The three-year grace period for initial CDD made headlines across the Australian compliance community. What didn’t make headlines is everything that has no grace period at all.
On 31 March 2026 — now just weeks away — Australia’s reformed AML/CTF Act takes effect for existing reporting entities. The transitional rules announced by AUSTRAC and the Department of Home Affairs in January 2026 provide genuine flexibility for initial customer due diligence. That part is well understood.
What concerns me is how many teams appear to have stopped reading after “3-year transition period” and assumed the breathing room extends further than it does.
It doesn’t. And the gap between what people think is transitional and what actually is could be the defining compliance risk of 2026.
What IS transitional
The transitional rules give existing Tranche 1 reporting entities a three-year window — from 31 March 2026 to 30 March 2029 — to transition their initial CDD processes. During this period, entities can choose one of two paths:
Path 1: Continue with ACIP. Keep using your existing Applicable Customer Identification Procedures for all new customers. This is the path of least disruption — your onboarding workflows, identity verification systems, and staff training remain as they are today. You continue operating under the pre-reform rules.
Path 2: Opt in early to the reformed initial CDD framework. Adopt the new Section 28 initial CDD obligations under the reformed AML/CTF Act. This path gives you access to the new deemed compliance provisions and delayed CDD provisions built into the reformed framework — provisions that are potentially more efficient for certain customer types and scenarios.
This is a genuine and welcome concession. Redesigning onboarding frameworks, upgrading identity verification technology, retraining frontline staff, and aligning policies across business units and jurisdictions is complex, expensive work — particularly for large financial institutions running legacy systems. AUSTRAC has acknowledged that complexity and provided room to manage it.
But there are three critical catches that every compliance professional needs to understand:
First, once you opt in to the reformed framework, there is no going back. The transition is a one-way door. You must apply the new Section 28 CDD requirements consistently to all new customers and all customer types from the date you choose to transition. You cannot run a hybrid — old rules for some customers, new rules for others. It is one or the other, applied across the board.
Second, this flexibility applies only to initial CDD. It does not extend to ongoing CDD, transaction monitoring, suspicious matter reporting, or any other obligation under the reformed Act. Those are live from Day 1, regardless of which initial CDD path you choose. More on this below.
Third, the transitional period does not apply to Tranche 2 entities. Newly regulated businesses — lawyers, accountants, real estate agents, dealers in precious metals — that commence enrolment from 31 March 2026 must comply with the reformed CDD framework from the outset. The three-year grace period is exclusively for existing Tranche 1 reporting entities.
What is NOT transitional
This is where the industry conversation has a blind spot. The following obligations under the reformed AML/CTF regime commence on 31 March 2026 with no transition period, no grace period, and no phased implementation.
Ongoing CDD (Section 30 of the AML/CTF Act)
This is the biggest one, and the one most likely to catch teams off guard.
From 31 March, all existing reporting entities must implement ongoing customer due diligence as required under the reformed Act. This is not a continuation of existing practices with a new name. It is a substantive uplift to a formal, outcomes-focused ongoing CDD obligation that requires:
- Monitoring customers for unusual transactions and behaviours that may trigger an obligation to submit a suspicious matter report (SMR). AUSTRAC’s guidance specifies this includes transactions inconsistent with a customer’s known profile, structured transactions that appear designed to avoid reporting thresholds, and patterns involving high-risk countries or sanctioned parties.
- Reviewing and updating customer ML/TF risk profiles at appropriate intervals and in response to triggers. This means your customer risk ratings are not static — they must be actively maintained based on transaction behaviour, changes in the business relationship, and new information.
- Reverifying KYC information where there are doubts about its adequacy or veracity. If a customer’s identification information appears outdated, incomplete, or potentially false, you cannot wait for a scheduled review cycle. The obligation to reverify is triggered by the doubt itself.
- Monitoring for significant changes in the nature and purpose of the business relationship. If a customer’s relationship with your entity changes in a way that elevates their ML/TF risk to medium or high, both initial and ongoing CDD must be completed.
- Checking the effectiveness of your ongoing CDD measures regularly to ensure they are operating as intended. AUSTRAC expects your AML/CTF policies to include processes for reviewing monitoring effectiveness, prioritising any issues identified, and updating policies accordingly.
This obligation applies regardless of which initial CDD path you choose. Whether you are still using ACIP or have opted into the reformed Section 28 framework, ongoing CDD under Section 30 is mandatory from 31 March 2026 with no deferral.
For pre-commencement customers — those you already have a business relationship with before 31 March — you must monitor for unusual transactions, review and update KYC information at appropriate frequency, and watch for significant changes that would elevate their risk profile. You don’t need to re-do initial CDD on these customers unless an SMR obligation arises or there is a significant change in the business relationship that results in medium or high ML/TF risk.
Transaction monitoring and SMR obligations
Your obligation to monitor transactions, identify suspicious activity, and submit suspicious matter reports continues — but now under a reformed framework that is explicitly outcomes-focused rather than compliance-focused.
The distinction matters. Under the old regime, many entities could demonstrate compliance by pointing to the existence of a monitoring system and a procedure for filing SMRs. Under the reformed framework, AUSTRAC expects you to demonstrate that your monitoring actually identifies, assesses, manages, and mitigates the ML/TF risks you reasonably face. If you don’t have a process to review and respond to unusual transactions or behaviour, AUSTRAC’s guidance states you are unlikely to demonstrate that you are managing or mitigating your ML/TF risks.
The reformed framework also introduces a new requirement to monitor for prohibited hate group offences as part of monitoring for unusual transactions and behaviours, following the 9 February 2026 exposure draft amendments to the AML/CTF Rules.
AML/CTF program restructure
The old Part A / Part B program structure — where Part A covered customer identification and Part B covered your broader compliance framework — is gone. From 31 March, your AML/CTF program must be organised around outcomes-based risk management rather than prescriptive procedural checklists.
Under the new structure, you must identify and assess ML/TF risks (now explicitly including proliferation financing), establish appropriate policies to manage and mitigate those risks, and ensure your governing body and senior management play an active role in overseeing compliance. The explicit requirement to appoint a fit and proper AML/CTF compliance officer is also new.
If your proliferation financing risk is low and is appropriately addressed by policies related to ML and TF, you don’t need to implement specific counter-proliferation financing policies. But the assessment itself — determining whether PF risk is low — must be documented.
Reporting groups
Existing designated business groups cease to exist on 31 March 2026. If you are currently in a designated business group and want to share compliance costs through group-wide arrangements, you must take active steps to create a reporting group under the new framework.
Under Rule 2-1, all members of a business group must designate a lead entity in writing. Rule 2-2 further stipulates that if one member joins or leaves a reporting group, all members are deemed to have done the same. The February 2026 exposure draft amendments introduced an ‘opt-out’ model where related entities in a corporate group will form a reporting group by default, unless a reporting entity declines in writing.
If you haven’t started this process, you are behind.
Gambling CDD threshold reduction
The initial CDD threshold for certain gambling services drops from $10,000 to $5,000 on 31 March 2026. No transition period. No phased approach. This aligns with FATF standards and will significantly increase the volume of CDD triggers for casinos, gaming machine operators, totalisator agency boards, and on-course bookmakers.
For gambling operators, this means more customer interactions will require identity verification from Day 1. Systems that were calibrated for a $10,000 trigger will need to be adjusted, and staff trained on the new threshold, before 31 March.
Sanctions and proliferation financing
The reformed Act requires reporting entities to establish whether a customer, any beneficial owner, any beneficiary, or any agent is a person designated for targeted financial sanctions. Rule 5-3 now refers to “any assets” instead of the previous “money, property or virtual assets” — a broader scope. The Australian Sanctions Office has released advisory guidance on proliferation financing risk management, which becomes a formal requirement from 31 March.
The obligations with short extensions — but not exemptions
A handful of obligations have been given brief extensions. These are months, not years, and they represent breathing room on administrative logistics — not on substance.
AML/CTF compliance officer notification: Existing reporting entities have until 30 May 2026 to notify AUSTRAC of their nominated compliance officer. Tranche 2 entities and newly regulated VASPs have until 29 July 2026.
SMR and TTR reporting forms: Existing reporting entities can continue using current reporting forms until 2029 while new forms are phased in. The obligation to report doesn’t change — the format of the form is what gets the grace period.
Independent evaluation: Staggered deadlines mean your first post-reform independent evaluation of your AML/CTF program won’t be required before 1 July 2029 at the earliest, with other deadlines staggered every six months depending on when your AUSTRAC account was activated.
Travel rule for virtual asset transfers: Deferred to 1 July 2026, aligning with Tranche 2 commencement. Both existing and newly regulated virtual asset service providers must implement the travel rule from that date.
How different sectors will feel it differently
The reforms hit all existing reporting entities on the same date, but the practical impact varies significantly by sector.
Major banks and ADIs
The Big Four and major ADIs are the most prepared — they’ve had reform program teams running for months, large compliance budgets, and established regulatory relationships. But the challenge for large institutions is scale and complexity. Ongoing CDD under Section 30 means actively monitoring millions of customer relationships, not just new onboarding. Legacy systems, siloed data, and the sheer volume of customer risk profiles to maintain will test even well-resourced banks. The shift from prescriptive Part A/B programs to outcomes-based risk management also requires cultural change — front-line staff and second-line assurance teams need to understand the new philosophy, not just the new procedures.
Fintechs, neobanks, and payment providers
Digital-first entities face a different challenge. Many were built around the previous regulatory framework and may have designed lean compliance operations optimised for the old rules. The expansion of virtual asset regulation from 31 March — including crypto-to-crypto exchanges, custody wallets, and token issuances — brings previously unregulated activities squarely under AUSTRAC oversight. Existing digital currency exchange providers automatically become virtual asset service providers (VASPs) without re-registration, but will need to ensure their compliance frameworks cover the expanded scope.
Gambling operators
The CDD threshold reduction from $10,000 to $5,000 will have an immediate operational impact on casinos, gaming venues, and wagering providers. Senet Group’s analysis notes that gaming machine operators, casinos, totalisator agency boards, and on-course bookmakers now face CDD triggers at a significantly lower threshold, increasing the volume of identity verification interactions. The introduction of pre-commencement customer monitoring obligations — watching for significant changes in risk for existing patrons — adds another layer of operational complexity for venues that have traditionally managed AML as a back-office function.
Remittance providers and currency exchange businesses
These entities are already highly scrutinised by AUSTRAC and have been enforcement targets in recent years. The reformed framework deepens their obligations around value transfer reporting and ongoing CDD for correspondent relationships. The new international value transfer service (IVTS) reporting framework, which will eventually replace IFTI reporting, will require reporting entities closest to the Australian customer to collect, verify, and pass on key information. While IVTS reporting itself has a transitional timeline, the underlying ongoing CDD obligations do not.
Tranche 2 entities (from 1 July 2026)
Lawyers, accountants, real estate agents, and dealers in precious metals are not directly impacted by the 31 March date — their obligations commence 1 July 2026, and enrolment opens from 31 March. But they receive no transitional period for initial CDD. They must comply with the reformed framework from the outset. With an estimated 80,000 to 100,000 new reporting entities entering the regime, the scale of onboarding these sectors into AML/CTF compliance is unprecedented. AUSTRAC has released starter program kits for small, low-complexity businesses in these industries, but the expectation is clear: honest effort, not perfection, but substantive compliance from day one.
What happens after 31 March: the potential issues
This is where I want to look ahead and flag some of the practical challenges I see emerging in the months following commencement.
The “implementation plan” problem
AUSTRAC has said that if you cannot meet your new or changed obligations by 31 March, you must have a documented implementation plan that explains how you will manage ML/TF risks during the transition. The plan must be endorsed by senior management and provided to your board. Material changes must also be endorsed at that level.
This sounds reasonable. But here’s the risk: implementation plans could become a compliance crutch. An entity that hasn’t made meaningful progress could produce a polished implementation plan and point to it as evidence of good faith — without the underlying operational change to back it up.
AUSTRAC has anticipated this. Its updated regulatory expectations statement explicitly says that an implementation plan “does not excuse regulated businesses who have, or are currently, failing to meet their AML/CTF obligations.” The plan must show sustained effort and progress, not just intent. AUSTRAC will consider, as a relevant matter, whether the entity has “exercised due care and diligence to manage their ML/TF risks.”
But distinguishing genuine implementation progress from well-documented inertia will be one of AUSTRAC’s key supervisory challenges in the second half of 2026.
The dual-track CDD confusion
During the three-year transition, different reporting entities within the same industry — and even within the same reporting group — could be operating under different CDD frameworks. One bank might continue with ACIP. Another might opt in to Section 28 early. A third might transition partway through 2027.
This creates operational complexity for entities that rely on each other’s CDD — such as correspondent banking relationships, group-wide shared services, or outsourced onboarding functions. Staff who move between entities may carry assumptions from one framework that don’t apply in the other. Training and quality assurance programs will need to be crystal clear about which framework applies and when.
The outcomes-based enforcement question
The shift from prescriptive, compliance-based rules to an outcomes-focused regime is philosophically sound. But it introduces ambiguity into enforcement. Under the old framework, you could demonstrate compliance by following a checklist. Under the new framework, compliance depends on whether your controls actually achieve the outcome of managing and mitigating ML/TF risk.
What does “outcomes-focused” look like when AUSTRAC conducts a supervisory review? How will the regulator distinguish between a control that was designed well but failed to catch a specific case (acceptable) and a control that was poorly designed and systematically missed risk (unacceptable)? These are questions that will only be answered through regulatory practice in 2026 and 2027.
Expect AUSTRAC to publish further guidance, case studies, and feedback from early supervisory engagement as it beds down the new approach. Entities that document their reasoning — why they designed their controls the way they did, what risks they prioritised, and how they tested effectiveness — will be better positioned than those that simply produced policies without demonstrating the thinking behind them.
The FATF mutual evaluation pressure
Australia is subject to a FATF mutual evaluation commencing in 2026. This is a critical external pressure that shapes everything about the reform timeline. The tight deadlines set by Parliament reflect, in AUSTRAC’s own words, the urgency to meet FATF standards before the evaluation.
A poor showing in the mutual evaluation would have significant consequences for Australia’s standing in the global financial system — affecting cross-border banking relationships, correspondent banking, and international cooperation on financial crime. AUSTRAC cannot afford to look lenient on Day 1 obligations while the FATF evaluators are preparing to assess Australia’s regime.
This means the enforcement environment in the second half of 2026 is likely to be more assertive, not less. Herbert Smith Freehills has noted that AUSTRAC’s approach will be “increasingly targeted, zeroing in on vulnerabilities in digital assets, cash-intensive businesses, and complex transfer-of-value arrangements.” The regulator now has its largest budget and staffing numbers to date.
Talent and resource strain
With 80,000–100,000 new reporting entities entering the regime across Tranche 2, and existing entities simultaneously uplifting their ongoing CDD, transaction monitoring, and program governance, the demand for AML/CTF professionals will outstrip supply. Compliance officers, MLRO candidates, independent evaluators, legal advisers with AML expertise, and RegTech specialists will be in high demand throughout 2026 and 2027.
This is not just a Tranche 2 problem. If your entity is competing for the same talent pool that 80,000 newly regulated businesses are tapping into, your ability to recruit and retain skilled compliance staff may be affected. Planning for this resource pressure now is worth the investment.
A self-assessment for your team
With 31 March approaching, here are the questions I’d be asking if I were running a compliance project right now.
On ongoing CDD: Does your team understand that ongoing CDD obligations are live from Day 1, with no transition? Have your policies been updated to reflect the reformed Section 30 requirements — monitoring for unusual transactions, reviewing customer risk profiles, reverifying KYC information at appropriate intervals? Do you have processes to check that your ongoing CDD measures are actually working?
On transaction monitoring: Is your monitoring framework aligned with the new outcomes-focused approach? Can you demonstrate — not just assert — that your monitoring is designed to identify, assess, manage, and mitigate the ML/TF risks you reasonably face? Have you incorporated the new requirement to monitor for prohibited hate group offences?
On program structure: Have you begun restructuring your AML/CTF program away from the old Part A / Part B format? Have you documented your ML/TF and proliferation financing risk assessment? Is your governing body and senior management actively engaged in AML/CTF oversight, or is this still treated as a compliance-only function?
On reporting groups: If you’re currently in a designated business group, have you taken steps to create a reporting group under the new framework? Have you designated a lead entity in writing?
On the implementation plan: If you can’t meet all new obligations by 31 March, do you have a documented implementation plan endorsed by senior management and provided to your board? Does the plan show sustained effort and genuine progress — or is it a well-formatted statement of intent?
On communication: Has your broader team — including frontline staff — been briefed on what is and isn’t transitional? Or has the “3-year grace period” message created a false sense of comfort? Can an operational analyst in your team articulate which CDD framework they are applying and why?
What this means for you
The transitional rules are a prioritisation framework, not a holiday. They tell you where AUSTRAC is giving you time, and — by implication — where it is not.
Initial CDD has breathing room. Almost everything else does not.
If your implementation plan assumes the transitional period covers more than initial CDD, now is the time to correct that assumption. If your team has internalised “3-year grace period” as the headline without understanding the fine print, that gap in understanding is itself a compliance risk.
The institutions that treat 31 March as the starting line — not the finish line — are the ones that won’t be caught out when the regulator comes looking. And in a year where Australia faces a FATF mutual evaluation and AUSTRAC has its largest-ever enforcement capacity, the regulator will be looking.
Viktor Ha is a Senior Financial Crime Analyst based in Melbourne. He writes about AML enforcement, Australian regulatory developments, and financial crime career strategy at amlcams.info. Connect with him on LinkedIn.
Leave a Reply