How to Write an AML/CTF Program: Step-by-Step Guide
If your business is a reporting entity under Australia's AML/CTF Act, you must have a written AML/CTF program in place before you provide any designated services. From 1 July 2026, this includes Tranche 2 entities such as real estate agents, accountants, lawyers, and conveyancers. This guide walks you through writing your program from scratch.
What Is an AML/CTF Program?
An AML/CTF program is your business's documented framework for identifying, managing, and mitigating money laundering and terrorism financing risks. It is not a one-page policy statement — it is an operational document that your team uses day to day. AUSTRAC expects it to be tailored to your business, proportionate to your risks, and actively maintained.
Under the new AML/CTF Rules, the program must be in place before you provide a designated service. Having no program — or having one that exists only on paper — is a contravention that carries penalties of up to $33 million per contravention for corporations.
The AUSTRAC Starter Kit Approach
AUSTRAC has published sector-specific Program Starter Kits for accounting, real estate, and legal professions. These kits provide a template structure you can customise for your business. The starter kit approach follows four steps:
- Customise the starter kit documents to reflect your practice model, services, clients, and risks
- Use the program in day-to-day operations (CDD, monitoring, reporting)
- Review the program annually and whenever material changes occur
- Maintain records and documentation
The starter kits are free and provide a solid starting point. However, they are static PDF documents with no tracking, no workflow automation, and no record management. Most businesses will need to operationalise the content with systems and processes.
The 8 Key Sections of Your AML/CTF Program
1. General Information and Governance
Document your business name, ABN, the designated services you provide, and your governance structure. Identify who is responsible for AML/CTF compliance within your organisation and how compliance decisions are escalated to senior management.
2. Risk Assessment
Your risk assessment is the foundation of the entire program. You must identify and assess ML/TF risks across four dimensions:
- Customer risk — Who are your clients? Are any of them PEPs, from high-risk jurisdictions, or using complex structures?
- Service/product risk — Which of your services are most susceptible to misuse?
- Delivery channel risk — Do you provide services remotely, online, or through intermediaries?
- Geographic risk — Do your clients or their transactions involve high-risk countries or regions?
Rate each risk as low, medium, or high, and document the controls you have in place to mitigate each one.
3. Customer Due Diligence (CDD) Procedures
Detail how and when you will verify your customers' identities. Cover:
- Standard CDD — The baseline identification and verification process for all clients
- Enhanced CDD — Additional measures for higher-risk clients (e.g., PEPs, foreign persons, complex structures)
- Simplified CDD — Reduced measures where permitted for lower-risk scenarios
- Ongoing CDD — How you will monitor existing client relationships and update information over time
- Beneficial ownership — How you identify individuals who ultimately own or control 25% or more of an entity
4. Transaction Monitoring
Describe how you will monitor transactions for suspicious activity. This includes the red flags and indicators relevant to your industry, the process for escalating concerns, and how you distinguish legitimate transactions from those that warrant further investigation.
5. Reporting Procedures
Document your process for lodging reports with AUSTRAC:
- Suspicious Matter Reports (SMRs) — When and how to report. Deadlines: 24 hours for terrorism financing suspicions, 3 business days for all other suspicious matters.
- Threshold Transaction Reports (TTRs) — For physical currency transactions of $10,000 or more
- IFTI reports — For international funds transfer instructions (primarily relevant to Tranche 1 entities)
Include the tipping-off prohibition: it is a criminal offence to disclose to a client that an SMR has been or will be made.
6. Employee Due Diligence
Outline how you screen employees who have access to AML/CTF processes or sensitive customer information. This includes background checks, reference checks, and ongoing suitability assessments.
7. Training Plan
Describe your AML/CTF training program:
- Initial training for new staff within 30 days
- Ongoing training at regular intervals (at least annually)
- Role-specific training based on the employee's involvement with designated services
- How training completion is recorded and tracked
8. Record Keeping
Specify what records you will keep, how they will be stored, and for how long. The AML/CTF Act requires a minimum retention period of seven years for CDD records, transaction records, SMRs, and program documentation. Records must be stored securely and be retrievable on request by AUSTRAC.
The Compliance Officer Role
Every reporting entity must appoint an AML/CTF Compliance Officer. This person must be:
- Fit and proper — Possessing the competence, skills, knowledge, diligence, and integrity to manage the program
- Senior enough to have authority over compliance decisions
- Notified to AUSTRAC — By 29 July 2026 for Tranche 2 entities
The compliance officer's responsibilities include overseeing the day-to-day operation of the program, liaising with AUSTRAC, ensuring staff training is delivered, and reporting to the governing body (board or senior management) at least annually on the program's effectiveness.
In smaller businesses, the compliance officer is often the principal or owner. There is nothing wrong with this, provided they have the time and knowledge to fulfil the role properly.
Annual Review
Your AML/CTF program must be reviewed at least annually. The review should assess:
- Whether the risk assessment is still accurate
- Whether CDD procedures are working effectively
- Whether staff training is up to date
- Whether any regulatory changes require program updates
- Whether any incidents or suspicious matters have highlighted gaps
In addition to annual reviews, you must also review the program whenever a material change occurs — for example, if you add new services, enter new markets, or experience a significant compliance incident.
Common Mistakes to Avoid
- Copy-pasting a generic template without tailoring it to your business. AUSTRAC expects your program to reflect your specific services, clients, and risks.
- Writing it and forgetting it — A program that sits in a drawer is not compliant. It must be operationalised and actively used.
- Skipping the risk assessment — The risk assessment drives everything else. Without it, your CDD procedures and monitoring will not be proportionate to your actual risks.
- No compliance officer appointed — This is a standalone obligation. Failing to appoint and notify AUSTRAC is a separate contravention.
- Inadequate record keeping — If you cannot produce records on request, AUSTRAC will treat it as non-compliance regardless of what your program says.
- No training records — Delivering training is not enough. You must document who was trained, when, and on what.
Get Started Today
Writing an AML/CTF program does not have to take months. With the right guidance, most businesses can have a compliant program in place within days. ComplyReady turns AUSTRAC's starter kit framework into an interactive, guided workflow that generates a tailored program for your business — complete with risk assessment, CDD procedures, and training plans.
Ready to simplify your AML/CTF compliance? Try ComplyReady free for 14 days.