How to Build an AML/CTF Program for a Small Practice (Step-by-Step)
Under AUSTRAC Tranche 2, every reporting entity must have a written AML/CTF program before providing designated services. This guide walks you through building one, step by step, even if you're a sole practitioner.
What is an AML/CTF program?
An AML/CTF program is a documented set of policies and procedures that describe how your practice identifies, mitigates, and manages money laundering and terrorism financing (ML/TF) risk. It's required under Part 7A of the AML/CTF Act 2006.
Your program must have two parts:
- Part A: How you identify, manage, and mitigate ML/TF risk in your business. This covers customer identification, ongoing due diligence, transaction monitoring, and reporting.
- Part B: Your employee due diligence program. This covers staff screening, training, and awareness.
Step 1: Identify your designated services
Your AML/CTF obligations depend on which designated services you provide. Not everything you do is covered — only specific activities trigger AML/CTF requirements.
For accountants, designated services include:
- Managing client money, securities, or other assets
- Managing bank, savings, or securities accounts
- Organising contributions for company creation or management
- Creating, operating, or managing legal persons or arrangements
- Buying or selling business entities
For lawyers, add conveyancing, trust and company services, and financial arrangements. For real estate agents, it's property transactions. For conveyancers, it's settlement services.
Tip: Check the profession-specific pages on ComplyAU for a full list of designated services for your profession.
Step 2: Conduct your initial risk assessment
Before writing your program, you need to understand your ML/TF risk profile. This is called an Enterprise-Wide Risk Assessment (EWRA).
Your EWRA should consider:
- Customer risk: Who are your clients? Do you have overseas clients, trusts, PEPs (politically exposed persons)?
- Service/product risk: Which of your services are higher risk? (e.g., trust account management vs tax returns)
- Geographic risk: Do clients or transactions involve high-risk jurisdictions (FATF grey/black list)?
- Delivery channel risk: Are services provided remotely or in person? Are instructions received via third parties?
For a small practice, this doesn't need to be a 50-page document. It needs to be honest, documented, and reviewed annually.
Step 3: Write Part A — your risk-based procedures
Part A must cover these areas:
3.1 Customer identification and verification (CDD)
Document how you will:
- Collect customer identification information before providing designated services
- Verify identity using reliable, independent documentation (e.g., driver's licence + passport)
- Handle different entity types (individuals, companies, trusts, partnerships)
- Apply Enhanced CDD for high-risk clients (PEPs, foreign nationals, complex structures)
- Identify beneficial owners (who ultimately controls or benefits from the entity)
3.2 Ongoing customer due diligence
CDD isn't a one-off exercise. Your program must describe how you:
- Keep client information up to date
- Monitor for unusual transactions or behaviour
- Trigger re-verification when circumstances change
- Schedule periodic reviews (e.g., annually for standard clients, 6-monthly for high risk)
3.3 Transaction monitoring
Describe how you monitor transactions for suspicious activity. For most small practices, this involves:
- Watching for transactions inconsistent with the client profile
- Monitoring cash transactions at or above $10,000 (the threshold transaction report, or TTR, threshold)
- Alerting on unusual patterns (sudden changes in transaction volume, multiple small cash deposits)
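As an added illustration of the three monitoring rules just listed (this is example code written for this guide, not part of the original article or ComplyAU's product), the following Python screens a constructed ledger for threshold cash transactions, amounts inconsistent with the client profile, and repeated sub-threshold cash deposits. The 7-day window, the minimum of three deposits, and the 3x profile multiplier are assumed tuning values, not figures from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TTR_THRESHOLD = 10_000                   # cash threshold named in the guide (TTR)
STRUCTURING_WINDOW = timedelta(days=7)   # assumed window, not from the page
STRUCTURING_MIN_COUNT = 3                # assumed count of sub-threshold cash deposits
PROFILE_MULTIPLIER = 3.0                 # assumed: flag amounts > 3x the client's usual size

# Constructed sample data: each client's expected transaction size and a small ledger.
PROFILES = {"C1": 2_000.0, "C2": 5_000.0}
LEDGER = [
    {"client": "C1", "ts": "2024-03-01", "amount": 12_000, "cash": True},
    {"client": "C2", "ts": "2024-03-02", "amount": 9_500, "cash": True},
    {"client": "C2", "ts": "2024-03-03", "amount": 9_800, "cash": True},
    {"client": "C2", "ts": "2024-03-05", "amount": 9_900, "cash": True},
    {"client": "C1", "ts": "2024-03-06", "amount": 1_500, "cash": False},
]


def screen(ledger, profiles):
    """Return (rule, client, date) alerts for a human reviewer to assess."""
    alerts = []
    sub_threshold_cash = defaultdict(list)
    for tx in ledger:
        when = datetime.strptime(tx["ts"], "%Y-%m-%d")
        # Rule 1: cash at or above the TTR threshold.
        if tx["cash"] and tx["amount"] >= TTR_THRESHOLD:
            alerts.append(("TTR", tx["client"], tx["ts"]))
        # Rule 2: amount inconsistent with what this client normally does.
        expected = profiles.get(tx["client"])
        if expected and tx["amount"] > PROFILE_MULTIPLIER * expected:
            alerts.append(("PROFILE_DEVIATION", tx["client"], tx["ts"]))
        # Collect sub-threshold cash deposits for the pattern check below.
        if tx["cash"] and tx["amount"] < TTR_THRESHOLD:
            sub_threshold_cash[tx["client"]].append(when)
    # Rule 3: several sub-threshold cash deposits clustered inside the window.
    for client, times in sub_threshold_cash.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = [t for t in times[i:] if t - start <= STRUCTURING_WINDOW]
            if len(in_window) >= STRUCTURING_MIN_COUNT:
                alerts.append(("POSSIBLE_STRUCTURING", client, start.strftime("%Y-%m-%d")))
                break
    return alerts


if __name__ == "__main__":
    for alert in screen(LEDGER, PROFILES):
        print(alert)
```

Each alert is a prompt for review, not a report in itself; whether to lodge an SMR still turns on the reasonable grounds test described under suspicious matter reporting.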
3.4 Suspicious matter reporting
Your program must document:
- What constitutes a "suspicion" — the reasonable grounds test
- How to lodge a Suspicious Matter Report (SMR) with AUSTRAC
- Timeframes (within 24 hours for terrorism, 3 business days otherwise)
- The tipping-off prohibition — you cannot tell the client about the report
3.5 Record keeping
All records must be kept for 7 years. Your program should describe:
- What records you keep (CDD docs, transaction records, SMRs, training records)
- Where and how records are stored (encrypted, access-controlled)
- How you ensure records can be produced to AUSTRAC if requested
Step 4: Write Part B — employee due diligence
Part B covers your people. Even if you're a solo practitioner, you still need this section:
- Staff screening: Background checks on employees with access to client data or compliance functions
- Training: All staff must understand ML/TF risks, your AML/CTF program, and their reporting obligations
- Ongoing awareness: Regular updates on new typologies, regulatory changes, and internal policy updates
Step 5: Appoint a compliance officer
Your program must nominate a compliance officer at management level who is responsible for overseeing AML/CTF compliance. In a small practice, this is usually the principal.
The compliance officer's responsibilities include:
- Overseeing the AML/CTF program
- Reviewing and updating the program at least annually
- Ensuring staff training is completed
- Acting as the point of contact for AUSTRAC
Step 6: Implement, review, and update
Your AML/CTF program is a living document. After implementation:
- Review the program at least annually
- Update after any significant changes to your business, client base, or services
- Update when AUSTRAC issues new guidance or typology reports
- Document every review and update with dates and approvals
ComplyAU generates this for you
ComplyAU generates a complete, profession-specific AML/CTF program in under 30 minutes. It covers all the sections above, tailored to your practice type, risk profile, and designated services. Or start with a Readiness Review.
Common mistakes to avoid
- Copy-pasting a generic template: AUSTRAC expects your program to be tailored to your specific business. A one-size-fits-all template won't pass scrutiny.
- Treating it as a one-off: Your program must be a living document, reviewed and updated regularly.
- Forgetting Part B: Even solo practitioners need an employee due diligence section.
- No risk assessment: Your program must be based on a documented risk assessment. No EWRA = no defensible program.
- Ignoring record keeping: If you can't prove you did it, you didn't do it. Keep records of everything.
What does a good program look like?
A good AML/CTF program for a small practice is:
- Proportionate: Scaled to your risk profile and business size
- Practical: Procedures your team can actually follow day-to-day
- Documented: Written down, dated, approved by the compliance officer
- Evidence-based: Grounded in your EWRA and updated based on real experience
- Auditable: Every compliance action is logged with timestamps and evidence
This article is for general informational purposes only and does not constitute legal or compliance advice. For advice specific to your situation, consult a qualified legal or compliance professional.