For Fintech Companies

AML/CTF program for Australian fintechs — AUSTRAC reporting entity guide

Most fintechs are already reporting entities under existing AUSTRAC rules — the question is whether your program reflects what you actually do. Tranche 2 doesn't create new obligations for fintechs but the 2024 reforms do tighten existing ones.

Start FreeView Requirements

Compliance Challenges for Fintech Companies

Payments, lending, remittance and digital wallet providers are reporting entities under the AML/CTF Act. AutoAML generates a fintech-specific program with eKYC and monitoring procedures.

Scope confusion is the biggest fintech compliance risk

Embedded finance, BaaS partnerships and payment-facilitator models can leave it unclear which entity is the reporting entity. Getting this wrong means an unbounded enforcement risk for the wrong company.

Reliance on third-party CDD has strict conditions

Section 36A reliance arrangements (e.g. on a sponsor bank or KYC vendor) are allowed but the conditions are often missed in fast-moving partnerships. The reporting entity is still liable for any failure.

Real-time transaction monitoring is non-negotiable

Batch monitoring is rarely defensible for digital-first products. AUSTRAC's expectations have moved with the industry — your Part A risk assessment needs to justify the monitoring rules you actually run.

Cross-border flows are high-scrutiny

International funds transfer instructions (IFTIs) over $10,000 must be reported and underpin some of the largest enforcement actions in Australian history (Westpac $1.3B, 2020).

What Fintech Companies Need for Compliance

The AML/CTF Act 2006 (Cth) and the AML/CTF Rules require all reporting entities to maintain these documents and procedures.

AML/CTF Program with Part A and Part B sections — s 81 of the Act
ML/TF Risk Assessment scoped to your specific fintech product set
eKYC and digital CDD procedures meeting the AML/CTF Rules
Real-time or near-real-time transaction monitoring framework
International funds transfer instruction (IFTI) reporting procedure
SMR workflow with automated alerting feed
Sanctions and PEP screening at onboarding and on an ongoing basis
7-year transaction and CDD record retention (s 107)

Deadline & Applicability

Fintechs providing designated financial services are already reporting entities. The AML/CTF Amendment Act 2024 modernised several definitions (digital wallets, payment facilitators, value-storage products) — programs drafted before 2025 should be reviewed against the new wording.

Last reviewed: · Information is general guidance, not legal advice.

How AutoAML Helps Fintech Companies

AI-Generated Documents

All 13 compliance documents drafted from your service mix and risk profile — Part A, Part B, risk assessment, CDD scripts, the lot.

Team & Audit Trail

Invite your team, assign Compliance Officer roles, and keep a tamper-evident audit log AUSTRAC supervisors can read.

SMR & TTR Built-in

Reporting workflows, training tracking, annual review reminders and document version control — so the program stays alive after day one.

Frequently Asked Questions

Fintech Companies & AUSTRAC: common questions

Is my fintech a reporting entity?
If you provide a designated service in Schedule 1 of the AML/CTF Act — which covers most account-issuing, lending, remittance, payment-facilitating and digital-currency services — yes. The 2024 reforms broaden several of these definitions.
We use a sponsor bank — do they cover our compliance?
Only for the parts of the customer relationship they actually own. If you're the customer-facing brand and you onboard, you are most likely a separate reporting entity. Section 36A reliance is possible but must be documented and is not automatic.
Do we need to do CDD on every customer?
Yes — at onboarding for any customer of a designated service, with ongoing CDD throughout the relationship. The depth scales with risk: standard customers need standard CDD, high-risk customers (PEPs, high-risk jurisdictions, complex structures) need enhanced CDD.
What's the IFTI threshold and reporting window?
International funds transfer instructions must be reported to AUSTRAC for transfers of any value where you are an ADI or remittance provider. Reporting is via AUSTRAC Online within 10 business days.
How prescriptive does our transaction-monitoring need to be?
AUSTRAC doesn't prescribe rules — it requires that your monitoring is driven by your documented risk assessment and that it actually catches the typologies you've identified. 'We use [vendor]' is not a defence; understanding your alerts and tuning is.
What were the recent fintech-relevant enforcement actions?
Westpac was penalised $1.3 billion in 2020 for IFTI and child-exploitation reporting failures, the largest corporate penalty in Australian history. Crown Resorts paid $450 million in 2022. Entain agreed a $123 million civil penalty in 2025.

Related industries under AUSTRAC Tranche 2

Many firms work across more than one designated-service category. Check the related sectors below.

For Crypto Businesses

AML/CTF program for digital currency exchanges in Australia — AUSTRAC DCE

Read more
For Accountants

AML/CTF program for accountants in Australia — AUSTRAC Tranche 2

Read more
For Trust & Company Service Providers

AML/CTF program for trust and company service providers — AUSTRAC Tranche 2

Read more

Generate a fintech-specific AML/CTF program in 10 minutes

All 13 AUSTRAC-aligned documents drafted from your service mix. Free until the 1 July 2026 deadline.

Start Your Free Compliance ProgramPrefer to talk first? Book a 15-min setup call

Free until the 1 July 2026 AUSTRAC deadline. Cancel anytime.