The Enemy Within: Why Tranche 2 Entities Must Act on Employee Due Diligence Now

May 7, 2025

When we think about anti-money laundering and counter-terrorism financing (AML/CTF) risks, our minds often jump to suspicious customers, shady transactions, and complex criminal networks. But there’s another, more insidious threat: one that wears a staff ID badge, attends meetings, and shares morning coffees with us. The risk of internal bad actors, employees or business partners who facilitate or overlook criminal activity, is real and dangerously underestimated, particularly in businesses soon to fall under the scope of Australia’s Tranche 2 AML/CTF reforms.

Why It Matters: Insider Risk Is Not a Hypothetical

No one wants to imagine that a colleague could be compromised, corrupt, or criminal. But real-world examples prove that employee risk is more than just theoretical.

In recent years, individuals working in high-security government departments, including border control and immigration, have been caught aiding criminal enterprises. These departments are subject to audits, vetting, and national security oversight, yet bad actors managed to infiltrate them.

The private sector is no safer. In 2011, a prominent Sydney Eastern Suburbs real estate agent was convicted of dealing in the proceeds of crime, highlighting that even trusted professionals can become facilitators of illicit activity. Similar vulnerabilities exist across other professional sectors. In various cases, lawyers and accountants have also faced disciplinary action or prosecution for enabling or ignoring criminal conduct. While these professions are subject to professional obligations to disclose criminal convictions, these obligations rely largely on self-disclosure, an honesty system that is not always sufficient when it comes to proactive risk management. It’s likely that others have accepted large cash payments with little to no scrutiny or have chosen to ignore obvious red flags. Sometimes, the behaviour isn’t mere negligence; it’s complicity.

Now consider Tranche 2 entities: real estate agents, accountants, lawyers, and others about to come under the AML/CTF regime. Many of these businesses, especially small and medium firms, have little or no formal staff screening. Hiring is often based on referrals, minimal background checks, or gut instinct. That won’t suffice in a regulated environment.

Insider risk isn’t unique to Australia. Globally, regulated entities have faced enforcement action due to staff enabling money laundering, through false documentation, manipulation of onboarding systems, or suppressing suspicious transaction reports. For example, in the United States, a real estate broker was convicted for assisting sanctioned Russian oligarchs in managing and leasing luxury properties, despite international financial restrictions. In another case, a partner at a prominent law firm was found guilty of using his legal expertise to set up fake investment funds that laundered hundreds of millions in fraud proceeds. These cases highlight that insider risk extends beyond banks and into professional service sectors, making this a global challenge that demands universal attention.

The Critical Role of Employee Due Diligence in AML/CTF Compliance

Employee due diligence (EDD) is a vital but often downplayed element of a holistic AML/CTF framework. Just as customer due diligence (CDD) helps you understand who you’re doing business with, EDD helps you understand who you’re trusting to protect your business and your regulatory standing.

EDD also plays a critical role in detecting and managing risks associated with politically exposed persons (PEPs), their relatives, and close associates (RCAs). These relationships can potentially compromise decision-making or create avenues for corruption.

Poor hiring practices, with weak oversight and controls, can expose businesses to:

  • Deliberate circumvention of AML/CTF controls, including suppression of suspicious matter reports (SMRs)
  • System exploitation by criminal groups who place insiders into key roles
  • Staff coercion due to personal debt, addiction, or other vulnerabilities
  • Negligence from undertrained employees, leading to missed red flags
  • Connected hires influenced by PEPs, high-risk clients, or third-party interests

The Business Impact of Internal Complicity

The consequences of poor staff screening and oversight are severe:

  • Regulatory penalties for inadequate AML/CTF controls
  • Legal exposure when staff facilitate or ignore criminal behaviour
  • Loss of licences in regulated industries such as real estate or accounting
  • Reputational damage that erodes client trust and market credibility

For small businesses, even a single internal incident can have existential consequences, especially because, in many cases, the employees are the face of the business.

Why Businesses Fail to Act

There’s a natural reluctance to consider that someone in the office could be a criminal. This “normalcy bias” causes many owners and managers to assume, “It won’t happen here.”

Others fear that screening may be invasive or harm morale. In small businesses, the perceived cost of thorough checks, or the challenge of navigating privacy obligations, can be intimidating. And many assume that a clean police check and good references are enough.

But failing to manage employee risk leaves your business exposed. Inaction is often more costly than proportionate diligence.

What Tranche 2 Entities Should Do Now

Even before the laws take effect, Tranche 2 entities should begin integrating employee due diligence into their operations. Early action means fewer surprises and lower risk.

  1. Risk-Based Hiring Practices

Develop a hiring policy that reflects the risk level of each role. Staff with access to client funds, compliance systems, or customer data should face enhanced checks.

  2. Baseline Screening for All Staff

At a minimum, conduct:

  • Identity and qualification checks
  • National Police and reference checks
  • PEP and sanctions screening
  • A review of publicly available online activity that may reveal links to high-risk individuals or networks

For high-risk roles, consider:

  • Bankruptcy and litigation history
  • Credit checks
  • Screening against ASIC’s banned/disqualified register
  • External background reviews for senior hires
  • International police checks where applicable

If a staff member is related to or closely linked with a PEP:

  • Segregate them from client matters relating to the PEP
  • Monitor for conflicts or undue influence

  3. Ongoing Monitoring

EDD isn’t a one-time task. It requires periodic re-screening and must also be responsive to certain triggers, especially for staff in sensitive or high-risk roles. Triggers for out-of-cycle re-screening may include:

  • Unexplained wealth or lifestyle changes
  • Secrecy or around clients
  • Unusual loyalty to a high-risk client
  • Open disregard or dismissive attitude towards compliance

  4. Annual Attestations and Role-Based Training

Good practice includes having your employees formally acknowledge their awareness of AML/CTF obligations each year. When combined with regular AML/CTF awareness training, targeted training for increased-risk roles, and tailored role-specific modules where appropriate, this reinforces both capability and a culture of accountability.

  5. Conflict of Interest Register

Track staff connections to clients, suppliers, and counterparties. Transparency prevents conflicts before they arise.

  6. Use of Technology

Technology can enhance your EDD process. Consider using:

  • Automated screening against watchlists and databases
  • Digital ID tools that validate credentials and identity in real time

Creating a Culture of Integrity

Screening is one layer of protection, but culture is the foundation.

A healthy compliance culture includes:

  • Leaders who model integrity and visibly support the AML/CTF framework
  • Open reporting channels where employees can raise concerns without fear
  • Zero tolerance for cutting corners, no matter the person’s rank or profitability
  • Clear and consistent consequence management, where staff understand the personal accountability of AML/CTF obligations and the disciplinary actions that follow non-compliance, up to and including dismissal and regulatory referral

By embedding these values from the top down, businesses foster an environment where compliance is the norm, not the exception.

Conclusion: The Time to Act Is Now

As Tranche 2 reforms approach, businesses must move quickly. The threat of internal bad actors is not speculative; it’s proven.

Tranche 2 means regulators will now expect a higher standard of employee due diligence from sectors that haven’t previously been subject to these rules. If you’ve been doing some checks already, that’s a great start, but under the new regulatory regime, those checks need to be more consistent, formalised, and defensible. This isn’t just red tape; it’s smart business. So why not take the opportunity now to get ahead of the curve?

If a full screening program feels too far off, begin the conversation. Talk with your staff. Make expectations clear. Lay the groundwork for a safe, compliant workplace.

Because when it comes to financial crime, the biggest threat might not be on the outside. It might be sitting at the desk next to yours.

Call to Action

If you’re a Tranche 2 entity preparing for AML/CTF obligations, now is the time to act. Review your employee screening processes. Identify the gaps. Build a framework that protects your brand, your people, your clients, and your licence.

Prevention doesn’t start with your customers; it starts with your team. If you want to explore practical steps to improve employee due diligence, feel free to get in touch with the team at Platinum AML.