED2 is more about modernising the how of AML compliance, whereas Tranche 2 will eventually reshape the who of the regulated ecosystem.

Why It Matters for Financial Institutions

For compliance officers and risk managers, these proposed changes translate to increased scrutiny, more granular documentation, and an urgent need to improve monitoring practices. Institutions will be expected to maintain stronger evidence trails, adopt real-time monitoring tools, and improve their ability to detect behavioural anomalies across customer life cycles.

Moreover, the clear emphasis on risk-based ongoing due diligence means firms can no longer rely on periodic checks alone. Dynamic updates to risk profiles, responsive escalation triggers, and cross-channel data analysis will become critical components of future-ready compliance programs.
‍
{{cta-first}}

Tookitaki’s Perspective and Solution Fit

At Tookitaki, we believe AUSTRAC’s second exposure draft offers an opportunity for Australian institutions to build more resilient, intelligence-driven compliance programs.

Our flagship platform, FinCense, is built to adapt to evolving AML obligations through its scenario-driven detection engine, AI-led transaction monitoring, and federated learning capabilities. Financial institutions can seamlessly adopt continuous risk monitoring, generate audit-ready investigation trails, and integrate sanctions screening workflows, all while maintaining high levels of precision.

Importantly, Tookitaki’s federated intelligence model draws from a community of AML experts to anticipate emerging threats and codify new typologies. This ensures institutions stay ahead of bad actors who are constantly evolving their methods.

What’s Next: Preparing for the New Rules

AUSTRAC is expected to finalise the rules following this round of industry consultation, with phased implementation timelines to be announced. Financial institutions should begin by assessing gaps in their existing AML controls, especially around ongoing monitoring, PEP screening, and documentation processes.

This is also a good time to evaluate technology infrastructure. Solutions that enable scalable monitoring, natural language audit logs, and flexible rule design will give institutions a distinct advantage in meeting the new compliance bar.

Conclusion

AUSTRAC’s second exposure draft marks a pivotal shift from checkbox compliance to intelligent, risk-driven AML practices. For financial institutions, the future of compliance lies in adopting flexible, technology-powered solutions that can evolve with the regulatory landscape.

The message is clear, compliance is no longer a static requirement. It is a dynamic, strategic pillar that demands agility, insight, and collaboration.

The financial crime compliance landscape is evolving rapidly, and so are the tools required to keep up.

As criminal tactics become more sophisticated and regulatory expectations more demanding, compliance teams need AI systems that do more than detect anomalies. They must explain their decisions, prove their accuracy, and demonstrate responsible governance at every step.

At Tookitaki, we are building an Agentic Framework - a network of intelligent agents which are auditable and explainable for each action they take. These agents don’t just make recommendations - they work across the entire compliance lifecycle, supporting real-time detection, guiding investigations, and reinforcing regulatory alignment.

This blog introduces Tookitaki’s agentic approach, grounded in collaborative intelligence and designed to help financial institutions take control, not just of detection accuracy, but of trust.

The Compliance Challenge: Accuracy Isn’t Enough

Traditional AI systems are built to optimise performance. But in regulated environments, performance is only half the story.

Regulators now expect AI systems to be:

• Fully explainable and traceable
  
• Free from hidden biases
  
• Secure by design
  
• Governed with clear human oversight
  

Frameworks like the Federal Reserve’s SR 11-7, MAS TRM, and GDPR are clear: If a system impacts a regulated decision, whether it’s flagging suspicious transactions, filing reports, or escalating investigations, then institutions must be able to validate, explain, and defend those outcomes.

This is where most AI platforms struggle.

Tookitaki’s Answer: A Trust Layer Powered by Agentic AI

Tookitaki’s platform is built to meet these challenges head-on. It combines two powerful engines:

• The AFC Ecosystem: A global community of financial crime experts who contribute real-world scenarios forming the industry’s most robust collaborative intelligence network.
  
• FinCense: Our end-to-end compliance platform, which integrates these scenarios into dynamic workflows powered by AI agents, all aligned with regulatory best practices.
  

Together, these components form Tookitaki’s Trust Layer for Financial Services — enabling financial institutions to reduce risk, improve compliance operations, and increase confidence across every investigation.

Built on Collaborative Intelligence, Tested in Your Environment

At the heart of Tookitaki’s approach is the AFC Ecosystem, a global community of compliance experts who contribute a growing library of real-world typologies spanning dozens of financial crime risk categories. These are not hypothetical constructs. They are tested, peer-reviewed patterns that reflect how financial crime plays out in practice from money mule networks to account take over and social engineering.

Instead of relying on static rules or black-box models, financial institutions using Tookitaki gain access to this dynamic intelligence. And before anything is deployed, scenarios can be tested against the institution’s own historical data using our Simulation Agent, giving teams complete control, visibility, and confidence in performance.

AI Agents That Power Compliance Intelligence

Tookitaki’s Agentic AI framework is built on specialised agents, each designed to improve efficiency, accuracy, and explainability across the investigation lifecycle:

• Simulation Agent: Tests new detection scenarios against historical data, helping teams fine-tune thresholds and understand performance before going live.
  
• Alert Prioritization Agent: Ranks alerts by risk relevance using a regulatory-weighted model, reducing false positives and enabling faster triage with over 94% alignment to expert decisions.
  
• Smart Disposition Agent: It’s an agent that lets compliance teams codify their Standard Operating Procedures (SOPs) as advanced rules — so that eligible alerts are automatically closed without human intervention.
  
• Smart Narration Agent: An agent powered by large language models that auto-generates a natural language narrative for each alert.
  
• FinMate (Investigation Copilot): Assists investigators with case context, risk indicators, and typology insights, improving evidence collection and reducing handling time by over 60%.
  

These agents operate within Tookitaki’s compliance-native orchestration layer — ensuring every action is explainable, governed, and aligned with regulatory frameworks.

Setting a Benchmark in AI Governance

Tookitaki is proud to be the first RegTech company validated under Singapore’s national AI Verify programme, establishing a new standard for auditable, explainable, and responsible AI in compliance.

Our Agentic AI framework, specifically its AI-powered narration capabilities, underwent rigorous independent validation, which included:

• Accuracy testing across 400+ real-world AML scenarios
  
• Multi-language validation in complex cases involving English and Mandarin
  
• Zero tolerance for hallucinations, with protocols ensuring all outputs are grounded in verifiable data
  
• Compliance assurance, proving the system adheres to financial regulations and prevents misuse
  

This milestone reinforces Tookitaki’s position as a RegTech innovator that blends AI performance with governance - by incorporating guardrails to prevent AI hallucinations, ensuring that every narrative generated is accurate, auditable, and actionable - a critical requirement for financial institutions operating under increasing regulatory scrutiny.

A New Standard for AI in Compliance

Agentic AI is not about replacing human investigators — it’s about equipping them with the intelligence, speed, and context they need to work smarter.

By combining collaborative intelligence-driven detection, real-time simulation, and agentic automation, Tookitaki offers a future-ready model for the entire reg-tech lifecycle - one that’s grounded in transparency, is auditable and capable of learning with every new pattern, case, and risk.

In a world where compliance is no longer just about rules, but about resilience and trust, Tookitaki’s Agentic AI is setting a new standard.

What’s Next in This Blog Series

In the upcoming blogs, we’ll dive deeper into Tookitaki’s flagship AI agents — exploring how each one is designed, validated, and deployed in production environments to deliver compliance-grade performance.

Stay tuned.

Thailand’s financial system is entering a defining era for anti-money laundering and counter-terrorism financing.

As the country deepens its regional trade and digital finance ambitions, it also faces mounting pressure to confront evolving financial crime threats, ranging from cross-border laundering to high-velocity scams and informal value transfers. With the FATF eyeing gaps in oversight and regulators tightening expectations, AML/CFT compliance is no longer just a back-office responsibility. It's a front-line defence for trust and competitiveness.

In this blog, we break down the current AML/CFT regulatory framework in Thailand, highlight key risks and real-world threats, explore upcoming reform pressures, and share how banks and fintechs can strengthen their compliance strategy through both innovation and collaboration.

The Regulatory Landscape in Thailand

Thailand’s AML/CFT framework is governed by the Anti-Money Laundering Office (AMLO), established in 1999. AMLO functions as both the financial intelligence unit (FIU) and the key enforcement agency overseeing compliance and investigations related to illicit finance.

The two core laws forming the backbone of the regulatory regime are:

• The Anti-Money Laundering Act (AMLA), B.E. 2542 (1999)
• The Counter-Terrorism and Proliferation of Weapons of Mass Destruction Financing Act, B.E. 2559 (2016)
  ‍

Entities subject to AML/CTF obligations include:

• Commercial banks and financial institutions
• Money service businesses (MSBs), e-wallets, and fintech platforms
• Securities companies and insurance providers
• Real estate developers and dealers in precious stones/metals
• Legal professionals and notaries (in limited contexts)

Reporting entities must:

• Conduct customer due diligence (CDD) and enhanced due diligence (EDD)
• File suspicious transaction reports (STRs) and cash transaction reports (CTRs) with AMLO
• Retain records for a minimum of 5 years
• Establish internal AML programs, risk assessments, and staff training
  ‍

FATF and Grey List Pressures

Thailand has had a complicated relationship with the Financial Action Task Force (FATF). After being grey-listed in 2011 due to strategic deficiencies in its AML regime, it made significant reforms and was removed in 2015.

However, FATF’s most recent mutual evaluation pointed to new challenges:

• Limited oversight of certain non-financial sectors
• Gaps in beneficial ownership transparency
• Uneven application of risk-based approaches
• Under-reporting of suspicious transactions by fintech and digital players

Why it matters: FATF grey-listing carries serious consequences. It can deter foreign investment, slow correspondent banking relationships, and increase the cost of doing business internationally. For Thai banks and fintechs, staying aligned with FATF expectations is not just about compliance—it’s about global competitiveness.

Real-World Threats: What’s Fueling Financial Crime in Thailand

Thailand’s economy, geographic location, and strong informal networks make it vulnerable to a wide range of predicate offences. Some of the most prominent financial crime threats include:

🔹 Drug Trafficking and Organised Crime

Transnational criminal groups exploit Thailand’s location in the Mekong subregion to launder drug proceeds through shell companies, property purchases, and trade channels.

🔹 Public Sector Corruption and Tax Crimes

Illicit enrichment and VAT fraud are common predicate offences, with funds often laundered via nominee accounts and luxury assets.

🔹 Cross-Border Laundering

Money mules, informal remittance systems, and trade-based money laundering (TBML) remain significant threats. Syndicates frequently layer funds through multiple jurisdictions.

🔹 Investment and Romance Scams

Thailand is increasingly being used as both a staging ground and a destination for proceeds from international fraud, including pig butchering scams and tech support frauds targeting foreign victims.

AMLO has flagged the rising use of e-wallets, digital platforms, and cash-intensive businesses as high-risk vehicles for laundering.

Challenges for Banks and Fintechs

Despite progress, many institutions face real hurdles when it comes to AML/CFT execution.

• Legacy Systems and Manual Workflows
  Traditional rule-based systems often generate high false positives and miss nuanced patterns, especially in real-time transactions.
• Fragmented Intelligence
  Limited cross-institutional data sharing weakens the detection of syndicated risks, such as mule networks operating across multiple banks.
• High Compliance Costs
  Smaller fintechs and non-bank financial institutions struggle to meet regulatory requirements without draining operational resources.
• Speed vs Safety in Payments
  Instant payment rails (e.g., PromptPay) have made fund movement frictionless, but also difficult to trace once fraud or laundering occurs.

Thailand’s Push Toward RegTech and AI

Recognising these challenges, regulators and industry players are increasingly turning to RegTech to strengthen compliance without stifling innovation.

Notable trends:

• AI-driven transaction monitoring is gaining traction for detecting suspicious behaviour across vast datasets in real time.
• Automated screening tools are being used to process watchlists, sanctions, and politically exposed person (PEP) data more efficiently.
• Digital KYC and eKYB (Know Your Business) solutions are helping fintechs onboard customers with less friction and more accuracy.

AMLO itself has been vocal about the importance of technology in enhancing reporting accuracy and enabling real-time intelligence. Collaboration between regulators and the private sector on typology sharing and case-based learning is also gaining momentum.

How Tookitaki Supports Smarter Compliance in Thailand

Tookitaki’s FinCense platform is well-positioned to help Thai banks and fintechs overcome both regulatory and operational AML/CFT challenges.

Here’s how:

🔹 Scenario-Based Detection
FinCense leverages typologies contributed by global experts through the AFC Ecosystem. These include real-world cases such as QR-code laundering, mule account recruitment, and shell invoicing many of which mirror red flags identified by AMLO.

🔹 Smart Screening
Advanced screening tools that support multi-lingual names, alias logic, and national ID handling—critical in jurisdictions like Thailand.

🔹 AI-Powered Risk Scoring
Dynamic customer risk scoring and automated threshold tuning reduce false positives and allow institutions to focus on the most relevant alerts.

🔹 FinMate: AI Copilot for Compliance Teams
FinMate assists investigators by summarising alerts, surfacing behavioural insights, and recommending next steps, reducing the average case investigation time.

Whether you're dealing with fraud from romance scams or laundering via e-wallet networks, FinCense offers a flexible, modular approach that’s ready for Thailand’s fast-evolving risk environment.

Key Takeaways for Compliance Teams

✅ Thailand’s AML/CFT ecosystem is evolving, but financial crime threats are getting more sophisticated.
✅ FATF scrutiny and regulatory reform will intensify over the next 12–18 months.
✅ Manual systems are no longer sustainable—technology is a must-have.
✅ Cross-border risk requires cross-sector intelligence—collaboration is key.
✅ Institutions that prioritise adaptive compliance now will gain a strategic edge in the future.
‍

Conclusion: Thailand’s Next Chapter in AML/CFT Compliance

Thailand has made significant progress in building its AML/CFT regime, but the fight is far from over. As financial crime networks grow more organised and tech-savvy, regulators and institutions must respond in kind—with smarter systems, stronger collaboration, and a proactive mindset.

The future of compliance in Thailand isn’t just about ticking regulatory boxes. It’s about building trust, resilience, and readiness—not just for the next audit, but for the next threat.