The 5 AML tasks you’ll be personally responsible for (even if you outsource)
As Tranche 2 AML obligations approach in July 2026, many businesses are exploring outsourcing options. After all, with so many balls in the air as a modern business owner, outsourcing can reduce workload, provide access to expertise and help structure your compliance processes. But there’s a dangerous assumption that often sits underneath that decision:
If someone else is doing the work, they’re also carrying the responsibility.
Yet, under Australia’s AML/CTF framework, that’s not how it works.
Even if you outsource parts of your AML compliance, whether to software, consultants or service providers, the legal responsibility remains with your business as the reporting entity.
For directors, principals and licensees, that responsibility is personal in practice, even if it sits at an organisational level in law.
Let’s look at what that actually means, and break down the five AML tasks you remain responsible for, no matter who or what you engage to help you.
First, what can be delegated (and what can’t) under Tranche 2 reforms
Before we get into examples of things you can outsource, it’s important to draw a clear line. There are many things you can delegate, including:
- identity verification processes
- document collection
- transaction monitoring support
- drafting reports or file notes
- system setup and workflows
But what you cannot delegate is:
- accountability
- decision-making
- oversight
- and ultimately, compliance itself
AUSTRAC is clear on this point: outsourcing may assist you in meeting your obligations, but it does not transfer them.
1. Owning your AML/CTF program
Your AML program is a complex, detailed document, so for many businesses it makes sense to outsource its creation. This might involve engaging someone to help draft your AML/CTF program, or using a template, platform or external consultant to structure it.
But no matter what you do, ultimately, you are responsible for ensuring that your program:
- reflects your business
- addresses your specific, unique business risks
- is actually implemented in practice
A generic program that gets printed off only to sit on a shelf will not meet your obligations.
For example, a director of a conveyancing business who relies on a templated program without tailoring it to their client base, transaction types and delivery channels is still responsible if that program fails to identify risk.
Consider your AML/CTF program as the framework that governs how your business operates under the new reforms. Ownership of that cannot be outsourced.
2. Making risk-based decisions
Technology can assist with risk scoring. Consultants can provide guidance. Systems can flag anomalies. But your risk assessment is not a mechanical process. At some stage of the risk assessment process, someone in your business must decide:
- whether a client presents a higher level of risk
- whether enhanced due diligence is required
- whether a transaction aligns with the client’s profile
For example, a real estate licensee may receive a risk rating from a system. But if the transaction involves unusual funding arrangements or inconsistent instructions, the decision to escalate sits with the business, not the platform.
Professional judgement is key here, and this is where tailored training for your staff plays a critical role in their ability to identify and escalate unusual transactions.
3. Deciding when to report suspicious activity
This is one of the most important, and most misunderstood, responsibilities. You can use tools to help identify unusual behaviour, receive alerts or even have reports pre-drafted.
But the decision to submit a Suspicious Matter Report (SMR) ultimately sits with the reporting entity. Software cannot tell you to do this, nor can a consultant. You are the only one who can decide to do that. Under the AML/CTF Act, businesses must report when they have reasonable grounds to suspect certain activity.
For example, an accounting firm may notice a client using multiple entities for transactions with no clear commercial rationale. A system may flag it and a software provider may prepare a draft SMR, but the decision to lodge the report, and the timing of that decision, remains your responsibility.
This is a critical point, because failing to report cannot be blamed on system failure. Instead, it is a compliance failure on the part of the business.
4. Ensuring your team is trained and aware
There are so many different options out there for your staff’s AML training. You can provide access to training modules, or engage external providers. But whatever you choose to do, you remain responsible for ensuring that:
- your team understands AML risks relevant to their role
- they know how to escalate concerns
- training is ongoing and not a one-off exercise
For example, a legal practice may roll out training through a third-party platform. But if the platform allows staff to skip over videos and gives them the answers to the quiz questions, your staff will find it incredibly difficult to apply AML knowledge in real scenarios. And if that happens, the business cannot point to the provider as the source of failure.
Training is not a tick-box exercise to be completed. Adhering to the AML Rules requires a high degree of comprehension and application, and the responsibility to support your staff in this sits firmly within the business.
5. Maintaining oversight and control
This is the thread that runs through everything. Even when outsourcing is in place, businesses must:
- monitor the effectiveness of their processes
- review outputs from systems and providers
- ensure records are complete and accurate
- identify and address gaps
For example, a conveyancing firm using an outsourced solution for customer due diligence still needs to ensure that:
- checks are being completed properly
- records are retained correctly
- risk assessments align with their AML program
If something goes wrong, AUSTRAC will not look to your provider first. They will look to you.
The biggest myth: “If I outsource, I reduce my risk”
In reality, outsourcing changes the nature of your risk, but it certainly doesn’t remove it. Instead of managing every task internally, you are now also responsible for:
- selecting the right provider
- ensuring they understand your business
- monitoring their performance
- verifying that outputs meet your obligations
Outsourcing can absolutely make compliance more efficient. But only when paired with strong internal ownership. Think of it as a partnership, not a delegation of responsibility.
Where directors, principals and licensees sit
While AML/CTF obligations apply to the reporting entity, leadership plays a central role. In fact, AUSTRAC has a whole section on its website dedicated to your firm’s AML culture. Directors, principals and licensees are responsible for:
- approving and overseeing the AML/CTF program
- ensuring appropriate resourcing
- maintaining a culture of compliance
- responding to identified risks
In practice, this means you cannot step back entirely from AML compliance. Outsourcing reduces the need to manage day-to-day detail, but you still need to remain actively engaged in how your business meets its obligations.
Building support without giving up control
The goal isn’t to avoid outsourcing. Instead, we want to encourage Tranche 2 businesses to use it properly. The right setup allows:
- systems to handle structure and documentation
- providers to assist with execution
- and your business to retain control over decisions and oversight
That’s exactly how easyAML is designed to work.
Rather than positioning technology as a replacement for responsibility, easyAML supports businesses by structuring processes, guiding workflows and helping teams document and manage compliance effectively, while keeping decision-making where it belongs.
You can get started for free, with no lock-in contracts, no credit card required and no commitments. You can begin onboarding your team, setting up your AML framework and building your compliance processes.
Get started here now - https://easyaml.com/get-started/