Key Takeaways

In this article

Why are the penalties so severe? How much are the civil penalties? What are the criminal penalties? Are directors and officers personally liable? How do penalties multiply per breach? How does AUSTRAC enforce compliance? What are real enforcement cases in Australia? How can you avoid AML/CTF penalties? Frequently asked questions

Why Are the AML/CTF Penalties So Severe?

Australia has been the only OECD country without full AML/CTF coverage for so-called "gatekeeper" professions—real estate agents, lawyers, accountants, and trust service providers. The AML/CTF Tranche 2 reforms, effective 1 July 2026, close this gap.

AUSTRAC (the Australian Transaction Reports and Analysis Centre) is the regulator responsible for enforcing these laws. The severity of the penalties reflects the scale of the problem: real estate is one of the most common channels for laundering criminal proceeds in Australia, with property valued for its ability to store wealth, generate income, and appreciate over time.

The penalties are designed to make non-compliance far more costly than compliance. For most real estate agencies, getting compliant will cost a fraction of what even a single penalty could amount to.

How Much Are the Civil Penalties?

AUSTRAC can impose civil penalties for breaches of the AML/CTF Act 2006 without needing a criminal conviction. These are the financial penalties that apply:

Body Corporate
$33M
Up to 10,000 penalty units per breach for companies, partnerships, and trusts
Individual
$6.6M
Up to 2,000 penalty units per breach for individuals, directors, and officers
Criminal — Serious
25 years
Maximum imprisonment for conducting transactions involving proceeds of crime
Criminal — Reckless
2-5 years
Imprisonment for recklessly failing to verify identity or providing false information

Civil penalties cover a wide range of obligations. You can be fined for failing to enrol with AUSTRAC, failing to have an AML/CTF program, not conducting customer due diligence, not filing suspicious matter reports, or not keeping proper records.

What Are the Criminal Penalties?

Criminal penalties apply to the most serious categories of non-compliance. Unlike civil penalties, these require proof of intent or recklessness, and they carry imprisonment.

Offence Maximum Penalty
Providing designated services without enrolling with AUSTRAC Criminal offence under the AML/CTF Act
Recklessly failing to verify customer identity Up to 2 years imprisonment
Failing to report suspicious matters Up to 2 years imprisonment
Intentionally providing false information to AUSTRAC Up to 5 years imprisonment
Conducting transactions involving proceeds of crime Up to 25 years imprisonment + unlimited fines

It's worth noting that "recklessly" has a specific legal meaning. You don't need to intentionally break the law—if you were aware of a risk and failed to take reasonable steps, that can constitute recklessness. Not having an AML/CTF program, or having one that sits in a drawer unimplemented, could meet this threshold.

Are Directors and Officers Personally Liable?

Directors and compliance officers are personally liable

Your position as a director or senior manager does not shield you from personal criminal charges
The AML/CTF Act explicitly targets individuals who exercise control over compliance systems
You can receive a personal criminal conviction while your company simultaneously pays civil penalties for the same breach
AUSTRAC treats personal liability as completely separate from corporate liability

This is particularly relevant for real estate agency principals. If you are the principal of an agency and you fail to implement an AML/CTF program or appoint a compliance officer, you are personally exposed. The AML/CTF Compliance Officer must be at management level and is directly responsible for ensuring the business meets its obligations. The Attorney-General's Department provides further background on the government's AML/CTF framework.

How Do Penalties Multiply Per Breach?

How penalties multiply quickly

The AML/CTF Act treats each individual failure as a separate breach. This means penalties can compound rapidly.

Example: If you onboard 50 clients without proper identity verification, that is potentially 50 separate penalty events—each carrying its own fine of up to $6.6 million for an individual or $33 million for a body corporate.

Even at the lower end of the penalty scale, 10 breaches at $100,000 each is $1 million in fines. For a small real estate agency, this could be enough to shut the business down entirely.

This "per-breach" structure is why AUSTRAC penalties can reach into the hundreds of millions of dollars in serious cases, as has been seen with major financial institutions.

How Does AUSTRAC Enforce Compliance?

AUSTRAC doesn't jump straight to maximum penalties. There is a graduated enforcement approach, but every step has real consequences:

Enforcement Action What It Means
Infringement notices Fixed fines for specific contraventions—the lightest enforcement tool
Remedial directions AUSTRAC orders you to take specific actions to fix non-compliance within a set timeframe
Enforceable undertakings Legally binding agreements to improve compliance, often with ongoing reporting requirements
Civil penalty proceedings Court action seeking fines of up to $33M per breach
Criminal prosecution Referral to the Commonwealth Director of Public Prosecutions for imprisonment

Beyond formal penalties, non-compliance brings reputational damage that can be equally devastating. AUSTRAC enforcement actions are public. If your agency is named in a compliance action, clients and referral partners will take notice. In a market built on trust, this alone can cost you more than the fine itself.

What Are Real Enforcement Cases in Australia?

To understand how seriously AUSTRAC takes enforcement, consider the penalties that have already been imposed on existing regulated entities in Australia:

Notable AUSTRAC enforcement actions

AUSTRAC has a track record of pursuing substantial penalties against businesses that fail to meet their AML/CTF obligations. Previous enforcement actions against financial institutions have resulted in penalties totalling well over a billion dollars combined.

With approximately 90,000 new reporting entities coming under regulation through Tranche 2, AUSTRAC has made clear it will apply the same enforcement standards to real estate agents, conveyancers, and property developers as it does to banks and financial services companies.

AUSTRAC has stated clearly that it expects Tranche 2 entities to be compliant from day one. There will be limited tolerance for businesses that haven't taken steps to prepare, particularly given the extended notice period leading up to July 2026.

How Can You Avoid AML/CTF Penalties?

The good news is that compliance is straightforward if you start now. Here's what you need to have in place before 1 July 2026:

Pre-July 2026 Compliance Checklist

1 Enrol with AUSTRAC — Enrolment opens 31 March 2026. You must enrol within 28 days of first providing a designated service (by 29 July 2026 at the latest).
2 Appoint an AML/CTF Compliance Officer — Must be at management level. This person is responsible for the day-to-day operation of your compliance program.
3 Conduct a risk assessment — Identify your money laundering, terrorism financing, and proliferation financing risks based on your services, clients, and geography.
4 Develop your AML/CTF program — Document your policies, procedures, and controls. It must be approved by a senior manager and reviewed every 3 years.
5 Implement customer due diligence (CDD) — Set up processes for initial, ongoing, and enhanced CDD including identity verification and beneficial ownership checks.
6 Set up reporting processes — You must be able to file Suspicious Matter Reports (SMRs) within 24 hours for terrorism financing and 3 business days for other matters.
7 Train your staff — All staff involved in providing designated services must understand their AML/CTF obligations and how to identify red flags.
8 Establish record-keeping systems — All CDD records, transaction records, and training records must be kept securely for a minimum of 7 years.

If this feels overwhelming, you're not alone. That's exactly why AMLTranche exists—to automate these obligations so you can focus on running your business instead of managing compliance paperwork.

Don't risk $33 million in fines

Get your AML/CTF compliance sorted before July 2026. AMLTranche handles risk assessment, CDD, sanctions screening, and AUSTRAC reporting in one platform.

See how it works → Book a Demo →

Get a free compliance checklist for your business:

No spam. Unsubscribe anytime.

Frequently Asked Questions

What is the maximum penalty for AML/CTF non-compliance in Australia?

The maximum civil penalty is $33 million for a body corporate and $6.6 million for an individual per breach. Criminal penalties include up to 25 years imprisonment for the most serious offences involving proceeds of crime.

Can real estate agents go to jail for AML non-compliance?

Yes. Criminal penalties apply for failing to enrol with AUSTRAC, recklessly failing to verify customer identity (up to 2 years), intentionally providing false information to AUSTRAC (up to 5 years), and conducting transactions involving proceeds of crime (up to 25 years).

Are directors personally liable for AML/CTF breaches?

Yes. Directors, senior managers, and compliance officers who exercise control over compliance systems can face personal criminal charges and civil penalties separate from the company. Personal liability is treated independently from corporate liability by AUSTRAC.

When do AML/CTF Tranche 2 penalties start applying?

Tranche 2 obligations commence on 1 July 2026. Entities must enrol with AUSTRAC within 28 days of first providing a designated service. Providing designated services without enrolling is a criminal offence under the AML/CTF Act.

What counts as a separate breach under AML/CTF law?

Each individual failure is treated as a separate breach. For example, if you onboard 50 clients without proper identity verification, that could constitute 50 separate penalty events, each carrying its own fine.

How can I prepare for Tranche 2 compliance?

Start by using AUSTRAC's eligibility checker to confirm whether your services are classified as "designated services" under the reforms. Then review the reforms guidance, enrol with AUSTRAC (from 31 March 2026), appoint a compliance officer, conduct a risk assessment, develop your AML/CTF program, and implement customer due diligence processes. Using an AML/CTF compliance platform like AMLTranche can automate most of these requirements.

Last updated: 3 March 2026. This article is for general information only and does not constitute legal advice. For advice specific to your circumstances, consult a qualified legal professional.