AML/CTF Reform · Program Starter Kit

AML/CTF Program Starter Kit

After enrolment, creating and maintaining a program is the actual work. This guide will explain what a program is, how to build it, and provide links to the official AUSTRAC resources.

What is an AML/CTF Program?

Under the reformed rules your AML/CTF program has two components.

  1. Risk assessment. It identifies and assesses the money laundering, terrorism financing and proliferation financing risks your business faces, across four dimensions: the services you provide, the customers you serve, how you deliver (channels), and the countries you deal with.Free risk assessment template
  2. AML/CTF policies.The procedures, systems and controls that manage and mitigate the risks you identified, and ensure you meet your obligations. They must fit your business's nature, size and complexity, and be kept up to date.
Governance is typically administered by 3 roles:

Governing bodyOversees the program and appoints the compliance officer.

Senior managerApproves the risk assessment and AML/CTF policies.

Compliance officerRuns the day-to-day program and reports back to the governing body.

In a small business, one person can hold all three roles.

Build your program, step by step

Work this list in order. Evidence each step as you complete it: a dated file note is enough.

Appoint your AML/CTF compliance officer.

Management level, an Australian resident, and fit and proper: competent for the role, of good character, and free of material conflicts. Keep a record of how you assessed this. It can be you. Done with, and before, enrolment.

Enrol via AUSTRAC Online by 29 July 2026.

Covered in our quick guide. You are enrolled when AUSTRAC emails your account number.

Do your risk assessment.

Services, customers, channels, countries, including proliferation financing risk. Tailor it to your size; date it; keep the working notes. Your senior manager approves it. Our free template walks you through it and exports a draft document.

Put your AML/CTF policies in place.

AUSTRAC publishes five official sector program starter kits. Start with the kit for your sector, or build from AUSTRAC's policies guidance. Your senior manager approves the result.

Switch on customer due diligence.

For new customers: identify them before providing a designated service, including beneficial owners and PEP status, with enhanced checks where risk is high. For clients you already had on 1 July 2026: a genuine relief applies. Pre-commencement customers need no initial due diligence until a suspicious matter report is triggered or their risk rises to medium or high. You still monitor them and keep their information current.

Be ready to report.

Suspicious matter reports: within 24 hours for terrorism financing suspicions, 3 business days for everything else. Threshold transaction reports: cash transactions of $10,000 or more, within 10 business days. Your first annual compliance report covers the year from 1 July 2026; AUSTRAC will contact you when it is time. Train your people to spot and escalate.

Keep records and keep a rhythm.

Seven years retention for most records: the program itself, due diligence, transactions, training. The compliance officer reports to the governing body at least every 12 months. Reviews run at least every three years; your first independent evaluation is not due before 1 July 2029.

What AUSTRAC actually expects

"We do not expect newly regulated businesses to be perfect at identifying and controlling for money laundering risks from day one. We do expect honest efforts to meet your obligations and report suspicions to AUSTRAC."
Brendan Thomas, AUSTRAC CEO, regulatory expectations statement, July 2025

AUSTRAC has said its enforcement focus for newly regulated sectors includes entities that wilfully ignore enrolment or are complicit with, or wilfully blind to, money laundering.

If you are starting after 1 July: work through the checklist in order and evidence as you go. The record of honest effort is the key asset.

Three reliefs people miss

Pre-commencement customers.

Your existing client book does not need initial due diligence on day one. See step 5.

One person, three hats.

Small businesses do not need a compliance department. Governing body, senior manager and compliance officer can be the same person.

Proliferation financing.

If this risk is low for your business and your existing policies already cover it, you do not need separate policies. Record that assessment.

The checklist

Coming soon

Coming soon: Program setup and record keeping

One place to build your AML/CTF program, keep your records as you go, and stay on top of your reporting deadlines. Tick each step, attach your evidence, and export dated records and reports when you need them.

One email. Nothing else.