AML/CTF Programs · Complete Guide · Updated May 2026
What is an AML/CTF Program? Complete Guide Australia 2026
An AML/CTF program is a written document that sets out how an Australian business will identify, manage, and mitigate its money laundering and terrorism financing risks. Every reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) must have an AML/CTF program in place before providing designated services. From 1 July 2026, this obligation extends to lawyers, accountants, real estate agents, jewellers, and other Tranche 2 entities for the first time. The program must be approved by a senior manager and kept up to date as your business and risk profile change.
Last updated: May 2026 · Source: austrac.gov.au
Definition
What is an AML/CTF program and who needs one?
An AML/CTF program is a mandatory written compliance framework required under s.84 of the AML/CTF Act 2006. It must cover how your business assesses ML/TF risks, how you verify customer identities, how you monitor transactions, how you train staff, and how you report suspicious matters. Every business that provides a designated service under the AML/CTF Act is a reporting entity and must have one. Source: austrac.gov.au.
Is an AML/CTF program the same as an AML/CTF policy?
The terms are often used interchangeably but technically the AML/CTF Act requires a program — a comprehensive framework covering risk assessment, customer due diligence, staff training, transaction monitoring, and reporting. A policy is typically one component within the program. When AUSTRAC refers to your AML/CTF program, it means the complete documented framework, not a single policy document.
Does every business need an AML/CTF program or only large ones?
Every reporting entity needs one regardless of size. A sole-practitioner conveyancer and a large law firm both need a written AML/CTF program. The difference is complexity — AUSTRAC expects the program to be proportionate to the size, nature, and risk profile of your business. A small, low-complexity practice can use AUSTRAC's Program Starter Kit as a starting point and customise it to its circumstances.
What happens if a business provides designated services without an AML/CTF program?
Operating a designated service without an AML/CTF program is a contravention of s.84 of the Act. Civil penalties reach up to $33,000,000 for bodies corporate under Part 15. AUSTRAC publishes enforcement actions publicly — reputational and professional consequences for lawyers and accountants extend beyond the financial penalty to their professional registration bodies.
Source: Part 15 AML/CTF Act 2006
Program structure
What is the difference between Part A and Part B of an AML/CTF program?
The AML/CTF Act requires every program to have two distinct parts. Part A is your risk-based framework — how you identify, assess, and manage ML/TF risks in your business. Part B is your customer identification and verification procedure — how you verify who your customers are before providing designated services. Both parts are mandatory and must work together. Source: ss.84–86 AML/CTF Act 2006.
Part A: Risk framework
ML/TF risk assessment · Governance and Compliance Officer role · Staff training requirements · Transaction monitoring procedures · Enhanced CDD triggers · Program review schedule · Independent review requirements
Source: ss.84–85 AML/CTF Act; Part 8 AML/CTF Rules 2007
Part B: CDD procedures
Customer identification for individuals, companies and trusts · Beneficial ownership (25% threshold) · Simplified / standard / enhanced CDD · PEP identification · Ongoing CDD review · CDD record-keeping
Source: ss.28–36 AML/CTF Act; Part 4 AML/CTF Rules 2007
What must Part A of an AML/CTF program cover?
Part A must include your ML/TF risk assessment methodology covering how risks are identified for each designated service, client type, delivery channel, and jurisdiction. It must define your risk rating framework — Low, Medium, and High — and document your governance structure including the Compliance Officer’s role. Staff training requirements and schedule, transaction monitoring procedures, enhanced due diligence triggers, and your program review schedule must all be included. The independent review requirement — at least every 2 years — must also be documented.
Source: ss.84–85 AML/CTF Act 2006; Part 8 AML/CTF Rules 2007.
What must Part B of an AML/CTF program cover?
Part B must include customer identification procedures for individuals, companies, and trusts or SMSFs separately. It must document the beneficial ownership identification process — tracing to natural persons who own or control 25% or more. It must specify when simplified CDD is permitted, the default standard CDD procedure, and the mandatory steps for enhanced CDD. PEP identification and management procedures must be included, as must the ongoing CDD review schedule by risk rating and record-keeping procedures for all CDD documents.
Source: ss.28–36 AML/CTF Act 2006; Part 4 AML/CTF Rules 2007.
Risk assessment
What is a ML/TF risk assessment and why does it come first?
The ML/TF risk assessment is the foundation of your AML/CTF program — it identifies and evaluates the money laundering and terrorism financing risks your business faces across four dimensions: client types, products and services, delivery channels, and jurisdictions. AUSTRAC requires the risk assessment to be completed first because the controls in your program must be proportionate to the risks you identify. Source: Part 8 AML/CTF Rules 2007.
What are the four risk vectors every business must assess?
Client-type risk
The ML/TF risk posed by different types of customers — individuals, companies, trusts, SMSFs, politically exposed persons, non-residents, and anonymous clients. Higher-risk client types require enhanced controls and more frequent ongoing CDD reviews.
Product and service risk
The ML/TF risk inherent in each designated service you provide. Property transactions, trust formation, precious metals dealing, and client fund management are internationally recognised as high-risk services and must be assessed accordingly.
Delivery channel risk
How you deliver your services affects risk — online-only onboarding, remote transactions, use of trust accounts, and intermediaries all increase risk compared to face-to-face delivery. Your program must address mitigation measures for higher-risk delivery channels.
Jurisdiction risk
Whether your clients or transactions have connections to FATF grey list or black list countries. AUSTRAC publishes current FATF country listings and expects your risk assessment to reference them and apply enhanced CDD to transactions involving high-risk jurisdictions.
How often must the ML/TF risk assessment be reviewed?
AUSTRAC requires the risk assessment to be reviewed at least annually or whenever there is a material change to your business — new services, new client types, changes to the FATF country lists, or significant changes to your staff or ownership. The review must be documented and approved by a senior manager, and the updated assessment must be reflected in any corresponding changes to your program controls.
Source: Part 8 AML/CTF Rules 2007; AUSTRAC enterprise-wide risk assessment guidance.
Customer due diligence
What is customer due diligence and how does it work in practice?
Customer due diligence (CDD) is the process of identifying and verifying your customers before providing a designated service. It is required under ss.28–36 of the AML/CTF Act and must be completed before service commencement in most cases. CDD has three levels — simplified, standard, and enhanced — applied based on the ML/TF risk of each customer and service.
What is the difference between simplified, standard and enhanced CDD?
Simplified CDD
Low risk only
Permitted only where ML/TF risk is genuinely low and specifically approved in writing by the Compliance Officer. Requires less verification but must still meet minimum identification requirements under Rule 4.1.1 AML/CTF Rules. Must not be used as a default — it requires a documented decision each time.
Source: Rule 4.1.1 AML/CTF Rules 2007
Standard CDD
Default
The default level for all new clients. Requires collection and verification of full legal name, date of birth for individuals or ACN/ABN for entities, and address. Verification must use reliable, independent sources — government-issued ID, ASIC records, or the Document Verification Service.
Source: ss.28–31 AML/CTF Act 2006
Enhanced CDD
Mandatory when triggered
Mandatory before providing a designated service when any high-risk trigger is present — PEP clients, FATF high-risk jurisdiction connections, anonymous transactions, or complex beneficial ownership structures. Requires senior management approval and source of funds or source of wealth documentation.
Source: ss.35–36 AML/CTF Act 2006
What is beneficial ownership and why does it matter for an AML/CTF program?
Beneficial ownership refers to the natural persons who ultimately own or control an entity — those who own 25% or more of shares or voting rights, or who otherwise control the entity. Identifying beneficial owners is a distinct obligation from identifying the person who signs your engagement documents. For trusts, this means tracing through to the natural persons who ultimately control and benefit — including the trustee, settlor, appointor, and identifiable beneficiaries.
Source: s.36 AML/CTF Act 2006; Part 4 AML/CTF Rules 2007.
Step-by-step
How do you write an AML/CTF program step by step?
These nine steps cover every element required under the AML/CTF Act and Rules. Complete them in order — each step builds on the previous one.
1. Confirm your designated services
Identify every service your business provides that appears in Schedule 3 of the AML/CTF Act as amended. Your program only needs to cover designated services — but it must cover all of them. Understating your services is itself a compliance risk if AUSTRAC reviews your program against your actual activities.
2. Appoint your Compliance Officer in writing
The Compliance Officer must be senior, have access to all records, and be formally appointed before the program is finalised. Their name, title, and responsibilities must appear in the program document. For sole traders, the owner fills this role.
Source: s.36 AML/CTF Act 2006
3. Complete your ML/TF risk assessment
Assess your risks across client types, services, delivery channels, and jurisdictions. Assign risk ratings — Low, Medium, or High. Document your methodology and findings. This assessment is the foundation of everything else in the program — every control must be traceable to a risk you identified here.
Source: Part 8 AML/CTF Rules 2007
4. Write Part A — your risk framework
Document your governance structure, training requirements and schedule, transaction monitoring procedures, enhanced due diligence triggers, program review schedule, and independent review timeline. Every control must connect back to a risk identified in your risk assessment.
Source: ss.84–85 AML/CTF Act 2006
5. Write Part B — your CDD procedures
Document your customer identification and verification procedures for each client type — individuals, companies, trusts, SMSFs. Include simplified, standard, and enhanced CDD thresholds, triggers, and steps. Include your beneficial ownership identification procedure and your ongoing CDD review schedule.
Source: ss.28–36 AML/CTF Act 2006; Part 4 AML/CTF Rules
6. Get senior management approval
The program must be approved by a senior manager — partner, principal, or director — before you start providing designated services. Document the approval with the approver's name, title, date, and signature. A program without documented approval is non-compliant.
7. Train your staff
All staff involved in providing designated services must complete AML/CTF induction training before client-facing work begins, and annual refresher training thereafter. Training must cover the program content, red flag indicators, CDD procedures, and SMR obligations. Training records must be retained for 7 years.
Source: Part 12 AML/CTF Rules 2007
8. Implement and operate the program
Put the program into practice — conduct CDD on every relevant client, monitor transactions, escalate suspicious matters through your Compliance Officer, and submit SMRs and TTRs as required. A written program that is not operationally followed provides no compliance protection and no defence in an AUSTRAC review.
9. Schedule your independent review
Every AML/CTF program must be independently reviewed at least every 2 years by a suitably qualified person who is not involved in day-to-day operations. Book this in advance — qualified AML/CTF reviewers become scarce as the 1 July 2026 deadline approaches.
Source: s.36 AML/CTF Act 2006
Starter kit vs custom
What is the difference between an AUSTRAC starter kit and a custom AML/CTF program?
AUSTRAC released sector-specific Program Starter Kits for small, low-complexity businesses in early 2026. They provide a pre-built framework aligned to AUSTRAC guidance that businesses can adopt as a starting point. The Starter Kits are available free of charge at austrac.gov.au.
The starter kit is generic — it does not contain your business name, your compliance officer, your specific designated services, your client risk profile, or your jurisdiction exposure. AUSTRAC’s own guidance states the program must be tailored to your specific business. A starter kit adopted without customisation may not satisfy this requirement, particularly for firms with multiple service lines or complex client types.
When AUSTRAC reviews your program, the regulator looks for evidence it reflects how your business actually operates — not just that a document exists. A document that reads as a generic template for any business in your sector is a red flag in a compliance review. A document that references your specific services, client types, officer name, and risk profile demonstrates genuine compliance intent.
Record keeping
What are the record-keeping requirements for an AML/CTF program?
All AML/CTF program documents, risk assessments, CDD records, transaction records, SMRs, TTRs, and training records must be retained for a minimum of 7 years from the date the record was made or the transaction completed, whichever is later. Records must be stored securely, access-controlled, and retrievable within timeframes specified in any AUSTRAC request. Source: ss.112, 162 AML/CTF Act; Part 10 AML/CTF Rules 2007.
Does the 7-year record retention apply to the program document itself?
Yes. The AML/CTF program document, all previous versions of it, approval records, and independent review reports must all be retained. If AUSTRAC conducts a compliance review, they may request historical versions of the program to assess whether it was genuinely maintained and updated over time — not just written once and filed away. Version control and dated approval records are essential.
Common questions
Frequently asked questions about AML/CTF programs
Can I use the same AML/CTF program for multiple related entities?
A joint AML/CTF program is possible for a designated business group (DBG) — a group of related companies under common ownership or control that elect to comply jointly. Each entity in the group must still be enrolled separately with AUSTRAC. Outside a DBG structure, each reporting entity must have its own program. Source: ss.84, 87 AML/CTF Act 2006.
How long does it take to write an AML/CTF program?
Writing a compliant AML/CTF program from scratch typically takes 2–5 days for a small, low-complexity business, and several weeks for larger practices with multiple service lines and client types. The risk assessment alone — done properly — requires documenting every service, client type, delivery channel, and jurisdiction. Using AUSTRAC's Starter Kit as a base, or Klyvon's document generation, significantly reduces this time.
Does my program need a lawyer to review it?
AUSTRAC does not mandate legal review of your AML/CTF program, but professional review is strongly recommended before operational reliance — particularly for firms with complex service mixes, PEP clients, or international transactions. The program must demonstrate genuine risk-based thinking, not just tick boxes. A qualified AML/CTF adviser or compliance lawyer can identify gaps that may not be obvious from the AUSTRAC guidance alone.
What is an independent program review and who can conduct it?
Every AML/CTF program must be independently reviewed at least every 2 years by a suitably qualified person who is not involved in day-to-day AML/CTF operations. This can be an external compliance consultant, a qualified AML/CTF adviser, or — for larger firms — an internal audit function that is genuinely independent of the compliance team. The reviewer must assess whether the program is effective and being followed, and must produce a written report. Source: s.36 AML/CTF Act 2006.
Can my AML/CTF program be stored digitally or does it need to be printed?
AUSTRAC accepts programs in digital or printed form — there is no requirement for a physical document. Your program must be accessible to relevant staff and available for production to AUSTRAC on request. If stored digitally, ensure version control is maintained so that historical versions can be retrieved to demonstrate the program's evolution over time.
What is the difference between a joint program and an individual program?
An individual program covers a single reporting entity and its designated services. A joint program covers all members of a designated business group (DBG) — a formally elected group of related companies that comply collectively. Under a joint program, one entity administers compliance on behalf of all group members, but each member retains individual legal liability for compliance with their own obligations. Source: ss.84, 87 AML/CTF Act 2006.
Does my program need to be registered or lodged with AUSTRAC?
No. You do not lodge or register your AML/CTF program with AUSTRAC. You must have a compliant program in place and be ready to produce it to AUSTRAC on request during a compliance review or investigation. AUSTRAC may also ask you to self-certify compliance through the Annual Compliance Report lodged by 31 March each year. Source: s.47 AML/CTF Act 2006.
What triggers a mandatory program update?
Your program must be updated when there is a material change to your business — including offering a new designated service, onboarding a new category of high-risk client, changes to the FATF country lists, significant changes to your ownership or staff, or changes to AUSTRAC guidance. Annual review is required as a minimum, but the program must remain current at all times. Source: s.84 AML/CTF Act; AML/CTF Rules 2007, Part 9.
What is a designated business group and does it affect my program obligations?
A designated business group (DBG) is a group of two or more related companies under common ownership or control that elect to comply jointly under a single AML/CTF program. To form a DBG, each entity must formally elect to join, and the group must designate a responsible entity to administer the program. The advantage is operational efficiency — one program, one compliance function. Each entity remains individually liable for its own compliance. Source: s.5 AML/CTF Act 2006.
How does the outcomes-based approach under the 2026 reforms change what my program must demonstrate?
The AML/CTF Amendment Act 2024 shifts the compliance framework from prescriptive rules-based obligations toward an outcomes-based approach. AUSTRAC now assesses whether your program effectively manages ML/TF risk — not just whether you have a document that ticks statutory boxes. This means your risk assessment must be genuinely analytical, your controls must be traceable to identified risks, and your program must be operationally followed. A technically complete document that is not reflected in actual practice will not satisfy the outcomes-based standard.
What should I do if my business changes services after the program is approved?
Any material change to your designated services requires an update to your AML/CTF program before you begin providing the new service. This includes updating your risk assessment to address the risks associated with the new service, updating your CDD procedures if the new service involves new client types, and notifying AUSTRAC of the change to your designated services through AUSTRAC Online within 14 days. Source: ss.84, 76 AML/CTF Act 2006.
Is there a minimum length or format required for an AML/CTF program?
AUSTRAC does not prescribe a minimum length, word count, or format. The program must cover all required elements under ss.84–86 of the Act and Parts 4, 8, and 12 of the AML/CTF Rules 2007. A sole-trader program covering a single low-risk service might be 15–20 pages. A multi-service firm program covering complex client types and jurisdictions might be 50+ pages. The test is substance, not length.
How Klyvon helps
How does Klyvon generate your AML/CTF program?
Klyvon asks you 4–6 questions about your practice — your industry, designated services, client types, and compliance officer — then generates a complete, personalised AML/CTF program document in under 60 seconds. The document cites AML/CTF Act sections throughout, is written in first person for your firm, and covers both Part A and Part B.
Klyvon’s output is a starting point built on AUSTRAC official guidance. We recommend review by a qualified AML/CTF adviser before operational reliance. Our documents give you the foundation — what would otherwise take days of research and drafting, ready in seconds.