Beyond Compliance: Practical insights for implementing the March 2026 AML/CTF changes

With 31 March 2026 fast approaching, a lot of teams have moved past “what’s changing?” and into the harder question: how do we implement this in a way that works for customers, frontline staff, management, Boards and the regulator?

In a recent CREW session with guest speakers Tanushree Dabral and Jon O’Keeffe (PX Partners), the message was clear: the reforms are less about producing more documentation and more about building an outcomes-focused, evidence-backed system that stands up when it’s tested.

Below are the key themes and practical takeaways from the session.

Why this reform moment matters (and why it’s landing now)

Jon framed AML as a “sleeper risk class” in many organisations, too often viewed narrowly through a KYC lens, rather than as a broader operational and financial crime risk.

The context matters, because it helps you explain the “why” to boards and executives:

  • Australia’s AML/CTF regime has been evolving under global expectations (including FATF reviews and international comparability).

  • Locally, AUSTRAC has shifted from “education mode” to using a more active enforcement toolkit.

  • The threat environment has moved sharply with cybercrime, scams, identity crime, and fraud, raising community expectations of what “good” looks like.

If your internal narrative is still “this is a compliance refresh,” you might struggle to get resourcing, sponsorship and the right cross-functional engagement.

The real shift: from “checkbox compliance” to outcomes

Tanushree put it bluntly using regulator language: don’t build something that looks compliant but doesn’t reduce risk. One AUSTRAC line she quoted is worth keeping in your slide deck for internal stakeholders:

“Resist the urge to implement programs… that may create the impression of compliance… with minimal impact…”

In practice, the session unpacked what “outcomes-focused” tends to mean on the ground:

a) “Low risk” is no longer a starting assumption

In wealth (super, funds management, insurance), there can be a habit of treating AML risk as low “by default” because products aren’t cash heavy. But ‘low risk’ has to be documented, evidence-based and defensible.

b) Controls must be demonstrably effective

Having an AML program isn’t the finish line. The expectation is shifting toward:

  • testing

  • measuring

  • collecting the right data

  • iterating when controls aren’t working

That’s the difference between having a framework and being able to show it’s working.

c) AML should be a living system, not a compliance binder

The reforms reinforce feedback loops from frontline activity into governance settings, so AML becomes part of the organisation’s risk management rhythm, not a siloed annual refresh.

d) Everyone’s role changes, from frontline to boardroom

Frontline teams are increasingly expected to make risk decisions, not just collect documents. Compliance teams need to become more data- and testing-led, and governance bodies need reporting that explains the organisation’s risk profile, not just a status update.

What’s happening with timing and transition relief

A key point from Jon: there are still moving parts, but it’s not “tools down.” AUSTRAC has staged the implementation, and there is transitional relief in some areas.

  • 31 March 2026: changes to AML/CTF obligations start for current reporting entities (with some obligations staged later).

  • AUSTRAC has announced a 3-year transition period for initial customer due diligence (CDD) from 31 March 2026 to 30 March 2029.

AUSTRAC’s messaging (as echoed in the session) is that if you won’t be fully compliant on day one, you should have an implementation plan that is time-bound, board-visible and shows sustained progress, while not using transition relief as a reason to defer things that should already be in place.

Risk assessment is the foundation (and where many gaps appear)

Tanushree was clear: risk assessment isn’t just a compliance artefact, it’s the justification for everything else (CDD design, monitoring approach, reporting triggers, governance reporting).

Common gaps PX Partners sees in practice include:

  • narrow views of ML/TF risk

  • unsubstantiated “low risk” conclusions

  • templated programs not tailored to the business

  • governance reporting that says very little about actual risk exposure or management

What a stronger risk assessment draws on

Jon and Tanushree outlined a more evidence-driven approach that considers predicate crimes. The assessment draws on qualitative and quantitative inputs such as:

  • product features and how the product is used in practice

  • distribution and intermediation (including platform/channel visibility constraints)

  • customer types and jurisdictions

  • outsourcing and vendor dependency

  • transaction volumes and operational data

  • SMR/UAR patterns (and the internal signals that lead to them)

  • AUSTRAC sectoral risk information and any direct supervisory feedback

Big design point: the enterprise ML/TF risk assessment should clearly inform the customer risk methodology; the two are meant to connect.

The fraud/scam/AML convergence

A practical part of the session was the call-out on siloed thinking: organisations often treat scams/fraud as “ASIC matters” and AML as “AUSTRAC matters.” But in the real world, the threats overlap—and so should your controls and intelligence.

ASIC has previously urged super trustees to strengthen anti-scam and fraud practices (including reducing over-reliance on basic checks and improving detection/response).

If your AML risk assessment and monitoring settings don’t meaningfully account for identity crime, cyber-enabled fraud, coercion, and scams, you’re likely undercooking the regime’s intended outcomes—even if your documentation looks tidy.

Technology, privacy and the “circular risk” problem

Tanushree highlighted an increasingly common reality: the AML data you collect can become the target.

That creates a circular risk:

  • AML obligations increase sensitive data collection,

  • that data becomes attractive to criminals,

  • a breach creates both a privacy incident and an ML/TF vulnerability.

OAIC guidance emphasises limiting collection to what’s necessary and avoiding collection “just in case.”

Digital onboarding, ID verification, and biometrics can improve effectiveness—but need to be implemented with privacy and security baked in, not bolted on.

Outsourcing: “set and forget” is over

Jon described outsourcing as a major focus area under the reforms, aligning with the broader regulatory direction on third-party risk.

The session’s practical message: it’s not enough to rely on contracts and quarterly attestations. Expectations are moving toward:

  • deeper due diligence (cyber/privacy/controls, depending on vendor type)

  • active oversight and assurance (sampling, comparing expected vs actual outcomes)

  • clarity that “personnel” includes people performing AML functions via vendors

The days of the 250-page AML compliance program are over. The new world is shorter documents, but stronger evidence of tailoring, decisions and effectiveness (including “file note it” discipline for key design choices).

Governance: clearer roles, sharper accountability

The session emphasised governance design as the thread that ties everything together:

  • Board: oversight, receives meaningful reporting, ensures appropriate framework and resourcing.

  • Senior manager (new under reforms): must personally approve key elements (risk assessment, AML/CTF policies, certain high-risk decisions) and can’t delegate those accountabilities.

  • AML/CTF compliance officer (AMLCO): day-to-day oversight and program operation.

They also addressed a common question: can the senior manager and AMLCO be the same person? In smaller organisations, yes (it is practically necessary at times), but you need to think through unintended consequences and role clarity.

A practical “last mile” checklist for teams right now

If you’re in the final run to 31 March, here’s a tight set of actions aligned to the session themes:

  1. Risk assessment: evidence-based, tailored, and clearly connected to customer risk methodology.

  2. Effectiveness: define what “working” means and what you’ll measure/test.

  3. Monitoring + reporting: check you’re not underweighting scams/fraud/identity crime indicators.

  4. Third parties: uplift due diligence and oversight—especially where vendors perform AML functions.

  5. Privacy + security: validate data collection/retention practices against necessity and security posture.

  6. Governance: confirm role designations, approvals, and non-delegable decisions are operationally workable.

  7. Implementation plan (if needed): gaps, owners, dates, and board visibility—showing sustained progress.