Common AML Compliance Mistakes That Lead to AUSTRAC Fines
When it comes to AML/CTF compliance in Australia, the difference between a clean audit and a six-figure penalty often comes down to avoidable errors. AUSTRAC will take enforcement action against businesses that fail to meet their obligations, regardless of size or intent. In many cases, the businesses that attract fines are not criminal enterprises — they are legitimate operators who made common AML compliance mistakes.
Whether you are newly caught by Tranche 2 or have been a reporting entity for years, here are the most frequent compliance failures and how to avoid them.
1. Not Having a Written AML/CTF Program
Some businesses believe that being aware of their obligations or having informal processes is enough. It is not. The AML/CTF Act requires every reporting entity to adopt and maintain a written program, approved by a senior member of your organisation and readily available if AUSTRAC requests it.
How to avoid it: Create a formal written program with Part A (risk assessment) and Part B (compliance procedures) before providing designated services.
2. Copy-Pasting a Generic Template
AUSTRAC has been clear that generic, off-the-shelf templates do not satisfy the requirement for a program tailored to your business. A conveyancer in regional Queensland and a commercial real estate firm in Sydney face different ML/TF risks — their programs should reflect that.
How to avoid it: Use your risk assessment to drive the content. Every procedure in Part B should link back to a risk identified in Part A.
3. Skipping the Risk Assessment
Some businesses jump straight to writing procedures without completing a proper ML/TF risk assessment. Without understanding your risks, your compliance procedures are built on guesswork. Part A requires a documented assessment considering customer types, services offered, delivery channels, and geographic factors.
How to avoid it: Complete your risk assessment first and treat it as the foundation of your entire program. Revisit it whenever your business changes.
4. Incomplete Customer Due Diligence
CDD errors are among the most commonly cited issues in AUSTRAC enforcement actions. Common failures include:
- Collecting identification but not verifying it against a reliable source
- Failing to identify beneficial owners of companies or trusts
- Not applying enhanced due diligence where the risk profile warrants it
- Completing CDD after the service has already been provided
How to avoid it: Build CDD checklists into your workflow so no designated service is provided until identification has been collected, verified, and documented.
5. Not Training Staff
A well-written program is pointless if your people do not know it exists. Staff training is mandatory. Everyone who performs designated services must receive training covering your program, red flags, CDD procedures, and reporting obligations.
AUSTRAC expects training to be delivered before staff begin relevant duties, refreshed at least annually, and documented with records of content, dates, and attendees.
How to avoid it: Schedule initial training as part of onboarding and set reminders for annual refreshers. Keep attendance records and training materials.
6. Failing to Report Suspicious Matters
This is one of the most serious compliance failures. If you suspect a customer is involved in money laundering or terrorism financing, you must lodge a Suspicious Matter Report (SMR) with AUSTRAC. Common reasons businesses fail to report:
- Not recognising the red flags
- Being unsure whether the suspicion is "serious enough"
- Fear of damaging a client relationship
- Not having an escalation process in place
There is no threshold for certainty. If you form a suspicion, report it. Failing to report is an offence, and so is tipping off the customer.
How to avoid it: Train staff to recognise industry-specific red flags. Implement a clear escalation process and lodge reports within required timeframes.
7. Poor Record Keeping
The AML/CTF Act requires you to retain records for seven years, including CDD documents, transaction records, your program (including previous versions), training records, and reports lodged with AUSTRAC. Common failures include storing documents in ways that make retrieval difficult, discarding records prematurely, and not maintaining training logs.
How to avoid it: Use a consistent digital filing system with clear naming conventions and retention policies that prevent premature deletion.
8. Not Updating Your Program Annually
Your AML/CTF program is not a set-and-forget document. AUSTRAC expects at least an annual review, plus updates whenever material changes occur. Many businesses create a program once and never revisit it. When AUSTRAC audits, one of the first things checked is whether the program reflects current operations.
How to avoid it: Schedule an annual review. Document what was assessed, what changed, and who approved the updated version — even if no changes were necessary.
9. Ignoring Ongoing Customer Monitoring
CDD is not a one-off exercise at onboarding. Reporting entities must conduct ongoing monitoring, including watching for transaction patterns inconsistent with the customer's profile, keeping identification information up to date, and re-assessing risk if the relationship changes.
How to avoid it: Build periodic reviews into your processes. For higher-risk customers, review more frequently. Use transaction monitoring to identify activity that does not align with the customer's profile.
10. Assuming a Small Business Exemption Exists
Many small business owners assume AML/CTF obligations only apply to large firms or banks. Under the AML/CTF Act, there is no exemption based on business size, revenue, or transaction volume. A sole practitioner conveyancer has the same legal obligations as a national franchise, although their program can be simpler.
How to avoid it: Accept that the obligations apply regardless of size. Focus on building a proportionate program that addresses your actual risks.
The Cost of Getting It Wrong
AUSTRAC's enforcement powers include civil penalty orders, enforceable undertakings, and infringement notices. Civil penalties can reach tens of millions of dollars for serious breaches. Even for smaller businesses, infringement notices can exceed $100,000 — plus reputational damage and the cost of remediation.
Build Compliance Confidence with ComplyReady
Every one of these common AML compliance mistakes is avoidable with the right tools. ComplyReady helps Australian businesses build tailored, audit-ready AML/CTF programs that address real risks. From automated risk assessments to CDD workflows, staff training resources, and annual review reminders, ComplyReady keeps you on the right side of AUSTRAC. Get started at ComplyReady and take the guesswork out of compliance.