In part 1 of this series, we explored how to enrol and register with AUSTRAC to meet your anti-money laundering and counter-terrorism financing (AML/CTF) obligations.
Now, we turn to the next critical requirement: developing and maintaining an AML/CTF program tailored to your unique business.
An AML/CTF program is more than a regulatory requirement; it is your business’s frontline defence against financial crime. Whether you are a real estate agency, legal or accounting firm, or any other entity covered by AML laws, you have obligations to identify, assess and mitigate money laundering (ML), terrorism financing (TF), and proliferation financing (PF) risks when Tranche 2 reforms come into effect in June 2026.
Based on AUSTRAC's Future Law Compilation of the AML/CTF Act, this article explains what an AML/CTF program is, why it must be tailored to your business and how to develop and maintain one.
Note that the rules have not been finalised as at publication of this article, so the information below may change. It is designed to help reporting entities and industry associations understand the effect of the amended legislation and become familiar with it.
What is an AML/CTF program?
An AML/CTF program is a structured set of policies, procedures and controls designed to protect your business from criminal exploitation. It ensures compliance with AML laws and contributes to the integrity of Australia’s financial system.
AUSTRAC mandates that an AML/CTF program must:
- Identify and assess ML/TF/PF risks your business may reasonably face
- Set out policies, procedures and controls to mitigate these risks
- Ensure compliance with AML/CTF obligations
- Be documented, approved by senior management, and regularly reviewed
Your AML/CTF program is not just a box-ticking exercise; it must be a living document that evolves alongside your business and regulatory changes.
What your AML/CTF program must include
To be effective, your AML/CTF program must be risk-based and proportionate to the nature, size and complexity of your business. It should contain the following key elements:
Risk assessments
Your business must assess the specific ML/TF/PF risks it faces in providing designated services. This includes:
- Identifying potential vulnerabilities within your operations.
- Evaluating the likelihood and impact of these risks.
- Implementing measures to mitigate them effectively.
A well-documented risk assessment enables your business to apply appropriate controls, allocate resources efficiently and ensure ongoing compliance.
This process is not just about checking boxes; it requires a genuine understanding of the threats posed by financial crime and how they could impact your specific business.
Here's further reading on risk assessments and some light reading from AUSTRAC.
Policies, procedures, systems and controls
Your AML/CTF program must establish clear policies and procedures to manage and mitigate identified risks. To do that you need systems that:
- Define how your business identifies and manages ML/TF/PF risks.
- Ensure compliance with AML/CTF laws and regulatory requirements.
- Guide staff on customer due diligence (CDD) procedures.
- Provide ongoing training to employees involved in compliance functions.
- Ensure independent reviews are conducted at least once every three years.
The policies, procedures, systems and controls should include:
- Customer due diligence (CDD) measures, including Know Your Customer (KYC) processes to verify customer identities and understand their financial activities.
- Suspicious matter reporting (SMR) obligations and procedures to report potentially illicit activities.
- Record-keeping requirements to ensure an auditable trail of transactions and customer interactions.
- Employee training and awareness programs to build a culture of compliance.
- Transaction monitoring and ongoing risk assessments to detect and prevent illicit financial activity.
These policies must be proportionate to your business’s risk exposure and updated regularly to reflect regulatory changes and emerging threats.
Appointing an AML/CTF Compliance Officer (AMLCO)
Your business must designate an AMLCO who is responsible for:
- Overseeing day-to-day compliance with AML/CTF obligations.
- Ensuring AML/CTF policies are effectively implemented.
- Acting as the key liaison with AUSTRAC.
- Maintaining sufficient authority and resources to carry out their responsibilities.
- Ensuring timely reporting to AUSTRAC when required.
You must notify AUSTRAC within 14 days of appointing an AML/CTF Compliance Officer.
Note that this does not need to be a full-time role; in smaller companies it is often done in addition to someone's everyday job.
Governance and accountability
Your internal governance group plays a critical role in AML/CTF compliance by:
- Providing oversight of ML/TF risk assessments and compliance efforts.
- Ensuring policies are effectively applied and updated.
- Taking reasonable steps to mitigate financial crime risks.
Key players and activities of the governance group include:
- Senior management oversight: A governing board or senior managers must ensure the program is effectively implemented and continuously improved.
- AMLCO: A designated individual must oversee day-to-day compliance. This person should be appropriately qualified and have the authority to enforce AML/CTF policies.
- Ongoing updates: Your AML/CTF program must be reviewed and updated to reflect significant changes in your business, regulatory requirements, or emerging risks identified by AUSTRAC.
- Independent review: The program must be independently assessed at least once every three years to ensure its effectiveness.
For sole traders, these responsibilities can be managed independently but must still align with AUSTRAC’s compliance expectations.
Documenting and approving the AML/CTF program
To demonstrate compliance, your business must maintain up-to-date records of:
- Your AML/CTF program and supporting policies.
- ML/TF risk assessments and updates.
- Policy approvals by senior managers.
- Independent review findings and subsequent actions.
Consider how you will approach the security, backup and retention of all documents to allow for limited rework, quicker responses and auditability.
Your compliance model: leveraging reporting group arrangements
Businesses seeking to share compliance costs may be able to do so within a reporting group framework. Under the AML/CTF Act and Rules, entities within a reporting group can share some or all compliance obligations, including risk assessments, transaction monitoring, and reporting procedures. A lead entity must establish and oversee the group AML/CTF program, ensuring all members adhere to regulatory requirements.
AUSTRAC is finalising changes to the reporting group framework and businesses should stay informed on how this may apply to them via the official site.
In the meantime, consider what model you will adopt for AML compliance: centralised, hybrid or decentralised. Read more about the pros and cons of each one here.
Reporting obligations
While the exact requirements are yet to be clarified in the final regulations, based on existing obligations for other sectors and international practices, you can expect to be responsible for the following types of reports:
Ongoing reporting obligations
- Threshold Transaction Reports (TTRs)
- International Funds Transfer Instructions (IFTIs)
- Suspicious Matter Reports (SMRs)
Other reporting obligations
- AUSTRAC compliance reports: annual or biennial reports on your AML/CTF compliance program and its effectiveness
- AML/CTF Program Updates
- Risk Assessment Reports
- Registered Designated Service Reports
Remember, the exact reporting requirements may vary based on the final regulations. It's crucial to stay informed about AUSTRAC's specific guidance. Find out more about each of the report types here.
Record-keeping practices
Maintaining accurate and accessible records supports the integrity of your AML/CTF efforts and facilitates audits or regulatory reviews.
Ensure that records of customer identification, transaction details and compliance activities are retained for the mandated period, typically seven years.
Here are some great tips on how other companies are reducing the record-keeping burden.
Staff training and awareness
Educating your employees about AML/CTF obligations and red flags empowers them to act as the first line of defence against financial crime. Regular training sessions should cover:
- Recognising red flags of ML/TF activities for your industry, services and client base.
- Understanding internal reporting procedures.
- Staying informed about regulatory updates and typologies.
Feedback from international AMLCOs is that the more relevant, timely and bite-sized you make training, the better it's understood and retained.
Independent audits and reviews
Periodic independent assessments of your AML/CTF program can help identify areas for improvement and demonstrate your commitment to compliance. These reviews should evaluate the effectiveness of your policies, procedures and controls, providing actionable recommendations for enhancement.
AUSTRAC has released guidance stating that, "Your AML/CTF program must be documented and approved by a senior manager of your business. It must be kept up-to-date to reflect significant changes to your business and relevant ML/TF/PF risk products released by AUSTRAC and independently evaluated at least once every 3 years."
Getting help
Creating an AML/CTF program can seem daunting. Firms frequently use specialists to help them understand their unique risks then develop relevant risk assessments and their resulting AML programs.
Examples of companies who can help in this area include:
- Teal Compliance Australia - Amy Bell
- EY Australia - Nick Davidson
- Raven AML - Luke Raven
- One AML - Akash Khushal
- Whitelight - Tomas Jordan
Conclusion
An AML/CTF program is not just a regulatory obligation; it is an essential tool to protect your business from criminal exploitation. A well-structured, risk-based and regularly updated program ensures compliance while safeguarding your reputation.
For further guidance, refer to AUSTRAC’s official AML/CTF resources or seek professional compliance advice.
About First AML
This article is written not only from the perspective of a technology provider, but also through the lens of compliance professionals. Prior to releasing Source, First AML’s orchestration platform, we processed over 2,000,000 AML cases ourselves. Understanding the acute problem that faces firms these days as they try to scale their own AML is in our DNA.
That's why Source now powers thousands of compliance experts around the globe to reduce the time and cost burden of complex and international entity KYC. Source stands out as a leading solution for organisations with complex or international onboarding needs. It provides streamlined collaboration and ensures uniformity in all AML practices.