AML/CTF Compliance Is Now Available in VeriEzi. Mobile App Coming Soon.
Manage AML reviews, monitor alerts, and streamline your compliance workflow today. Secure mobile access is coming soon.
BlogCompliance

You’re Now a Compliance Officer, Whether You Trained for It or Not: What Ongoing AML Actually Involves

Admin July 6, 2026Compliance
You’re Now a Compliance Officer, Whether You Trained for It or Not: What Ongoing AML Actually Involves

The short answer: From 1 July 2026, if your business provides a "designated service" (most legal work, conveyancing, accounting and tax agent services, real estate agency work, or dealing in precious metals and stones) you are now a reporting entity under Australia’s anti-money-laundering laws. In practice, ongoing compliance means five things: enrol with AUSTRAC, keep a single written AML/CTF program that assesses your risks, verify who your clients are (and screen them) before you act, watch for anything that doesn’t add up over the life of the relationship, and report the two things the law names, which are suspicious matters and large cash transactions. You keep the paperwork for seven years. That’s the core of it, and for most small operators it is a set of habits, not a second job.

Spend five minutes on LinkedIn this year and you’ll have seen the reaction. Real estate agents posting that "the government has just made me personally responsible for money laundering." Accountants asking who, exactly, is meant to run a compliance department in a two-person firm. Conveyancers who have never once said the words "beneficial ownership" wondering what they’ve been signed up for.

The concern is fair. Between 90,000 and 100,000 newly regulated firms across five industries, lawyers, conveyancers, accountants and tax agents, real estate agents, and dealers in precious metals and stones, have just become legally responsible for anti-money-laundering compliance. Many have no compliance background, no compliance staff, and no training. It is one of the biggest expansions of the regime since it began in 2006.

So let’s do the calm, practical thing. Here is what ongoing compliance actually involves, day to day, not as legal theory. It is not effortless. But it is manageable, and this article sets out why.

Am I Really a Reporting Entity, or Is This Only for Big Firms?

If you provide a designated service, you’re in, regardless of how small you are. Capture is by the service you provide, not your profession or your size. A sole conveyancer handling a settlement and a national law firm can both be caught by the same trigger.

We won’t relitigate the capture test here; that’s covered in detail elsewhere in this July series. The important point for this article is simple: once you are captured, the obligations described below apply to you the same way they apply to everyone else. The scale of your response should match the scale and risk of your work, but the framework is the same.

What Are the Core Obligations, in One List?

Ongoing AML compliance workflow for small practices
Here is the whole regime in plain terms. Everything else is detail hanging off these points:
  • Enrol with AUSTRAC. If you’re providing a designated service from 1 July 2026, the enrolment deadline is 29 July 2026.
  • Keep a single AML/CTF program. One written program: a risk assessment, plus the policies, procedures and controls that flow from it. The reforms replaced the old two-part structure with a single, integrated program, a change AUSTRAC sets out in its summary of changes for reporting entities.
  • Appoint an AML/CTF compliance officer. In a solo or small practice, that person can be you.
  • Do customer due diligence before you act. Verify identity, work out who really owns or controls the client where relevant, understand why they’re using your service, and screen against sanctions and politically-exposed-person lists.
  • Keep watching. Ongoing due diligence and transaction monitoring for the life of the relationship, not just at the start.
  • Report the two named things. Suspicious matters, and cash transactions of A$10,000 or more.
  • Keep records for seven years.
  • Lodge an annual compliance report to AUSTRAC.

That’s it. It looks like a lot written out, but most of it is a routine you build once and then follow.

Do I Need a Compliance Officer if It’s Just Me?

Yes, and it can be you. The law requires a reporting entity to appoint an AML/CTF compliance officer, but there is nothing stopping the owner of a small practice from holding that role themselves, as the government explains in its guidance on the changes to AML/CTF program requirements.

This is the point where a lot of the online anxiety lives, so it’s worth being blunt about it. "Compliance officer" sounds like a full-time salaried position with a corner office. In a small firm it isn’t. It’s a named accountable person: the person who makes sure the program exists, that your team follows it, and that reports go in when they need to. If you’re a sole trader, that’s you by default. The title describes a responsibility, not a headcount.

What matters is that the responsibility is real and someone owns it. What it doesn’t mean is that you personally need a criminology degree or a second staff member.

What Does “Ongoing” Customer Due Diligence Actually Mean?

It means you check who you’re dealing with before you act, and then you stay alert to changes while you act for them. Due diligence isn’t a one-off box you tick at onboarding.

Before you provide the service, you:
  • Verify the client’s identity using reliable, independent information.
  • Identify beneficial owners, the real people behind a company or trust, where that applies.
  • Understand the purpose of the relationship and the nature of the work.
  • Screen the client against sanctions lists and politically-exposed-person (PEP) lists.

Then, for the life of the relationship, you keep an eye out. If the money starts moving in a way that doesn’t fit what you were told, if the client’s story changes, if a transaction suddenly looks unusual for that kind of client, that’s when ongoing due diligence earns its place. You’re not auditing every client every week. You’re noticing when something stops making sense.

For most small practices, the practical version of this is: a solid onboarding check, sensible record-keeping, and a habit of pausing when your instinct says something is off.

When Do I Have to Report Something?

AML records retention and reporting process

There are exactly two reports the law asks you to make on the ground, plus your annual report. Here they are at a glance.

ReportWhat it coversThresholdWhen it’s due
Suspicious matter report (SMR)Any reasonable suspicion of money laundering, terrorism financing, or other serious offences connected to your serviceNo monetary threshold; suspicion is the triggerWithin 3 business days of forming the suspicion. 24 hours if you suspect terrorism financing. 5 business days where legal professional privilege is claimed
Threshold transaction report (TTR)Physical cash transactionsA$10,000 or more in cashWithin 10 business days of the transaction
Annual compliance reportA yearly report to AUSTRAC on your compliancen/aAnnually; confirm the current reporting period and due date with AUSTRAC
A few things worth underlining:
  • The SMR has no dollar figure. It’s about suspicion, not size. A $500 transaction can trigger an SMR if something about it is wrong; a $9 million transaction with a clear, legitimate explanation might not.
  • The TTR is only about cash. Bank transfers, cards and cheques don’t count; it’s physical currency of $10,000 or more. If a client pays partly in cash and the cash part hits the threshold, the cash part is reportable. AUSTRAC sets out the mechanics of both reports in its reporting guidance.
  • The annual report exists, but don’t diarise a hard date from this article. The reporting-period basis has been described inconsistently across commentary, so confirm the current period and first due date directly with AUSTRAC rather than relying on a third-party summary.

How Long Do I Keep Records?

Seven years. You retain the relevant records, identity checks, your program, transaction records, and reports you’ve made, for seven years.

The practical implication for a small operator is worth stating: this is a reason to keep your due-diligence records in a form you can actually find and export later, rather than scattered through email and physical folders. Seven years is a long time to reconstruct a paper trail from memory.

What Happens if I Get Something Wrong?

The honest answer, for a small business making a genuine effort, is: far less than the headline penalty numbers suggest. The maximum penalties are large: the AUSTRAC AML/CTF Act sets them at up to 100,000 penalty units (around $33 million) for a body corporate, and up to 20,000 penalty units (around $6.6 million) for an individual, per contravention. Those numbers exist to show that the regime has teeth for serious, deliberate wrongdoing. They are not the posture AUSTRAC has signalled towards the tens of thousands of small operators just entering the regime.

AUSTRAC’s CEO, Brendan Thomas, has been unusually plain about this. In a speech to real estate agency leaders he said the regulator is "not expecting perfection on day one," that what it expects is for businesses to take "reasonable steps" to understand the risks they face, and, in words worth keeping in mind on a stressful week, that AUSTRAC has "never penalised a small business for administrative mistakes, and we have no intention of starting now." Enforcement, he’s indicated, is aimed at those who wilfully ignore their obligations or make no meaningful effort to comply.

Read that carefully, because it reframes the whole task. The bar on day one is reasonable effort, not flawless execution. An honest small firm that has enrolled, written a sensible program, does its onboarding checks and reports when something looks wrong is squarely in the category AUSTRAC has said it is not chasing. The businesses at risk are the ones that do nothing.

That is not licence to ignore the rules; the obligations are real and they are law. But it should take the edge off the fear that a single missed field on a form will end your business. It won’t.

Your day-to-day, in plain terms

Strip away the acronyms and here is what ongoing compliance actually looks like in a working week for a small practice:
  • At onboarding, you check who your new client is, confirm their identity, screen them, and note down why they’re using you. For most clients this is quick and unremarkable.
  • During the matter, you carry on as normal, but you stay switched on. If something about the money, the instructions or the parties stops adding up, you pause and consider whether it needs reporting.
  • When something’s genuinely off, you lodge an SMR within the timeframe. This will be rare for most firms.
  • When cash of $10,000 or more changes hands, you lodge a TTR within 10 business days.
  • All the while, your records go somewhere organised and retrievable, and stay there for seven years.
  • Once a year, you lodge your annual compliance report.

For the overwhelming majority of small operators, the frequent part of that list is just the onboarding check and good record-keeping. The reporting parts are exceptions, not routine.

A starter checklist

If you want something to work through this week, start here:
  • Enrol with AUSTRAC (deadline 29 July 2026 if you’re providing a designated service from 1 July 2026).
  • Appoint your AML/CTF compliance officer, and name the person, even if it’s you.
  • Do a risk assessment of your business: who your clients are, the services you offer, the channels you use, the jurisdictions involved.
  • Write your single AML/CTF program, the policies and procedures that respond to that risk assessment.
  • Set up a client due-diligence process (identity verification, beneficial ownership where relevant, sanctions and PEP screening) that runs before you provide the service.
  • Decide how you’ll monitor ongoing relationships and how staff flag concerns.
  • Choose where records live so they’re retrievable and exportable for seven years.
  • Confirm your annual compliance report period and due date directly with AUSTRAC.
  • Train anyone else in the business on what to look for and what to do.

None of these is a compliance-department-sized project. Together they are a fortnight of setup and a set of habits afterwards.

Where the real difficulty sits, and how to make it smaller

Be honest with yourself about which part of this is actually hard. Enrolling is a form. Naming a compliance officer is a decision. Writing a program is a document you can build once. The part that recurs, the part that has to happen accurately for every client, forever, is the factual burden: verifying identity, checking beneficial ownership, screening against sanctions and PEP lists, and keeping a clean, exportable record of all of it.

That’s the piece that used to require a compliance team, and it’s the piece a small operator can’t realistically do well by hand at volume.

This is exactly the gap VeriEzi was built to fill: AUSTRAC-aligned identity verification and customer due diligence, PEP, sanctions and adverse-media screening, and a complete, exportable seven-year audit trail, set up quickly, without a compliance department and without heavy IT work. If you’re one of the tens of thousands of operators who’s just realised the factual burden lands on you, it’s a way to meet it day to day without turning your practice inside out. See how it works.

This article is general information only and is not legal or financial advice. AML/CTF obligations depend on your specific circumstances. Confirm your obligations and current deadlines with AUSTRAC or a qualified adviser.

Related Blogs

More insights from the same category: Compliance

AML Tranche 2 for Accountants and Tax Agents: Which of Your Services Actually Make You a Reporting EntityCompliance

July 2, 2026

AML Tranche 2 for Accountants and Tax Agents: Which of Your Services Actually Make You a Reporting Entity

Here is the practical split for accounting and tax practices. Treat it as a starting map, not a ruling on your specific facts.

Read More
AML/CTF for Real Estate Agents: What Agencies Must Have in Place by 1 July 2026Compliance

June 23, 2026

AML/CTF for Real Estate Agents: What Agencies Must Have in Place by 1 July 2026

Sales are captured; property management is not. Brokering the sale, purchase or transfer of real estate is the designated service. Leasing and property management fall outside the regime.

Read More
AML/CTF Compliance for Lawyers and Conveyancers: A Practical Guide to 1 July 2026Compliance

June 11, 2026

AML/CTF Compliance for Lawyers and Conveyancers: A Practical Guide to 1 July 2026

For the vast majority, this will be the first time anti-money laundering compliance applies to them.

Read More
You’re Now a Compliance Officer, Whether You Trained for It or Not: What Ongoing AML Actually InvolvesCompliance

July 6, 2026

You’re Now a Compliance Officer, Whether You Trained for It or Not: What Ongoing AML Actually Involves

So let’s do the calm, practical thing. Here is what ongoing compliance actually involves, day to day, not as legal theory. It is not effortless. But it is manageable, and this article sets out why.

Read More
Ready to Modernize Your VOI Process?