12 June 2026 Back to all posts
Financial Planning & AML

AML Compliance for Financial Planners: What You Actually Need to Do

The 2026 AML/CTF reforms have landed. For financial planners, the obligations are real but manageable, if you understand which rules apply to your specific practice. This guide cuts through the complexity.

This guide is based on AUSTRAC's Quick Guide: AML/CTF Program for Financial Planners (January 2026) and current AUSTRAC and OAIC guidance. If you are not yet fully compliant, the most important thing you can do right now is develop an Implementation Plan, this demonstrates a good-faith commitment to AUSTRAC and positions you defensibly.

Your Core Obligations as a Financial Planner

Every financial planning practice that provides a designated service under the AML/CTF Act must have two foundational documents in place before providing that service: a risk assessment and a documented AML program. These cannot be borrowed from a product provider or licensee, they must reflect your specific business.

REQUIRED
ML/TF Risk Assessment

Must be tailored to your specific practice, client base, products, and delivery channels. Using a risk assessment from your product provider or licensee is not sufficient under the AML/CTF Act.

REQUIRED
AML/CTF Program

A written program that describes how your practice identifies, manages, and mitigates money laundering and terrorism financing risk, including what controls you have in place. Must be approved by a compliance officer.

REQUIRED
Initial Customer Due Diligence

You must identify and verify all customers before providing a designated service. This applies even if your obligations are simplified (see Section 2 below).

RECOMMENDED
Document Your Rationale

If you choose to retain copies of verified identity documents, document the business rationale in your AML Program. Keeping copies is not required under the new AML laws, and may create Privacy Act exposure.

Simplified Obligations or Full Compliance? How to Decide

Not all financial planners face the same level of obligation. If your practice only makes arrangements for clients to receive a designated service from another provider, such as a platform, fund manager, or insurer, your obligations are significantly simplified. However, this exemption disappears if you provide any "Tranche 2" designated services.

Compliance Pathway Decision Guide
START
Does your practice provide a designated service? e.g. financial product advice, arranging for clients to acquire financial products
Do you only make arrangements for clients to receive designated services from another provider? That is, the service is actually provided by a platform, fund manager, insurer, or other reporting entity, not directly by you.
No, You also provide directly
Full AML/CTF obligations apply. You need a complete AML Program (Part A + Part B), full initial CDD, ongoing monitoring, and reporting obligations.
Yes, Arrangements only
Simplified obligations apply. You still need a risk assessment, your own AML Program, and full initial customer due diligence, but your program requirements are reduced.
Does your practice also provide any Tranche 2 designated services? e.g. providing a registered office address, holding client funds in a trust account, assisting in a transaction to buy real estate, creating trusts or companies
Yes, Tranche 2 services apply
The simplified exemption does not apply to you. Full AML/CTF Act obligations apply from 1 July 2026 for those services.
No, Arrangements only
Simplified obligations continue to apply. Maintain your risk assessment, program, and CDD, but full transaction monitoring may not be required.

If in doubt, review AUSTRAC's guidance on professional designated services to check whether specific activities in your practice trigger full obligations.

Initial Customer Identification and Verification

Customer identification and verification must be completed before you provide the designated service, not after, and not simultaneously. The following options apply to standard (low/medium risk) customers. High-risk customers require additional measures including source of funds verification and enhanced due diligence.

A
Primary Photo ID
Sufficient alone
Accepted documents
  • Australian passport
  • Driver's licence
  • Proof of age card
  • Foreign national identity card
Obtain, inspect, and verify that the person is who they claim to be. One document is sufficient.
B
Non-Photo Primary + Secondary
Both required
Primary (non-photo)
  • Birth certificate
  • Citizenship certificate
  • Government concession card
Plus secondary (showing name + address)
  • Utility bill
  • Commonwealth, state, territory, or local government notice
Both documents must be provided together.
C
Electronic Verification
Automated option
What to verify
  • Customer's full name
  • Date of birth or residential address
Using at least two independent sources
  • Document Verification Service (DVS)
  • Credit reporting agency record
  • Other reliable independent electronic data
Can be fully automated. Name + DOB or name + address across two sources satisfies the requirement.
High-risk customers require additional steps beyond initial verification, including source of funds checks, enhanced due diligence, and potentially senior management approval before the relationship commences. See AUSTRAC's initial CDD guide for individuals.

Record-Keeping: What to Collect, What to Store

Two separate laws govern what you must record and what you must not keep. Understanding how they interact is essential, and the interaction creates a clear default position for modern compliance.

AML/CTF Act
Record content, not copies

You are not required to retain scanned copies or photocopies of identity documents. You only need to record the type and content of the data collected.

Privacy Act
Data minimisation applies

You must not keep more personal information than is reasonably necessary. Collecting ID document copies when they are not required is a direct breach of this principle.

Combined effect
Do not collect copies

You should not collect scanned copies or photocopies of identity documents. If you do collect them, document the reason in your AML Program.

Retention period
Records kept for 7 years after you stop providing the service to the client, then must be securely destroyed.
🛡️
Modern AML/KYC tools meet both requirements by design. Purpose-built compliance platforms capture and store only the extracted data fields required by AUSTRAC, without retaining document images. This satisfies the AML/CTF record-keeping obligation while minimising data breach exposure under the Privacy Act. LiteAML can help your practice implement affordable tools built to these principles.

Not Fully Compliant Yet? Develop an Implementation Plan

If your practice is not yet fully compliant with the 2026 obligations, the most important step is to develop and document an Implementation Plan. AUSTRAC has stated explicitly that it recognises compliance takes time, but it expects good-faith effort and evidence of progress. A documented plan is your strongest defence in any regulatory interaction.

AUSTRAC Guidance

An Implementation Plan creates a defensible position

AUSTRAC's regulatory expectations make clear that reporting entities which demonstrate genuine effort to comply, documented through an implementation plan with milestones and accountability, will be treated very differently from those who ignore their obligations. Read AUSTRAC's Quick Guide for Financial Planners →

Need help getting your AML program in order?

LiteAML works with financial planning practices to build tailored risk assessments, AML programs, and affordable compliance tools.

Get in touch →