How to Build an AML/CTF Compliance Program: Step-by-Step Guide for Australian Firms
Under Australia's AML/CTF Act, every reporting entity must have a written AML/CTF Program. For Tranche 2 entities — accountants, lawyers, real estate agents — this obligation commences on 1 July 2026. Your program must be in place and operational from that date, not just drafted.
This guide takes you through each required component of an AML/CTF Program, what AUSTRAC expects to see in each section, and how to structure it so it works as both a compliance document and a practical operational guide for your team.
The 7 Required Components of an AML/CTF Program
1. Business Risk Assessment
Your program must begin with a documented assessment of the money laundering and terrorism financing risks specific to your business. This is the foundation everything else is built on. Your risk assessment should evaluate:
- Client risk: Who are your clients? Do you serve high-net-worth individuals, foreign nationals, politically exposed persons, or businesses in high-risk industries?
- Service risk: Which of your services involve financial flows, asset management, or control over client funds?
- Channel risk: Do clients engage with you digitally, internationally, or through intermediaries?
- Jurisdiction risk: Do you have clients from FATF grey-listed or black-listed countries?
The output of your risk assessment should be a risk rating for each service type and client category, which then drives the intensity of your customer due diligence (CDD) and monitoring.
2. Customer Due Diligence Procedures
Document exactly how your firm will identify and verify clients before providing each designated service. This section must specify the information collected, the verification methods accepted, and who is responsible for each step. The procedures will differ for each entity type (individuals, companies, trusts, self-managed super funds (SMSFs)); each must be documented separately.
3. Enhanced Due Diligence Procedures
Your program must define the circumstances that trigger enhanced customer due diligence (ECDD) and the additional steps required. At minimum, document how your firm will handle Politically Exposed Persons (PEPs), clients from high-risk jurisdictions, and clients rated high-risk by your risk assessment methodology.
4. Ongoing Monitoring
Describe how your firm will monitor existing client relationships for changes in risk profile and suspicious transaction patterns. This section should specify:
- The frequency of PEP/sanctions re-screening for different client risk tiers
- Transaction monitoring thresholds and escalation procedures
- Triggers for re-verification of client identity (document expiry, material relationship changes)
5. Staff Training and Awareness
All staff involved in providing designated services must receive AML/CTF training. Your program must specify:
- Training content (at minimum: recognising money laundering and terrorism financing (ML/TF) red flags, CDD procedures, how to escalate concerns)
- Frequency of training (initial training on commencement, then at least annually)
- How training completion is recorded
Clear AML includes a built-in LMS that certifies staff on AUSTRAC requirements — at no extra cost.
6. Reporting Procedures
Document how your firm will handle mandatory reporting obligations:
- Suspicious matter reports (SMRs): Who decides whether a matter is reportable, who prepares the report, and how the 24-hour (terrorism) and 3-business-day (other) deadlines are managed
- Threshold transaction reports (TTRs): Procedures for identifying and reporting cash transactions of AUD 10,000 or more
- How staff should escalate concerns internally before a report is lodged
7. Record-Keeping
Specify what records are kept, in what format, for how long (7 years minimum), and how they can be retrieved on AUSTRAC request. Include your data storage location (AUSTRAC prefers Australian-hosted data) and access controls.
Governance: Adopting and Owning the Program
The program must be formally adopted by senior management (typically the managing partner or principal). Document the adoption date and ensure the program is version-controlled. When you update the program, keep the prior version — AUSTRAC may want to see the history of your compliance approach.
Independent Evaluation
For Tranche 2 entities, the first independent evaluation must occur by 1 July 2029. The evaluator must be independent of the program's design — an external AML consultant, an internal audit function that was not involved in building the program, or a law firm with AML expertise. Document the scope, findings, and any remediation actions taken.
Build Your Program in Under 30 Minutes
Clear AML's guided AML/CTF Program Generator walks you through each required section with pre-populated content tailored to your firm. Answer a series of questions about your practice and the system generates a customised Part A and Part B — an AUSTRAC-ready program document you can approve and download immediately.