AML/CTF Program Template for Accountants: Free Guide + Checklist

Your AML/CTF program is the foundation of your compliance obligations under Tranche 2. This guide provides a practical, section-by-section breakdown of what your program must include, with a checklist you can use to audit your own program.

What AUSTRAC expects from your program

AUSTRAC does not prescribe a specific format. Your program must be written, risk-based, and tailored to your practice. It must demonstrate that you have:

• Identified the ML/TF risks relevant to your business
• Put procedures in place to mitigate those risks
• Assigned responsibility for compliance to a named person
• Trained your staff
• Committed to ongoing review and improvement

A generic template copied from the internet will not satisfy AUSTRAC. Your program must reflect your practice, your clients, and your risk profile.

Part A: ML/TF risk management

Part A is the core of your program. It must cover the following areas:

Section 1: Risk assessment methodology

Document how you assess ML/TF risk. Your EWRA should be referenced here, and your methodology should address:

• How you categorise risk factors (customer type, service type, geography, delivery channel)
• How you assign risk ratings (low, medium, high, extreme)
• How risk ratings affect your CDD procedures
• How often you reassess risk (at least annually)

Section 2: Customer identification and verification

This is your CDD procedure. It must specify:

• When CDD is triggered: Before providing any designated service
• Identification requirements: What information you collect (full name, DOB, address, ID documents)
• Verification methods: How you verify identity (documentary — driver's licence, passport; or electronic verification)
• Entity types: Separate procedures for individuals, companies (ABN/ACN lookup, ASIC extract), trusts (trust deed), and partnerships
• Beneficial ownership: How you identify beneficial owners using the 25% threshold and control tests
• Enhanced CDD: Additional procedures for high-risk clients (PEPs, foreign nationals, complex structures)
• Simplified CDD: When reduced measures are acceptable (e.g., listed companies, government entities)

Section 3: Ongoing customer due diligence

• How you keep client information up to date
• Triggers for re-verification (change of ownership, unusual activity, change in risk profile)
• Periodic review schedule (12 months for high/extreme risk, 36 months for low/medium)
• How you handle clients who refuse to provide updated information

Section 4: Transaction monitoring

• What you monitor (client transactions through trust accounts, fee payments, third-party payments)
• Red flags and indicators (structuring, round-sum transactions, unusual payment methods)
• Threshold Transaction Reports (TTRs) for cash transactions of $10,000 or more
• How you escalate anomalies internally

Section 5: Suspicious matter reporting

• Definition of "suspicion" — the reasonable grounds test
• Internal escalation procedure (who reviews, who files)
• SMR filing process through AUSTRAC Online
• Timeframes: 3 business days (general), 24 hours (terrorism financing)
• Tipping-off prohibition and confidentiality obligations
• Record keeping for SMRs

Section 6: Sanctions and PEP screening

• Which lists you screen against (DFAT consolidated list, FATF high-risk jurisdictions)
• When screening is performed (on-boarding, periodic, trigger-based)
• How you handle potential matches
• Escalation procedures for confirmed matches

Section 7: Record keeping

• 7-year retention period from end of relationship or transaction
• What records you keep (CDD, transactions, SMRs, training, program versions)
• Storage method (secure, encrypted, access-controlled)
• Ability to produce records to AUSTRAC on request

Part B: Employee due diligence

Section 8: Staff screening

• Pre-employment screening for roles with compliance responsibilities
• Background checks (criminal history, reference checks, qualifications)
• Ongoing monitoring of staff suitability

Section 9: Training

• Initial AML/CTF induction training for all relevant staff
• Annual refresher training
• Role-specific training (compliance officer, front-line staff)
• Training records and completion tracking
• Updates when regulations or typologies change

Section 10: Compliance officer

• Name and role of the nominated compliance officer
• Responsibilities (program oversight, reporting, AUSTRAC liaison)
• Reporting line to senior management
• Succession planning

Program checklist for accountants

Why not just use a generic template?

AUSTRAC has been clear: they expect programs to be risk-based and tailored. A generic template fails because:

1. It doesn't reflect your specific designated services
2. It doesn't reference your EWRA or actual risk profile
3. It uses boilerplate language that AUSTRAC auditors can spot immediately
4. It may include procedures that don't apply to you (or miss ones that do)
5. It won't evolve with your practice — static templates become stale

Your program should be a living document that reflects how your practice actually operates.