Workflow-first compliance: Structuring AML/CTF for real-world delivery

When firms design their AML/CTF compliance programs, many begin with the paperwork — policies, risk assessments, training logs.

But in practice, your compliance program is your workflow. It’s how your team identifies and manages risk in their day-to-day work. And that’s shaped not only by legal requirements but also by how your operating model is structured.

Whether you centralise, decentralise, outsource or take a hybrid approach, your AML/CTF operating model has real consequences for who does the work, how information flows, where decisions are made and how consistently your firm manages risk.

Let's explore why that matters, how each model impacts your workflows and how to design for real-world delivery - not just policy compliance.

Why your AML/CTF operating model matters

Your operating model sets the stage for how compliance happens across your business. It defines:

  • Who completes key AML/CTF tasks
  • Where those tasks sit - centrally, locally or externally
  • How information moves between teams or providers
  • Who owns decision-making and reporting responsibilities
  • How consistently your firm applies controls and manages risk

In short, your workflows are your program in action. The model you choose will shape how well those workflows function - whether they're clear, consistent and efficient or fragmented and risky.

Four operating models (and how they shape AML/CTF workflows)

We typically see four operating models in regulated firms:

1. Centralised / Reporting Group

A central team manages AML/CTF across multiple offices or practices, often under a formal AUSTRAC reporting group. This model is ideal for standardised workflows and consistency.

2. Decentralised / Go it alone

Each office or team manages AML/CTF independently. This gives maximum autonomy but increases the risk of inconsistency and duplicated effort.

3. Hybrid / Directed by Corporate

A central compliance function provides shared policies, systems and oversight while allowing local flexibility in how day-to-day tasks are carried out.

4. Outsourced

Some or all AML/CTF tasks are handled by a specialist provider. This reduces internal workload but still requires strong internal oversight.

These models aren't just organisational choices — they define how your program components turn into action.

What your AML/CTF program must include

No matter your model, AUSTRAC requires your AML/CTF program to include:

  • A documented risk assessment
  • Policies and procedures
  • Senior management approval and oversight
  • A nominated AML compliance officer (AMLCO)
  • Ongoing staff training and awareness
  • CDD and KYC processes
  • Reporting of suspicious and threshold transactions
  • Independent review at least every three years

Each of these components must be operationalised — turned into repeatable actions within your workflow.

Translating compliance components into workflows

Here's how your chosen model affects key program components:

| Program component | Workflow responsibility |
| --- | --- |
| Risk assessment | Central team (centralised), local teams (decentralised) or shared ownership (hybrid/outsourced) |
| Policies and SOPs | Created centrally vs tailored locally - hybrid models blend both |
| AMLCO | One central AMLCO vs multiple local leads - outsourced models still require internal AMLCO oversight |
| Training | Delivered group-wide, locally or via provider with tracking and reinforcement |
| CDD and KYC | Done in-platform centrally or locally with shared or bespoke tools - providers handle this in outsourced models |
| Transaction monitoring | Alerts and SMR prep managed by central team, locally or flagged by provider and finalised internally |
| Independent review | Group-wide vs local reviews - outsourced models must include provider scope in review |

Your workflows only succeed when they match your operating model. Misalignment leads to duplication, delays or missed obligations.

Which model fits your firm?

Ask yourself: do your AML workflows need...

  • Standardised processes across offices? → Centralised
  • Local flexibility with shared guardrails? → Hybrid
  • Complete independence and control? → Decentralised
  • Specialist support or faster setup? → Outsourced

The right model aligns to your firm's culture, structure and risk appetite and sets the foundation for scalable compliance.

Designing your workflows: guiding questions

To ensure your workflows align with your model, consider:

  • Who introduces the CDD process to clients?
  • What information is required and who collects it?
  • Where does due diligence happen and who reviews it?
  • How are red flags escalated?
  • Who drafts and submits SMRs?
  • How do policy or risk updates get rolled out?
  • Who delivers training and tracks compliance?
  • How is audit evidence collected and stored?
  • What happens when something doesn't look right?

Clear answers to these questions shape workflows that actually work across tools, teams and offices.

Technology enables smarter workflows but doesn't replace them

Too often, firms invest in technology before clearly defining the workflows it’s meant to support. But that puts the cart before the horse. Start by mapping out the workflow, then choose tools that help you deliver it more efficiently and consistently.

“Tech's essential for scale and consistency in AML but it only really works if you first understand your risks and processes. You can't just buy your way to compliance.”

— Matt Kennedy, Director, EY Australia


Tech supports your program but it doesn't define it. People still need to:

  • Interpret results
  • Escalate issues
  • Apply judgement
  • Maintain oversight
  • Adapt to change

Where tech fits and where it doesn't

Here's what technology can do (and what still needs a human):

| Workflow stage | Technology can | Humans must |
| --- | --- | --- |
| Customer onboarding | Automate ID checks, match to PEP/sanctions lists | Decide if risk is acceptable, escalate edge cases |
| CDD and risk assessment | Apply models, automate document collection | Interpret indicators in context, guide bespoke data collection |
| Ongoing monitoring | Flag anomalies, track client activity | Assess suspicion and determine reporting threshold |
| SMR preparation | Pre-fill templates, store and track submissions | Draft clear narratives, make reporting calls |
| Training | Deliver e-learning, track completion | Reinforce with discussion, tailor to real scenarios |
| Policy and legislative updates | Push new versions via document tools | Communicate meaning, ensure teams understand what's changing |

Technology removes bottlenecks and improves consistency but the compliance burden still lives with your people.

Final advice: build workflows with your program, not after it

Too often, compliance programs are written like checklists. But they need to be designed like systems.

If your workflows aren't defined, documented and supported, then your program isn't really live. Start by designing your AML/CTF workflows:

  • Who does what, when and how?
  • Where do decisions happen?
  • What systems or templates support each step?

Then, and only then, bring in technology to make those workflows faster, smoother and more consistent.

That’s what workflow-first compliance looks like.


About First AML

This article is written not only from the perspective of a technology provider but also through the lens of compliance professionals. Prior to releasing Source, First AML’s orchestration platform, we processed over 2,000,000 AML cases ourselves. Understanding the acute problem that faces firms these days as they try to scale their own AML is in our DNA.

That's why Source now powers thousands of compliance experts around the globe to reduce the time and cost burden of complex and international entity KYC. Source stands out as a leading solution for organisations with complex or international onboarding needs. It provides streamlined collaboration and ensures uniformity in all AML practices.
