AML Software in Australia: The 2026 Buyer's Guide for Banks and Fintechs

Australia's AML enforcement environment is one of the most active in the world. AUSTRAC has levied penalties exceeding AUD 1.3 billion against a single institution, issued enforceable undertakings against major banks, and in 2024 extended compliance obligations to lawyers, accountants and real estate agents under the AML/CTF Amendment Act. For Australian banks and fintechs, the choice of AML software vendor is not a technology decision — it is a compliance risk decision.

This guide covers what AUSTRAC requires from an AML platform, the seven questions every Australian institution should ask before selecting a vendor, and what separates adequate compliance tooling from a programme that holds up under examination.

What AUSTRAC Actually Requires from Your AML Platform

Before evaluating vendors, it helps to be clear about what AUSTRAC examinations actually look for. The AML/CTF Act 2006 and AML/CTF Rules do not mandate a specific technology — they mandate documented outcomes. An AML platform needs to produce those outcomes and the evidence trail to support them.

Risk-based scenario design. Monitoring rules must be derived from the institution's ML/TF risk assessment — not from vendor defaults. AUSTRAC examiners request the mapping between risk assessment outputs and deployed monitoring scenarios. A vendor that cannot support this traceability — or whose implementation methodology starts with generic rules rather than the institution's specific risk profile — creates a compliance gap from day one.
‍
To learn how to build a risk assessment that supports transaction monitoring and regulatory review, read our comprehensive guide to AML risk assessment.

Suspicious Matter Report quality. There is no minimum value threshold for SMR filing — the obligation arises on reasonable grounds for suspicion, regardless of transaction size. AUSTRAC assesses SMR quality, not just volume. Narrative that describes unusual transactions without explaining the suspicion indicators and investigation steps taken does not meet the standard. The platform must support case management that captures the full investigation trail and populates SMR fields accurately.

Threshold Transaction Report accuracy. TTRs are mandatory for cash transactions of AUD 10,000 or more, filed within 10 business days. The platform must identify TTR-eligible transactions reliably — including structuring activity designed to avoid the threshold — and maintain an audit trail of filings.

Calibration documentation. A monitoring programme that has not been reviewed since implementation will fail examination. AUSTRAC expects documented evidence that scenarios have been assessed for effectiveness, false positive rates have been reviewed, and adjustments made when the risk profile or typology environment changed. The platform must produce this documentation without requiring manual reconstruction.

Annual compliance reporting support. Reporting entities must certify annually that their AML/CTF programme is effective. The monitoring layer — its design, outputs, and review history — must be documentable for this certification.

The 7 Questions Australian Banks Should Ask Before Selecting a Vendor

1. Does the implementation start with our risk assessment or with the vendor's default rules?

This is the single most important question. A vendor whose implementation methodology begins by deploying a standard rule library — then adjusting it to fit the institution — is working backwards from the AUSTRAC requirement. The platform should be configured from the institution's documented ML/TF risk assessment: which customer segments present elevated risk, which products and channels, which geographic exposures. The rules follow from the risk, not the other way around.

Ask the vendor: "Show us a past implementation — what did the configuration process look like, and at what point did the institution's risk assessment inform the scenario design?"

2. How does the platform support SMR narrative quality — not just alert generation?

Many platforms generate alerts well but provide weak case management. The SMR obligation requires documented investigation — what transactions were reviewed, what the suspicion indicators were, what escalation steps occurred, why the decision to file or not file was made. A platform that generates alerts and tracks their status is not the same as one that supports investigation documentation of sufficient quality to satisfy AUSTRAC review.

Ask the vendor: "Can you show us a sample case record and the SMR output it produces? What does the narrative quality look like?"

3. What is the false positive rate in AUSTRAC-regulated deployments, and how is it measured?

False positive rates vary significantly depending on how well scenarios are calibrated to the institution's actual customer and transaction profile. A vendor citing a low false positive rate achieved in a different regulatory environment, or across a different customer segment, is not a reliable predictor of performance in your programme. Ask for false positive benchmarks from comparable Australian institutions with similar customer profiles.

Ask the vendor: "What is the average false positive rate across your Australian bank deployments, by customer segment? How is it measured and reviewed?"

4. How does the platform handle the NPP and real-time payment monitoring requirements?

The New Payments Platform processes transactions in near-real time, which compresses the window for pre-settlement monitoring. Monitoring systems designed for batch processing — reviewing transactions after settlement — cannot provide meaningful pre-settlement controls for NPP transactions. This is a documented gap in many legacy AML platforms that were not built for real-time payment rails.

Ask the vendor: "How does the platform monitor NPP transactions? Is monitoring pre-settlement, post-settlement, or both? What is the processing latency?"

5. Can the platform produce calibration review documentation for AUSTRAC examination?

The monitoring calibration review — documenting which scenarios were active, their alert volumes, false positive rates, scenario performance, and any adjustments made — must be producible for examination without manual reconstruction from analyst spreadsheets and emails. If the platform cannot generate this documentation systematically, the institution faces operational risk every time AUSTRAC requests it.

Ask the vendor: "Show us an example calibration review report. What data does it contain, and how is it generated?"

6. What coverage does the platform provide for Tranche 2 transaction types?

The AML/CTF Amendment Act 2024 extends monitoring obligations to lawyers, accountants, real estate agents and other designated non-financial businesses from 2026. Institutions that provide banking services, credit facilities or payment channels to these newly covered sectors need monitoring coverage for the transaction types associated with them — property settlement flows, legal trust account movements, accountancy firm transactions, high-value asset purchases. A platform without scenario coverage for these transaction types will require significant customisation as Tranche 2 obligations take effect.

Ask the vendor: "What scenario coverage do you have for Tranche 2 transaction types? Can these be activated without a full system reconfiguration?"

For more on what Tranche 2 means for your monitoring programme, see our Tranche 2 AML Reforms Australia guide.

7. How does the vendor's typology intelligence stay current — and how quickly does it reach your deployment?

Regulatory typology guidance from AUSTRAC is updated periodically, but financial crime patterns evolve faster than guidance documents. Vendors who rely solely on AUSTRAC publications to update their scenario libraries leave institutions exposed to emerging patterns in the gap. The question is whether the vendor has a mechanism for sharing cross-institutional typology intelligence — new patterns identified at one institution becoming available to others — and how quickly that intelligence reaches deployed scenarios.

Ask the vendor: "When a new typology pattern is identified in one of your customer deployments, what is the process for making that intelligence available to other institutions? How quickly does it reach production?"

Vendor Evaluation Criteria: What Separates Adequate from Effective

Beyond the seven questions, the following criteria consistently differentiate platforms that perform under AUSTRAC examination from those that produce compliance exposure:

AUSTRAC regulatory alignment — built in, not bolted on. The strongest platforms are built with AUSTRAC's specific reporting formats, examination documentation requirements, and typology coverage as first-order design requirements — not as optional modules added after the core product was built for another market.

AI with explainability. Machine learning-based monitoring can significantly improve detection accuracy and reduce false positives. But AUSTRAC examiners are increasingly asking how AI-generated alerts are produced — which inputs drove the alert, how the model was validated, what the explainability trail looks like. A platform that uses ML without an explainability layer will face examination questions it cannot answer.

Community-based typology intelligence. Platforms that participate in cross-institutional typology sharing — where anonymised pattern intelligence from one institution's monitoring data is available to network participants — provide faster detection of emerging patterns than those relying solely on vendor-maintained rule libraries or published AUSTRAC guidance.

Implementation methodology, not just technology. The platform is only as good as the implementation. Vendors who deploy with a structured methodology — beginning with the institution's risk assessment, designing scenarios against specific risk outputs, calibrating against actual transaction data before go-live, and establishing a review cycle — consistently produce better compliance outcomes than those who deploy quickly against generic defaults.

Long-term partnership, not licence and leave. An AML platform deployed and left unchanged becomes progressively less effective as the institution's customer base evolves, new products are launched, and the typology environment changes. Vendors who provide ongoing calibration support, regulatory update briefings, and proactive scenario reviews are structurally different from those whose commercial relationship ends at go-live.

How Tranche 2 Changes the Vendor Selection Calculus

The AML/CTF Amendment Act 2024 is the most significant expansion of Australia's AML framework in almost two decades. From 2026, lawyers, accountants, real estate agents, high-value dealers and other designated non-financial businesses are required to maintain AML/CTF programmes.

For banks and fintechs, the implications for vendor selection fall into two categories:

If you are a newly covered Tranche 2 entity: You need a platform that can be deployed quickly with AUSTRAC-compliant monitoring, case management, SMR/TTR workflow, and calibration documentation. The implementation timeline is constrained, which makes vendor methodology — how quickly a compliant programme can be stood up — a critical evaluation criterion.

If you provide financial services to Tranche 2 sectors: Your existing monitoring programme needs scenario coverage for transaction types associated with newly regulated entities. Property-linked transactions, legal trust account flows, and high-value asset purchases that previously required no specific monitoring now sit within the extended AUSTRAC regulatory perimeter.

Building a Long-Term AML Programme, Not Just a Compliant One

AUSTRAC's enforcement actions consistently reveal the same failure mode: institutions that built an AML programme at implementation and then stopped. Scenarios that were calibrated in 2019 running unchanged in 2026. Risk assessments that predate the NPP. Monitoring thresholds set for a customer base that has since grown by 300%.

The right AML vendor relationship is an ongoing compliance partnership. The platform must support the institution as it changes — new products, new customer segments, regulatory updates, emerging typologies — without requiring a full reimplementation every time.

For institutions evaluating transaction monitoring capability specifically — including how to assess scenario design methodology, calibration review processes, and AUSTRAC documentation requirements — our Transaction Monitoring Software Buyer's Guide provides a detailed framework built around Australian regulatory expectations.

To discuss how Tookitaki's FinCense platform is deployed in Australian financial institutions — including Tranche 2 readiness — book a demo with our APAC compliance team.