What goes into an AML/CTF program? Here’s what AUSTRAC will expect you to have in place
If you’re a Tranche 2 small–medium business (perhaps you’re a legal practitioner, conveyancer, real estate agent, accountant or similar), you’ve probably been hearing a lot about the new Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) regulations coming into effect next year. You might be at the point of wondering, ‘well, how do we actually build this thing?’. And that’s a great question! With industry-specific guidance expected from AUSTRAC shortly, now’s a great time to start thinking about mapping out your compliance program.
First, at a glance: what AUSTRAC means by an AML/CTF program
As a Tranche 2 business, you will need to have a written AML/CTF program in place before you start providing designated services. Your program will need to set out exactly how you will comply with the laws and how you’ll stop your services from being used for money laundering or terrorism financing.
Your program must be:
- Documented. A written manual of policies, procedures, systems and controls.
- Risk-based. Tailored to the actual risks of your business (size, nature, services, delivery channels, and foreign connections).
- Practical. Showing how you identify, mitigate and manage ML/TF risks in day-to-day operations.
There’s no “one size fits all”. AUSTRAC has made it clear that each reporting entity must build a program that reflects its unique risks and business model.
The two parts of an AML/CTF program
Part A: This is your overarching framework. This includes your ML/TF risk assessment, board/senior oversight, a nominated AML/CTF compliance officer, staff due diligence, training, reporting systems, transaction monitoring, enhanced due diligence procedures, and regular independent review.
Part B: This is all about your customer due diligence procedures. This spells out how you identify and verify customers and beneficial owners (including politically exposed persons or ‘PEPs’), resolve discrepancies, and decide when extra information is needed.
Program types
Depending on how your business is set up, you may need a:
- Standard program (most Tranche 2 SMEs will fall here).
- Joint program (if you’re part of a designated business group and want one shared program).
- Special program (limited to Australian Financial Services Licence holders arranging designated services, and only requires Part B).
A well-built AML/CTF program is vital not just for your business and how you will ensure your own compliance, but also for protecting Australia from money laundering (ML), terrorism financing (TF) and proliferation financing (PF) as a whole.
Let’s build it step‑by‑step: your AML/CTF program components
1) Do a fit‑for‑purpose ML/TF/PF risk assessment.
This is your foundation. Identify the real risks in your customers, services, delivery channels, geographies, and partners, then rank them and set controls proportionate to those risks. Revisit it when something material changes. This could be the introduction of new services, entry into a new market or a change in your client distribution.
Quick wins you can get now
- Map your services and customer types, including their location.
- Rate inherent risks and list the controls you already have in place (e.g. perhaps existing VOI procedures).
- Note gaps where controls are too light or missing.
- Calendar a review cycle (e.g., annually, or upon trigger events).
2) Put it in writing (and name your AML/CTF compliance officer).
AUSTRAC expects clear oversight from senior members of your team as well as a designated AML/CTF compliance officer, and governance that sits with them to keep your program current. Independent review of your program is required at least once every 3 years. Many small business owners will wear both the oversight and compliance hats themselves.
Quick wins you can get now
- Document roles/responsibilities (board, executive team, compliance officer, front line).
- Add AML/CTF as a standing agenda item in leadership meetings.
3) Document policies, procedures, systems and controls.
Your AUSTRAC compliance program must be written, approved by senior management, kept up to date, and aligned to your risk profile. Policies should cover how you identify, mitigate and manage ML/TF/PF risks and how you meet legislative obligations.
Quick wins you can get now
- Review your policy and procedure documents and ensure you have a single source of truth for each element/process in your business.
- Consider how changes are made and document change controls for future reference when risks or policies change.
4) Look at customer due diligence (CDD) (initial, ongoing, enhanced/simplified).
You’ll apply initial CDD before providing designated services, including identity, beneficial ownership, and screening (PEPs and sanctions), then ongoing CDD via monitoring and periodic refresh. For many Tranche 2 businesses, some form of client ID happens already during your engagement. Consider what this looks like, where the gaps are and understand what would trigger the need for enhanced CDD (ECDD).
Quick wins you can get now
- Define when you trigger ECDD (e.g., foreign PEPs, adverse media, unusual activity).
- Implement a basic transaction monitoring procedure to get used to reviewing and flagging anomalies.
5) Set up reporting processes.
Under the new AML/CTF compliance rules, you’ll need to file:
- Suspicious Matter Reports (SMRs) when you suspect a person isn’t who they claim to be, or an activity may involve crime.
- Threshold Transaction Reports (TTRs) for physical currency transactions ≥ A$10,000.
- International/value transfer reporting for international transfers of value (more information on this will come from AUSTRAC soon).
- Annual compliance reports summarising how you met obligations.
6) Make sure your record‑keeping practices are reliable.
You’ll need to retain accurate, complete records of your program, CDD, transactions, training and audits for at least seven years. These need to be stored securely and retrievable on request. Look at the systems you’re currently using and consider what lives in your task/client management system vs. other storage options, as well as how you evidence decisions.
Quick wins you can get now
- Audit your record-keeping practices and ensure these are documented in your policy manual.
7) Train people and run employee due diligence.
Deliver role‑specific AML/CTF risk awareness training to all relevant staff (including contractors and directors), and run employee due diligence proportionate to role risk. Log attendance and keep staff informed early so that you can engage them throughout the process for an easier transition in 2026.
Quick wins you can get now
- Hold and track information/education sessions or invite your staff to attend webinars and external sessions.
- Include “how to escalate a suspicion” in every session.
8) Plan your independent evaluation.
Every three years (or sooner after major changes), you will need your program independently reviewed, and to complete a compliance audit. More information around who/how/when this is required will be communicated by AUSTRAC as we near the implementation date.
9) Consider a group approach (if applicable).
If you operate within a group, the reforms introduce reporting groups (replacing designated business groups), allowing shared risk management and a group AML/CTF program in some circumstances, overseen by a lead entity.
AML/CTF compliance done without the overwhelm
If all these elements of the compliance program are stressing you out, or the cost and confusion that comes with working with multiple different providers has you tearing your hair out, we reckon you’d much prefer an all‑in‑one approach. easyAML is specifically built for Australian Tranche 2 SMEs and encompasses everything you need - risk assessment, CDD, ongoing monitoring, reporting workflows and evidence‑ready records in one place, aligned to AUSTRAC’s risk‑based expectations.
Want to know more about how we’re simplifying compliance? Register for one of our upcoming webinars to see first-hand how we’re helping businesses just like yours with their end‑to‑end AML obligations.
FAQs we hear from Tranche 2 SMEs
Do I really need a custom program, or can I copy a template?
Templates help you start, but AUSTRAC expects your program to be tailored to your actual risks and operations. A copy‑paste job won’t cut it.
What counts as “ongoing” CDD?
Monitoring customer activity against expected behaviour, updating risk ratings when triggers occur, and refreshing KYC information accordingly. Document the logic so you can show why you acted.
How fast do I need to report?
SMRs should be made as soon as practicable. TTRs and IFTIs are due within 10 business days of the transaction/instruction. Build this into your workflows now.
The AML compliance bottom line
A compliant AML/CTF program in Australia doesn’t have to be complicated. Yes, it has to be risk‑based, documented and quite comprehensive. But for a simpler, more manageable approach, have a chat with the easyAML team. We’ll give you a practical AUSTRAC compliance program framework with the tools to execute (from onboarding to ongoing monitoring to reporting), so you’re ready for Tranche 2 AML requirements in 2026.
Sign up for our readiness list to be the first to know all the latest AML/CTF updates.