After enrolment, creating and maintaining a program is the actual work. This guide will explain what a program is, how to build it, and provide links to the official AUSTRAC resources.
Under the reformed rules your AML/CTF program has two components.
Governing bodyOversees the program and appoints the compliance officer.
Senior managerApproves the risk assessment and AML/CTF policies.
Compliance officerRuns the day-to-day program and reports back to the governing body.
In a small business, one person can hold all three roles.
Work this list in order. Evidence each step as you complete it: a dated file note is enough.
Management level, an Australian resident, and fit and proper: competent for the role, of good character, and free of material conflicts. Keep a record of how you assessed this. It can be you. Done with, and before, enrolment.
Covered in our quick guide. You are enrolled when AUSTRAC emails your account number.
Services, customers, channels, countries, including proliferation financing risk. Tailor it to your size; date it; keep the working notes. Your senior manager approves it. Our free template walks you through it and exports a draft document.
AUSTRAC publishes five official sector program starter kits. Start with the kit for your sector, or build from AUSTRAC's policies guidance. Your senior manager approves the result.
For new customers: identify them before providing a designated service, including beneficial owners and PEP status, with enhanced checks where risk is high. For clients you already had on 1 July 2026: a genuine relief applies. Pre-commencement customers need no initial due diligence until a suspicious matter report is triggered or their risk rises to medium or high. You still monitor them and keep their information current.
Suspicious matter reports: within 24 hours for terrorism financing suspicions, 3 business days for everything else. Threshold transaction reports: cash transactions of $10,000 or more, within 10 business days. Your first annual compliance report covers the year from 1 July 2026; AUSTRAC will contact you when it is time. Train your people to spot and escalate.
Seven years retention for most records: the program itself, due diligence, transactions, training. The compliance officer reports to the governing body at least every 12 months. Reviews run at least every three years; your first independent evaluation is not due before 1 July 2029.
"We do not expect newly regulated businesses to be perfect at identifying and controlling for money laundering risks from day one. We do expect honest efforts to meet your obligations and report suspicions to AUSTRAC."
AUSTRAC has said its enforcement focus for newly regulated sectors includes entities that wilfully ignore enrolment or are complicit with, or wilfully blind to, money laundering.
If you are starting after 1 July: work through the checklist in order and evidence as you go. The record of honest effort is the key asset.
Your existing client book does not need initial due diligence on day one. See step 5.
Small businesses do not need a compliance department. Governing body, senior manager and compliance officer can be the same person.
If this risk is low for your business and your existing policies already cover it, you do not need separate policies. Record that assessment.
One place to build your AML/CTF program, keep your records as you go, and stay on top of your reporting deadlines. Tick each step, attach your evidence, and export dated records and reports when you need them.