FACT SHEET: What is an AML/CTF Program?

Keddie Waller, AML/CTF Project Manager

This Fact Sheet has been prepared based on the future requirements of the AML/CTF regime for Tranche 2 entities that will commence on 1 July 2026.

An AML/CTF Program is not only a core compliance requirement for reporting entities that come within the Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Act, but is also a key tool to protect your business from being used to facilitate money-laundering or terrorism-financing activities.

Not sure if you need to enrol as a reporting entity? Use AUSTRAC’s ‘Check if you’ll be regulated’ tool.

Your AML/CTF Program must include two core components:

  • ML/TF risk assessment, and
  • AML/CTF policies.

Once you have implemented the policies and procedures in your AML/CTF Program, you must continue to maintain your AML/CTF Program, including your ML/TF risk assessment, by reviewing and updating as required under the AML/CTF regime.

If you are an item 54 service provider only, you have modified obligations under the AML/CTF regime.

What is an ML/TF Risk Assessment?

As a reporting entity, you must undertake an assessment to identify and assess the money-laundering (ML), terrorism financing (TF) and proliferation financing (PF) risks that your business may reasonably face when providing its designated services.

In undertaking your ML/TF risk assessment, you must consider the following risk categories:

  • the nature of the services you provide or will provide (referred to as designated services in the AML/CTF Act), including any new or emerging technologies relating to those services
  • the clients you are providing the designated services to, for example, individuals and Politically Exposed Persons (PEPs)
  • the delivery channels you use or will use to provide your designated services, including any new or emerging technologies relating to those delivery channels
  • the countries you will deal with, or that your clients are connected with, in providing your designated services.

You must also consider any information that AUSTRAC communicates either directly or indirectly to you that provides guidance in relation to identifying, assessing or controlling the risks associated with designated services that you provide.

For example, AUSTRAC issues suspicious activity indicators for different industry sectors, to help reporting entities be aware of and identify potential money laundering, terrorism financing and other serious criminal behaviour activities.

Your ML/TF risk assessment must be tailored for your business.
It must be appropriate to the nature, scale and complexity of your business.

Once you have considered the ML/TF/PF risks you may face, you then need to develop a model to measure the likelihood and impact of each ML/TF risk, and assign a rating to each risk, for example, low, medium or high risk.  This process identifies your initial or inherent risk before any AML/CTF policies and procedures have been applied.

To do this, you could use a risk matrix such as the following.

You must have an up-to-date ML/TF risk assessment before you provide a designated service.

Your AML/CTF policies and procedures should then set out how you will minimise and manage each risk.

If you appoint an outsourced service provider to assist you to comply with your AML/CTF obligations, for example, to complete your ‘know your customer’ checks, this is an important control that needs to be included in your ML/TF risk assessment.

What Policies need to be in my AML/CTF Program?

Your AML/CTF policies help you identify, manage and control your ML/TF/PF risks, as well as help you to comply with your AML/CTF obligations.

Your AML/CTF policies include your policies, procedures, systems and controls.

Like your ML/TF/PF risk assessment, your AML/CTF policies should be appropriate for the nature, size and complexity of your business.  This means if you are a small business, they do not have to be complex, but they must be tailored for your business.

Where you assess that the risk of your business facing proliferation financing is low, your PF risk can be addressed by your existing AML/CTF policies – you do not have to implement specific counter-proliferation financing policies.

Your AML/CTF policies should also address how you will identify any significant changes to your ML/TF risk assessment, as well as review and update your AML/CTF policies because of a change to your ML/TF risk assessment.

The AML/CTF Rules may also specify AML/CTF policies that must be included, such as the obligation to provide initial and ongoing AML/CTF training to employees.

Don’t build your AML/CTF Program in isolation!
Your AML/CTF Policies can be in any format, provided they meet your AML/CTF obligations.

Your AML/CTF Program does not have to be a separate document and framework to other statutory and professional obligations your business may have to comply with.

Consider what existing policies and procedures you already have in place, or are developing, that you could expand or use to comply with your new AML/CTF obligations.  For example, if you are a registered tax agent, you could leverage your existing client verification policies and procedures to include your customer due diligence policy and procedures which comply with the requirements of the AML/CTF regime.

Depending on the nature of your business, clients and the designated services you provide, you could implement one compliance framework for your business to cover all your statutory and professional obligations. This approach could help to reduce your compliance costs, as well as reduce the risk of non-compliance with your different obligations.

The AML/CTF Act requires you to have the following policies in place as part of your AML/CTF Program:

  • ML/TF risk assessment
  • Customer due diligence (CDD)
  • Management oversight and governance
  • Personnel due diligence
  • Personnel training
  • Record Keeping
  • Monitoring, reviewing and updating your AML/CTF Program
  • External Reporting (to AUSTRAC)
  • Independent evaluations

How do I keep my AML/CTF Program up to date?

You must continue to review and update your AML/CTF Program. This means putting in place your ML/TF risk assessment is not a set-and-forget exercise; you must continue to review it when:

  • you face any new or changed ML/TF/PF risks when providing designated services
  • AUSTRAC provides information to you which identifies or assesses risks associated with the designated services you provide, or
  • an independent evaluation report includes an adverse finding in relation to your ML/TF risk assessment.

If none of these factors apply, then you must review your ML/TF risk assessment at least once every three years.

Your AML/CTF policies and procedures will then also need to be updated for any changes to your ML/TF risk assessment, as well as any legislative and regulatory changes.

Don’t forget to train your personnel on changes to your ML/TF risk assessment and AML/CTF policies that impact their role and responsibilities.
