AML/CTF Program Template (Australia, 2026): Full Structure
If you are looking for an AML/CTF program template, you are likely in one of three positions: you are a Tranche 2 business that has just realised you need a documented program by 1 July 2026, you are reviewing an existing program that may be out of date, or you are evaluating whether to build one yourself or use a platform that generates one for you.
This guide gives you the full structure of a compliant AML/CTF program for Australian businesses — every section AUSTRAC expects in Part A and Part B, with practical guidance on what each section needs to cover. You can use this as a template to build your own program from scratch, or as a checklist to audit an existing one.
A note before you start: a template is a starting point, not a finished program. AUSTRAC explicitly requires that your program be tailored to your business, proportionate to your ML/TF risks, and operationally embedded. A template downloaded and lightly edited is the most common reason programs fail audit.
What an AML/CTF program is (and is not)
Under Section 81 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, every reporting entity must have a written AML/CTF program before providing any designated service. The program is not a marketing document or a one-page policy statement. It is a working document that:
- Identifies and documents your money laundering and terrorism financing risks
- Sets out the systems and controls you have in place to manage those risks
- Defines the roles and responsibilities of staff
- Records how you onboard, monitor and report on customers
- Tracks training, audits and ongoing reviews
The program has two parts:
- Part A: your risk-based systems and controls. This is the strategic layer.
- Part B: your customer due diligence procedures. This is the operational layer.
Most programs that fail audit do so because Part B has been written in the abstract rather than tied to actual operating procedures.
Part A: AML/CTF risk-based systems and controls
Part A must include the following sections.
1. Designated services provided
Document every designated service your business provides under Section 6 of the Act. For Tranche 2 entities, this typically includes:
- Real estate agents — buying, selling and leasing residential and commercial property; selling property by auction
- Accountants and tax practitioners — assisting with planning or executing transactions involving real property, business entities, or large value transfers
- Lawyers — providing professional services in connection with the purchase or sale of real estate, the management of trust funds, the formation of legal entities, or the provision of registered office services
- Conveyancers — assisting with the buying, selling or transfer of real estate
Be specific. "We provide legal services" is not sufficient. "We act for vendors and purchasers in residential conveyancing and provide trust account services for property settlements" is.
2. ML/TF risk assessment
This is the core of your Part A. The risk assessment must consider, at minimum:
- Customer types — individuals, companies, trusts, partnerships, government entities, foreign customers
- The designated services you provide — different services carry different risks
- The methods of delivery — in-person, online, through agents or intermediaries
- The jurisdictions involved — including any high-risk countries or sanctioned jurisdictions
For each risk factor, rate the inherent risk (low, medium, high) and document the rationale. Then describe the controls you apply to reduce the risk to an acceptable residual level.
A practical risk matrix looks like this:
| Risk factor | Inherent risk | Controls applied | Residual risk |
|---|---|---|---|
| Cash transactions over $10k | High | TTR reporting, source-of-funds CDD, manager approval | Medium |
| Foreign PEP customer | High | Enhanced CDD, senior management approval, ongoing monitoring | Medium |
| Online onboarding (no face-to-face) | Medium | Electronic identity verification, document verification | Low |
| Domestic individual customer, standard service | Low | Standard CDD | Low |
3. AML/CTF compliance officer
You must appoint an AML/CTF compliance officer at the management level. The program must document:
- Who they are (name, title)
- Their authority to make compliance decisions
- Their responsibilities — including oversight of the program, reporting to senior management, liaison with AUSTRAC, and decisions on suspicious matter reports
- Who their backup is when they are unavailable
For sole practitioners, you are your own compliance officer — but the document still needs to set out the role.
4. Employee due diligence
The program must describe your processes for:
- Pre-employment screening of staff who will perform AML/CTF functions
- Identifying employees who may pose a higher risk
- Ongoing monitoring of employee conduct relevant to AML/CTF compliance
For small firms, this can be brief — but it must exist.
5. AML/CTF training
Document your training program, covering:
- Induction training for new staff
- Ongoing training (typically annual)
- Specialised training for high-risk roles (compliance officer, senior management)
- Training records — when each staff member completed training and on what topics
AUSTRAC routinely asks for training records during assessments. Spreadsheet records are acceptable; verbal assertions are not.
6. Independent review of Part A
Part A must be independently reviewed at regular intervals — typically annually, or more often if your business changes significantly. The reviewer should not have been involved in writing or operating Part A.
For sole practitioners and very small firms, this can be done by an external compliance consultant or a peer practitioner. Document who reviewed it, when, and what changed as a result.
7. Reporting to senior management
Document the reporting line from the compliance officer to senior management — typically through a board paper or principal-level briefing — covering:
- Compliance program performance
- Incidents (including SMRs filed)
- Training completion
- Audit findings and remediation
For sole practitioners, this is a self-reporting note in your records.
8. Oversight of designated business groups
If your business is part of a designated business group (DBG) — for example, a parent company with subsidiaries that share AML/CTF compliance functions — Part A must describe the group structure and how oversight works across entities.
Most Tranche 2 SMEs will not be in a DBG. If you are not, document that explicitly.
9. Risk awareness training programs
Beyond standard staff training, your program must address how customer-facing staff identify suspicious behaviour. Common content includes:
- Red flags for money laundering relevant to your sector
- Red flags for terrorism financing
- Tipping off — what staff cannot say to customers
- Escalation procedures
10. Permission to disclose
If you operate within a designated business group or share information across legal entities, document the permissions and processes for sharing AML/CTF information internally and with related entities.
Part B: Customer due diligence procedures
Part B is the operational manual for onboarding and monitoring customers. It must include the following sections.
1. Customer identification procedures
For each type of customer (individual, company, trust, partnership, etc.), document the information you collect and verify, including:
- Full name, date of birth, residential address (for individuals)
- Full company name, ABN/ACN, registered office, beneficial owners (for companies)
- Trust deed, trustee details, beneficiaries (for trusts)
- Partnership agreement, partner details (for partnerships)
For each type of customer, document the acceptable verification documents (passport, driver's licence, ASIC search, etc.) and the electronic verification methods you accept.
2. Beneficial ownership identification
For non-individual customers, you must identify and verify any individual who ultimately owns or controls 25% or more of the customer, or otherwise exercises effective control. Document:
- How you collect beneficial ownership information
- How you verify it (typically through ASIC, ABR, or trust deed review)
- How you handle complex ownership structures
3. Customer risk rating
Document how you assign a risk rating (typically low, medium, high) to each customer, based on:
- Customer type and country
- Service requested
- Delivery channel
- Other risk factors specific to your business
The risk rating drives the level of CDD required.
4. Standard customer due diligence
For low- and medium-risk customers, document your standard CDD process — what you collect, what you verify, and when CDD is performed.
5. Enhanced customer due diligence
For high-risk customers (including foreign PEPs and customers in high-risk jurisdictions), document the additional steps required:
- Senior management approval before establishing the relationship
- Source-of-funds and source-of-wealth verification
- Enhanced ongoing monitoring
- More frequent CDD refresh
6. Simplified customer due diligence
If your risk assessment supports it, document where simplified CDD applies — typically for low-risk customers such as ASX-listed entities, government bodies, or other regulated reporting entities.
7. Ongoing customer due diligence
Document how you monitor customer relationships over time, including:
- Periodic CDD refresh schedules (driven by customer risk rating)
- Triggers for ad hoc CDD updates (significant transaction changes, change in beneficial ownership)
- Transaction monitoring — what you look for and how
8. PEP and sanctions screening
Document how you screen customers and beneficial owners against:
- Politically exposed persons (PEP) lists — domestic and foreign
- Sanctions lists — including DFAT consolidated list and UN sanctions
- The frequency of re-screening
9. Suspicious matter reporting
Document the SMR process end to end:
- How staff report suspicious activity internally
- Who decides whether to file an SMR with AUSTRAC
- The 3 business day reporting deadline (24 hours for terrorism financing)
- The tipping off offence — what cannot be disclosed to the customer
- Record retention for SMRs (7 years)
10. Threshold transaction reporting
Document how you identify and report cash transactions of $10,000 or more (TTRs):
- How transactions are flagged
- Who approves the report
- The 10 business day filing deadline
- Record retention
11. International funds transfer instructions
For businesses involved in IFTI reporting (less common for Tranche 2 SMEs but applicable in some cases), document the IFTI process.
12. Record keeping
Document your record retention policy, covering:
- 7-year minimum retention for customer identification records
- 7-year minimum retention for transaction records
- 7-year minimum retention for SMRs and TTRs
- How records are stored, secured and made available to AUSTRAC on request
Common reasons templates fail audit
In our work with Tranche 2 customers, the same issues come up repeatedly when programs derived from generic templates are reviewed:
- The risk assessment does not match the business. A template risk assessment is a starting framework; the actual customer types, services and geographies must be specific to your operation.
- Part B is described in the abstract. "We perform CDD on all customers" is not enough. The procedure must describe exactly what you do, who does it, and when.
- Roles and responsibilities are missing or vague. AUSTRAC will ask who is accountable. The program must answer that clearly.
- No evidence of operation. A program that has never been used produces no records — no CDD logs, no training records, no risk reviews. AUSTRAC treats programs without operational evidence as non-compliant.
- No version control or review schedule. Programs must be reviewed at regular intervals. Templates copied once and never revisited fail this test.
Building this yourself vs using a platform
Working through this template manually takes most Tranche 2 businesses 30 to 60 hours including legal review. Engaging a consultant to do it for you typically costs $5,000 to $15,000 upfront.
ComplyReady was built to do the same job for $99/month. The platform takes you through the risk assessment as a guided wizard, generates a tailored Part A and Part B based on your sector and services, and gives you the operational tools — CDD workflows, training, SMR submission, recordkeeping — to actually run the program day to day.
If you want to build your program from scratch using this template, you can. If you want to start with a tailored draft and customise from there, run our free readiness check — 8 minutes, no credit card, and you will see exactly what your program would look like.
If you are still deciding whether to build, buy or hire a consultant, our vendor-by-vendor comparison of AML/CTF software in Australia covers the full market.