Beyond compliance: What effective AML really means

Two critical dates are approaching for Australian reporting entities: 31 March 2026 for enrolment and reforms for existing entities, and 1 July 2026 when Tranche 2 obligations take effect. 

AUSTRAC doesn’t expect perfection by these deadlines, but they do expect you to have a programme in place and be actively implementing it. 

AUSTRAC has released comprehensive guidance centralised under the ‘Reforms’ menu on AUSTRAC’s website. Tranche 2 entities should start with the starter kits designed specifically for each business type. 

Here’s what’s critical: you’re building a programme that suits your business, assesses your specific risks, and puts policies in place that work for you. This isn’t about copying templates or mimicking apparently similar businesses. We’ve heard stories of documentation that includes another reporting entity’s name—don’t fall into that trap. Your programme needs to reflect your business’s actual risk profile. 

The reforms section on AUSTRAC’s website includes extensive information for existing reporting entities. Assess which changes are relevant to your business and what you need to do about them. 

What matters most is AUSTRAC’s shift towards programmes that are effective, risk-based, and outcomes-focused, in addition to being compliant. 

Outcomes-focused: Your programme should prevent, detect, and report financial crimes rather than just ticking compliance boxes. The real measure is whether you’re actually helping to stop crime. 

Risk-based: Focus resources on higher risks. Not all risks deserve equal attention. 

Effective: You need appropriate controls that actually prevent or detect risks, and you must continually tune them to maintain effectiveness. Having controls in place isn’t enough if they’re not producing results. 

The upcoming FATF mutual evaluation will assess technical compliance and effectiveness separately, highlighting this distinction. 

An effective programme ultimately aims to send reports to AUSTRAC that help create intelligence for law enforcement. 

From a transaction monitoring perspective, this means having rules that cover your risks, particularly your higher risks. Let’s use cash transactions as an example. 

It’s easy to implement basic rules and claim they cover your risks. But what are those rules actually uncovering? 

The tuning challenge: If thresholds are too low, you swamp your team with noise and analysts become complacent. Too high and you miss genuine threats. Treating all customers equally fails to address expected differences between individuals and businesses, or high-wealth and low-wealth customers. 

Tune in two ways: First, reduce unnecessary alerts to give analysts more time per alert. Second, uncover more reportable cases so your team focuses on what matters. 

When you detect something reportable, report it promptly. Quick reporting enables AUSTRAC and other agencies to act sooner, reducing the harm caused by these crimes. 

Checking the three values: 

Risk-based: Cash monitoring is proportionate if cash is high-risk for your business. Segment based on actual risk—business customers might warrant different rules than personal customers. 

Effective: You’re picking up transactions that need reporting without excessive noise, and you’re actively tuning rules as you learn. 

Outcomes-focused: You’re reporting promptly to help prevent further crimes. The test is whether your work stops financial crime, not just satisfies compliance. 

The analyst question: When your rule raises an alert, do your analysts know how to investigate it effectively? Do they have the knowledge, skills, and time to do the job properly, or are they rushing through without proper consideration? 

Compliance is important—you need policies, processes, and procedures to detect and report money laundering, terrorism financing, and proliferation financing. But compliance isn’t enough. Your programme must produce the right outcomes: 

• Meet deadlines with genuine progress: AUSTRAC expects implementation underway, not perfection 

• Build your own programme: Use guidance to create one that reflects your actual risks, not copied templates 

• Focus on effectiveness: Ask whether your controls actually prevent and detect financial crime 

• Tune continuously: Rules and processes should evolve as you learn what works 

• Invest in your team: Ensure analysts have the knowledge, skills, and time to investigate properly 

The reforms are an opportunity to build programmes that genuinely protect our communities. 

 This blog is based on the February 2026 episode of ThirdEye View, hosted by Jing Zhang, Business Development Manager, and Colin Dixon, CAMS-certified AML Solutions Specialist at ThirdEye. Colin has been with ThirdEye since its inception in 2012 and works closely with clients to help them maximise their platform capabilities.