When LAB Group launched its free AML/CTF Consultant Chatbot in October 2025, Australia's reform landscape was still taking shape. The AML/CTF Amendment Act 2024 had passed, key dates were set, and AUSTRAC had published its initial wave of guidance. But much remained to be clarified.

The picture has filled in considerably since then. AUSTRAC has released sector-specific tools, transitional rules have been drafted, privacy obligations have been detailed, and Parliament has considered further reforms. The chatbot's knowledge base has been updated continuously to keep pace.

This article covers what has changed, surfaces the most common questions organisations and practitioners are bringing to the chatbot, and explains where the important nuances sit.

What AUSTRAC has released since the reforms commenced

The AML/CTF Amendment Act 2024 passed on 29 November 2024, setting the framework for Australia's most significant financial crime reform in nearly two decades. With commencement dates of 31 March 2026 for current reporting entities and 1 July 2026 for Tranche 2 entities, AUSTRAC has progressively published guidance, tools, and rules to help industry prepare. Here is what has been released.

January 2026: Sector-specific Program Starter Kits

On 30 January 2026, AUSTRAC released Program Starter Kits for five Tranche 2 sectors: lawyers, accountants, real estate agents, conveyancers, and dealers in precious metals, stones and products.

Each kit follows a three-step structure: customise the kit for your business, use your program in day-to-day operations, and maintain and review it over time. The kits are designed to help smaller businesses build a compliant AML/CTF program without specialist compliance resources.

Entities can use the Starter Kit as a base or develop their own program from scratch. What matters is that the program is complete, documented, and genuinely in use by 1 July 2026.

Building on the Starter Kits, LAB Group launched its AML/CTF Program Wizard in March 2026: a free guided tool that helps Tranche 2 entities understand their AUSTRAC obligations and generate a tailored AML/CTF program before the 1 July deadline.

February 2026: The Transitional Rules Exposure Draft

In February 2026, AUSTRAC released an exposure draft of the transitional rules, with public consultation closing on 20 February. This document clarified a provision that had generated significant industry interest: a three-year transition for initial customer due diligence on existing customers.

Here is the key detail that is frequently misunderstood.

Current reporting entities (Tranche 1) have until 30 March 2029 to re-collect and re-verify CDD for customers already held under the previous regime. During this transition, entities can either continue with their existing applicable customer identification procedures (ACIP) or transition to the reformed initial CDD obligations. Whichever method they choose, they must apply it consistently across all customers and customer types until they formally switch.

What does not have a transition period is ongoing CDD. From 31 March 2026, all current reporting entities must implement ongoing CDD as required by the reformed Act. There is no three-year window here, and this is not a minor distinction.

The transitional rules also covered:

• Compliance officer notification deadlines: existing reporting entities must notify AUSTRAC of their AML/CTF Compliance Officer by 30 May 2026. Tranche 2 entities and newly regulated virtual asset service providers have until 29 July 2026.
• Independent evaluations: Tranche 2 entities are not required to complete their first independent evaluation before 1 July 2029. Deadlines are staggered based on each entity's AUSTRAC account number to avoid sector-wide bottlenecks.
• Registration roll-over: existing digital currency exchange providers do not need to re-register as virtual asset service providers.

March 2026: Multiple instruments and the 31 March commencement

March brought the commencement of reformed obligations for all current reporting entities, alongside a series of additional instruments and guidance.

Two amendment rules instruments were registered by AUSTRAC:

• The Anti-Money Laundering and Counter-Terrorism Financing (2025 Rules) Amendment Rules 2026, covering the opt-out model for reporting groups and an extended travel rule exemption for certain low-value virtual asset transfers.
• The Anti-Money Laundering and Counter-Terrorism Financing (Class Exemptions and Other Matters) Amendment Rules 2026, covering revised class exemptions for gift card issuers, barristers, clearing and settlement operators, and legal assistance providers.

On 12 March 2026, the AML/CTF Amendment Bill 2026 was introduced to Parliament. Key provisions include new powers for the AUSTRAC CEO to restrict or prohibit high-risk designated services and products. The Bill had not yet passed as of April 2026.

On 23 March 2026, DFAT's Australian Sanctions Office released sector-specific guidance notes for lawyers, accountants, and real estate professionals, covering sanctions risks specific to each sector, targeted financial sanctions obligations from 1 July 2026, and red flag indicators and case studies by sector. Also from 31 March 2026, targeted financial sanctions screening requirements are formally embedded in the AML/CTF Rules rather than maintained as a separate parallel regime.

The privacy changes practitioners are actually asking about

The most common topic in chatbot sessions since March 2026 has been privacy: specifically, how the OAIC's updated guidance intersects with AML/CTF obligations. This is not surprising. The requirements are substantive, they apply from 31 March 2026, and they affect day-to-day operations in ways many compliance teams had not fully anticipated.

The document storage rule

From 31 March 2026, entities must not retain full copies of identity documents. Scanned copies, photocopies, and photos of passports, driver licences, Medicare cards or birth certificates may not be kept.

Instead, entities should record only the specific extracted fields required for AML/CTF purposes:

• Full name as it appears on the document
• Date of birth
• Residential address
• Document type and document number
• Expiry date
• The verification method used
• The outcome of the customer identification and ML/TF risk assessment

Retaining only these extracted fields satisfies both the AML/CTF record-keeping requirement and the Privacy Act's data minimisation principles simultaneously.

For identity documents collected before 31 March 2026, a different rule applies. Those copies are treated as authorised AML/CTF records and must be retained for seven years from the end of the customer relationship or last transaction. After that point, they must be destroyed or de-identified.

If systems are still transitioning, entities must document a plan explaining the delay, set timeframes for system updates, ensure senior management oversight, and place existing copies "beyond use" in the interim. "Beyond use" means the data cannot be accessed or disclosed, is protected by appropriate security, and will be destroyed once systems allow.

The small business exemption

A question that has come up repeatedly: does the Privacy Act small business exemption apply?

The answer is no. All reporting entities and authorised agents handling personal information for AML/CTF purposes must comply with the Australian Privacy Principles, regardless of annual turnover. The $3 million small business exemption does not apply where information is handled for AML/CTF obligations. This applies to current reporting entities now, and to Tranche 2 entities from 1 July 2026.

For sole traders and micro businesses in legal, accounting, and real estate: this is a new obligation, not a technicality that can be set aside.

April 2026: APP-by-APP guidance from the OAIC

In April 2026, the OAIC expanded its privacy guidance substantially. The updated document provides detailed practical guidance for each relevant Australian Privacy Principle (APPs 1, 3, 5, 6, 8, 10, 11, 12 and 13), including:

• Data minimisation worked examples for law firms, accountants, and real estate agents
• A privacy collection notice template
• A third-party provider due diligence checklist
• Guidance on how the Notifiable Data Breaches scheme interacts with AML/CTF tipping-off secrecy provisions
• An update on the Australian Government Digital ID System, which is expected to expand to private sector accreditation by December 2026

The OAIC has confirmed a proportionate, risk-based regulatory approach for entities transitioning to these requirements. Good-faith effort to comply is a material factor in how the OAIC exercises its regulatory powers. That said, having no plan at all is not a defensible position.

What reporting entities in Tranche 2 sectors are asking

Real estate agents are asking about their ML/TF risk assessment obligations: specifically, how to assess customer risk (particularly for overseas buyers and cash purchasers), how to evaluate delivery channel risk, and how to document a customer risk rating framework. The sector carries inherently high ML/TF risk and AUSTRAC's expectations reflect that.

A specific question that has come through the chatbot: when exactly must CDD be conducted on buyers and sellers? AUSTRAC's guidance draws a clear distinction. CDD on the vendor is required when the agent is engaged to provide the brokering service, typically at the point the agency agreement is executed. CDD on the buyer is required on the successful buyer at contract exchange, not on every prospective buyer who attends an inspection or open home. For auction sales, the obligation triggers when the hammer falls and the buyer is identified.

On timing for buyers, the delayed initial CDD provisions are relevant. While CDD collection should occur at or around contract exchange, agents may delay the verification of that information provided the ML/TF risk is assessed as low. The critical rule is that verification must be completed before money or property changes hands, which in practice means before settlement. In a standard residential transaction, the exchange-to-settlement period (typically 30 to 90 days) gives agents a workable window to complete buyer verification without disrupting the transaction. Higher-risk transactions, such as those involving overseas buyers, cash purchases, or complex ownership structures, should not rely on delayed verification.

Lawyers and accountants are asking about the scope of their Tranche 2 obligations: which services are designated, where legal professional privilege applies, and how to structure a program. Sanctions compliance is an emerging question for both sectors, given the DFAT guidance released in March.

Across all sectors, privacy questions dominate. The intersection of AML/CTF obligations and the Privacy Act is where most uncertainty sits. Two distinct regulatory frameworks must now be met simultaneously, and the OAIC's expanded April guidance makes clear that the expectations are substantive, not aspirational.

Key dates still ahead

• 30 May 2026: Compliance officer notification deadline for existing reporting entities
• 1 July 2026: AML/CTF and Privacy Act obligations commence for Tranche 2 entities
• 29 July 2026: Compliance officer notification deadline for Tranche 2 entities
• December 2026: Australian Government Digital ID System expected to expand to private sector accreditation
• 30 March 2029: Deadline for existing reporting entities to complete re-collection of initial CDD for pre-commencement customers

Staying ahead with LAB Group

LAB Group's AML/CTF Consultant Chatbot is available free at labgroup.com.au. The knowledge base is continuously updated as new guidance, rules, and sector-specific material is published across AUSTRAC, the OAIC, DFAT, FATF, and other relevant regulatory and government bodies, including developments in areas such as digital identity that intersect with AML/CTF compliance. The result is a resource that reflects the current state of the reform as it stands, not a fixed point in time.

If you are a lawyer, accountant, real estate agent, or conveyancer working through your obligations before 1 July 2026, the chatbot can answer specific questions about your sector, your customer types, and your program requirements.

Beyond the chatbot, LAB Group's platform continuously evolves to meet the changing technology requirements of the AML/CTF regime. Changes across AUSTRAC, the OAIC, DFAT, FATF, and other regulatory and government bodies are monitored and reflected in LAB Group's verification workflows, CDD data collection, and compliance infrastructure. This is informed by direct experience delivering the technology that supports AML/CTF program implementation for leading Australian financial institutions, ongoing regulatory and industry monitoring, and customer feedback from entities navigating the reforms in practice. The platform adapts so your compliance technology does not fall behind as the regulatory environment changes.

For implementation questions, product demos, or to understand how LAB Group can support your AML/CTF obligations, contact the team.