
The short answer: From 1 July 2026, if your business provides a "designated service" (most legal work, conveyancing, accounting and tax agent services, real estate agency work, or dealing in precious metals and stones) you are now a reporting entity under Australia’s anti-money-laundering laws. In practice, ongoing compliance means five things: enrol with AUSTRAC, keep a single written AML/CTF program that assesses your risks, verify who your clients are (and screen them) before you act, watch for anything that doesn’t add up over the life of the relationship, and report the two things the law names, which are suspicious matters and large cash transactions. You keep the paperwork for seven years. That’s the core of it, and for most small operators it is a set of habits, not a second job.
Spend five minutes on LinkedIn this year and you’ll have seen the reaction. Real estate agents posting that "the government has just made me personally responsible for money laundering." Accountants asking who, exactly, is meant to run a compliance department in a two-person firm. Conveyancers who have never once said the words "beneficial ownership" wondering what they’ve been signed up for.
The concern is fair. Between 90,000 and 100,000 newly regulated firms across five industries, lawyers, conveyancers, accountants and tax agents, real estate agents, and dealers in precious metals and stones, have just become legally responsible for anti-money-laundering compliance. Many have no compliance background, no compliance staff, and no training. It is one of the biggest expansions of the regime since it began in 2006.
So let’s do the calm, practical thing. Here is what ongoing compliance actually involves, day to day, not as legal theory. It is not effortless. But it is manageable, and this article sets out why.
If you provide a designated service, you’re in, regardless of how small you are. Capture is by the service you provide, not your profession or your size. A sole conveyancer handling a settlement and a national law firm can both be caught by the same trigger.
We won’t relitigate the capture test here; that’s covered in detail elsewhere in this July series. The important point for this article is simple: once you are captured, the obligations described below apply to you the same way they apply to everyone else. The scale of your response should match the scale and risk of your work, but the framework is the same.

That’s it. It looks like a lot written out, but most of it is a routine you build once and then follow.
Yes, and it can be you. The law requires a reporting entity to appoint an AML/CTF compliance officer, but there is nothing stopping the owner of a small practice from holding that role themselves, as the government explains in its guidance on the changes to AML/CTF program requirements.
This is the point where a lot of the online anxiety lives, so it’s worth being blunt about it. "Compliance officer" sounds like a full-time salaried position with a corner office. In a small firm it isn’t. It’s a named accountable person: the person who makes sure the program exists, that your team follows it, and that reports go in when they need to. If you’re a sole trader, that’s you by default. The title describes a responsibility, not a headcount.
What matters is that the responsibility is real and someone owns it. What it doesn’t mean is that you personally need a criminology degree or a second staff member.
It means you check who you’re dealing with before you act, and then you stay alert to changes while you act for them. Due diligence isn’t a one-off box you tick at onboarding.
Then, for the life of the relationship, you keep an eye out. If the money starts moving in a way that doesn’t fit what you were told, if the client’s story changes, if a transaction suddenly looks unusual for that kind of client, that’s when ongoing due diligence earns its place. You’re not auditing every client every week. You’re noticing when something stops making sense.
For most small practices, the practical version of this is: a solid onboarding check, sensible record-keeping, and a habit of pausing when your instinct says something is off.

There are exactly two reports the law asks you to make on the ground, plus your annual report. Here they are at a glance.
| Report | What it covers | Threshold | When it’s due |
|---|---|---|---|
| Suspicious matter report (SMR) | Any reasonable suspicion of money laundering, terrorism financing, or other serious offences connected to your service | No monetary threshold; suspicion is the trigger | Within 3 business days of forming the suspicion. 24 hours if you suspect terrorism financing. 5 business days where legal professional privilege is claimed |
| Threshold transaction report (TTR) | Physical cash transactions | A$10,000 or more in cash | Within 10 business days of the transaction |
| Annual compliance report | A yearly report to AUSTRAC on your compliance | n/a | Annually; confirm the current reporting period and due date with AUSTRAC |
Seven years. You retain the relevant records, identity checks, your program, transaction records, and reports you’ve made, for seven years.
The practical implication for a small operator is worth stating: this is a reason to keep your due-diligence records in a form you can actually find and export later, rather than scattered through email and physical folders. Seven years is a long time to reconstruct a paper trail from memory.
The honest answer, for a small business making a genuine effort, is: far less than the headline penalty numbers suggest. The maximum penalties are large: the AUSTRAC AML/CTF Act sets them at up to 100,000 penalty units (around $33 million) for a body corporate, and up to 20,000 penalty units (around $6.6 million) for an individual, per contravention. Those numbers exist to show that the regime has teeth for serious, deliberate wrongdoing. They are not the posture AUSTRAC has signalled towards the tens of thousands of small operators just entering the regime.
AUSTRAC’s CEO, Brendan Thomas, has been unusually plain about this. In a speech to real estate agency leaders he said the regulator is "not expecting perfection on day one," that what it expects is for businesses to take "reasonable steps" to understand the risks they face, and, in words worth keeping in mind on a stressful week, that AUSTRAC has "never penalised a small business for administrative mistakes, and we have no intention of starting now." Enforcement, he’s indicated, is aimed at those who wilfully ignore their obligations or make no meaningful effort to comply.
Read that carefully, because it reframes the whole task. The bar on day one is reasonable effort, not flawless execution. An honest small firm that has enrolled, written a sensible program, does its onboarding checks and reports when something looks wrong is squarely in the category AUSTRAC has said it is not chasing. The businesses at risk are the ones that do nothing.
That is not licence to ignore the rules; the obligations are real and they are law. But it should take the edge off the fear that a single missed field on a form will end your business. It won’t.
For the overwhelming majority of small operators, the frequent part of that list is just the onboarding check and good record-keeping. The reporting parts are exceptions, not routine.
None of these is a compliance-department-sized project. Together they are a fortnight of setup and a set of habits afterwards.
Where the real difficulty sits, and how to make it smaller
Be honest with yourself about which part of this is actually hard. Enrolling is a form. Naming a compliance officer is a decision. Writing a program is a document you can build once. The part that recurs, the part that has to happen accurately for every client, forever, is the factual burden: verifying identity, checking beneficial ownership, screening against sanctions and PEP lists, and keeping a clean, exportable record of all of it.
That’s the piece that used to require a compliance team, and it’s the piece a small operator can’t realistically do well by hand at volume.
This is exactly the gap VeriEzi was built to fill: AUSTRAC-aligned identity verification and customer due diligence, PEP, sanctions and adverse-media screening, and a complete, exportable seven-year audit trail, set up quickly, without a compliance department and without heavy IT work. If you’re one of the tens of thousands of operators who’s just realised the factual burden lands on you, it’s a way to meet it day to day without turning your practice inside out. See how it works.
This article is general information only and is not legal or financial advice. AML/CTF obligations depend on your specific circumstances. Confirm your obligations and current deadlines with AUSTRAC or a qualified adviser.
More insights from the same category: Compliance
ComplianceJuly 2, 2026
Here is the practical split for accounting and tax practices. Treat it as a starting map, not a ruling on your specific facts.
Read More
ComplianceJune 23, 2026
Sales are captured; property management is not. Brokering the sale, purchase or transfer of real estate is the designated service. Leasing and property management fall outside the regime.
Read More
ComplianceJune 11, 2026
For the vast majority, this will be the first time anti-money laundering compliance applies to them.
Read More
ComplianceJuly 6, 2026
So let’s do the calm, practical thing. Here is what ongoing compliance actually involves, day to day, not as legal theory. It is not effortless. But it is manageable, and this article sets out why.
Read More