AML Compliance for Australian Banks and Fintechs: AUSTRAC Requirements and Tookitaki’s FinCense
AUSTRAC — the Australian Transaction Reports and Analysis Centre — has established itself as one of the most active AML/CFT regulators in the Asia-Pacific region. Its enforcement record includes landmark penalty actions against major Australian banks and casino operators, with fines reaching into the billions of dollars for systemic failures in transaction monitoring, threshold reporting, and suspicious matter reporting. That record sets the compliance context for every reporting entity operating in Australia: AUSTRAC has demonstrated both the willingness and the capability to take enforcement action when compliance programmes do not meet the standard the AML/CTF Act requires.
For banks and fintechs operating under AUSTRAC's supervision, the compliance challenge is not just meeting the Act's minimum requirements — it is building a programme that is demonstrably risk-based, operationally embedded, and capable of withstanding scrutiny under examination. The AML/CTF Amendment Act 2024 extended the regime further, bringing lawyers, accountants, and real estate agents into the regulated population under Tranche 2. This expansion signals the direction of travel: AUSTRAC is broadening its reach, not narrowing it.

What AUSTRAC Requires from Financial Institutions
A two-part AML/CTF programme. Every reporting entity must maintain a written AML/CTF programme with two distinct parts. Part A is the entity's risk-based approach to ML/TF risk — a board-approved statement of how the institution identifies, assesses, and mitigates its specific ML/TF risks. Part B covers the entity's Know Your Customer (KYC) procedures: how it identifies and verifies customers and beneficial owners at onboarding. Both parts must be reviewed regularly and updated when the institution's risk profile changes materially.
Customer identification and verification. AUSTRAC's Customer Identification Program requirements set the standard for identifying individual and corporate customers, verifying their identity through reliable sources, and identifying the beneficial owners of entities. For higher-risk customers — politically exposed persons, customers from high-risk jurisdictions, complex ownership structures — enhanced identification and verification applies. Ongoing due diligence must keep the customer's risk profile current as their transaction behaviour evolves.
Ongoing transaction monitoring. The AML/CTF Act requires continuous monitoring of customer transactions against the risk profile established at onboarding. Monitoring must be capable of identifying suspicious patterns — structuring designed to avoid reporting thresholds, rapid layering activity, mule account behaviour — and triggering the investigation process when those patterns are detected.
Suspicious Matter Reports. SMRs must be filed with AUSTRAC when a reporting entity forms a suspicion that a transaction or activity is related to a money laundering or terrorism financing offence, or an offence against a Commonwealth, state, or territory law. There is no minimum value threshold. AUSTRAC assesses both the volume and quality of SMRs — investigation narratives must document the specific indicators of suspicion and the steps taken to investigate before filing.
Threshold Transaction Reports. Every cash transaction of AUD 10,000 or more must be reported to AUSTRAC as a Threshold Transaction Report (TTR) within ten business days. For high-volume cash businesses, this is a significant reporting obligation.
International Funds Transfer Instructions. Every international funds transfer of any value must be reported to AUSTRAC as an International Funds Transfer Instruction (IFTI). This includes both incoming and outgoing transfers, and covers transfers made through correspondent banking channels, SWIFT, and non-bank remittance channels. IFTI reporting provides AUSTRAC with visibility into cross-border fund flows — and makes cross-border transactions a primary focus of its data analysis and enforcement activity.
Record keeping. All transaction records, KYC documents, and AML/CTF programme documentation must be retained for seven years.

The Tranche 2 Expansion
The AML/CTF Amendment Act 2024 brought a significant expansion of the regulated population — known as Tranche 2 — covering legal professionals, accounting professionals, real estate agents, and trust and company service providers. These sectors have historically operated outside the AML/CTF regime despite their exposure to high-value, complex transactions involving legal entities and real property.
For financial institutions, the Tranche 2 expansion has two practical implications. First, the volume of entities filing SMRs and TTRs with AUSTRAC will increase substantially as Tranche 2 entities come into compliance — adding to the cross-sector intelligence picture that financial institutions access through AUSTRAC's feedback mechanisms. Second, correspondent relationships with Tranche 2 entities — particularly law firms and accountants involved in corporate transactions — carry a different risk profile now that those entities have AML/CTF obligations, and financial institutions need to update their risk assessments accordingly.

Australia's AML Risk Landscape
Scam proceeds flows. Australia has one of the highest per-capita scam loss rates in the world. The Australian Competition and Consumer Commission's Scamwatch data consistently records billions of dollars in annual losses from investment scams, romance fraud, and impersonation schemes. The proceeds move through the banking system in predictable layering patterns before exiting to offshore accounts or cryptocurrency — creating a monitoring challenge that requires behavioural pattern detection, not just threshold-based rules.
Trade-based money laundering. Australia's role as a major commodity exporter — iron ore, coal, agricultural products — makes it a target for TBML. Over- and under-invoicing of trade transactions, and the use of trade finance instruments to layer illicit funds, are identified AUSTRAC risk vectors that standard AML monitoring rules were not designed to detect.
Remittance corridors. Australia's diverse migrant population generates significant remittance flows to South and Southeast Asia, the Pacific, and East Africa. These corridors carry variable ML/TF risk, and FATF's periodic updates to high-risk jurisdiction lists require monitoring systems that incorporate updated risk classifications dynamically.

How Tookitaki's FinCense Supports Australian Reporting Entities
AFC Ecosystem: typology coverage for Australia's specific risk vectors. FinCense's detection is built on Tookitaki's Anti Financial Crime (AFC) Ecosystem — a federated intelligence network of 30+ financial institutions across APAC that contribute and receive financial crime typologies without exchanging customer data. Australia's specific risk vectors, such as scam-related layering patterns and Pacific and Asian remittance corridor typologies, are covered through AFC Ecosystem intelligence validated across the network. When a new scam payout typology emerges in the Australian market, that pattern flows to every member institution automatically, without internal scenario engineering. For AUSTRAC's risk-based programme requirements, this provides the continuously updated typology coverage that Part A of the AML/CTF programme must reflect.
Transaction monitoring calibrated to AUSTRAC's risk-based standard. FinCense's transaction monitoring module uses scenario-based detection — each scenario encodes the full behavioural pattern of a known financial crime typology, not a threshold rule that fires on surface-level transaction characteristics. Automated Threshold Tuning recommends optimal monitoring thresholds for distinct customer segments within the institution's portfolio, rather than applying uniform thresholds across the entire customer base. A high-volume business customer and a retail customer have genuinely different normal transaction profiles — monitoring calibrated to each segment generates fewer false positives while maintaining detection coverage across both. False positive volumes are reduced by up to 70% compared to legacy rule-based systems.
Name and transaction screening. FinCense's screening module uses natural language processing and machine learning to match customer and transaction data against AUSTRAC's sanctions and designated persons lists, DFAT's consolidated list, PEP databases, and adverse media sources. Fuzzy matching handles name variants, transliterations, and partial matches that exact-string matching misses, reducing the false positive volumes that make manual review unsustainable at scale. For IFTI-obligated institutions processing high volumes of cross-border transfers, real-time transaction screening covers originator, beneficiary, and intermediary details against current sanctions designations before settlement.
Case management for AUSTRAC reporting quality. FinCense's integrated case management connects alert, investigation, and SMR report generation in a single environment. AI-generated investigation notes surface the specific indicators of suspicion for each case, improving the quality and completeness of SMR narratives filed with AUSTRAC. The investigation record captures every step taken before filing — directly addressing the quality dimension that AUSTRAC examiners assess when reviewing an institution's reporting programme.
Unified AML and fraud detection. For Australian institutions managing both AML obligations and scam-related fraud risks, FinCense provides unified detection across both on a single engine and shared data layer. Scam proceeds flows — investment fraud, romance scam, business email compromise — move through accounts in patterns that have both fraud and AML dimensions. Running separate systems for each creates the detection gap that financial crime networks exploit. FinCense closes that gap with cross-typology detection and a unified case workflow. For more on how unified fraud and AML detection works, see our FRAML guide.
Australia's AML/CTF regulatory environment will continue to intensify as Tranche 2 entities come into compliance, AUSTRAC's data analysis capabilities expand, and the enforcement record continues to set high-stakes expectations across the regulated population. Institutions that build their programme on a platform calibrated to AUSTRAC's specific requirements — risk-based by design, typology-driven, and continuously updated — are positioned for examination cycles and the regulatory trajectory ahead.
For a comparison of AML platform options evaluated against AUSTRAC's requirements, see our AML platforms buyer's guide.
To see how FinCense is deployed for AUSTRAC-regulated institutions and how it supports AML/CTF Act compliance, book a demo with our Australia compliance team.
Experience the most intelligent AML and fraud prevention platform





