The Anti‑Money Laundering and Counter‑Terrorism Financing Amendment Bill 2026 adds a new Part 6B to the AML/CTF Act that authorises the AUSTRAC CEO, by legislative instrument, to restrict or prohibit reporting entities from using identified "high‑risk" products, services, delivery channels or other mechanisms to provide designated services. The instrument must be justified by a public‑interest test about harm to the financial system or Australian community, is subject to a 30‑day consultation rule in ordinary cases, and has tight maximum durations; breaches attract both civil penalties and a criminal offence carrying up to 4 years’ imprisonment or 1,000 penalty units.
The Bill also amends definitions and operational duties across the AML/CTF regime: it expands the statutory scope of financing of terrorism to include prescribed sanctions offences, tightens customer due diligence (including the standard for ongoing doubt and triggers for enhanced checks), broadens the definitions of politically exposed persons, clarifies who must provide enrolment and registrable details and when, and expressly adds documents to AUSTRAC’s information‑gathering powers. Collectively these changes increase AUSTRAC’s capacity for targeted interventions and raise new compliance and legal‑risk considerations for reporting entities, legal advisers and entities handling cross‑border value transfers.
At a Glance
What It Does
It authorises the AUSTRAC CEO to make legislative instruments that restrict or prohibit reporting entities' use of specified 'high‑risk' mechanisms for providing designated services, sets consultation and duration rules for those instruments, and creates criminal and civil penalties for breaches. It also updates the AML/CTF Act across PEP definitions, customer due diligence standards, document‑production obligations and the statutory definition of financing of terrorism to capture prescribed sanctions offences.
Who It Affects
Reporting entities regulated under the AML/CTF Act (banks, payment providers, remittance networks, virtual asset service providers, and other designated service providers), legal practitioners involved in privilege claims, and entities subject to AUSTRAC registration or notification obligations. State/territory agencies and regulated industries affected by overlapping regulation are included when instruments touch on matters they regulate.
Why It Matters
The Bill gives AUSTRAC a direct, instrument‑making tool to shut down or constrain specific means of transacting that it deems to pose significant systemic or community harm, rather than relying solely on case‑by‑case enforcement. That targeted power, paired with expanded information‑gathering, criminalisation of offers to use prohibited mechanisms, and broadened PEP rules, materially raises compliance stakes and legal exposure for affected organisations.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
Schedule 1 creates a standalone Part 6B empowering the AUSTRAC CEO to issue legislative instruments that restrict or prohibit reporting entities from using particular "high‑risk" products, services, delivery channels or other mechanisms to provide designated services. The CEO must be satisfied that using the mechanism has caused or is likely to cause significant harm to the financial system or the Australian community and that the restriction or prohibition is necessary in the public interest.
The Bill requires the CEO to consider a short list of factors — the nature and extent of harm, the likely effect of a restriction, and the availability of alternatives — but otherwise leaves the scope of the public‑interest assessment broad.
The instrument process has built‑in procedural constraints. The CEO must consult persons reasonably likely to be affected and relevant Commonwealth, state or territory agencies for at least 30 days unless the CEO is satisfied that urgent or exceptional circumstances justify bypassing consultation.
Instruments must specify a duration; where consultation occurred the maximum period is three years, and where no consultation occurred the instrument may run for no more than six months. The CEO can extend an existing instrument by a further legislative instrument, but must again satisfy the statutory tests and undertake consultation before extending.The Bill makes breach of an instrument both a civil penalty and a criminal offence with a maximum penalty of 4 years’ imprisonment or 1,000 penalty units, or both.
It applies strict liability to the factual elements that an entity engaged in conduct and that the conduct breached the restriction; it also creates a separate offence of offering to use a prohibited mechanism. These new penalties are integrated into the Act’s enforcement and designated‑offence framework.Beyond Part 6B, the Bill tightens operational aspects of the AML/CTF regime.
It amends the financing‑of‑terrorism definition to permit regulations to treat certain offences under the Charter of the United Nations Act 1945 and the Autonomous Sanctions Act 2011 as terrorism financing offences. It raises the bar for ongoing customer due diligence to a "reasonable grounds to doubt" standard, updates triggers for enhanced due diligence (including clearer foreign PEP thresholds tied to where the designated service is provided and the concept of a permanent establishment), expands the statutory definitions of Australian and non‑Australian PEPs to include a longer list of offices and close family/business associates, and adjusts the timing and form requirements for enrolment and registrable details, including explicit rules for document production under the AML/CTF Rules.Other technical changes include clarifying the mechanics of asserting legal professional privilege in response to AUSTRAC notices (altering who must provide notices and who may seek civil penalty orders), enabling the AML/CTF Rules to specify when value is treated as being in Australia or abroad for international value transfers, and systematically adding "documents" to AUSTRAC’s information‑gathering powers.
Those amendments shift both the evidentiary and administrative burdens on reporting entities, and may intersect with privacy, cross‑border data and legal‑privilege considerations in practice.
The Five Things You Need to Know
The AUSTRAC CEO may, by legislative instrument, restrict or prohibit reporting entities from using identified "high‑risk mechanisms" to provide designated services if satisfied the use causes or is likely to cause significant harm and the restriction is in the public interest.
Instruments must specify a duration: up to 3 years if the CEO consulted for at least 30 days, or up to 6 months where consultation was bypassed; extensions are possible but require further satisfaction of the statutory tests and fresh consultation.
Breaching a restriction or offering to use a prohibited mechanism is both a civil penalty and a criminal offence carrying a maximum penalty of 4 years imprisonment or 1,000 penalty units, with strict liability applying to elements that a person engaged in the conduct and that the conduct breached the instrument.
The definition of financing of terrorism is expanded to allow regulations to treat prescribed offences under the Charter of the United Nations Act 1945 and the Autonomous Sanctions Act 2011 as terrorism financing, bringing certain sanctions breaches into the AML/CTF framework when prescribed.
Customer due diligence and PEP rules are tightened: ongoing DDU uses a "reasonable grounds to doubt" test, enhanced checks are triggered by foreign PEP status linked to the place of service or permanent establishment, and 'politically exposed person' definitions are broadened to include specified offices, family members and close business relations.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
AUSTRAC power to restrict or prohibit 'high‑risk' mechanisms
This new Part authorises the AUSTRAC CEO to identify particular products, services, delivery channels or 'things' as high risk and then, by legislative instrument, impose restrictions or prohibitions on reporting entities’ use of them for designated services. The provision structures the power: a public‑interest test (harm to the financial system or community), required considerations for that test, mandatory consultation in ordinary cases, instrument duration limits, and express offences and civil penalties for breaches and offers to breach. Practically, regulated entities will face a fast, targeted regulatory tool able to limit transaction flows (by value, volume, method or destination) or impose reporting/mitigation obligations specific to a mechanism.
Consultation, urgency exceptions and time limits
The CEO must consult persons likely to be affected and relevant government agencies for at least 30 days before making an instrument, but may skip consultation where 'exceptional or urgent' circumstances exist. Instruments made after consultation can run for up to three years; those made without consultation are capped at six months. Extensions require the CEO to re‑satisfy the statutory tests and again consult, giving a degree of periodic review but also enabling temporary emergency action with a short shelf life.
Civil and criminal liability, strict liability to facts
The Bill creates overlapping enforcement paths: a civil penalty provision that makes contravening an instrument subject to regulatory fines and a criminal offence carrying imprisonment or substantial monetary penalties. The text applies strict liability to the factual elements that a person engaged in conduct and that the conduct breached the restriction (paragraphs (b) and (c) of the offences). It also criminalises offering to use a prohibited mechanism, which extends culpability to business development and marketing conduct that would facilitate prohibited activity.
Financing of terrorism expanded to include prescribed sanctions offences
The Bill amends the statutory definition of 'financing of terrorism' so that regulations may treat specified offences under the Charter of the United Nations Act 1945 and contraventions under the Autonomous Sanctions Act 2011 as terrorism financing offences. That change links sanctions contraventions and certain UN Charter offences more directly into AML/CTF reporting and prohibition obligations where regulations make the prescription.
Higher DDU standard and clearer EDD triggers
The Bill replaces 'has doubts about' with the higher 'reasonable grounds to doubt' wording for ongoing due diligence, and reworks enhanced due diligence triggers so that foreign PEP status is defined with reference to where the service is provided (including permanent establishment rules). The amendments are phased to apply to designated services commenced after each item’s commencement or to relationships regardless of start date where specified, producing mixed transitional effects.
Expanded PEP definitions and permanent‑establishment approach
The Bill inserts detailed definitions for 'Australian' and 'non‑Australian' PEPs, lists specific offices and positions to be treated as PEPs, and captures family members and close business relations. It ties whether a PEP is 'domestic' or 'foreign' to the location of the permanent establishment through which a service is provided, which shifts how multinational reporting entities classify customers and triggers enhanced scrutiny in cross‑border contexts.
Privilege mechanics, enrolment/registrable detail rules and document powers
The Bill clarifies who must provide notices and who may seek civil penalty orders where legal professional privilege is claimed in response to AUSTRAC notices, and expands timing and form rules for enrolment and registrable details (including 14‑day windows for changes). It lets the AML/CTF Rules define when value is treated as being in Australia for international transfers and systematically adds 'documents' to AUSTRAC’s existing information‑gathering powers and to the material reporting entities must supply, with civil penalties for non‑compliance.
This bill is one of many.
Codify tracks hundreds of bills on Finance across all five countries.
Explore Finance in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- AUSTRAC and the AUSTRAC CEO — gains a direct, instrument‑making tool to target and quickly disrupt specific mechanisms used to launder money or finance terrorism, plus broader information and document powers to support enforcement.
- Consumers and the Australian community — potentially benefit from faster, mechanism‑specific interventions that can stop risky channels (for example, anonymous value transfer methods) before harms become systemic.
- Compliant reporting entities with strong AML/CTF controls — stand to benefit relatively, because targeted prohibitions and mandated mitigation practices can raise the barrier to entry for non‑compliant competitors and clarify prohibited modes of operation.
Who Bears the Cost
- Reporting entities (banks, payment and remittance providers, VASPs) — face new compliance costs to monitor instrument lists, adapt product/service delivery, implement mitigation practices, and respond to information/document requests under new timelines.
- Legal practitioners and clients asserting privilege — face procedural change that could complicate responses to AUSTRAC notices and expose recipients to civil penalty proceedings initiated by issuers or AUSTRAC.
- Small remittance networks and niche payment providers — may be disproportionately affected by short‑term prohibitions (six‑month emergency instruments) and the costs of alternative routing or compliance upgrades, potentially forcing market exits.
- State and territory regulators — may need to engage with AUSTRAC instruments where those instruments touch matters they regulate, creating coordination burdens and the prospect of overlapping or inconsistent regimes.
Key Issues
The Core Tension
The Bill trades off regulatory agility and the ability to shut down emergent, mechanism‑specific risks (by giving AUSTRAC instrument power, short emergency durations and strict enforcement) against legal certainty, proportionality and the administrative burden on regulated entities; it asks whether the state should accept heavier preventive intervention and strict liability to stop harm quickly, even though those tools raise risks of overreach, market disruption, and disputes over ambiguous 'high‑risk' designations.
The Bill concentrates powerful, targeted regulatory authority in the AUSTRAC CEO and relies on legislative instruments rather than full parliamentary amendments to impose restrictions. While the statutory test requires consideration of public interest factors, the definitions of 'high‑risk mechanism' and 'significant harm' are open‑ended and will be fleshed out in practice by AUSTRAC’s choices.
That open texture is useful for flexibility but risks creating regulatory uncertainty for providers trying to design compliant products. The power to bypass the 30‑day consultation route in 'exceptional or urgent' cases is appropriate for emergencies, but its undefined scope may invite legal challenge or conservative practice by providers who fear criminal exposure.
The criminalisation of mere offers to use a prohibited mechanism, combined with strict liability for factual elements of breach, tilts the regime toward enforcement certainty at the expense of fault‑based nuance. Strict liability makes compliance failure more likely to attract criminal exposure for complex transactions that cross platforms, jurisdictions and intermediaries.
Adding documents to AUSTRAC’s information powers and shortening notification windows (14 days for some changes) raises practical questions about data management, privacy, and cross‑border transfer rules, especially where reporting entities operate multinationally. The expanded PEP definitions and the reliance on the permanent‑establishment test for determining which PEP rules apply could increase false positives and compliance burdens, particularly for groups with dispersed operations or layered ownership structures.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.