Pillar Article — AML/CTF Procedure Implementation Series
From Paper to AI:
The Australian Reporting Entity’s Guide to Building AML/CTF Procedures That Actually Work
Quick answer
An AML/CTF program under Australian law (section 26B) comprises an ML/TF risk assessment and AML/CTF policies. AUSTRAC enforcement consistently targets entities whose procedures do not match their stated controls. This guide maps the 5-stage procedure maturity model and shows how to build procedures that are documented, trained, tested, and defensible.
IntroductionWhy Most AML/CTF Programs Fail Before They Start
AUSTRAC’s enforcement record tells a consistent story. Across every major civil penalty action and enforceable undertaking — from the Westpac matter to actions against remittance providers and digital currency exchanges — one theme recurs: the gap between having an AML/CTF program document and having procedures that staff can actually follow.
An AML/CTF program is a legal requirement. But documents sitting in a shared drive, reviewed infrequently and rarely opened, do not constitute a compliance program. They are a liability.
AUSTRAC does not fine entities for having imperfect policies. It takes action against entities whose operational reality does not match their stated controls — where transaction monitoring rules exist on paper but were never configured, where CDD procedures were documented but never trained, where SMR thresholds were set but staff did not know how to escalate.
The distinction that drives enforcement outcomes is not policy versus no policy. It is procedure that works versus procedure that doesn’t.
Section 1Policy vs Procedure — The Distinction That Costs Entities Millions
What is an AML/CTF Program?
Under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) as reformed from 31 March 2026, an AML/CTF program comprises two components s 26B:
- the reporting entity’s ML/TF risk assessment; and
- the reporting entity’s AML/CTF policies.
The ML/TF risk assessment ss 26C–26E identifies and assesses ML, TF, and — under the 2025 reforms — proliferation financing (PF) risks. It must be approved by a senior manager s 26P and reviewed at least every three years or on trigger events.
The AML/CTF policies s 26F are the operational layer: procedures, systems and controls that manage the risks identified in the ML/TF risk assessment. Both components must be documented s 26N and approved by a senior manager before commencing designated services.
Core Procedure Domains
- Customer identification and verification — initial CDD and KYC information collection
- Enhanced customer due diligence (EDD) for higher-risk customers and PEPs
- Ongoing CDD and transaction monitoring
- Suspicious matter reporting (SMR) — identification, escalation, and lodgement
- Threshold transaction reporting (TTR) — physical currency transactions of $10,000 or more
- IFTI reporting (note: transitioning to IVTS — see box below)
- Record keeping — creation, storage, and retention periods
- Targeted financial sanctions (TFS) screening and compliance
- Staff training, awareness, and competency assessment
- AMLCO functions, escalation pathway, and governing body reporting
- Independent evaluations of the AML/CTF program
- AML/CTF compliance reporting to AUSTRAC s 47
Section 2The 5-Stage AML/CTF Procedure Maturity Model
The maturity model is a diagnostic tool. The right stage depends on your risk profile, transaction volume, customer complexity, and the nature of your designated services. What matters is that your current stage is defensible to a regulator.
Stage 1 — Policy-Only
Documents exist but are not operationalised. Staff unaware of obligations. No configured transaction monitoring. CDD records cannot be produced. Highest regulatory exposure. Most common starting point for newly registered entities and Tranche 2 obligors.
Stage 2 — Documented
Procedures are written, accessible, and trained. CDD checklists and SMR flowcharts exist. Training is recorded. A legitimate, defensible position for many Australian reporting entities — particularly those with low transaction volumes and simple customer profiles.
Stage 3 — System-Assisted
Technology tools assist human decision-making. Name screening, alert generation, case management. Human-in-the-loop model. Appropriate for mid-size fintechs, remittance dealers, and DCEs. Risk: alert fatigue and configuration drift.
Stage 4 — Rule-Based Automated
Deterministic if-then rules applied at scale through a dedicated TM platform. Full audit trails. Key advantage: explainability — every alert has a precise, auditable reason. Appropriate endpoint for most major banks and large institutions.
Stage 5 — AI-Augmented
ML models, network analytics, NLP, and dynamic risk scoring. Justified only where transaction volumes are very high and typologies are complex. Introduces model governance, validation, and explainability obligations. Most entities do not need this.
Section 3How to Build Your Procedures — A Stage-by-Stage Roadmap
Moving from Stage 1 to Stage 2
Documents to Produce
- ML/TF risk assessment — documented and approved by a senior manager s 26P
- AML/CTF policies document — approved by a senior manager
- Customer identification and verification procedure (CDD) — separate procedures for individuals, companies, trusts
- Ongoing CDD and transaction monitoring procedure
- SMR identification and escalation procedure — including statutory timeframes
- TTR reporting procedure — physical currency $10,000 or more
- IFTI reporting procedure (and IVTS transition plan for 31 March 2029)
- Targeted financial sanctions (TFS) screening procedure
- Record keeping procedure
- Staff AML/CTF training schedule and completion register
Common Mistakes at This Stage
- Copying a competitor’s procedure without adapting it to your business model
- Writing procedures that describe what the system does rather than what the staff member does
- Omitting proliferation financing risk from the ML/TF risk assessment
- Treating AMLCO designation as a formality — 28 days to designate, 14 days to notify AUSTRAC ss 26K, 26M
Moving from Stage 2 to Stage 3
The trigger is typically volume, consistency failure, or key-person risk. Common mistake: purchasing a screening tool before documenting the procedure it is meant to support, or configuring TM rules based on vendor defaults rather than your own ML/TF risk assessment.
Moving from Stage 4 to Stage 5
Before committing to ML-based monitoring, address: do your current false negative rates justify the investment? Do you have model governance capability for validation, drift monitoring, and explainability? Is your compliance team equipped for probabilistic outputs rather than deterministic rules?
Section 4The Australian Context — What AUSTRAC Actually Expects
Key Obligations Summary
| Obligation | Legal Source | Key Requirement |
|---|---|---|
| ML/TF Risk Assessment | ss 26C–26E, 26P | Before commencing; covers ML, TF and PF; approved by senior manager; reviewed at least every 3 years |
| AML/CTF Policies | ss 26F, 26N, 26P | Documented; approved; reviewed at least every 3 years |
| SMR | s 41(2) | 24 hours (terrorism financing); 3 business days (all other cases). Civil penalty provisions. |
| TTR | ss 5, 43 | Physical currency only, $10,000+. Not virtual assets. Lodge within 10 business days. |
| IFTI / IVTS | ss 45–46; Transitional Rules ss 9–11 | IFTI continues until IVTS transition date (default 31 March 2029). s 46A from 31 March 2029. |
| TFS | Rules 5-3 | UN Security Council list + DFAT Australian Sanctions Register. Distinct from PEP screening. |
| Independent Evaluation | s 26F(4)(f); Rules 5-10 | At least every 3 years. Independent evaluator. Written report to governing body. Adverse findings trigger mandatory review. |
| AMLCO | ss 26J–26M; Rules 5-7, 5-14 | Designated within 28 days; fit and proper; AUSTRAC notified within 14 days; annual governing body report. |
| AML/CTF Compliance Report | s 47 | Annual report to AUSTRAC. Separate from SMR/TTR/IFTI reporting. |
SMR Timeframes
Under section 41(2) of the AML/CTF Act 2006:
- 24 hours — where the suspicion relates to terrorism financing (paragraphs 41(1)(g) or (h))
- 3 business days — all other cases
These are civil penalty provisions. Procedures must specify them explicitly and staff must be trained to understand when the clock starts.
Targeted Financial Sanctions
Reporting entities must ensure their AML/CTF policies address TFS compliance Rules 5-3. This requires screening against the UN Security Council consolidated list and DFAT’s Australian Sanctions Register. TFS is a standalone obligation — distinct from PEP screening — and must appear explicitly in AML/CTF policies.
Independent Evaluations
Required under section 26F(4)(f) and Rules 5-10. Minimum every three years. Evaluator must be sufficiently independent. Written report to governing body. Adverse findings trigger mandatory review.
Tranche 2 Reform
Australia’s Tranche 2 reforms extend AML/CTF obligations to designated non-financial businesses and professions (DNFBPs) — including legal practitioners, accountants, real estate agents, trust and company service providers, and dealers in precious metals and stones. This is the largest expansion of the AML/CTF regime since its introduction and brings Australia into alignment with FATF Recommendations.
Section 5Choosing the Right Tools for Your Stage
Technology does not create compliance. Procedures create compliance. Technology can make procedures faster and more consistent — but only if the underlying procedures are sound.
Stage 3 — Screening and Case Management
- LexisNexis Bridger Insight and World-Check — comprehensive PEP and sanctions databases with API integration
- Dow Jones Risk & Compliance — strong adverse media coverage
- ComplyAdvantage — cloud-native, stronger coverage of virtual asset risk typologies
Stage 4 — Transaction Monitoring Platforms
- NICE Actimize — industry-leading TM platform with strong Australian bank adoption
- Oracle FCCM — deep integration with Oracle banking infrastructure
- Temenos Financial Crime Mitigation — adopted among regional banks and non-bank lenders
- Napier — growing mid-market presence with strong regulatory reporting capability
Stage 5 — AI-Augmented
- Unsupervised learning for anomaly detection
- Network analytics — mapping entity relationships (Quantexa)
- NLP — automated SMR narrative drafting and adverse media summarisation
- Dynamic risk scoring — real-time customer risk rating (Sardine, NICE Actimize AI modules)
Section 6The 5 Mistakes That Keep Entities Stuck
Mistake 1: Treating the Program Document as the Finish Line
Entities invest in producing the ML/TF risk assessment and AML/CTF policies — then stop. Staff aren’t trained. Transaction monitoring isn’t configured. Twelve months later, nothing has changed operationally. That gap is what AUSTRAC finds.
The Fix Treat program completion as the beginning of implementation. Build an implementation plan with named owners, milestones, and evidence requirements.
Mistake 2: Copying a Template Without Customisation
A template describes a hypothetical business. Your ML/TF risk assessment must describe your actual risk profile — including proliferation financing risk, now a mandatory component under the reformed Act.
The Fix Customise every element against your actual business model before AML/CTF policies are built on top of it.
Mistake 3: Building Procedures in Isolation
If your onboarding team wasn’t consulted on the CDD procedure, they will find workarounds. Procedures built without the people who execute them fail at the point of execution.
The Fix Involve operational staff. Run tabletop exercises. Test with real scenarios — including the 24-hour terrorism financing SMR timeframe — before going live.
Mistake 4: Over-Investing in Technology Before the Procedure Foundation Exists
Purchasing a Stage 4 TM platform while operating at Stage 1 procedurally generates alerts no one knows what to do with. Technology is a multiplier. Multiply nothing by a large number and you still get nothing.
The Fix Build the procedure foundation first. Match your technology investment to your maturity stage.
Mistake 5: Failing to Review Procedures as the Business Evolves
The Act requires review at least every 3 years s 26F(3)(d) — but trigger events also mandate earlier review. Entities accumulate a gap between documented controls and operational reality. AUSTRAC assessments are designed to find it.
The Fix Embed procedure review into product development and change management. Ensure independent evaluation findings trigger the mandatory review processes in section 26F and Rules 5-4.
FAQFrequently Asked Questions
What is an AML/CTF program under Australian law?
Under section 26B, an AML/CTF program comprises: (1) the ML/TF risk assessment — identifying ML, TF, and PF risks; and (2) the AML/CTF policies — the operational procedures, systems and controls that manage those risks. Both must be documented (s 26N) and approved by a senior manager (s 26P).
What are the SMR timeframes in Australia?
Under section 41(2): 24 hours for terrorism financing suspicions (paras 41(1)(g) or (h)); 3 business days for all other cases. These are civil penalty provisions — not aspirational timeframes.
What does a threshold transaction report (TTR) cover?
TTR applies to designated services involving the transfer of physical currency (cash) of $10,000 or more (ss 5, 43). It does not apply to virtual assets — those are subject to IFTI/IVTS reporting. Lodge within 10 business days.
What is the difference between IFTI and IVTS?
IFTI is the existing reporting obligation. IVTS is the replacement regime. Under the AML/CTF Transitional Rules 2026 (s 10), IFTI continues until the IVTS transition date, defaulting to 31 March 2029. Section 46A (self-hosted wallet transfers) also applies from that date.
How often does an AML/CTF program need to be reviewed?
At least once every three years (s 26F(3)(d)), and whenever trigger events occur — including adverse findings in an independent evaluation. Annual review is not a legal requirement.
What is an independent evaluation?
A mandatory review under s 26F(4)(f) and Rules 5-10. At least every three years. Evaluator must be sufficiently independent. Written report to governing body. Adverse findings trigger mandatory review. The correct legal term is “independent evaluation” — not “independent audit”.
Who qualifies as an AMLCO?
Under ss 26J–26M: designated within 28 days of commencing designated services; must be a fit and proper person (Rules 5-14); must be an Australian resident (unless exempt); AUSTRAC notified within 14 days of designation (s 26M); annual report to governing body (Rules 5-7).
Who are Tranche 2 obligors?
Legal practitioners, accountants, real estate agents, trust and company service providers, and dealers in precious metals and stones. This is the largest expansion of the Australian AML/CTF regime since its introduction.
Where Does Your Program Sit Today?
The 5-stage maturity model provides a diagnostic framework for every Australian reporting entity — from the newly registered Tranche 1 obligor building its first program to the sophisticated financial institution evaluating AI-augmented monitoring capability.
The most important question is not which stage is most impressive. It is which stage is right for your organisation — and whether your current ML/TF risk assessment and AML/CTF policies are genuinely defensible to a regulator, not just documented in a file somewhere.
This article is for general information purposes and does not constitute legal advice. Legislative references are to the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and the AML/CTF Rules as in force from 31 March 2026, and the AML/CTF Transitional Rules 2026.
Ready to Build Procedures That Work?
TheAMLConsultant.com is an Australian AML/CTF consultancy specialising in implementation — not just advice. From first-registration Tranche 2 obligors building their first CDD procedure to Tranche 1 entities upgrading to rule-based automation, we provide the hands-on expertise that compliance programs need to move from paper to practice.
Get in TouchContact TheAMLConsultant.com to discuss your requirements
info@TheAMLConsultant.com
Telephone / WhatsApp : (+61) 434 969 412