Start with a spot check
If your existing AML/CTF course is reasonably current, the foundations may still be sound. You may not need to rewrite every definition, every scenario or every assessment question.
A practical review should separate your course into three groups:
Keep: content that remains accurate and useful. This may include basic definitions, the purpose of AML/CTF controls, general suspicious activity indicators, internal escalation principles and record keeping basics.
Update: content that is directionally right but now needs to reflect the updated regime, new terminology, changed processes, new customer due diligence requirements, changed reporting pathways or new AUSTRAC guidance.
Replace: content that is now misleading, too narrow, too generic, based on old procedures, or written for a pre-reform operating model.
This is particularly important for courses that have been updated over several years. Many AML/CTF modules contain layers of historical content: an old introduction, a newer suspicious matter scenario, an assessment question from a previous policy version, and a downloadable PDF that nobody has checked recently.
The 1 July milestone is a good reason to clean that up.
What actually needs to change with new requirements?
For existing courses, the July update is less about teaching AML/CTF from the beginning and more about updating the course’s decision points.
These are the moments where staff need to know what to do.
For example:
- Is this part of the business now providing a designated service?
- Is this customer or counterparty now within scope?
- When does customer due diligence need to occur?
- Does an old ACIP process still apply, or has the business moved to the new initial CDD framework?
- Does this customer require ongoing or enhanced due diligence?
- Does this scenario create a suspicious matter escalation?
- Could the way we respond to the customer create a tipping off risk?
- Are there travel rule obligations for this transfer?
- Which team, system or workflow now applies?
These are the areas where existing training often becomes outdated.
The course may still explain what a suspicious matter is, but not reflect the new escalation process. It may still explain KYC, but not reflect the current customer due diligence workflow. It may still include a scenario about cash structuring, but not one that reflects newly regulated high-value goods, real estate, professional services or virtual asset activity.
1. Update the opening: who is now in scope?
Many older AML/CTF courses start with a simple statement about who the regime applies to. That section may now be too narrow.
If your course still frames AML/CTF as primarily applying to banks, casinos, remitters, digital currency exchanges and other historically regulated sectors, it should be reviewed.
From 1 July 2026, AUSTRAC expects newly regulated businesses to have enrolled where required, have an AML/CTF program, have a compliance officer, train staff on the program and internal processes, and be ready to engage with clients and report suspicious matters.
That does not mean every learner needs a long legal explanation of every newly regulated sector. But it does mean your course should explain the parts of the reform that are relevant to your organisation.
For a bank, lender, superannuation fund or financial services provider, the training might need to explain how the reforms affect customers, counterparties, professional intermediaries or related business areas.
For a larger corporate group, it may mean updating training to reflect newly captured professional services, property, trust, company, virtual asset or high-value goods activities within the group.
For a newly regulated business, the update may be more significant. Even if the organisation already had financial crime, fraud, sanctions or ethics training, it may not have had a formal AML/CTF training pathway aligned to an AML/CTF program.
The course should answer a very practical question:
“Which activities in our organisation now trigger AML/CTF obligations?”
That is different from asking learners to memorise the reform.
2. Update designated service examples
This is one of the most important content updates.
A course built before the reforms may not include examples for the newly regulated services that commenced on 1 July 2026. That means staff may understand AML/CTF at a high level, but still fail to recognise when their work actually falls within the regime.
For real estate, AUSTRAC says designated services include brokering the sale, purchase or transfer of real estate, and that both the buyer and seller may be customers of the same reporting entity for the purposes of the designated service. AUSTRAC also explains that a seller’s agent starts providing a designated service to the seller when the agreement to broker the sale or transfer is signed, and to the buyer when it is reasonably expected that the transaction will proceed.
That kind of detail should be reflected in training for affected real estate roles. A generic scenario about “checking customer identity” is unlikely to be enough.
For professional services, AUSTRAC lists new designated services across areas such as assisting with transactions to sell, buy or transfer real estate, assisting with transactions involving body corporates or legal arrangements, receiving or managing property to help with a transaction, selling shelf companies, and assisting with the creation or restructuring of body corporates or legal arrangements.
Again, that is not just a policy detail. It changes what a training scenario should look like.
For dealers in precious metals, stones and products, AUSTRAC explains that a regulated service may arise where a purchase is made using physical currency, virtual assets, or a combination of both, with a total value of at least $10,000 in a single transaction or linked transactions.
For virtual asset services, AUSTRAC notes that the term “virtual asset” has replaced the previous “digital currency” language and that the reforms capture a wider range of services, including exchange, safekeeping, transfer instructions and financial services connected with the offer or sale of a virtual asset.
If those examples are not in your current course, they may need to be added.
3. Update customer due diligence content
Most existing AML/CTF courses already include customer identification or KYC content. The issue is whether that content now reflects the updated customer due diligence framework and the organisation’s current process.
AUSTRAC describes customer due diligence as understanding who customers are before providing designated services and throughout the business relationship. Initial CDD involves identifying customers and relevant persons, assessing ML/TF risk, and generally collecting and verifying KYC information. Ongoing CDD includes keeping KYC information up to date, monitoring unusual transactions and behaviours, updating risk ratings and collecting or verifying additional information where appropriate. Enhanced CDD applies when the customer’s ML/TF risk is high or in other specified circumstances.
For an existing course, this means checking whether the language and process flow are still right.
For example, does the course still refer to an old customer identification process? Does it explain which customers are being transitioned to initial CDD and when? Does it describe ongoing CDD as a real process, or just as a definition? Does it give staff examples of when a customer’s risk profile might change?
This is also where transitional arrangements matter.
AUSTRAC’s transitional rules allow some current reporting entities to continue using applicable customer identification procedures, or ACIP, instead of the new initial CDD obligations for a limited period, if certain conditions apply. To rely on that transitional rule, entities needed transitional AML/CTF policies by 1 July 2026 that list the customer classes ACIP will apply to and the date when ACIP will stop applying to each class. AUSTRAC also says new ongoing CDD obligations apply to all customers from 31 March 2026.
That means a course may need to explain a temporary operating model.
For example:
“For some customer classes, we will continue to use the existing identification process during transition. For other customer classes, we will use the new initial CDD process. Use the workflow in the system and escalate any exceptions to the AML/CTF team.”
4. Update the scenario bank
This is where many AML/CTF courses will need the most work.
Older AML/CTF courses often use scenarios that are heavily weighted towards banking, gambling, remittance or generic cash behaviour. Those scenarios may still be useful, but they may not reflect the 1 July changes.
If the audience includes newly regulated sectors, or if existing reporting entities deal with those sectors, the scenarios should be updated accordingly.
The goal is not to write legal case studies. The goal is to help staff recognise the new risk moments.
Below are three examples of the type of scenario update that may be required.
Example 1. Real estate training that previously focused only on generic fraud
What the old course might include
The old course might include a general scenario about a customer using funds from an unknown source, or someone trying to rush a transaction. It might ask the learner to identify whether the behaviour is suspicious and whether it should be escalated.
That scenario is still useful, but it may not teach real estate staff what changed on 1 July 2026.
What needs to change
The updated course should help learners understand when the designated service begins, who the customer is, and when customer due diligence is required.
For a seller’s agent, the training may need to explain that the designated service begins for the seller when the agreement to broker the sale or transfer is signed. It may also need to explain that the buyer can become a customer when it is reasonably expected that the transaction will proceed, typically when the offer is accepted and the contract is signed. AUSTRAC’s guidance also notes that both buyer and seller can be customers for the purposes of the designated service.
That means the scenario should not simply ask:
“Is the buyer suspicious?”
It should ask:
“At what point do we need to complete the required steps for each party, and what should we do if information is missing, inconsistent or delayed?”
Example scenario to add
A seller signs an agreement with an agency to sell a residential property. The seller wants the property listed quickly and says they are acting on behalf of a family member overseas. Later, a buyer makes an offer that is accepted. The buyer wants to settle quickly and provides funds through a company account that does not appear connected to their personal profile.
The learner should work through:
- when the agency starts providing the designated service to the seller;
- when the buyer becomes relevant for AML/CTF purposes;
- what information needs to be collected and verified;
- what internal system or checklist must be used;
- what should be escalated if the customer refuses to provide information;
- what language should be used with the customer to avoid tipping off; and
- what records need to be kept.
Example 2. Professional services training that previously covered ethics, fraud or conflicts, but not designated services
What the old course might include
A law firm, accounting firm, conveyancing practice or advisory business may already have training on professional ethics, confidentiality, fraud, sanctions, conflicts, trust accounts, privacy or suspicious client behaviour.
But that does not necessarily mean the training covers the new professional designated services that commenced on 1 July 2026.
What needs to change
AUSTRAC’s professional services guidance includes services such as assisting with real estate transactions, assisting with transactions involving body corporates or legal arrangements, receiving or managing property to assist with a transaction, selling or transferring shelf companies, and assisting with the creation or restructuring of a body corporate or legal arrangement.
This creates a different training challenge. The learner may need to identify whether the work they are doing is within scope before they even get to the customer due diligence step.
A generic AML/CTF course might say:
“Know your customer before providing services.”
An updated course may need to say:
“First, identify whether the work being performed is a designated service. If it is, follow the AML/CTF workflow before providing the designated service, unless an approved exception applies.”
Example scenario to add
A client asks an accounting firm to help restructure a family trust and establish a new company to hold assets. The client wants the work completed quickly because funds are expected to arrive from overseas. The client is reluctant to provide details about the source of wealth, says the beneficial owner is “a private family matter”, and asks whether the accountant can simply use the details already provided for tax work.
The learner should work through:
- whether the requested work is likely to involve a professional designated service;
- whether existing client information is enough for the AML/CTF process;
- whether beneficial ownership information is required;
- whether source of funds or source of wealth information should be requested;
- whether enhanced CDD may be required;
- what should be escalated internally;
- what the staff member should say to the client; and
- what they should avoid saying if suspicion has formed.
That scenario is much closer to the work professional services staff actually do.
Example 3. Precious metals, stones and products training that previously covered cash thresholds but not linked transactions
What the old course might include
A course for high-value goods, retail or cash-handling staff might already include threshold transaction reporting, cash payments, structuring and suspicious activity.
But after 1 July 2026, training for dealers in precious metals, stones and products may need to be more specific.
AUSTRAC explains that regulated transactions may involve physical currency, virtual assets or a combination of both, and may be captured where linked or apparently linked transactions reach the $10,000 threshold. AUSTRAC also says businesses need processes to monitor for and identify linked transactions that could reach the threshold.
What needs to change
The course should not only teach “cash over $10,000”. It should teach staff how to recognise linked transactions, split payments, instalments, repeated visits and the use of different payment methods.
That is a behavioural update.
Example scenario to add
A customer wants to buy a $28,000 watch. They ask to pay $8,000 in cash today, $8,000 in cash later in the week, and the balance using cryptocurrency. They say they do not want the payments “treated as one transaction” and ask whether a different staff member can process the next payment when they return.
The learner should work through:
- whether the payments may be linked;
- whether the total value crosses the threshold;
- whether the use of cash and virtual assets changes the AML/CTF process;
- whether the customer appears to be structuring payments;
- what the staff member should do before accepting or processing the payment;
- how to escalate the concern; and
- what not to say to the customer.
This kind of scenario is far more useful than asking learners to define structuring.
5. Update tipping off guidance and customer language
Tipping off is another area where many existing courses need a careful update.
A course may already tell staff not to tell a customer that a suspicious matter report has been submitted. But that may not be detailed enough for staff who need to ask follow-up questions, request additional information, pause a transaction or explain why a process is taking longer.
AUSTRAC explains that tipping off involves disclosing certain information where it would or could reasonably be expected to prejudice an investigation. This can include telling a customer that you have provided, or need to provide, a suspicious matter report, or giving them enough information to understand that suspicion has formed.
This is where training should be very practical.
It should give staff safe language.
For example, instead of saying:
“We need more information because this transaction looks suspicious.”
The course might suggest:
“We need to collect some additional information to complete our standard verification process.”
Instead of saying:
“Compliance has flagged this and we may need to report it.”
The course might suggest:
“I need to refer this internally before we can proceed.”
AUSTRAC’s guidance notes that reasonable enquiries into unusual customer activity are not, by themselves, tipping off, but staff must avoid disclosing information that would or could be likely to prejudice an investigation. AUSTRAC also gives examples of genuine reasons staff may provide, such as needing to comply with AML/CTF obligations, keeping customer details up to date, collecting additional information as part of standard procedures, or resolving issues with identification documents.
That should be reflected in your course.
A good update is to include a short “say this, not that” activity. This can be simple but powerful.
6. Update travel rule content where relevant
Not every AML/CTF course needs travel rule content. But if your organisation transfers or receives money, virtual assets or property on behalf of customers, it may need to be reviewed.
AUSTRAC explains that the travel rule may require reporting entities that transfer or receive money, virtual assets or property on behalf of customers to collect, verify and share specific information with other businesses involved in the transfer. It typically applies to financial institutions, remittance service providers, virtual asset service providers and some other international transfers of value.
For virtual asset providers, the update may be especially important. AUSTRAC states that separate travel rule obligations apply in relation to transfers of value involving virtual assets.
If your existing course still uses older “digital currency exchange” language, it should be checked against the updated terminology and service scope.
For relevant roles, training should explain:
- when the travel rule applies;
- what information must be collected;
- what information must be verified;
- what information must be passed on;
- what to do when information is missing or inaccurate;
- the difference between ordering, intermediary and beneficiary institution roles;
- what the system will prompt staff to do; and
- when an issue needs to be escalated.
This does not need to be taught to everyone in the organisation. But for teams involved in payments, remittance, virtual assets, operations, monitoring or exception handling, it may need a specific learning pathway.
What to look for in your existing AML/CTF course
A practical review might ask:
Does the course still describe the right audience?
If the organisation now has newly regulated activities, or interacts with newly regulated sectors, the audience and context may need to change.
Does it use current terminology?
Check references to digital currency, digital currency exchange providers, ACIP, customer identification, customer due diligence, compliance officer roles and internal systems.
Does it reflect the current AML/CTF program?
Training should align to the current risk assessment, policies, procedures, systems and controls.
Does it include the right sector examples?
If the course still relies on generic banking or cash examples, add scenarios for relevant sectors such as real estate, professional services, precious metals and stones, or virtual assets.
Does it explain the updated customer due diligence process?
Make sure learners know what initial CDD, ongoing CDD and enhanced CDD look like in practice.
Does it explain transition arrangements clearly?
If some customer classes are still under ACIP while others have moved to initial CDD, staff need to understand the operational impact.
Does it help staff avoid tipping off?
Include safe language and realistic customer interactions.
Does the assessment test the updated process?
Rewrite questions so they test what staff need to do, not just what they can remember.
Are training records and version history clear?
Make sure you can show what was updated, who completed it and what evidence of understanding was collected.
What next?
For many organisations, the most efficient approach is not a complete rebuild.
A targeted AML/CTF training uplift might include:
- reviewing your existing AML/CTF module against the 1 July 2026 changes;
- mapping outdated content to updated AUSTRAC guidance and internal policies;
- rewriting sections that no longer match your AML/CTF program;
- developing new sector-specific scenarios;
- adding role-based pathways;
- updating assessment questions;
- refreshing facilitator guides and job aids;
- creating short compliance refreshers;
- rebuilding legacy content into modern eLearning;
- preparing LMS-ready SCORM packages; and
- documenting version changes for audit and reporting purposes.
The best AML/CTF training does more than tell people the law has changed.
It helps them recognise what has changed in their role.
That is the key test for any AML/CTF training update after 1 July 2026:
Can staff still use the course to make the right decision, at the right moment, using the current process?
If the answer is not yet clear, the course should be reviewed.