Obligations are in effect·Enrolment deadline: 29 July 202621 days remaining

AML/CTF Programs · Complete Guide · Updated July 2026 · 14 min read · Klyvon Compliance Team

What is an AML/CTF Program? Complete Guide Australia 2026

An AML/CTF program is a written document that sets out how an Australian business will identify, manage, and mitigate its money laundering and terrorism financing risks. Every reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) must have an AML/CTF program in place before providing designated services. From 1 July 2026, this obligation extends to lawyers, accountants, real estate agents, jewellers, and other Tranche 2 entities for the first time. The program must be approved by a senior manager and kept up to date as your business and risk profile change.

Written by the Klyvon Compliance Team · Melbourne, Australia · General guidance only, not legal advice

Key facts

Required byAML/CTF Act 2006
Must coverRisk management framework + CDD procedures
Approved bySenior manager before providing designated services
EvaluatedAt least every 3 years by independent evaluator
Deadline1 July 2026 for Tranche 2 entities

Last updated: July 2026

Definition

What is an AML/CTF program and who needs one?

An AML/CTF program is a mandatory written compliance framework required under the AML/CTF Act 2006. It must cover how your business assesses ML/TF risks, how you verify customer identities, how you monitor transactions, how you train staff, and how you report suspicious matters. Every business that provides a designated service under the AML/CTF Act is a reporting entity and must have one.

Is an AML/CTF program the same as an AML/CTF policy?

The terms are often used interchangeably but technically the AML/CTF Act requires a program — a comprehensive framework covering risk assessment, customer due diligence, staff training, transaction monitoring, and reporting. A policy is typically one component within the program. When AUSTRAC refers to your AML/CTF program, it means the complete documented framework, not a single policy document.

Does every business need an AML/CTF program or only large ones?

Every reporting entity needs one regardless of size. A sole-practitioner conveyancer and a large law firm both need a written AML/CTF program. The difference is complexity — AUSTRAC expects the program to be proportionate to the size, nature, and risk profile of your business. A small, low-complexity practice can use AUSTRAC's Program Starter Kit as a starting point and customise it to their circumstances.

What happens if a business provides designated services without an AML/CTF program?

Operating a designated service without an AML/CTF program is a contravention of the AML/CTF Act 2006. Civil penalties reach up to $33,000,000 for body corporates (based on current penalty unit rate of $330; re-indexes 1 July 2026). AUSTRAC publishes enforcement actions publicly — reputational and professional consequences for lawyers and accountants extend beyond the financial penalty to their professional registration bodies.

Program structure

Does an AML/CTF program still need separate Part A and Part B sections?

No. As of the AML/CTF Amendment Act 2024 reforms, you are no longer required to structure your program into separately labelled “Part A” and “Part B” sections. AUSTRAC’s guidance confirms you can organise your AML/CTF program in a way that meets your business’s needs, provided it satisfies the Act’s requirements. What hasn’t changed is the substance: your program must still address both a risk management framework and customer due diligence procedures — only the rigid two-part labelling requirement has been removed.

Component 1

Risk management framework

ML/TF risk assessment · Governance and Compliance Officer role · Staff training requirements · Transaction monitoring procedures · Enhanced CDD triggers · Program review schedule · Independent evaluation requirements

Component 2

CDD procedures

Customer identification for individuals, companies and trusts · Beneficial ownership (25% threshold) · Simplified / standard / enhanced CDD · PEP identification · Ongoing CDD review · CDD record-keeping

What must the risk management framework cover?

Your program must include your ML/TF risk assessment methodology covering how risks are identified for each designated service, client type, delivery channel, and jurisdiction. It must define your risk rating framework — Low, Medium, and High — and document your governance structure including the Compliance Officer’s role. Staff training requirements and schedule, transaction monitoring procedures, enhanced due diligence triggers, and your program review schedule must all be included. The independent evaluation requirement — at least every 3 years — must also be documented.

What must the CDD procedures cover?

Your program must include customer identification procedures for individuals, companies, and trusts or SMSFs separately. It must document the beneficial ownership identification process — tracing to natural persons who own or control 25% or more. It must specify when simplified CDD is permitted, the default standard CDD procedure, and the mandatory steps for enhanced CDD. PEP identification and management procedures must be included, as must the ongoing CDD review schedule by risk rating and record-keeping procedures for all CDD documents.

Risk assessment

What is a ML/TF risk assessment and why does it come first?

The ML/TF risk assessment is the foundation of your AML/CTF program — it identifies and evaluates the money laundering and terrorism financing risks your business faces across four dimensions: client types, products and services, delivery channels, and jurisdictions. AUSTRAC requires the risk assessment to be completed first because the controls in your program must be proportionate to the risks you identify.

What are the four risk vectors every business must assess?

Client-type risk

The ML/TF risk posed by different types of customers — individuals, companies, trusts, SMSFs, politically exposed persons, non-residents, and anonymous clients. Higher-risk client types require enhanced controls and more frequent ongoing CDD reviews.

Product and service risk

The ML/TF risk inherent in each designated service you provide. Property transactions, trust formation, precious metals dealing, and client fund management are internationally recognised as high-risk services and must be assessed accordingly.

Delivery channel risk

How you deliver your services affects risk — online-only onboarding, remote transactions, use of trust accounts, and intermediaries all increase risk compared to face-to-face delivery. Your program must address mitigation measures for higher-risk delivery channels.

Jurisdiction risk

Whether your clients or transactions have connections to FATF grey list or black list countries. AUSTRAC publishes current FATF country listings and expects your risk assessment to reference them and apply enhanced CDD to transactions involving high-risk jurisdictions.

How often must the ML/TF risk assessment be reviewed?

AUSTRAC requires the risk assessment to be reviewed at least annually or whenever there is a material change to your business — new services, new client types, changes to the FATF country lists, or significant changes to your staff or ownership. The review must be documented and approved by a senior manager, and the updated assessment must be reflected in any corresponding changes to your program controls.

Customer due diligence

What is customer due diligence and how does it work in practice?

Customer due diligence (CDD) is the process of identifying and verifying your customers before providing a designated service. It is required under the AML/CTF Act 2006 and must be completed before service commencement in most cases. CDD has three levels — simplified, standard, and enhanced — applied based on the ML/TF risk of each customer and service.

What is the difference between simplified, standard and enhanced CDD?

Simplified CDD

Low risk only

Permitted only where ML/TF risk is genuinely low and specifically approved in writing by the Compliance Officer. Requires less verification but must still meet minimum identification requirements under the AML/CTF Rules. Must not be used as a default — it requires a documented decision each time.

Standard CDD

Default

The default level for all new clients. Requires collection and verification of full legal name, date of birth for individuals or ACN/ABN for entities, and address. Verification must use reliable, independent sources — government-issued ID, ASIC records, or the Document Verification Service.

Enhanced CDD

Mandatory when triggered

Mandatory before providing a designated service when any high-risk trigger is present — PEP clients, FATF high-risk jurisdiction connections, anonymous transactions, or complex beneficial ownership structures. Requires senior management approval and source of funds or source of wealth documentation.

What is beneficial ownership and why does it matter for an AML/CTF program?

Beneficial ownership refers to the natural persons who ultimately own or control an entity — those who own 25% or more of shares or voting rights, or who otherwise control the entity. Identifying beneficial owners is a distinct obligation from identifying the person who signs your engagement documents. For trusts, this means tracing through to the natural persons who ultimately control and benefit — including the trustee, settlor, appointor, and identifiable beneficiaries.

Step-by-step

How do you write an AML/CTF program step by step?

These nine steps cover every element required under the AML/CTF Act and Rules. Complete them in order — each step builds on the previous one.

1

Confirm your designated services

Identify every designated service your business provides under the AML/CTF Act. Your program only needs to cover designated services — but it must cover all of them. Understating your services is itself a compliance risk if AUSTRAC reviews your program against your actual activities.

2

Appoint your Compliance Officer in writing

The Compliance Officer must be senior, have access to all records, and be formally appointed before the program is finalised. Their name, title, and responsibilities must appear in the program document. For sole traders, the owner fills this role.

3

Complete your ML/TF risk assessment

Assess your risks across client types, services, delivery channels, and jurisdictions. Assign risk ratings — Low, Medium, or High. Document your methodology and findings. This assessment is the foundation of everything else in the program — every control must be traceable to a risk you identified here.

4

Write your risk management framework

Document your governance structure, training requirements and schedule, transaction monitoring procedures, enhanced due diligence triggers, program review schedule, and independent evaluation timeline. Every control must connect back to a risk identified in your risk assessment. You are not required to label this as a separate 'Part A' — organise it however suits your business.

5

Write your CDD procedures

Document your customer identification and verification procedures for each client type — individuals, companies, trusts, SMSFs. Include simplified, standard, and enhanced CDD thresholds, triggers, and steps. Include your beneficial ownership identification procedure and your ongoing CDD review schedule.

6

Get senior management approval

The program must be approved by a senior manager — partner, principal, or director — before you start providing designated services. Document the approval with the approver's name, title, date, and signature. A program without documented approval is non-compliant.

7

Train your staff

All staff involved in providing designated services must complete AML/CTF induction training before client-facing work begins, and annual refresher training thereafter. Training must cover the program content, red flag indicators, CDD procedures, and SMR obligations. Training records must be retained for 7 years.

8

Implement and operate the program

Put the program into practice — conduct CDD on every relevant client, monitor transactions, escalate suspicious matters through your Compliance Officer, and submit SMRs and TTRs as required. A written program that is not operationally followed provides no compliance protection and no defence in an AUSTRAC review.

9

Schedule your independent evaluation

Every AML/CTF program must undergo an independent evaluation at least once every 3 years, by a suitably qualified person who is not involved in day-to-day operations. Book this in advance — qualified AML/CTF evaluators become scarce as the 1 July 2026 deadline approaches.

Starter kit vs custom

What is the difference between an AUSTRAC starter kit and a custom AML/CTF program?

AUSTRAC released sector-specific Program Starter Kits for small, low-complexity businesses in early 2026. They provide a pre-built framework aligned to AUSTRAC guidance that businesses can adopt as a starting point. The Starter Kits are available free of charge at austrac.gov.au ↗.

The starter kit is generic — it does not contain your business name, your compliance officer, your specific designated services, your client risk profile, or your jurisdiction exposure. AUSTRAC’s own guidance states the program must be tailored to your specific business. A starter kit adopted without customisation may not satisfy this requirement, particularly for firms with multiple service lines or complex client types.

When AUSTRAC reviews your program, the regulator looks for evidence it reflects how your business actually operates — not just that a document exists. A document that reads as a generic template for any business in your sector is a red flag in a compliance review. A document that references your specific services, client types, officer name, and risk profile demonstrates genuine compliance intent.

Record keeping

What are the record-keeping requirements for an AML/CTF program?

All AML/CTF program documents, risk assessments, CDD records, transaction records, SMRs, TTRs, and training records must be retained for a minimum of 7 years from the date the record was made or the transaction completed, whichever is later. Records must be stored securely, access-controlled, and retrievable within timeframes specified in any AUSTRAC request.

Does the 7-year record retention apply to the program document itself?

Yes. The AML/CTF program document, all previous versions of it, approval records, and independent review reports must all be retained. If AUSTRAC conducts a compliance review, they may request historical versions of the program to assess whether it was genuinely maintained and updated over time — not just written once and filed away. Version control and dated approval records are essential.

Common questions

Frequently asked questions about AML/CTF programs

Can I use the same AML/CTF program for multiple related entities?

A joint AML/CTF program is possible if your related entities form a reporting group — a structure that replaced the previous 'designated business group' (DBG) model from 31 March 2026. Each entity in the group must still be enrolled separately with AUSTRAC. Outside a reporting group structure, each reporting entity must have its own program.

How long does it take to write an AML/CTF program?

Writing a compliant AML/CTF program from scratch typically takes 2–5 days for a small, low-complexity business, and several weeks for larger practices with multiple service lines and client types. The risk assessment alone — done properly — requires documenting every service, client type, delivery channel, and jurisdiction. Using AUSTRAC's Starter Kit as a base, or Klyvon's document generation, significantly reduces this time.

Does my program need a lawyer to review it?

AUSTRAC does not mandate legal review of your AML/CTF program, but professional review is strongly recommended before operational reliance — particularly for firms with complex service mixes, PEP clients, or international transactions. The program must demonstrate genuine risk-based thinking, not just tick boxes. A qualified AML/CTF adviser or compliance lawyer can identify gaps that may not be obvious from the AUSTRAC guidance alone.

What is an independent program evaluation and who can conduct it?

Every AML/CTF program must undergo an independent evaluation at least once every 3 years, by a suitably qualified person who is not involved in day-to-day AML/CTF operations or in designing the program being evaluated. This can be an external compliance consultant, a qualified AML/CTF adviser, or — for larger firms — an internal audit function that is genuinely independent of the compliance team. The evaluator must assess whether the program is effective and being followed, and must produce a written report.

Can my AML/CTF program be stored digitally or does it need to be printed?

AUSTRAC accepts programs in digital or printed form — there is no requirement for a physical document. Your program must be accessible to relevant staff and available for production to AUSTRAC on request. If stored digitally, ensure version control is maintained so that historical versions can be retrieved to demonstrate the program's evolution over time.

What is the difference between a joint program and an individual program?

An individual program covers a single reporting entity and its designated services. A joint program covers all members of a reporting group — the structure that replaced the previous 'designated business group' (DBG) model from 31 March 2026 — administered by a nominated lead entity. Under a joint program, one entity administers compliance on behalf of all group members, but each member retains individual legal liability for compliance with their own obligations.

Does my program need to be registered or lodged with AUSTRAC?

No. You do not lodge or register your AML/CTF program with AUSTRAC. You must have a compliant program in place and be ready to produce it to AUSTRAC on request during a compliance review or investigation. AUSTRAC may also ask you to self-certify compliance through the Annual Compliance Report lodged by 30 September each year.

What triggers a mandatory program update?

Your program must be updated when there is a material change to your business — including offering a new designated service, onboarding a new category of high-risk client, changes to the FATF country lists, significant changes to your ownership or staff, or changes to AUSTRAC guidance. Annual review is required as a minimum, but the program must remain current at all times.

What is a reporting group and does it affect my program obligations?

A reporting group lets two or more related reporting entities comply jointly under a single AML/CTF program, administered by a nominated lead entity. Reporting groups replaced the previous 'designated business group' (DBG) structure from 31 March 2026 — existing DBGs ceased to exist on that date, and any group wanting joint compliance had to transition to the new reporting group structure. A reporting group can form either because all members of an existing business group agree on a lead entity, or by two or more reporting entities electing to join together. The advantage is operational efficiency — one program, one compliance function — but each entity remains individually liable for its own compliance.

How does the outcomes-based approach under the 2026 reforms change what my program must demonstrate?

The AML/CTF Amendment Act 2024 shifts the compliance framework from prescriptive rules-based obligations toward an outcomes-based approach. AUSTRAC now assesses whether your program effectively manages ML/TF risk — not just whether you have a document that ticks statutory boxes. This means your risk assessment must be genuinely analytical, your controls must be traceable to identified risks, and your program must be operationally followed. A technically complete document that is not reflected in actual practice will not satisfy the outcomes-based standard.

What should I do if my business changes services after the program is approved?

Any material change to your designated services requires an update to your AML/CTF program before you begin providing the new service. This includes updating your risk assessment to address the risks associated with the new service, updating your CDD procedures if the new service involves new client types, and notifying AUSTRAC of the change to your designated services through AUSTRAC Online within 14 days.

Is there a minimum length or format required for an AML/CTF program?

AUSTRAC does not prescribe a minimum length, word count, or format. The program must cover all required elements under the AML/CTF Act 2006 and AML/CTF Rules 2025. A sole-trader program covering a single low-risk service might be 15–20 pages. A multi-service firm program covering complex client types and jurisdictions might be 50+ pages. The test is substance, not length.

What must an independent evaluation of an AML/CTF program actually assess?

AUSTRAC requires the evaluation to assess four areas: effectiveness (whether your program's controls genuinely manage the ML/TF risks you identified), compliance (whether the program meets the requirements of the AML/CTF Rules), implementation (whether your documented policies and procedures have actually been put into practice), and adherence (whether your business has consistently followed its own program in day-to-day operations). A program that looks complete on paper but isn't reflected in real practice will fail the implementation and adherence tests.

Who counts as 'independent' for an AML/CTF program evaluation?

The evaluator — internal or external — must not have been involved in designing, implementing, or maintaining the AML/CTF program being evaluated, and must not have been involved in developing your business's risk assessment or internal controls. An external compliance consultant is straightforwardly independent. An internal staff member can only conduct the evaluation if they had no role in building the program or risk assessment they're now reviewing — for most small and sole-practitioner firms, this makes an external evaluator the only practical option.

How much does it cost to build an AML/CTF program?

Costs vary widely by approach. Using AUSTRAC's free sector starter kits and building the program yourself costs nothing but your own time — typically 2–6 weeks for a small business. Engaging a boutique AML/CTF consultant for a complete program typically costs $5,000–$15,000 for a small professional services firm, plus $3,000–$8,000/year in ongoing retainer costs for ongoing reviews and updates. Compliance software that generates a firm-specific program, like Klyvon, is a lower-cost middle path.

How Klyvon helps

How does Klyvon generate your AML/CTF program?

Klyvon asks you 4–6 questions about your practice — your industry, designated services, client types, and compliance officer — then generates a complete, personalised AML/CTF program document in one session. The document cites AML/CTF Act sections throughout, is written in first person for your firm, and covers both your risk management framework and CDD procedures.

Klyvon’s output is a starting point built on AUSTRAC official guidance. We recommend review by a qualified AML/CTF adviser before operational reliance. Our documents give you the foundation — what would otherwise take days of research and drafting, ready in seconds.

Generate your AML/CTF program in one session

Personalised to your business. Risk framework and CDD procedures included. Built on AUSTRAC official guidance. Free plan — no credit card required. Upgrade to Essential $299/month when you need the full defence.

Generate My AML/CTF Program — Free →

Related resources