
AML and KYC Obligations for Australian Fund Managers: A Tranche 2 Guide


The biggest overhaul of Australia’s anti-money laundering and counter-terrorism financing regime in nearly two decades took effect on 31 March 2026. If you operate a wholesale fund — whether as trustee, investment manager, or both — the rules you were complying with on 30 March are not the rules you have to comply with now.

This guide explains what changed, who in your business is now personally accountable, and how to use the three-year transitional relief sensibly rather than paint yourself into a corner.

AUSTRAC has moved from a prescriptive, rules-based regime to an outcomes-based one. You must now design your AML/CTF program around the money laundering, terrorism financing and proliferation financing risks your fund actually faces — and a named senior manager must personally approve it.

What changed on 31 March 2026

The reforms are driven by a 2024 amendment to the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (the AML/CTF Act) and a new set of AML/CTF Rules made by the AUSTRAC CEO. They commenced for existing reporting entities on 31 March 2026 and will commence for newly regulated “Tranche 2” entities — lawyers, accountants, real estate agents and certain trust and company service providers — on 1 July 2026.

For wholesale fund managers, the five shifts that matter most are:

  • From rules to outcomes. The pre-reform regime told you what to do. The new regime tells you what to achieve and expects you to design controls proportionate to your actual risk. This sounds more flexible. In practice it puts the design burden on you.
  • A new risk type: proliferation financing (PF). ML and TF risk are now joined by PF risk — the financing of weapons proliferation, including dealings with sanctioned individuals, entities and countries. AUSTRAC has explicitly flagged the non-bank lending and private credit sectors as areas where PF risk has been migrating as larger banks tighten controls.
  • Senior manager approval. The ML/TF risk assessment, the AML/CTF program, and updates to either, now require approval by a named senior manager. This cannot be delegated. The same applies to onboarding certain high-risk customers, including foreign PEPs.
  • Trust customers redefined. Where a trust is a customer, the trust itself is now treated as the customer for CDD purposes — not the trustee. This is a structural change that many fund managers have not yet absorbed into their onboarding workflows.
  • Reporting groups replace designated business groups. A more flexible governance construct that allows centralised AML/CTF compliance across a group of related entities.

The reforms also introduce a three-year transitional period for initial customer due diligence (CDD), ending on 30 March 2029.

Are you a reporting entity?

You are a reporting entity if you provide one or more “designated services” listed in section 6 of the AML/CTF Act. For wholesale fund managers, the services most commonly captured are:

  • Issuing or selling an interest in a managed investment scheme. Operating an unregistered MIS for wholesale investors is a designated service.
  • Custody or holding of investor money or property.
  • Making a loan in the course of carrying on a loan business — particularly relevant to private credit funds and non-bank lenders.
  • Acting as trustee of certain structures where you are providing services that fall within the table.

The practical question for most wholesale fund managers is not whether a designated service is being provided, but who in the structure is providing it. In a typical trustee-services arrangement, the trustee carries the reporting entity obligations. The investment manager may also be a reporting entity in its own right if it provides separate designated services.

Being a “wholesale-only” fund does not exempt you from the AML/CTF Act. The sophistication of your investors is not a defence to AML/CTF obligations. If you provide a designated service, you are a reporting entity, full stop.

The four AML/CTF roles you must now separate

The reforms formalise four distinct roles inside a reporting entity. AUSTRAC expects each to be filled, documented, and to operate with appropriate separation.

| Role | Primary responsibility | Personal liability exposure |
|---|---|---|
| Governing Body (Board) | Oversight of the AML/CTF program and ML/TF/PF risk; appointment of senior managers and the AMLCO | Directors’ duties under s180 of the Corporations Act can be triggered by AML/CTF failures |
| Senior Manager(s) | Personal approval of the AML/CTF program, ML/TF risk assessment, high-risk customer onboarding (including foreign PEPs), and CDD reliance agreements | Officers’ duties under the Corporations Act |
| AML/CTF Compliance Officer (AMLCO) | Day-to-day supervision; annual compliance report to the Board; primary AUSTRAC point of contact | Generally at the corporate entity level unless the AMLCO is also an “officer” |
| Supporting Personnel | Customer monitoring, escalation, record-keeping | Generally at the corporate entity level |

Two points are worth dwelling on. First, senior manager approvals cannot be delegated. The senior manager is defined by influence rather than title. It must be a person with genuine decision-making authority over the relevant subject matter. A junior compliance manager carrying the title “Senior Manager — Compliance” will not satisfy the test if they don’t have the authority to approve the program.

Second, the AMLCO must be fit and proper. AUSTRAC expects competency, skills, knowledge, diligence and soundness of judgement. Existing reporting entities had until 30 May 2026 to notify AUSTRAC of the identity of their AMLCO; newly regulated Tranche 2 entities have until 29 July 2026.

The AMLCO can be an external resource — and for many boutique wholesale fund managers, this is the most efficient model. The AMLCO must, however, be at “management level” with real visibility into the business. Naming an external consultant who only meets you twice a year is not what AUSTRAC has in mind.

Customer due diligence: initial, ongoing, simplified, standard and enhanced

The CDD framework has two dimensions: timing (initial CDD and ongoing CDD) and intensity (simplified, standard and enhanced CDD), with the intensity calibrated to customer risk.

Initial CDD sits at the front end. The four core steps are:

  • Collect and verify information about the customer using your applicable customer identification procedure (ACIP).
  • Identify and verify any beneficial owner of the customer.
  • Identify whether the customer is a politically exposed person (PEP).
  • Obtain information on the nature and purpose of the intended business relationship.

Ongoing CDD sits behind every customer relationship for as long as it lasts. It has three working components: continuous transaction and behaviour monitoring; periodic file reviews calibrated to the customer’s risk rating; and trigger-based reviews when something changes.

Simplified, standard and enhanced CDD are intensity settings driven by your customer risk rating system. AUSTRAC expects three customer risk ratings: low, medium and high.

  • Low risk: Australian-resident customers, simple ownership and control, standard verification methods, no PEP or sanctions hits. Simplified CDD may be appropriate.
  • Medium risk: Multi-layered but not unduly complex structures; low-profile domestic PEPs; connections to medium-risk jurisdictions. Standard CDD applies.
  • High risk: Foreign PEPs; unusually complex or opaque control structures; ties to high-risk jurisdictions on the FATF or DFAT lists; unclear source of wealth or funds. Enhanced CDD applies, and senior manager approval is required to onboard.

Where a trust is your customer, the trust itself is now treated as the customer for CDD purposes — not the trustee. This means your KYC must capture the trust, its trustees, its beneficial owners (including beneficiaries where relevant), and the settlor or appointor where they exercise effective control. If your onboarding form still treats the trustee as the customer, it is out of date and needs to be rebuilt.

The transitional relief — Option 1 vs Option 2, and which one most managers should pick

The Anti-Money Laundering and Counter-Terrorism Financing Transitional Rules 2026 give existing reporting entities a three-year runway, ending on 30 March 2029, to move from their pre-reform applicable customer identification procedure (ACIP) to the new initial CDD obligations. You have two choices:

Option 1: Continue using your existing ACIP for new customer onboarding until you elect to switch (before 30 March 2029).

Option 2: Transition to the post-reform initial CDD procedures now.

The transitional relief applies only to initial CDD. The other elements of the reforms — outcomes-based program design, senior manager approval, the new tipping off offence, ongoing CDD, the new risk type — all applied from 31 March 2026 without any transitional carve-out.

Our view on which option to pick. For most wholesale fund managers, the right answer is to design your post-reform initial CDD framework now, switch to it as soon as it is operational, and not run two procedures in parallel for any longer than necessary. Running pre-reform ACIPs for new onboardings while everything else in your program is post-reform creates inconsistencies between the customer file you are building and the program you are running it under, and compounds migration risk at the 30 March 2029 deadline.

The cases where holding on Option 1 longer makes sense are narrow: where you have substantial in-flight onboardings under the pre-reform framework that you do not want to disrupt, or where you are mid-transition on an enterprise system upgrade that includes CDD.

Proliferation financing: the new risk type and why it matters for private credit and lending funds

Proliferation financing is the newest of the three risk types and the one most reporting entities are least equipped to address. In simple terms, PF is the making available of an asset, the provision of a financial service, or the conduct of a financial transaction that is intended to facilitate the proliferation of weapons of mass destruction — including dealings with sanctioned individuals, entities or countries.

For wholesale fund managers, PF risk tends to arrive through three channels:

  • Direct exposure to customers or counterparties in sectors of concern — aerospace, IT, advanced manufacturing, certain extractive industries, dual-use goods.
  • Indirect exposure through complex corporate structures that obscure the ultimate end-use of funds.
  • Sanctions evasion — proliferation actors often use methods that mirror traditional money laundering, making the two difficult to disentangle in practice.

AUSTRAC has been clear that as larger banks tighten their PF controls, there is migration into the non-bank lending and private credit sectors. Smaller lenders are seen as more attractive because of weaker CDD processes, lower awareness of PF as a distinct risk type, and an absence of risk-based screening tailored to PF indicators.

If you operate a private credit fund or a lending business, PF is a risk type that needs explicit treatment in your ML/TF risk assessment — not just a rolled-up reference to “financial crime risk”. If your risk assessment was last updated before March 2026 and does not separately identify and assess PF risk factors, it is no longer fit for purpose.

The AML/CTF program: what must be documented and senior-manager-approved

Your AML/CTF program is no longer a single document. AUSTRAC expects five components, all documented, all internally coherent, and all sitting under appropriate governance:

  • ML/TF/PF risk assessment. A documented, methodical identification and assessment of the risk factors relevant to your business — customer base, products, delivery channels, and geographic exposure.
  • Policies. Setting out how you will manage the risks identified.
  • Procedures. Operationalising the policies into things people do.
  • Systems. The technology and infrastructure that support compliance — screening tools, transaction monitoring, record-keeping.
  • Controls. The internal control framework — segregation of duties, four-eyes checks, escalation pathways.

The ML/TF/PF risk assessment must be reviewed at least once every three years, and updated on a trigger basis whenever something changes — a new product, a new customer type, a change in regulatory guidance, a material change in your business or its risk profile.

Senior manager approval is required for the risk assessment, the program as a whole, and any material updates. Document who approved, when, and the reasoning behind the approval. An unexplained sign-off is not what AUSTRAC will accept under examination.

The Board must receive a regular compliance report from the AMLCO at least once every 12 months.

Tipping off, suspicious matter reports and the new criminal offence

The tipping-off provisions have been reformed in two directions at once: more permitted disclosures (genuinely useful, particularly for internal risk management and legal advice), and a sharper criminal offence.

Permitted disclosures now expressly include:

  • Internal disclosures to staff and senior management for risk-management purposes.
  • Seeking legal advice (with appropriate controls in place).
  • Customer due diligence work before the SMR obligation has been triggered.
  • Information about notices given to the reporting entity under sections 49 and 49B of the AML/CTF Act.

The new offence: disclosing information that would or could reasonably be expected to prejudice an investigation. Maximum penalty: 2 years’ imprisonment or 120 penalty units, or both. Examples of what counts as prejudice: alerting a customer that an SMR has been filed; hinting that their transactions are under review; disclosing AUSTRAC notices or compliance action.

On suspicious matter reports: a new SMR form (with expanded data fields) is being introduced. From 1 July 2026 to 30 March 2029, reporting entities can submit SMRs using either the existing form or the new form. After 30 March 2029, the new form is mandatory.

What this looks like in practice: three worked examples

Example 1 — A boutique private credit fund using a professional trustee

A wholesale private credit fund (~$120m AUM) sits in a unit trust structure with a professional trustee. The investment manager is the credit specialist; the trustee provides trustee services and holds the AFSL. Lending is to mid-market commercial borrowers.

The trustee is the reporting entity for the issuing-of-interests designated service. PF risk is non-trivial: borrowers in IT, manufacturing and extractives need a clear PF lens applied during credit assessment, not just an AML one. A senior manager at the trustee approves the ML/TF risk assessment and program. The AMLCO runs ongoing compliance and reports to the trustee’s board annually.

Example 2 — A self-trustee wholesale equity fund

A wholesale Australian equities fund (~$60m AUM) where the manager is the trustee. Single director-shareholder, all-Australian investor base, no PEPs.

The manager is the reporting entity. It cannot delegate the senior manager and AMLCO roles to anyone outside the entity, though it can outsource the AMLCO function. Most customers will fall into simplified or standard CDD. The same person cannot wear all four governance hats at once.

Example 3 — A fintech lender operating under an Australian Credit Licence

A non-bank consumer lender with a $200m loan book, online origination and a broad demographic spread. Heavy ongoing CDD load — transaction monitoring and behavioural patterning matter more here than in a typical fund context. PF risk is lower than in private credit but money laundering and structuring risks are higher. The AMLCO role is full-time, often internal.

Common mistakes wholesale fund managers are making under the new regime

  • Treating the program as a refresh, not a redesign. Many managers have taken their pre-reform program, pasted in references to PF risk, and called it compliant. An outcomes-based regime requires you to demonstrate that your design was driven by your risk assessment — not retrofitted to it.
  • Under-resourcing the AMLCO. Naming an external consultant who has no real visibility into your business and meets you twice a year does not meet AUSTRAC’s expectation of a fit and proper, management-level compliance officer.
  • Ignoring proliferation financing. PF is the area where almost every program we review needs more work. A single paragraph that says “we consider PF risk” is not an assessment.
  • Missing the senior manager approval trail. Sign-offs are often verbal, or signed by someone who turns out not to have the relevant authority. AUSTRAC will look at the substance.
  • Outsourcing without ownership. Reporting entities cannot treat AML/CTF as set-and-forget, regardless of who they have outsourced functions to.
  • Letting the risk assessment go stale. A three-year review cycle is a minimum, not a target. If your products, customer base, lending sectors or geographic footprint shift, you need to update.

AUSTRAC’s findings are increasingly used by ASIC and APRA to question directors’ conduct. ASIC has pursued directors under section 180 of the Corporations Act — the duty of care and diligence — in connection with AML/CTF failures at the entity level. AML/CTF is no longer just an entity-level compliance issue; it is a director-level governance one.

Your next 90 days: a sequenced readiness plan

If you are not confident your program is reform-ready, work through the following sequence:

  1. Confirm your reporting entity status and designated services.
  2. Notify or confirm your AMLCO with AUSTRAC. Existing entities should have done this by 30 May 2026; Tranche 2 entities by 29 July 2026.
  3. Appoint senior manager(s). Document who they are, what they are authorised to approve, and why they qualify.
  4. Refresh your ML/TF/PF risk assessment. Explicit treatment of PF risk; documented methodology; senior manager approval.
  5. Rebuild or uplift your AML/CTF program. Five components — risk assessment, policies, procedures, systems, controls — internally coherent.
  6. Decide your CDD transition path. Option 1 or Option 2; if Option 1, set your switch date and plan toward it.
  7. Calibrate your CDD intensity framework. Low/medium/high customer risk rating; clear triggers for re-rating; clear escalation pathways to the AMLCO.
  8. Run a tipping-off training session for relevant personnel. The new criminal offence is narrower in scope but sharper in consequence.
  9. Schedule the Board’s annual compliance report from the AMLCO.
  10. Diarise your three-year independent review.

Frequently asked questions

Do I need my own AMLCO, or can it be outsourced?

It can be outsourced. The AMLCO must be a fit and proper person operating at management level, with sufficient visibility into the business to discharge the role effectively. For many boutique wholesale fund managers, an outsourced AMLCO is the most efficient model — provided the engagement is substantive, not nominal.

Does this apply if my fund only has sophisticated or wholesale investors?

Yes. The sophistication of your investors does not exempt you from the AML/CTF Act. The question is whether you provide a designated service, not who you provide it to.

What is the penalty for non-compliance?

Civil penalties under the AML/CTF Act are substantial — recent cases have resulted in settlements ranging from $67 million (SkyCity, 2024) to $450 million (Crown, 2023) to $700 million (CBA, 2018) and $1.3 billion (Westpac, 2020). Beyond civil penalties, AML/CTF failures can also trigger directors’ duties claims under the Corporations Act and increased scrutiny from ASIC and APRA.

My program was independently reviewed in 2024. Does that still count?

Probably not, at least not fully. The reforms have changed enough that a pre-reform review cannot validate a post-reform program. You should diarise a fresh independent review aligned to the new requirements.

What if I’m a Tranche 2 entity (lawyer, accountant) advising fund managers?

Your obligations under the reforms commence on 1 July 2026. If you advise fund manager clients on structure, licensing or compliance, you should also be thinking through which of your own services to those clients are designated services that bring you into the regime.

Where FundPro fits

FundPro provides trustee, incidental custody, registry and accounting services to wholesale fund managers across Australia. For most managers, the practical answer to “how do we deal with the 2026 AML/CTF reforms” is to use a trustee whose program, senior manager arrangements and AMLCO are already reform-ready — which means the bulk of these obligations sit with us, not you.

If you would like to talk through how your current setup measures up against the new regime, book a scoping conversation with the FundPro team. We will work through your structure, identify the gaps that need closing before AUSTRAC’s transitional windows close, and give you a clear view of where the obligations sit.

This article is general information only. It does not constitute legal, financial or tax advice and should not be relied on as such. Fund managers should obtain advice tailored to their specific circumstances.