On 12 May 2026, AUSTRAC released updated risk snapshots of money laundering (ML), terrorism financing (TF) and proliferation financing (PF) threats influencing Australia’s ML, TF and PF environment.
These annual updates provide industry with a year‑on‑year view of evolving threats and AUSTRAC’s assessment of ML/TF/PF risks. They therefore serve as a critical input for reporting entities’ compliance frameworks, while also offering insight into AUSTRAC’s emerging compliance expectations and enforcement priorities.
In that context, AUSTRAC’s 2026 snapshot describes an increasingly complex, globalised and digitised financial system, in which sophisticated criminal actors are leveraging new technologies to accelerate the scale and complexity of their ML/TF/PF activities.
Of particular note is AUSTRAC’s focus on how technological advancements, particularly generative artificial intelligence (AI), are increasing the speed, scale and accessibility of ML/TF/PF activity while simultaneously undermining traditional approaches to detection and prevention.
In this short article, we examine AUSTRAC’s specific observations on technology driven risks and consider what they suggest about AUSTRAC’s expectations of reporting entities in an increasingly digitised financial landscape.
Proliferation financing update 2026
Australia’s PF vulnerabilities are shaped by exposure to foreign nationals, entities and transactions linked to jurisdictions of proliferation or diversion concern. AUSTRAC’s latest update highlights that technological developments are making these vulnerabilities easier to exploit while simultaneously making illicit activity harder to detect. For example, while AUSTRAC does not identify widespread current use of AI in PF, it expects the generative capabilities of AI will enable PF actors to design increasingly complex logistics chains and financial flows to obscure the origin and end-use of funds. This may include the use of AI to generate fictitious entities or convincing, falsified documentation. AUSTRAC also identifies the use of virtual assets in some PF networks. It highlights the use of virtual assets to settle obligations between international counterparties as part of legitimate activity, which allows PF-related value to blend into routine commercial activity. The use of stablecoins is highlighted as reinforcing this dynamic, making it more likely that Australia’s financial system and trade-connected industries will be exploited by PF actors. AUSTRAC notes that these dynamics have enabled sanctioned states, such as Iran and the DPRK, to continue transferring value even where access to conventional financial systems is constrained.
Terrorism Financing updated 2026
AUSTRAC emphasises that a defining feature of TF in Australia is its low‑value, low‑volume nature, which makes TF activities difficult to distinguish from ordinary consumer behaviour. This challenge is being compounded by the increasing digitisation of the financial system and real-time payment technologies. These technologies have been identified as particularly problematic because they reduce the window for detection and intervention by service providers. AUSTRAC also highlights AI as a further accelerant, increasing both the speed and complexity of TF activity and adding to the challenges for reporting entities.
Money laundering updated 2026
AUSTRAC considers that the core channels identified in the 2024 national ML risk assessment remain the same. However, ML actors are able to exploit those channels in increasingly complex ways because of technological innovations. AI is again highlighted in the context of ML risk, with AUSTRAC noting that AI and emerging technologies continue to intensify the ML environment. This includes the increased efficiency and sophistication of identity fraud and fake documentation, impersonation, transaction structuring and other measures. AUSTRAC also points to decentralised finance and offshore virtual asset service providers (VASPs) as being increasingly used to move and layer value in ways where supervisory reach is limited. AUSTRAC’s update identifies a gap in visibility connected to crypto-native transactions and decentralised activity.
What do these updates mean for reporting entities?
AUSTRAC CEO Brendan Thomas emphasised that AUSTRAC’s updates are a critical foundation for the ongoing reforms to Australia’s AML/CTF regime:
“This is about building a system that’s fit for today’s risks and tomorrow’s threats – one that supports risk management, delivers better intelligence and keeps Australia aligned with global best practice”.
The update therefore provides a clear signal that AUSTRAC expects AML/CTF compliance frameworks to be capable of responding to increasingly complex, interconnected and scalable financial crime risks arising from advancements in technology.
In that context, we have set out our key takeaways for reporting entities to consider in light of AUSTRAC’s expectations in designing, implementing and operationalising a technology aware and responsive AML/CTF compliance framework.
This is not a full examination of the updates and we encourage reporting entities to review and consider these updates in the context of their business. This should involve the AML/CTF Compliance Officer who should consider the relevance of these updates in their updates to governing bodies.
Consider updating your risk assessment
The ML/TF/PF risk assessment of every reporting entity must have regard to:
“information communicated either directly or indirectly by AUSTRAC to the reporting entity that identifies and assesses the risks associated with the reporting entity’s provision of its designated services”.
If there is a significant change to this, the ML/TF/PF risk assessment of the reporting entity must be reviewed.
All reporting entities should consider AUSTRAC’s national risk assessments as part of the ML/TF/PF risk assessment. Reporting entities should therefore be reviewing these guidance materials from AUSTRAC and considering whether their ML/TF/PF risk assessments require update in light of the new guidance.
What if you are relying on the low PF risk exception?
The AML/CTF Act allows a reporting entity not to develop PF controls if it has assessed that the PF risk it may reasonably face is low and that those risks can be appropriately managed and mitigated by its existing policies, procedures, systems and controls.
Reporting entities should keep their position on PF risk under review and consider whether, in light of any updates in AUSTRAC’s PF risk assessment, that position still holds.
For example, any entity that is engaging in virtual asset connected activity, including the use of stablecoins, should consider whether its PF risk should be reconsidered having regard to AUSTRAC’s guidance.
Reporting entities relying on this exemption should ensure that they are considering their position on an ongoing basis, including by reference to AUSTRAC’s updated guidance. This assessment should also be documented by the reporting entity.
Doing business with an entity identified as enabling TF risk?
AUSTRAC’s update references regulatory gaps as a key enabler of TF, noting certain social media and crowdfunding sites and VASPs as being out of scope of the AML/CTF regime.
While those outside the regulatory perimeter of the AML/CTF Act are unlikely to be considering AUSTRAC’s guidance, this is relevant to any reporting entity doing business with these out-of-scope businesses. Any reporting entity that enables the flow of funds through businesses identified by AUSTRAC as enablers of TF should consider this as part of its own TF risk assessment and controls.
Consider the appropriateness of responding controls, not only the risk
As well as considering whether its ML/TF/PF risk assessment is appropriately identifying relevant risks, reporting entities must consider whether their procedures, systems and controls are appropriately responsive to this risk.
Given the focus of AUSTRAC on the use of AI to precisely target vulnerabilities, reporting entities should ensure that their systems and controls are designed with a clear understanding of how their services may be targeted by criminal actors and are able to respond accordingly.
In the context of TF, AUSTRAC highlights the rapid movement of funds as a key enabler of TF risk, as it allows funds to be moved before suspicion is raised. Any reporting entity involved in a payments environment should therefore be considering how its controls manage and mitigate the risks associated with its service offering such as, for example, the risk associated with near-instant settlement capabilities.
In the context of professional service providers coming in scope from 1 July 2026, AUSTRAC has indicated that these sectors must take a particularly considered, risk‑focused approach to assessing PF exposure and embedding appropriate controls. This is particularly so where those entities have a higher risk of exposure (whether directly or indirectly) to foreign nationals, entities and transactions linked to jurisdictions of proliferation or diversion concern.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.