AML/CTF · AFSL

Stop Managing Two Compliance Registers: How to Run AML/CTF + AFSL Australia 2026 as One Program

Published 19 June 2026Last reviewed June 20265 min readBy Paul Wise

If you hold an AFS licence and you're now also a full AML/CTF reporting entity, you've quietly become a dual-regime business — answerable to ASIC under the Corporations Act and to AUSTRAC under the AML/CTF Act. And unless you've deliberately designed against it, you're almost certainly doing the same work twice.

The overlap nobody planned for

ASIC and AUSTRAC are different regulators with different Acts, but the operational obligations rhyme. Look at how much sits in both columns:

  • Breach and incident reporting — ASIC's reportable situations / breach reporting regime under the Corporations Act (Chapter 7) and AUSTRAC reporting obligations, including suspicious matter reports (s 41).
  • Training records — who was trained, on what, when, evidenced.
  • Board and management reporting — governance oversight. Under the reformed AML/CTF Act, your governing body carries explicit oversight duties for ML/TF risk.
  • Audit and review — the AML/CTF independent evaluation (s 26F(4)(f)) and your AFSL compliance review cycles.
  • Record keeping — overlapping retention obligations (AML/CTF records are kept seven years under Part 10), different homes.

Most firms manage these in parallel: an ASIC compliance register and process over here, an AML/CTF register and process over there. Same training event logged twice. Same incident assessed against two frameworks in two places. Two sets of evidence to assemble at audit time. It's duplicated effort, and duplicated effort is where things fall out of sync — which is exactly when one regulator finds a gap the other column would have caught.

Why integration beats duplication

The fix isn't more spreadsheets — it's a single source of truth that understands both regimes. When a training event, a breach, a board report or a review can be recorded once and satisfy both ASIC and AUSTRAC evidence needs, the two registers can't drift apart.

One platform built for both regulators

Veriqua is the only platform built for dual AFSL + AML compliance — one register, one dashboard, one audit trail covering both regulators. Most AML tools assume you're only doing AML. Most AFSL compliance tools ignore AUSTRAC entirely. Veriqua was built by an AFS licensee, for the reality of carrying both obligations at once — so your breach reporting, training, governance and review evidence live in one place, mapped to both the Corporations Act Chapter 7 world and the AML/CTF world.

For a firm currently reconciling two registers by hand, that's not a marginal saving — it's the end of doing compliance twice. See the dual-regime dashboard in two minutes, no login: demo.veriqua.com.au/start.

Frequently Asked Questions

What is the overlap between ASIC and AUSTRAC obligations for AFS licensees?
Both regulators require overlapping compliance activities: breach and incident reporting, staff training records with evidence, board and management reporting on compliance, audit and review cycles, and record keeping with defined retention periods. Managing these separately — one ASIC register and one AUSTRAC register — creates duplication and the risk that the two sets of records drift out of sync, leaving gaps that either regulator may detect.
Do AFS licensees need to lodge suspicious matter reports (SMRs) with AUSTRAC?
Yes. If an AFS licensee is an AML/CTF reporting entity (which most are, by virtue of providing financial services designated services under Table 1), they must lodge SMRs under section 41 of the AML/CTF Act when they form a suspicion about a matter in connection with providing a designated service. SMRs are subject to tipping-off restrictions — you cannot tell the subject that a report has been made.
How long must AML/CTF records be kept for AFS licensees?
AML/CTF records must be kept for seven years under Part 10 of the AML/CTF Act. This applies to records of designated services provided, transaction records, CDD and beneficial ownership evidence, and records of suspicious matter and threshold transaction reports lodged. ASIC's breach reporting and compliance records have separate, sometimes shorter, retention requirements — so the seven-year AML/CTF rule is often the governing minimum.
What is a reportable situation under ASIC's breach reporting regime and how does it interact with AML/CTF?
A reportable situation is a breach, or likely breach, of a core obligation under the Corporations Act that must be reported to ASIC within specified timeframes. AML/CTF incidents — such as a failure to lodge an SMR, a gap in CDD processes, or a policy breach — may independently constitute or contribute to a reportable situation if they involve a breach of an Australian financial services law. Dual-regime firms must assess incidents against both frameworks and report to both regulators where required.

See how Veriqua handles this

Veriqua is an Australian compliance operating system for AFSL holders and AUSTRAC reporting entities — automating AML/CTF programs, customer due diligence, transaction monitoring, SMR lodgement and board reporting.

Disclaimer: This article is general information only and is current as at June 2026. It reflects our understanding of obligations under the AML/CTF Act and the Corporations Act and AUSTRAC and ASIC guidance as at that date, all of which may change. It is not legal, financial or compliance advice. AFS licensees should obtain advice from a qualified professional and refer to current AUSTRAC and ASIC guidance at austrac.gov.au and asic.gov.au before acting.