How to Build an AML/CTF Program: A Practical Guide for Australian Businesses

⚡ Direct Answer: Building an AML/CTF program involves developing written policies, procedures, systems, and controls that manage and mitigate your business’s money laundering and terrorism financing risks. Under the AML/CTF Act, the program must be in place before you commence providing designated services, be approved by a senior manager, and be tailored to the nature, size, and complexity of your business.

What Is an AML/CTF Program?

An AML/CTF program is the written framework through which a reporting entity meets its obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006. It is the operational heart of your compliance regime — the document that brings together your risk assessment, customer identification and verification procedures, monitoring systems, reporting processes, staff training, and governance arrangements.

AUSTRAC’s guidance describes your AML/CTF policies as the “policies, procedures, systems and controls that work collectively” to ensure compliance with your obligations. The program must be genuinely tailored to your business — not a template copied from another entity.

Critically, the program must be in place before you commence providing designated services. You cannot begin operations and then develop your program — compliance must be built in from the start.

Step 1: Conduct Your ML/TF Risk Assessment

Your AML/CTF program must be built on a foundation of genuine risk assessment. You cannot design effective controls without first understanding where your risks are. AUSTRAC requires you to conduct a formal, documented risk assessment covering:

  • Your designated services — including any new or emerging technologies related to those services
  • Your customer types — including any unusual or complex customer profiles
  • Your delivery channels — including digital and remote service channels
  • The countries and jurisdictions you deal with — including any high-risk or sanctioned countries
  • Any new services, customers, channels, or geographies that could increase risk

The risk assessment must be tailored to your specific business. AUSTRAC expects larger, more complex businesses to have more extensive assessments than smaller, simpler operations. The key is that the assessment genuinely reflects your business rather than being a theoretical exercise.

Once complete, the risk assessment should result in risk ratings (typically low, medium, high) for your various risk categories. These ratings drive the design of your controls.

Step 2: Design Your AML/CTF Program Structure

Your program must include, at a minimum:

  • A risk-based framework for managing ML/TF risks identified in your risk assessment
  • Customer due diligence (CDD) policies and procedures — including initial CDD, ongoing monitoring, and enhanced due diligence for high-risk customers
  • Policies and procedures for detecting and reporting to AUSTRAC (SMRs, TTRs, IFTIs)
  • Employee due diligence policies
  • Staff training procedures
  • Record-keeping policies
  • An independent evaluation framework
  • Governance arrangements — who is responsible, who approves, who reviews

Step 3: Develop Your CDD Procedures

Your CDD procedures should clearly specify:

  • What identity information must be collected and verified for each customer type (individuals, companies, trusts, etc.)
  • What verification methods are acceptable (documentary, electronic, in-person)
  • How beneficial owners are identified and verified
  • How customer risk ratings are assigned
  • When simplified CDD is permitted and what conditions must be met
  • What triggers enhanced due diligence and what EDD measures will be applied
  • How PEP detection is conducted and how positive matches are escalated
  • How targeted financial sanctions screening is performed
  • What ongoing monitoring processes will be used — transaction monitoring and periodic CDD reviews

Step 4: Establish Your Reporting Procedures

Your program must include clear procedures for your reporting obligations. For each report type, specify:

  • Who is responsible for identifying potential reportable matters
  • The internal escalation path from the front-line employee to the AML compliance officer
  • How the decision to submit an SMR is made and documented
  • The process for submitting reports through AUSTRAC Online
  • Reporting timeframes (e.g., 24 hours for terrorism financing SMRs, 10 business days for TTRs)
  • How reports are tracked and recorded internally

Step 5: Design Employee Due Diligence and Training

Your program must address how the business manages AML/CTF risks arising from its own employees. This includes:

  • Background screening and verification for relevant employees before commencement
  • Ongoing employee monitoring for unusual behaviour or potential conflicts of interest
  • Initial AML/CTF training for all relevant staff — including the tipping-off prohibition
  • Periodic refresher training
  • Specific training for compliance officers and senior managers
  • Documentation of training completion

Step 6: Establish Record-Keeping Systems

Your program must specify what records will be kept, how they will be stored, and for how long. Remember:

  • Most AML/CTF records must be kept for at least 7 years
  • Records must be retrievable within a reasonable time if requested by AUSTRAC
  • CDD records must document the process undertaken, not just the outcome
  • Transaction records must be sufficient to fully reconstruct the transaction

Step 7: Build in Governance and Oversight

Your program must have clear governance arrangements. AUSTRAC expects:

  • Board or senior management approval and ownership of the AML/CTF program
  • A designated AML/CTF compliance officer with appropriate knowledge and authority
  • Clear roles and responsibilities for compliance functions
  • Escalation paths for significant AML/CTF decisions
  • A commitment to reviewing and updating the program when circumstances change
  • A plan for periodic independent evaluation of the program

Step 8: Get the Program Approved and Implemented

Your completed program must be:

  • Approved by a senior manager before commencing designated services
  • Communicated to all relevant staff
  • Actually implemented — not just stored in a filing cabinet
  • Kept current as circumstances change — not treated as a one-time exercise

Maintaining and Updating Your Program

AML/CTF compliance is ongoing. Your program should be treated as a living document that evolves with your business. You must review and update your program when:

  • You introduce new services or products
  • You enter new geographic markets or customer segments
  • There are material changes to your business structure
  • New AUSTRAC guidance or regulatory changes take effect (such as the 2026 reforms)
  • Your independent evaluation identifies deficiencies
  • A compliance incident occurs that reveals gaps in your framework

Frequently Asked Questions

How long does it take to build an AML/CTF program?

For smaller, simpler businesses, a basic AML/CTF program can be developed in a few weeks. For larger or more complex businesses, the process — including risk assessment, program design, CDD procedure development, and staff training — can take several months. Businesses preparing for the 2026 reforms should start immediately.

Can I use a template for my AML/CTF program?

A template can serve as a starting point, but your program must be genuinely tailored to your business. AUSTRAC’s guidance is clear that generic, off-the-shelf programs do not meet the requirement for a program that is “appropriate to the nature, size and complexity” of the business.

Do I need a separate compliance officer for AML/CTF?

The Act does not require a dedicated AML compliance officer for all businesses — but your program must clearly assign responsibility. For smaller businesses, the principal or a senior manager may take on this role. Larger or higher-risk businesses should have a dedicated compliance officer with appropriate expertise.

When does my program need to be in place?

Your AML/CTF program must be in place before you start providing designated services. For newly regulated businesses under the 2026 reforms, this means having a functioning program ready before 1 July 2026.
