AML/CTF Program. Your Compliance Foundation

What is an AML/CTF program? Learn the requirements for Part A and Part B under AUSTRAC regulations.

Your AML/CTF program is the foundation of your compliance. It's not just a document you file away and forget. It's your roadmap for detecting, preventing, and reporting money laundering and terrorism financing.

Let's break down what it actually needs to include — and why.

What Is an AML/CTF Program?

In AUSTRAC's words: it's a written document showing how you identify, mitigate, and manage the risk of your services being used for ML/TF.

In practical terms: it's your compliance manual. It explains:

  • What ML/TF risks your business faces
  • How you'll detect suspicious activity
  • What processes you'll follow for customer due diligence
  • Who's responsible for what
  • How you'll train staff
  • When and how you'll report to AUSTRAC

Deadline for Tranche 2 entities: July 1, 2026. Your program needs to be documented, approved by senior management, and operational by that date. Not "in progress." Operational.

The Two Core Components

1. ML/TF Risk Assessment

This is where you identify the specific money laundering and terrorism financing risks your business faces.

AUSTRAC expects you to assess risks across five dimensions:

Customer risk: Who are your customers? High-net-worth individuals? Foreign nationals? PEPs? Shell companies? Each customer type carries different ML/TF risk.

Product/service risk: What services do you offer? Trust account management? Property transactions? Company formations? Some services are higher risk than others.

Delivery channel risk: How do you deliver services? Face-to-face? Online? Through intermediaries? Non-face-to-face channels are higher risk (because identity verification is harder).

Geographic risk: Where do your customers come from? Where do funds originate? Transactions involving high-risk jurisdictions (identified by FATF) increase ML/TF risk.

Third-party risk: Do you rely on third parties for CDD or other compliance functions? That introduces risk if they're not reliable.

Your risk assessment isn't a one-time exercise. You need to review it regularly (AUSTRAC recommends annually) and update it when your business changes.

Example risk assessment for a real estate agency:

  • High-risk customers: Foreign buyers paying cash, corporate buyers with complex structures, buyers from high-risk jurisdictions
  • High-risk services: Sales over $5 million, off-the-plan purchases with long settlement periods, rapid property flipping
  • High-risk channels: Offshore buyers who never physically inspect properties
  • High-risk geography: Buyers from countries with weak AML regimes or high corruption

2. AML/CTF Policies and Procedures

This is your compliance playbook. It documents the systems, processes, and controls you'll use to manage ML/TF risks.

Your policies need to cover:

Governance: Who's accountable? Who oversees compliance? Who makes decisions when there's a red flag?

Customer due diligence: How do you verify customer identity? How do you identify beneficial owners? When do you apply enhanced due diligence?

Transaction monitoring: What thresholds trigger reviews? What patterns do you watch for? Who investigates alerts?

Suspicious matter reporting: When do you file an SMR? Who makes that decision? What's the process?

Record keeping: What records do you keep? Where? For how long?

Training: How often do you train staff? What topics do you cover?

Independent review: Who conducts the review? How often? What's the scope?

Governance Requirements

Your AML/CTF program needs a clear governance structure. That means:

Board/senior management oversight: Someone at the top needs to own compliance. They're accountable if things go wrong.

AML/CTF Compliance Officer: This is a management-level position. Not an admin role. This person needs to be "fit and proper" — meaning they have the competence, knowledge, and judgment to oversee compliance.

Responsibilities of the Compliance Officer:

  • Implement and maintain the AML/CTF program
  • Monitor compliance across the business
  • Report to senior management/board regularly
  • Liaise with AUSTRAC
  • Ensure staff training
  • Assess and escalate risks

For small businesses, the owner might be the compliance officer. For larger firms, it's typically someone with legal or compliance expertise.

Employee Due Diligence

You need to make sure your employees aren't ML/TF risks themselves. That means:

  • Background checks before hiring
  • Assessing whether employees have the skills and judgment for their roles
  • Monitoring for conflicts of interest or suspicious behaviour

If an employee is facilitating money laundering (intentionally or through negligence), that's on you. AUSTRAC will hold the business accountable.

Training Requirements

All staff who interact with customers or handle compliance functions need AML/CTF training. They need to know:

  • What money laundering and terrorism financing are
  • What red flags look like
  • What their obligations are
  • Who to escalate concerns to
  • What happens if they don't comply (hint: penalties)

How often should you train staff? At minimum:

  • During onboarding (before they start working with customers)
  • Annually (refresher training)
  • When there are significant changes (new laws, new services, new risks)

Document all training. When AUSTRAC audits you, they'll ask for training records.

Independent Review

Every 3 years (minimum), your AML/CTF program needs an independent review. That means someone who's not involved in your day-to-day compliance assesses:

  • Is your program effective?
  • Are you following it?
  • Are there gaps or weaknesses?
  • Do you need updates based on new risks or regulatory changes?

The reviewer can be:

  • An external auditor
  • A consultant with AML expertise
  • Someone from another part of your organisation (if they're truly independent)

Results go to your board/senior management. Recommendations need to be acted on.

Systems and Controls for Reporting

Your AML/CTF program needs to ensure you can meet reporting obligations:

Suspicious Matter Reports (SMRs):

  • Who decides when to file?
  • What's the escalation process?
  • How do you submit (AUSTRAC Online)?
  • Are you meeting the 3-business-day deadline (or 24 hours for TF)?

Threshold Transaction Reports (TTRs):

  • How do you detect cash transactions of $10,000+?
  • How do you submit TTRs within 10 business days?
  • Are you aggregating multiple transactions from the same customer on the same day?

Annual Compliance Reports:

  • Who compiles the report?
  • What data sources do you use?
  • Is it submitted by the deadline?

Record Keeping

All AML/CTF program documentation must be kept for at least 7 years. That includes:

  • Your ML/TF risk assessment (and all updates)
  • Your AML/CTF policies (and all versions)
  • Customer identification records
  • Transaction records
  • SMRs and TTRs filed
  • Training records
  • Independent review reports
  • Board/management meeting minutes related to AML/CTF

Why 7 years? Because AUSTRAC can audit you at any time. And if you can't produce records, you can't prove compliance.

Real-World Example: What Goes Wrong

The failures behind Commonwealth Bank's $700 million penalty included problems with its AML/CTF program:

  • Risk assessments didn't account for new channels (intelligent deposit machines)
  • Transaction monitoring systems didn't work properly
  • Governance failures — senior management wasn't adequately overseeing compliance
  • Late or missing SMRs and TTRs

CBA had an AML/CTF program. It just wasn't working. And that's what AUSTRAC penalised — not the lack of a program, but the failure to implement it effectively.

For Tranche 2 Entities

If you're entering the AUSTRAC regime on July 1, 2026, you need to build your AML/CTF program from scratch. That includes:

  • Conducting a full ML/TF risk assessment
  • Writing policies and procedures
  • Appointing a compliance officer
  • Implementing systems for CDD, monitoring, and reporting
  • Training all staff
  • Getting senior management sign-off

Can you do this yourself? Possibly. But most firms are working with compliance specialists or using platforms like ARCaml to handle the heavy lifting.

Because building an AML/CTF program isn't just about ticking boxes. It's about creating systems that actually work — systems that detect money laundering, protect your business, and keep you compliant.

The Bottom Line

Your AML/CTF program is mandatory. It needs to be documented, approved by senior management, and operational before you provide designated services.

It's not a static document. It needs regular review, updates when your business changes, and an independent assessment every 3 years.

And most importantly: it needs to work. Having a program that looks good on paper but doesn't actually prevent money laundering? That's what gets you penalised.

If you're building a program for the first time (Tranche 2 entities, we're looking at you), start now. You've got less time than you think.

Program requirements

Part A: Risk Management

ML/TF risk assessment, governance, compliance officer, staff training.

Part B: Customer ID

Customer identification, beneficial owners, PEPs.

Written Document

Must be documented and available for review.

Independent Review

Required every 3 years minimum.

Frequently asked questions

What is an AML/CTF program?

A written document showing how you identify, mitigate and manage the risk of your services being used for money laundering or terrorism financing.

What must Part A include?

ML/TF risk assessment, board oversight, compliance officer, employee due diligence, training, and systems for reporting obligations.

What must Part B include?

How you identify customers and beneficial owners including PEPs, and the ML/TF risk they pose.

CDD for your program

ARCaml handles customer due diligence — a key part of your AML/CTF program.

Always Updated

Content current with 2024/2025 regulations

Content sourced from and aligned with AUSTRAC guidance and regulatory requirements.